Posts tagged programming

10+ things you should know about rootkits


By Michael Kassner, Techrepublic

Malware-based rootkits fuel a multibillion dollar spyware industry by stealing individual or corporate financial information. If that weren’t bad enough, rootkit-based botnets generate untold amounts of spam. Here’s a look at what rootkits are and what to do about them.

Rootkits are complex and ever changing, which makes it difficult to understand exactly what you’re dealing with. Even so, I’d like to take a stab at explaining them, so that you’ll have a fighting chance if you’re confronted with one.

#1: What is a rootkit?

Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a UNIX/Linux term that’s the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit — all of which is done without end-user consent or knowledge.


#2: Why use a rootkit?

Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer’s configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they consider rootkits to be solely malware, but in and of themselves they aren’t malicious at all.

One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG’s attempt to prevent copyright violations. Sony BMG didn’t tell anyone that it placed DRM software on home computers when certain CDs were played. On a scary note, the rootkit hiding technique Sony used was so good not one antivirus or anti-spyware application detected it.

#3: How do rootkits propagate?

Rootkits can’t propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.

The dropper is the code that gets the rootkit’s installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious email link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.

Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:

* Instant Messenger (IM) — One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it’s from a friend), that computer becomes infected and has a rootkit on it as well.
* Rich content — The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it’s all over.

#4: User-mode rootkits

There are several types of rootkits, but we’ll start with the simplest one. User-mode rootkits run on a computer with administrative privileges. This allows user-mode rootkits to alter security and hide processes, files, system drivers, network ports, and even system services. User-mode rootkits remain installed on the infected computer by copying required files to the computer’s hard drive, automatically launching with every system boot.

Sadly, user-mode rootkits are the only type that antivirus or anti-spyware applications even have a chance of detecting. One example of a user-mode rootkit is Hacker Defender. It’s an old rootkit, but it has an illustrious history. If you read the link about Hacker Defender, you will learn about Mark Russinovich, his rootkit detection tool called Rootkit Revealer, and his cat-and-mouse struggle with the developer of Hacker Defender.

#5: Kernel-mode rootkit

Malware developers are a savvy bunch. Realising that rootkits running in user-mode can be found by rootkit detection software running in kernel-mode, they developed kernel-mode rootkits, placing the rootkit on the same level as the operating system and rootkit detection software. Simply put, the OS can no longer be trusted. One kernel-mode rootkit that’s getting lots of attention is the Da IOS rootkit, developed by Sebastian Muniz and aimed at Cisco’s IOS operating system.

Instability is the one downfall of a kernel-mode rootkit. If you notice that your computer is blue-screening for other than the normal reasons, it just might be a kernel-mode rootkit.

#6: User-mode/kernel-mode hybrid rootkit

Rootkit developers, wanting the best of both worlds, developed a hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy). The hybrid approach is very successful and the most popular rootkit at this time.

#7: Firmware rootkits

Firmware rootkits are the next step in sophistication. This type of rootkit can be any of the other types with an added twist; the rootkit can hide in firmware when the computer is shut down. Restart the computer, and the rootkit reinstalls itself. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business. John Heasman has a great paper called “Implementing and Detecting a PCI Rootkit” (PDF).

#8: Virtual rootkits

Virtual rootkits are a fairly new and innovative approach. The virtual rootkit acts like a software implementation of hardware sets in a manner similar to that used by VMware. This technology has elicited a great deal of apprehension, as virtual rootkits are almost invisible. The Blue Pill is one example of this type of rootkit. To the best of my knowledge, researchers haven’t found virtual rootkits in the wild. Ironically, this is because virtual rootkits are complex and other types are working so well.

#9: Generic symptoms of rootkit infestation

Rootkits are frustrating. By design, it’s difficult to know if they are installed on a computer. Even experts have a hard time but hint that installed rootkits should get the same consideration as other possible reasons for any decrease in operating efficiency. Sorry for being vague, but that’s the nature of the beast. Here’s a list of noteworthy symptoms:

* If the computer locks up or fails to respond to any kind of input from the mouse or keyboard, it could be due to an installed kernel-mode rootkit.
* Settings in Windows change without permission. Examples of this could be the screensaver changing or the taskbar hiding itself.
* Web pages or network activities appear to be intermittent or function improperly due to excessive network traffic.

If the rootkit is working correctly, most of these symptoms aren’t going to be noticeable. By definition, good rootkits are stealthy. The last symptom (network slowdown) should be the one that raises a flag. Rootkits can’t hide traffic increases, especially if the computer is acting as a spam relay or participating in a DDoS attack.

#10: Polymorphism

I debated whether to include polymorphism as a topic, since it’s not specific to rootkits. But it’s amazing technology that makes rootkits difficult to find. Polymorphism techniques allow malware such as rootkits to rewrite core assembly code, which makes using antivirus/anti-spyware signature-based defences useless. Polymorphism even gives behavioural-based (heuristic) defences a great deal of trouble. The only hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and then compares the results to a known good baseline of the system.

#11: Detection and removal

You all know the drill, but it’s worth repeating. Be sure to keep antivirus/anti-spyware software (and in fact, every software component of the computer) up-to-date. That will go a long way toward keeping malware away. Keeping everything current is hard, but a tool such as Secunia’s Vulnerability Scanning program can help.

Detection and removal depends on the sophistication of the rootkit. If the rootkit is of the user-mode variety, any one of the following rootkit removal tools will most likely work:

* F-Secure Blacklight
* RootkitRevealer
* Windows Malicious Software Removal Tool
* ProcessGuard
* Rootkit Hunter (Linux and BSD)

The problem with these tools is that you can’t be sure they’ve removed the rootkit. Albeit more labour-intensive, using a bootable CD, such as BartPE, with an antivirus scanner will increase the chances of detecting a rootkit, simply because rootkits can’t obscure their tracks when they aren’t running. I’m afraid that the only way to know for sure is to have a clean computer, take a baseline, and then use an application like EnCase to check for any additional code.
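The baseline-comparison approach from #10 and #11 (hash a known-clean tree, then look for anything added or changed), as an added example that is not part of the TechRepublic article. It assumes POSIX sh with find, sort, cut, comm, sed and sha256sum, and builds its own small demo tree:

```shell
#!/bin/sh
# Added example, not code from the article: the "take a baseline of a clean
# machine, then look for anything added or changed" approach from #10 and #11,
# done with file hashes. Assumes POSIX sh plus find, sort, cut, comm and sed,
# and sha256sum (with "shasum -a 256" as a fallback where it is missing).
set -eu
export LC_ALL=C                      # one stable sort order for sort and comm

HASHER=$(command -v sha256sum || echo "shasum -a 256")

# Write "<sha256>  <path>" for every regular file under $1 into $2.
take_baseline() {                    # take_baseline <dir> <baseline-file>
    ( cd "$1" && find . -type f | sort | while read -r f; do $HASHER "$f"; done ) > "$2"
}

# Print one line per difference between a fresh snapshot of $1 and the stored
# baseline $2: "MODIFIED <path>", "ADDED <path>" or "REMOVED <path>".
baseline_diff() {                    # baseline_diff <dir> <baseline-file>
    tmp=$(mktemp -d)
    take_baseline "$1" "$tmp/now"
    sort "$2" > "$tmp/old"; sort "$tmp/now" > "$tmp/new"
    # A "<hash>  <path>" line present in only one snapshot means the path was
    # added, removed or re-hashed; which list(s) the path is in decides which.
    comm -13 "$tmp/old" "$tmp/new" | cut -c67- | sort > "$tmp/new_only"
    comm -23 "$tmp/old" "$tmp/new" | cut -c67- | sort > "$tmp/old_only"
    comm -12 "$tmp/new_only" "$tmp/old_only" | sed 's/^/MODIFIED /'
    comm -23 "$tmp/new_only" "$tmp/old_only" | sed 's/^/ADDED /'
    comm -13 "$tmp/new_only" "$tmp/old_only" | sed 's/^/REMOVED /'
    rm -rf "$tmp"
}

# Return 1 (and print the report) when the tree no longer matches its baseline,
# 0 when it does, so the check can gate a boot script or raise an alert.
check_baseline() {                   # check_baseline <dir> <baseline-file>
    report=$(baseline_diff "$1" "$2")
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

# Constructed demo: a "clean" tree and its baseline, then one dropped file and
# one altered file standing in for a planted driver and a patched binary.
demo_baseline() {
    d=$(mktemp -d); mkdir "$d/sys"
    printf 'kernel\n' > "$d/sys/kernel.bin"; printf 'shell\n' > "$d/sys/sh"
    take_baseline "$d" "$d.base"
    printf 'dropped\n' > "$d/sys/rk.sys"; printf 'patched\n' > "$d/sys/sh"
    baseline_diff "$d" "$d.base"
    rm -rf "$d" "$d.base"
}
```

The baseline only helps if it was taken from a machine you trust and is stored off the box, since a rootkit that is already running can feed the hashing step a lie.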

Final thoughts

Opinions vary when it comes to rootkit removal, as discussed in the NetworkWorld article “Experts divided over rootkit detection and removal”. Although the article is two years old, the information is still relevant. There’s some hope, though: Intel’s Trusted Platform Module (TPM) has been cited as a possible solution to malware infestation. The problem with TPM is that it’s somewhat controversial. Besides, it will take years before sufficient numbers of computers have processors with TPM.

If you’re looking for additional information, I recommend the book ROOTKITS: Subverting the Windows Kernel, by Greg Hoglund and James Butler, of HBGary.


Metasploit, an Exploit Framework Built on Ruby [on Rails]


Ruby and Metasploit: you have probably already noticed one of them, or maybe both. Ruby on Rails is a web application framework built on the Ruby programming language, with MVC (Model-View-Controller) as its framework concept. And Ruby itself? Ruby is another programming language, announced by ” ” in , and it is a fully object-oriented language, supported by thousands of component libraries called gems and by a large community around the world; it now has a place in most countries of the world as a web framework for building the new era of the web, Web 2.0. I think that is enough to describe Ruby and Rails. Now let’s talk about the Metasploit Framework.

The Metasploit Framework is one of the most popular penetration testing and hacking tools at this time. It consists of hundreds of exploit modules, together with payload functions and other customisable auxiliary modules. Metasploit is also ready to use and easy to use: it has had several operating modes, console and web, and now it has a GUI version too. Before the current release, in earlier versions, Metasploit was not built with Ruby but was a Perl-powered application; in Framework 3, the application and every module were rebuilt in Ruby. All exploit modules were rebuilt in Ruby.


TortoiseSVN, the easy way to manage a project with SVN


As described in my earlier tutorial, SVN is a version control system. It allows users to keep track of changes made to any type of electronic data, typically source code, web pages or design documents. It is an alternative to CVS (another version control system).

There is a built-in client packaged with the SVN binaries, but if you need another client with more features on the Windows OS family, you might be interested in installing TortoiseSVN.

From the website:

TortoiseSVN is an easy to use SCM / source control software for Microsoft Windows and maybe the best Subversion client there is. It is implemented as a Windows shell extension, which makes it integrate seamlessly into the Windows explorer. Since it’s not an integration for a specific IDE you can use it with whatever development tools you like.

On my side, I use this tool partially, when I need a simpler and more user-friendly way to manage my code under versioning. With Tortoise I can create a local repository (with fsfs storage or bdb storage) and import an initial project into it. Not only that: when you do the initial import, you can choose not only a local repository but a remote repository too. After the initial import you can just check out the project and work with it (commit and update).

In a versioned folder/source, you can do many operations on the versioned source/folder with an easy right click, because Tortoise is integrated with the Explorer shell.

With just a right click, you can resolve, revert, view the log, browse the repository folder, clean up locks, or do other advanced operations like creating a branch, merging, or even creating a patch.

All the SVN commands I described before can be done with a single click, without typing long commands.

Working with SubVersion


  • SVN, a.k.a. Subversion, is a version control system that allows users to keep track of changes made to any type of electronic data, typically source code, web pages or design documents.
  • SVN URI: the URL address where you can access a repository. Besides its original protocol (svn), SVN also supports ssh and http/https.
  • URI example:
  • svn://
  • SVN Client
  1. Console version: svn (all OS)
  2. Integrated with the OS:
    • TortoiseSVN (Win32)
    • KDESVN (Linux + KDE)
  3. Integrated with an IDE (Rails IDE):
    • Subclipse -> Eclipse + RadRails + Subclipse (RadRails / Aptana)
  4. Other client software:
    • RapidSVN (Linux)
  • SVN Commands
  1. svn help: list all available svn commands
  2. svn checkout / svn co: Subversion checkout, the initial download of a working directory
    1. how to: svn co remote_dir_uri working_dir_destination
    2. example: svn co
    3. troubleshooting:
      • when SVN authentication is needed, add this parameter to your command line => svn co --username <username>
  3. svn update / svn up: Subversion update, update your working directory
    1. how to: svn up working_dir/file(s)
    2. example: svn up
    3. troubleshooting:
      • when SVN authentication is needed, add this parameter to your command line => svn up --username <username>
  4. svn commit / svn ci: commit your working directory to the repository
    1. how to: svn ci working_dir/file(s)
    2. example: svn ci
    3. troubleshooting:
      • when SVN authentication is needed, add this parameter to your command line => svn ci --username <username>
      • Win32 users need a default editor; add this option to your command line => svn ci --editor-cmd notepad
  5. svn cleanup: clean up lock files or an unsuccessful commit
    1. how to: svn cleanup working_dir/file(s)
    2. example: svn cleanup
  6. svn revert: revert your working file(s) to the versioned copy
    1. how to: svn revert working_dir/file(s)
    2. example: svn revert app/controllers/my_friends_controller.rb
  7. svn resolved: mark the conflicted file as resolved
    1. how to: svn resolved file(s)
    2. example: svn resolved app/controllers/my_friends_controller.rb
    3. note: when you face a conflicted file, you can choose either to revert it or to mark it resolved
  • Get your project code from Subversion
  1. do svn co as in the tutorial above
  2. keep your code up to date with svn update
  • Check in your changes to your project repository
  1. do svn ci as in the tutorial above
  2. write down in your editor:
    • your issue number #<ticket number>
    • a description of your changes
    • a description of your additions / fixes
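The checkout / commit / update / resolved cycle from the outline above, run end to end against a throwaway local repository so the conflict case behind "svn resolved" is actually produced; this is an added example, not part of the original post, and it assumes svn and svnadmin are on PATH:

```shell
#!/bin/sh
# Added example, not from the original post: the checkout / commit / update /
# resolved cycle from the outline, run end to end against a throwaway local
# repository so that the conflict case behind "svn resolved" can be seen.
# Assumes svn and svnadmin are on PATH; nothing here talks to a server.
set -eu

# Build one repository and two working copies of it (two developers), commit
# conflicting edits, and walk through the outline's commands. Prints the final
# contents of the contested file; returns 1 if the conflict never appeared.
svn_roundtrip() {
    top=$(mktemp -d)
    url="file://$top/repo"
    {
        svnadmin create "$top/repo"                        # local fsfs repository
        svn co -q "$url" "$top/wc1"                        # svn co: initial checkout
        printf 'hello\n' > "$top/wc1/README"
        svn add -q "$top/wc1/README"
        svn ci -q -m '#1 add README' "$top/wc1"            # svn ci: ticket number first
        svn co -q "$url" "$top/wc2"                        # second developer's copy
        printf 'hello from wc1\n' > "$top/wc1/README"
        svn ci -q -m '#2 edit README' "$top/wc1"
        printf 'hello from wc2\n' > "$top/wc2/README"      # uncommitted edit in wc2
        # svn up pulls r2 on top of the local edit; --accept postpone leaves the
        # conflict markers in place instead of prompting, which is the situation
        # the outline's "revert it or mark it resolved" note describes.
        svn up -q --non-interactive --accept postpone "$top/wc2"
        svn status "$top/wc2" | grep -q '^C' || return 1   # C = conflicted
        printf 'hello from both\n' > "$top/wc2/README"     # merge by hand
        svn resolved -q "$top/wc2/README"                  # svn resolved: clear the flag
        svn ci -q -m '#3 merge README' "$top/wc2"
        svn up -q "$top/wc1"                               # svn up: wc1 sees the merge
    } >/dev/null                                           # keep only the file below
    cat "$top/wc1/README"
    rm -rf "$top"
}
```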

Ruby on Rails


Something weird about this kind of programming…
In this programming language we can’t read the code partially; we must know how the code flows. In Rails we find the concept of MVC (Models, Views and Controllers), something like ASP.NET has. In this concept we just create the model, decide how it will be displayed in the web browser, and control its behaviour when it communicates with the database server, something like event-driven programming.

At first sight, because my basic web programming background builds web applications using a function-based method, I found a few problems when implementing a web application using the Rails framework. One idea for learning the framework is to read step by step from the idiot’s guide and practise it in its environment.

Before we can develop, we need a suitable environment. Because of minimal resources and a poor net connection, some problems arose when setting up the development environment for the first time. But with the magic and the power of LINUX and all my kung fu, the development environment and the server could be set up.

The first thing to do with the power of Rails and Ruby: we can use the scaffold function from Rails to generate forms from the tables in the database server. With the controller we can validate every piece of data that will be inserted into the database.

Now… there are some things to do to get familiar with this environment. Hopefully there are many people who can help me explain and solve every problem.

Thanks to Ruby and the Rails framework.
