The Register By Kevin Poulsen, SecurityFocus Online- Windows Root kits a stealthy threat.
Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning, say SecurityFocus' Kevin Poulsen.
[ … ]
Mertens didn't know it at the time, but the university network had been compromised, and the mysterious crashes were actually a lucky break — they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system. Now dubbed “Slanret”, “IERK,” and “Backdoor-ALI” by anti-virus vendors, experts say the tool is a rare example of a Windows “root kit” – an assembly of programs that subverts the Windows operating system at the lowest levels, and, once in place, cannot be detected by conventional means.
Also known as “kernel mode Trojans,” root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system. Conventional backdoors like SubSeven and BO2K operate in “user mode”, which is to say, they play at the same level as any other application running on the compromised machine. That means that other applications – like anti-virus scanners – can easily discern evidence of the backdoor's existence in the Window's registry or deep among the computer's files.
In contrast, a root kit hooks itself into the operating system's Application Program Interface (API), where it intercepts the system calls that other programs use to perform basic functions, like accessing files on the computer's hard drive. The root kit is the man-in-the-middle, squatting between the operating system and the programs that rely on it, deciding what those programs can see and do.
It uses that position to hide itself. If an application tries to list the contents of a directory containing one of the root kit's files, the malware will censor the filename from the list. It'll do the same thing with the system registry and the process list. It will also hide anything else the hacker controlling it wants hidden – MP3s, password lists, a DivX of the last Star Trek movie. As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked. [Privacy Digest]