Introduction to pentesting: Maintaining Access with Backdoors and Rootkits

Rootkits

Just like Metasploit, when people are first exposed to the power and cunning of rootkits, they are usually amazed. To the uninitiated, rootkits appear to have an almost black-magic-like quality. They are usually simple to install and can produce amazing results. Running a rootkit gives you the ability to hide files, processes and programs as if they were never installed on the computer. Rootkits can be used to hide files from users and even the operating system itself.

Because rootkits are so effective at hiding files, they will often be successful at evading even the most finely tuned antivirus software. The name rootkit is typically said to be a derivative of the words “root”, as in root-level or administrative access and the “kit” or collection of tool that were provided by the software package.

As we already mentioned, rootkits are extremely stealthy. They can be used for a variety of purposes including escalating privileges, recording keystrokes, installing backdoors and other nefarious tasks. Many rootkits are able to avoid detection because they operate at a much lower level of the operating system itself, inside the kernel. The software that users typically interact with functions at a higher-level of the system. When a piece of software like an antivirus needs to perform a particular task, it’ll often pass the request off to the lower levels of the operating system to complete the task. Remember, some rootkits live deep inside the operating system. They can also work by “hooking” or intercepting these various calls between the software and operating system.

By hooking the request from a piece of software, the rootkit is able to modify the normal response. Consider the following example: assume that you want to see what processes are running on a Windows machine. To accomplish this, most users will depress the key combination “CTRL+ALT+DEL”. This will allow the user to start the Task Manager and view running processes and services. Most people perform this task without thinking about it. They examine the process list presented and move on.

While the follow is a gross oversimplification, it should serve as an example to help you understand the basics. In this case, software is makig a call to the operating system and asking what processes or services are running. The operating system queries all the running programs it’s aware of and returns the list. However, if we add a rootkit to the mix, things get a little more complicated. Because rootkits have the ability to intercept and modify the responses returned by the operating system, when a user attempts to view the process list, the rootkit can simply remove selected programs, services and processes from the list. This happens instantaneously and the user is not aware of any differences. The program itself is actually functioning perfectly. It’s reporting exactly what it was told by the operating system. In many senses of the word, the rootkit is causing the operating system to lie.

It’s important to point out that a rootkit is not an exploit. Rootkits are something that is uploaded to a system after the system has been exploited. Rootkits are usually used to hide files or programs and maintain stealthy backdoor access.