The world of malware and rootkits has evolved a lot over the last two years, the most significant developments have been in the sophistication of rootkits.
In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system, and allows the attacked to hide certain files and programs from the user. It usually will also provide a hidden backdoor into the system, and will hide network connections made through the backdoor from the user.
Windows rootkits have been generally mixed between "usermode" rootkits - these are ones that run as a normal application (or possibly as an injected dll) and "kernelmode" rootkits, which are actually device drivers running at the highest priviledge level (ring 0).
Now generally, the kernel mode rootkits will hide files, hide network connections and the most sophisticated ones will provide a kernel mode backdoor. This means all the functionality is held within a single driver (.sys file), and it is extremely difficult to detect whether one is installed on a machine.
However, the attacker will rarely be able to provide all the functionality they need purely in a driver, and still need to rely on usermode applications, for things like ftp servers, irc bots etc...
So I thought it would be interesting to see how hard it is, to actually provide this part of the attackers toolkit directly within the kernel mode driver.
One of the developers from rootkit.com called Valerino released a kernel mode socket library, that allows you to create sockets from a kernel mode driver, with reasonable ease. His post is here:
http://www.rootkit.com/newsread.php?newsid=416
I have used this library to create what I believe is the world's first kernel mode ircbot. It's extremely basic in its' current form and will just join a channel plus responding to its' name. But it is a framework that can be built upon and you could in theory write an extremely complex ircbot in this fashion.
Here's a screenshot of the system internals app "DebugView" that allows you to see kernel messages. I have set the ircbot to ouput text received on irc into the debug messages:
As I have very limited time for development, I thought I would share this one with the world...the source lives at:
http://tibbar.gso.googlepages.com/KIrcBot.rar
and I have set this up in Visual Studio 2003. There are two build modes: usermode and kernelmode.
I essentially wrapped up the kernel socket functions Valerino wrote, to conform with Berkley sockets to some extent, which meant that the Irc bot can be compiled as a driver, or as a usermode executable. The reason for doing this, is that it is notoriously hard to develop kernel mode applications and the test process is very slow - by allowing usermode builds, the code can be perfected in usermode, before beginning the kernel mode tests.
If you want to compile using the DDK, the batch file should be used.
Finally, if you want to support my releases, then I would be grateful if you could take some time to visit any sponsors on this page that are of interest to you.
Tibbar.
objfre_wxp_x86
ELIMAP
Kernel mode IRC bot …
Today again, Jan, one of my colleagues here at Lavasoft pointed me to an article. This article is based on this blog entry. Seemingly someone took the time to write a kernel-mode module that communicates via IRC. Nothing really sophisticated, given th...
http://www.listsofbests.com/list/44388
13/11/07 @ 03:42
Hi, nice topic. Thanks. Honda body kit