Well, I was quite surprised by the amount of interest that has been shown in the POC kernelmode ircbot.

So what should come next? Should I continue to develop these kind of kernelmode applications, or is it a bad thing that these come out in the public?

I've seen feedback positive and negative, the arguments against mainly along the lines that malware will become nastier as a result of this code being published...I take an issue with this view.

Ok, so I could have kept this quiet or not have even bothered to write it...but let's get this in perspective. I am a single person in this rather large world, and probably not more than average skilled in kernel mode programming (I'm pretty good in writing usermode applications, but am purely a hobbyist kernel mode programmer).

So, if I can write this POC, you are guaranteed that the full time professional spyware writers, black hat hackers etc are more than capable of this - and I would wager this type of kernel mode application already exists in the wild.

Now, what's better? I keep quiet, and we can all pretend to be safe? (while cybercriminals use this technology in secret...). Or, I should publish every idea and POC I can think of, and share this knowledge with the security community?

I personally favour this being out in the open, as it means the anti-virus and firewall companies can research this type of threat and develop technologies to protect the end user.

This is the general argument for "full disclosure" and I think most will agree it is a policy that works.

I therefore have no moral issues with proceeding with further related research and will be 100% open with the results.

The kernel ircbot was a client network application, the next step will be to write a server network application within the kernel, and I think it will be called "KFtp".

See you next time,

Tibbar.

The world of malware and rootkits has evolved a lot over the last two years, the most significant developments have been in the sophistication of rootkits.

In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system, and allows the attacked to hide certain files and programs from the user. It usually will also provide a hidden backdoor into the system, and will hide network connections made through the backdoor from the user.

Windows rootkits have been generally mixed between "usermode" rootkits - these are ones that run as a normal application (or possibly as an injected dll) and "kernelmode" rootkits, which are actually device drivers running at the highest priviledge level (ring 0).

Now generally, the kernel mode rootkits will hide files, hide network connections and the most sophisticated ones will provide a kernel mode backdoor. This means all the functionality is held within a single driver (.sys file), and it is extremely difficult to detect whether one is installed on a machine.

However, the attacker will rarely be able to provide all the functionality they need purely in a driver, and still need to rely on usermode applications, for things like ftp servers, irc bots etc...

So I thought it would be interesting to see how hard it is, to actually provide this part of the attackers toolkit directly within the kernel mode driver.

One of the developers from rootkit.com called Valerino released a kernel mode socket library, that allows you to create sockets from a kernel mode driver, with reasonable ease. His post is here:
http://www.rootkit.com/newsread.php?newsid=416

I have used this library to create what I believe is the world's first kernel mode ircbot. It's extremely basic in its' current form and will just join a channel plus responding to its' name. But it is a framework that can be built upon and you could in theory write an extremely complex ircbot in this fashion.

Here's a screenshot of the system internals app "DebugView" that allows you to see kernel messages. I have set the ircbot to ouput text received on irc into the debug messages:

As I have very limited time for development, I thought I would share this one with the world...the source lives at:

http://tibbar.gso.googlepages.com/KIrcBot.rar

and I have set this up in Visual Studio 2003. There are two build modes: usermode and kernelmode.

I essentially wrapped up the kernel socket functions Valerino wrote, to conform with Berkley sockets to some extent, which meant that the Irc bot can be compiled as a driver, or as a usermode executable. The reason for doing this, is that it is notoriously hard to develop kernel mode applications and the test process is very slow - by allowing usermode builds, the code can be perfected in usermode, before beginning the kernel mode tests.

If you want to compile using the DDK, the batch file should be used.

Finally, if you want to support my releases, then I would be grateful if you could take some time to visit any sponsors on this page that are of interest to you.

Tibbar.