Rootkit
- Changing system-wide files or settings requires local administrator-level privileges
  - obtained by the user manually accepting a User Account Control (UAC) prompt
- Critical processes run with a higher level of privilege called SYSTEM
- Trojans installed or executed with local administrator privileges will show up as a running process or service
  - often the process name is typosquatted (a near-miss of a legitimate name)
- To ensure persistence, a Trojan may have to use a registry entry or create itself as a service
  - but this can be detected easily
- Malware may be able to escalate privileges to SYSTEM level after installation
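The two persistence points named above (registry Run keys and auto-start services) are exactly where a defender looks first. The following PowerShell script is an added example, not part of the original notes: it enumerates both locations and flags any autostart binary whose Authenticode signature is not valid, so a typosquatted or unsigned executable stands out. It assumes an elevated Windows PowerShell session; the cmdlets used (`Get-ItemProperty`, `Get-CimInstance`, `Get-AuthenticodeSignature`) are standard, while the helper name `Get-ExecutablePath` and the filter logic are this example's own.

```powershell
# Added example: list autostart entries (Run/RunOnce keys and Auto services)
# and report those whose binary is not validly signed. Run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    # Hypothetical helper: reduce a command line such as
    #   "C:\Path\app.exe" /arg   or   C:\Windows\system32\svchost.exe -k netsvcs
    # to just the executable path so the signature check sees the right file.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split ' ')[0]
}

$findings = @()

# 1. Registry Run / RunOnce values (user- and machine-wide)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
}

# 2. Services configured to start automatically
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
    $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
}

# 3. Check the Authenticode signature of each binary. Anything other than
#    'Valid' (NotSigned, HashMismatch, UnknownError, or a missing file) is
#    worth a closer look, especially when the name resembles a system process.
$report = foreach ($f in $findings) {
    $exe = Get-ExecutablePath $f.Command
    $status = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else {
        'FileNotFound'
    }
    [pscustomobject]@{ Source = $f.Source; Name = $f.Name; Path = $exe; Signature = $status }
}

$report | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

A valid signature is not proof of innocence (signing keys have been abused), but an unsigned autostart binary under a user-writable path, or one whose name is one character off from `svchost.exe`, is the cheap, high-signal check this section is pointing at. Compare the output against a known-good baseline of the same machine type rather than judging each entry in isolation.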
A rootkit is a class of malware that modifies system files, often at the kernel level, to conceal its presence.
- The name derives from UNIX/Linux, where any process running as the root superuser account has unrestricted access to everything from the root of the file system down
- Installing one typically involves privilege escalation
- Windows uses code signing (driver signature enforcement) to prevent misuse of kernel processes
- Rootkits can also reside in firmware
  - a firmware rootkit can survive any attempt to remove it by formatting the drive and reinstalling the OS
  - e.g., US intel agencies developed the DarkMatter and Quark Matter UEFI rootkits, which target the firmware on Apple MacBook laptops
Info
- Software processes can run in one of several protection rings
  - Ring 0 is the most privileged (it provides direct access to hardware), so it should be reserved for kernel processes only
  - Ring 1 and Ring 2 run drivers and I/O processes
  - Ring 3 is where user-mode processes run
- This architecture can also be complicated by the use of virtualization (the hypervisor sits beneath the guest OS's Ring 0)