An Analysis of Rootkit Technologies: Part 1
Introduction
Modern malware threats, and the motivation behind creating them, have evolved. Today's threats are complex multi-module systems that use sophisticated techniques to target and attack vulnerable systems. To remain undetected, malware authors incorporate rootkit components that maximize stealth. A rootkit buries the malware deep within the operating system, making it much harder to detect and more complex to remove. The longer the malware stays undetected on a compromised machine, the more the cybercriminal can profit.
We present an overview of some of the more widespread user-mode and kernel-mode rootkit malware found in the wild, according to statistics gathered by Lavasoft: Qvod, ZeroAccess, TDL2 and Zbot. We discuss the technical details of their stealth techniques and demonstrate diagnostic methods that uncover them using the anti-rootkit tool GMER.
Zbot
Hiding the presence and the destructive activity of malicious code is the main purpose of a rootkit, and Zbot is no exception. After installation, a dynamic-link library (DLL) that hides the malware's components is injected into every running process on the system.
The hiding mechanism consists of three actions:
- hide files on the drive whose names match a mask
- hide the malware process from process listings
- hide the registry value that starts the malware automatically at system boot
The GMER anti-rootkit detects intercepted (hooked) functions, if any, and uncovers hidden processes. Figure 1 shows a hidden process and the names of the intercepted functions.
Figure 1. Diagnosing the system for rootkits using the GMER anti-rootkit
The interceptors installed in the address space of the processes running on the system (Figure 2) can be examined by debugging the malicious DLL in OllyDbg. The handlers for the intercepted functions are located in the body of the loaded library: the first instructions of each hooked system function have been overwritten with a jump into that library.
Figure 2. Examples of the original and modified handlers of the system functions
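The following is an added example, not code from the original article and not GMER's own implementation. It models, in a platform-independent way, the check an anti-rootkit performs on each exported user-mode API: compare the first bytes of the function as mapped in the process with a clean copy (GMER reads the original DLL from disk; here the clean bytes are a constructed array), decode the two most common 32-bit inline-hook stubs (JMP rel32 and PUSH imm32; RET), and flag a destination that lies outside the module exporting the function. The prologue bytes, virtual addresses and module range are hypothetical. It also shows the 5-byte JMP overwrite that an injected DLL performs, so that the detection logic can be exercised against a realistic hook.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the prologue window compared against the clean copy. */
#define PROLOGUE_LEN 8

typedef struct {
    bool hooked;          /* first bytes differ from the clean copy         */
    uint32_t target;      /* decoded hook destination, 0 if undecodable     */
    bool target_foreign;  /* destination lies outside the exporting module  */
} hook_report;

/* Constructed data, modelled on a 32-bit kernel32 export. Clean prologue:
 * "mov edi,edi; push ebp; mov ebp,esp; push ecx; push esi; push edi". */
static const uint8_t clean_prologue[PROLOGUE_LEN] =
    { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x51, 0x56, 0x57 };
static const uint32_t func_va      = 0x7C813B00u; /* hypothetical VA of the export     */
static const uint32_t module_base  = 0x7C800000u; /* hypothetical exporting-module base */
static const uint32_t module_size  = 0x000F6000u; /* hypothetical exporting-module size */
static const uint32_t hook_handler = 0x10001000u; /* hypothetical VA inside injected DLL */

/* What the injected DLL does: overwrite the first 5 bytes with JMP rel32.
 * rel32 is relative to the end of the 5-byte instruction; x86 is little-endian,
 * so memcpy of the native uint32_t produces the encoding the CPU expects. */
void write_jmp_hook(uint8_t *prologue, uint32_t va, uint32_t target)
{
    uint32_t rel = target - (va + 5);     /* unsigned wrap == two's complement */
    prologue[0] = 0xE9;
    memcpy(prologue + 1, &rel, 4);
}

/* Decode the two most common inline-hook stubs: JMP rel32 (E9 ..) and
 * PUSH imm32; RET (68 .. C3). Returns the destination, or 0 if neither. */
uint32_t decode_hook_target(const uint8_t *code, size_t len, uint32_t va)
{
    uint32_t imm;
    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&imm, code + 1, 4);
        return va + 5 + imm;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        memcpy(&imm, code + 1, 4);
        return imm;
    }
    return 0;
}

/* The anti-rootkit check: compare in-memory bytes with the clean reference,
 * then see whether a decoded jump leaves the module that owns the export. */
hook_report check_function(const uint8_t *in_memory, const uint8_t *clean,
                           size_t len, uint32_t va, uint32_t base, uint32_t size)
{
    hook_report r = { false, 0, false };
    if (memcmp(in_memory, clean, len) == 0)
        return r;                               /* prologue untouched */
    r.hooked = true;
    r.target = decode_hook_target(in_memory, len, va);
    if (r.target != 0)
        r.target_foreign = (r.target < base) || (r.target >= base + size);
    return r;
}

/* Scenarios: the untouched export, and the same export after the rootkit
 * DLL has installed its interceptor. */
hook_report scan_clean(void)
{
    return check_function(clean_prologue, clean_prologue, PROLOGUE_LEN,
                          func_va, module_base, module_size);
}

hook_report scan_hooked(void)
{
    uint8_t in_memory[PROLOGUE_LEN];
    memcpy(in_memory, clean_prologue, PROLOGUE_LEN);
    write_jmp_hook(in_memory, func_va, hook_handler);
    return check_function(in_memory, clean_prologue, PROLOGUE_LEN,
                          func_va, module_base, module_size);
}

int main(void)
{
    hook_report r = scan_hooked();
    printf("hooked=%d target=0x%08X foreign=%d\n",
           r.hooked, (unsigned)r.target, r.target_foreign);
    return 0;
}
```

A real scanner repeats this for every export of every loaded module and, as GMER does, also resolves which module owns the destination so it can name the injected DLL. A jump whose target stays inside the same module is not necessarily a hook (hot-patching and compiler-generated thunks look similar), which is why the module-range check matters.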
To hide its components on the drive, the malware intercepts the FindFirstFile and FindNextFile functions, which return directory listings. The hook handler removes from the returned results the names of any files that match the malware's mask.
Hooking NtQuerySystemInformation allows the malware process to hide. In its handler for the hooked function, the malware modifies the returned list of processes to remove entries whose names match its own. As you can see in Figure 1 above, the process name is "volmgr.exe".
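The following is an added example, not code from the original article or from Zbot, showing how a handler for a hooked NtQuerySystemInformation hides a process named "volmgr.exe". The real call fills a buffer with variable-length SYSTEM_PROCESS_INFORMATION entries chained by NextEntryOffset (0 marks the last entry); the handler lets the original function run, then walks the chain and unlinks matching entries by making their predecessor point past them. The structure below is a simplified stand-in (the real one is larger and carries the image name as a UNICODE_STRING), and the process table it returns is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for SYSTEM_PROCESS_INFORMATION. The real structure is
 * much larger and names the image with a UNICODE_STRING, but the field the
 * rootkit manipulates, NextEntryOffset, behaves exactly like this one. */
typedef struct {
    uint32_t NextEntryOffset;   /* bytes from this entry to the next, 0 = last */
    uint32_t UniqueProcessId;
    char     ImageName[32];
} proc_entry;

#define MAX_ENTRIES 8
typedef struct { proc_entry e[MAX_ENTRIES]; size_t count; } proc_list;

/* Constructed process table standing in for the real
 * NtQuerySystemInformation(SystemProcessInformation) result. */
void original_query(proc_list *out)
{
    static const struct { uint32_t pid; const char *name; } table[] = {
        { 0, "" }, { 4, "System" }, { 612, "csrss.exe" },
        { 1234, "volmgr.exe" },             /* the Zbot process from Figure 1 */
        { 1500, "explorer.exe" }, { 1760, "volmgr.exe" },
    };
    out->count = sizeof table / sizeof table[0];
    for (size_t i = 0; i < out->count; i++) {
        proc_entry *p = &out->e[i];
        p->UniqueProcessId = table[i].pid;
        memset(p->ImageName, 0, sizeof p->ImageName);
        strncpy(p->ImageName, table[i].name, sizeof p->ImageName - 1);
        p->NextEntryOffset = (i + 1 < out->count) ? (uint32_t)sizeof *p : 0;
    }
}

static proc_entry *next_of(proc_entry *p)
{
    return p->NextEntryOffset ? (proc_entry *)((uint8_t *)p + p->NextEntryOffset) : NULL;
}

/* The rootkit handler's filter: walk the chain after the original call and
 * unlink every entry whose image name matches by making its predecessor
 * point past it. The first entry (Idle) never matches, so a predecessor
 * always exists. Returns the number of entries unlinked. */
size_t unlink_process(proc_list *list, const char *hidden_name)
{
    size_t hidden = 0;
    proc_entry *prev = list->e;
    for (proc_entry *cur = next_of(prev); cur; ) {
        proc_entry *next = next_of(cur);
        if (strcmp(cur->ImageName, hidden_name) == 0) {
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            hidden++;
        } else {
            prev = cur;
        }
        cur = next;
    }
    return hidden;
}

/* The replacement entry point the injected DLL redirects callers to. */
void hooked_query(proc_list *out)
{
    original_query(out);
    unlink_process(out, "volmgr.exe");
}

/* What Task Manager, or any caller following NextEntryOffset, now sees. */
size_t count_visible(proc_list *list)
{
    size_t n = 1;
    for (proc_entry *p = list->e; (p = next_of(p)) != NULL; ) n++;
    return n;
}

bool is_visible(proc_list *list, const char *name)
{
    for (proc_entry *p = list->e; p; p = next_of(p))
        if (strcmp(p->ImageName, name) == 0) return true;
    return false;
}

size_t demo_visible_count(void)    { proc_list l; hooked_query(&l); return count_visible(&l); }
bool   demo_volmgr_visible(void)   { proc_list l; hooked_query(&l); return is_visible(&l, "volmgr.exe"); }
bool   demo_explorer_visible(void) { proc_list l; hooked_query(&l); return is_visible(&l, "explorer.exe"); }
size_t demo_raw_count(void)        { proc_list l; hooked_query(&l); return l.count; }

int main(void)
{
    printf("raw entries: %zu, visible after hook: %zu, volmgr.exe visible: %d\n",
           demo_raw_count(), demo_visible_count(), demo_volmgr_visible());
    return 0;
}
```

Note that the unlinked entries are still physically present in the buffer; only the chain skips them. An anti-rootkit that obtains the process list from a different source (GMER uses its kernel driver for this) sees the discrepancy between its own list and what the hooked API reports, which is how the hidden "volmgr.exe" in Figure 1 is exposed. The same filtering idea, applied to a directory listing, is what the FindFirstFile/FindNextFile hooks do for files on disk.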
The malware's autorun mechanism is very simple: it adds a reference to its executable in the Run key of the system registry. To hide that value and prevent easy removal with a tool such as regedit, the malware intercepts NtEnumerateValueKey and modifies its results so that the value responsible for starting the malware is never returned. Viewing the hidden value requires a special tool such as the GMER anti-rootkit (Figure 3).
Figure 3. A hidden record in the Autorun key of the system registry
The autorun entry is essential to the malware surviving a reboot. Hiding the autorun entry, the components on disk and the running process lets the malware live on a long time on the PC of a user who suspects nothing.
Next, we will review the various hiding mechanisms of the ZeroAccess kernel-mode rootkit.