Word Notes 11.24.20
Ep 25 | 11.24.20

rootkit (noun)

Transcript

Rick Howard: The word is: rootkit.

Rick Howard: Spelled: R as in Rami Malek, O as in obscure, O as in open source, T as in Terry Colby, K as in killer app, I as in IRC, and T as in telnet.

Rick Howard: Definition: A clandestine set of applications designed to give hackers access and control over a target device.

Rick Howard: Example sentence: Memory rootkits hide in the system's RAM, or random access memory, to avoid detection.

Rick Howard: Origin and context: In 1984, Ken Thompson, the co-founder of the original UNIX system with Dennis Ritchie back in the 1960s, published a paper in the Communications of the ACM called "Reflections on Trusting Trust." As a thought experiment, he devised a way to alter the C compiler that shipped with all Unix systems at the time. When the compiler noticed an administrator recompiling the "login" program, the compiler would insert additional functionality to not only accept the password of the user trying to get in, but also a second password that only the hacker knew about. When reviewers analyzed the code for the "login" program later, they would see no signs of this additional functionality. Mr. Thompson essentially invented the first rootkit some years before we saw the first one in the wild. According to Vince Polston at Malware Fox, Lane Davis and Riley Dake wrote the first rootkits in 1990 that targeted the Sun Operating System, a Unix-based architecture. Greg Hoglund wrote the first public Windows rootkit, called NTRootkit, in 1999. The first Mac OS rootkit appeared in 2009.

Rick Howard: The word "root" originally referred to the admin account on Unix and Linux systems. Today it means the admin account on any system. "Kit" refers to the software components that implement a collection of tools. Modern rootkits hide their presence using some of the lower abstraction layers of the operating system, which makes them hard to detect. Generally, hackers try three different techniques to install rootkits on the target device. Number 1: Hooking, or injecting malicious code into the application's execution flow. The Zeus Panda banking Trojan performs keylogging on the victim's machine by hooking the Windows operating system functions TranslateMessage and WM_KEYDOWN. Number 2: DLL injection, or inserting a dynamic link library, or DLL, into a running process's address space. There is a module in the Equation Group's GrayFish cyberespionage platform that uses DLL injection. Or Number 3: Kernel Object Manipulation, or modifying the kernel structure and bypassing the kernel object manager to avoid access checks. The Russian GRU's Unit 26165, aka Fancy Bear, aka APT28, and aka Strontium, uses a Drovorub toolset that includes a Linux kernel module rootkit. By the way, Drovorub means woodcutter in Russian. Finally, rootkits target various operating system functionality like applications, the kernel, the boot process, memory, and firmware.

Rick Howard: Nerd reference: In Season 1, Episode 1 of Mr. Robot, Gideon, played by Michel Gill, Elliot, played by Rami Malek, Angela, played by Portia Doubleday, and Lloyd, played by Aaron Takahashi, are in the office at 3:00 in the morning trying to fend off a denial of service attack against their biggest client, Evil Corp. Elliot discovers several rootkits deployed on their client's servers.

Mr. Robot dialogue:

-What? 

-I don't think it's just a DDoS attack. I think they got a rootkit sitting inside the servers.

-What's a rootkit? 

-Sorry, it's malicious code that completely takes over their system. It could delete system files, install programs, viruses, worms.

-How do we stop it? 

-That's the thing. It's fundamentally invisible. You can't stop it. All of the servers are timing out. None of them are coming back up. 

-That's because every time we restart the server, the virus replicates itself during bootup and crashes the host.