Tuesday, 11 August 2015 08:26

You have been rooted


Rootkits are nirvana for hackers. Primarily designed to gain privileged administrator access (a backdoor) to a device, they allow the hacker to do pretty much anything.

They can have other characteristics, but the major one is stealth – you may never know your device is infected. Detection is often difficult, as many rootkits impair or disable antivirus/anti-malware software.

The usual delivery vector is malware that you unwittingly agree to install – spear-phishing emails, drive-by webpage exploits, an infected USB key, or some other network exploit like the new Thunderstrike 2 that affects Macs connected by Thunderbolt cable.

The majority take advantage of known operating system vulnerabilities, and some take advantage of hardware vulnerabilities (like the newly discovered x86 vulnerability that has existed since 1977).

Removal can be complicated to impossible because most rootkits ‘hide’ in the operating system kernel, making a clean install the best, but not necessarily a foolproof, option: some rootkits can load to and from memory or firmware, and be written back to the hard disk master boot record during a clean install.

The majority can do a combination of the following:

  • Steal personally identifiable information including passwords, banking details, and documents via screen intercepts or key logging
  • Download and install other malware to perform specific tasks
  • Turn the computer into a zombie or botnet to send spam email or launch denial of service attacks

Now I admit that I understand the Windows OS more than Mac so if there is a helpful Mac person out there feel free to comment or correct.

Windows presents the biggest target because it has been around a lot longer than Mac OS X. Mac has 20+ known rootkits. When a vulnerability is found, Microsoft and Apple release a security patch or, in some cases, need to rewrite the OS code for the next version. If all devices were regularly patched there would not be an issue – but the fact that the majority of rootkits still use vulnerabilities discovered up to 10 years ago speaks volumes about ‘lazy users’.

Mac – OS X

Macs are not immune from malware and viruses – they simply don’t present as big a target, with <5% of the market. The first Mac rootkit, OS X Opener, was found in 2004. A search on ‘rootkit mac’ is the best place to start.

Mac hackers seem to be working on hiding rootkits in the Boot ROM chip (this erasable programmable read-only memory, or EPROM, holds the machine’s firmware), attached Thunderbolt device ROMs (Thunderstrike/2), Extensible Firmware Interface (EFI) code, the boot sector on the hard disk, and the kernel (operating system).

The Safe Mac is a good place to visit for information. It has updates on the very recent DYLD privilege escalation exploit and many more. Its blog is current until mid-August when it was acquired by MalwareBytes and the information continues here. It does not hurt to install the free MalwareBytes for Mac.

Another free rootkit detector is from ESET.

There is a lengthy article from Sophos on Thunderbolt and Thunderbolt 2 here and it has a Mac blog as well.

Symantec states “Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications … An attacker can exploit these issues to execute arbitrary code, gain elevated privileges, cause denial-of-service conditions, and gain unauthorized access.” Of course it recommends the A$89.99 Norton 360 that includes up to 5 installs on Windows or OS X machines.

Windows

Having 95% of the market means Windows has been the prime target for attacks on both consumers and enterprise. Interestingly, because Windows has been the main target, its users are more likely to use antivirus/anti-malware software, and Windows comes with Windows Defender as standard, so the days of bagging Windows as a malware magnet are over.

Still, rootkits use known vulnerabilities in Windows to gain access. It is vital that you apply all patches and security updates. Belarc will run an analysis and let you know if any updates or patches are missing – which can happen if the Windows automatic update system is turned off.

As with the Mac, hackers target the BIOS, the hard disk master boot record and partition table, the operating system kernel and drivers, and disguise rootkits within so-called benign programs.

The better-known AV products (AVG, Norton, Kaspersky, Trend, and McAfee) have rootkit detection, and some, like Malwarebytes, offer a free standalone tool to detect and remove rootkits. Do not risk using lesser-known detection tools – they could be Trojans – and always download from the maker’s official web site.

Windows 10 will be more secure and less prone to rootkits – its new boot system should protect it from new vulnerabilities as they are discovered. Windows 8.1 and 10 hardware uses a secure boot system with UEFI 2.3.1 (Unified Extensible Firmware Interface), which replaces the older EPROM-based BIOS. Combined with a Trusted Platform Module (TPM), it can be configured to load only a trusted operating system bootloader, i.e. one that is checked before loading. Then ELAM (Early Launch Anti-Malware) kicks in to test all drivers and prevent unapproved ones from loading. Finally, Windows logs the boot process and can send that log to a trusted server to assess the PC’s health. Older hardware without UEFI is not protected.
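To check whether a given PC actually has the chain just described in place, here is an added PowerShell audit script (not from the article or from Microsoft). It assumes the SecureBoot and TrustedPlatformModule modules that ship with Windows 8.1/10, that Windows Defender’s ELAM boot driver is registered under the service name WdBoot, and that measured-boot logs are written under C:\Windows\Logs\MeasuredBoot when a TPM is present.

```powershell
# Added example: audit Secure Boot, TPM, ELAM and measured-boot logging.
# Run from an elevated PowerShell prompt on Windows 8.1 or 10.

function Get-BootProtectionStatus {
    $result = [ordered]@{}

    # 1. Firmware stage: UEFI Secure Boot. Confirm-SecureBootUEFI throws on
    #    legacy BIOS machines, which is exactly the "unprotected" case.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot = 'Unsupported (legacy BIOS, no UEFI)'
    }

    # 2. TPM stage: the module must be present and ready for measured boot.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # 3. ELAM stage: the anti-malware boot-start driver (assumed name WdBoot
    #    for Windows Defender) should be a Boot-mode driver and running.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'"
    $result.ElamDriver = if ($elam) { "$($elam.StartMode)/$($elam.State)" } else { 'Not installed' }

    # 4. Measured boot: log files only appear when the TPM recorded the boot.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $logs = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue
    $result.MeasuredBootLogs = if ($logs) { @($logs).Count } else { 0 }

    [pscustomobject]$result
}

$status = Get-BootProtectionStatus
$status | Format-List

# Warn on the gaps the article describes: no verified bootloader, no driver screening.
if ($status.SecureBoot -ne $true) {
    Write-Warning 'Secure Boot is not active: firmware and bootloader are not verified.'
}
if ($status.ElamDriver -notlike '*Running') {
    Write-Warning 'No ELAM driver running: boot-start drivers are not screened.'
}
if ($status.MeasuredBootLogs -eq 0) {
    Write-Warning 'No measured-boot logs: boot health cannot be attested remotely.'
}
```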

Android/Chrome

Space does not permit a detailed analysis, but suffice it to say that 98% of all mobile malware has been developed for Android. Perhaps it is because Android has its roots in Linux and ‘rooting’ or side-loading apps is a normal practice. Don’t confuse rooting an Android with a rootkit, though they have the same objective: to allow privileged administrator access to do anything.

There are a plethora of hacker’s tools and instructions and kits to gain access to even the latest Lollipop 5.x versions. Simply search for ‘rootkit Android’.

Of greater concern is the proliferation of Adware or potentially unwanted programs (PUPs). In April Symantec’s Internet Security Report stated ‘17% of all Android Apps (about 1 million) were malware in disguise.’ Then there was what Symantec calls ‘grayware or madware’ that drives advertisements to your device – many of these are permitted in Google Play store.

If you don’t have recognised antivirus/malware protection from the Google Play Store like MalwareBytes, McAfee, AVG, Norton, and Kaspersky you are crazy.

Summary

This article is about rootkits – stealthy, undetectable, and buried in firmware or the kernel. These are designed for one purpose – to gain administrator control of the device so that the attacker can do almost anything with it.

Both Apple and Microsoft are working very hard to protect your devices.

The coming release of OS X El Capitan 10.11 demonstrates Apple’s commitment to security. It will have a new security feature called System Integrity Protection (also known as "rootless") which protects certain system processes, files and folders from being modified or tampered with by other processes, even when executed by the root user. Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which the user is the de facto administrator. System Integrity Protection is enabled by default, but can be disabled.

Windows 10 is immensely more secure than previous versions having implemented secure boot.

Neither system can protect a user against stupidity – installing malware, adware or nuisanceware, using no or weak passwords, not using AV software, and generally not taking care.

The latter is best summed up by a true story.

A Mac user had a Windows 7 PC at the office and an Android smartphone. As a Mac user they had little awareness of malware and blissfully downloaded PC apps and software like VLC, TeamViewer, Newsletter of the day, Horoscope, and many more. They did the same on the Android smartphone. Both devices were acting a little strangely – getting random advertisements, slow performance, and lockups.

I installed Malwarebytes on the PC and it revealed 51 pieces of malware, including five rootkits. The safest way to clean was a full reinstall of the OS.

Malwarebytes revealed 231 pieces of malware on the Android smartphone! A full reset worked.

Moral of the story – be alert to the tricks like spear phishing, bundled software, visiting suspect web sites etc.


Ray Shaw


Ray Shaw (ray@im.com.au) has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry, and is smart enough to no longer own a retail computer store!
