Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

rfredell — Wed, 23 Feb 2005 03:34:00 GMT

you ask "What would you call a bot that installed a backdoor server that was stealthed by a rootkit?". if you change that slightly to "What would you call a bot that installed a backdoor server that is stealthy?". given that most likely a privilege escalation occurred when the bot was installed, id call it a rootkit.

it seems silly to redefine the term rootkit exclusively for windows machines. by your definition it should more accurately be called a stealthkit, as its purpose is to hide some sort of malware.

even better, as you said, is to avoid calling malware by an aggregated name and discuss its attributes. a bot with a backdoor that's stealthy is exactly that. a bot with a backdoor that's stealthy.

Botdoorkit

Martin's WebLog — Wed, 23 Feb 2005 11:12:00 GMT

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

keydet89 — Wed, 23 Feb 2005 13:49:00 GMT

"What would you call a bot that installed a backdoor server that was stealthed by a rootkit?".

I think you've already answered the question. The initial code is a bot...the bot is used to install a backdoor server, that has rootkit code accompanying it.

"it seems silly to redefine the term rootkit exclusively for windows machines."

Again, Robert's issue of semantics, or as I refer to it, specificity of language, arises. I don't see him redefining anything. His backdoor can have rootkit code as part of it's core, or accompanying it.

Here's an example...the russiantopz IRC bot consisted of mIRC32.exe and hidewndw.exe. So it's a bot, right? Right. Did hidewndw.exe make it stealthy? Perhaps to some...it simply makes the main window (in this case, of mIRC32.exe) invisible on the desktop...it's simply a property of the windows itself. Now, the original admin couldn't find it...b/c it was named something else.

So...rootkit? Nope. Bot? Yes. Could a bot be a backdoor? Perhaps...unless you define a backdoor explicitly as something that waits for a connection, while a bot connects to an already-established communications channel.

I like your idea of aggregated names, where it applies. A stealthy bot is exactly that...a stealthy bot.

Now, how do we overcome the need of the average admin to speculate rather than collect data and make decisions based on facts?

Advanced hiding techniques and Incident Response Team

Sergey Simakov blog — Thu, 24 Feb 2005 10:25:00 GMT

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Josh Koppang — Fri, 25 Feb 2005 19:01:00 GMT

I agree with you. More and more of my clients are asking me what a rootkit is and how to protect themselves from them. I wish that it was as easy as "Just goto Microsoft.com and download the anti-rootkit beta."

Rootkits - Invasion of the Windows Snatchers

Adam's Mindspace — Fri, 25 Feb 2005 21:14:00 GMT

Rootkit Detectors

Daniele Muscetta's WebLog — Fri, 25 Feb 2005 23:09:00 GMT

Rootkits - Invasion of the Windows Snatchers

Adam's Mindspace — Fri, 25 Feb 2005 23:51:00 GMT

Some more interesting finds this week

Jason Haley — Sat, 26 Feb 2005 20:19:00 GMT

Some more interesting finds this week

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

URSA CRISTIAN MIRCEA — Tue, 01 Mar 2005 19:58:00 GMT

-HELLO WHY IS THIS ISTERICAL INCIDENT,S IN ROMANIA AFTER RSA OPEN WAWE ENTERED IN FUNCTION?
-ROMANIA STATE HAVE DIRECT AT ME TO PAY IN CASH
NEXT AMMOUNTH:65MILION,S POUND,S
-169 MILIONS USD
-810 MILIES MILIARD EURO

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Zerothz — Sat, 05 Mar 2005 15:25:00 GMT

That last post scares me.
So you say, "sophisticated crime rings" use rootkits and spam. Who are these mobsters? I think what you really mean is "fat, lonely nerds who send unsolicited junk email because they are afraid of the social requirements of a job at the local Borders." ...or maybe I'm just naive? Is it really fair to label these idiots "crime rings," and doesn't it take something away from actual crime rings?

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

rich — Sun, 06 Mar 2005 03:10:00 GMT

<And finally - I predict that 2005 will be the year the Windows 'rootkit' finally goes 'mainstream' . . .>

Ho hum... borrring... just install DeepFreeze and forget about it

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Robert Hensing — Mon, 07 Mar 2005 17:54:00 GMT

Sorry, but you are naieve; spam and spyware are billion dollar per year businesses. You can probably spend some time researching on any news site for the word 'spam' and 'billion' and you'll get some industry pundits guestimating the estimated size / market for spam.

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Robert Hensing — Mon, 07 Mar 2005 17:55:00 GMT

Deepfreeze? Do share . . .

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Aaron Margosis — Mon, 07 Mar 2005 23:42:00 GMT

You seem to suggest that the primary stealthing method on Unix has been through replacement of system binaries, rather than through the adding of new "functionality" through kernel-level drivers as we typically see on Windows. Isn't it true that equivalent implementations have been developed for Unix? .... which would presumably be easy to port to all variants (Solaris, Linux, Mac OS X...)

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Robert Hensing — Mon, 07 Mar 2005 23:45:00 GMT

I am pretty sure the most common / easiest method used to subvert the Unix operating systems is good ole' binary replacement. I see / hear of it all the time - in fact just as recently today new attacks from the .RO domain against SSH servers was being discussed on an incident response list I'm a member of and the method of choice used by the rootkit for providing stealth was the trojaning of the system binaries.

That said - more advanced techniques certainly do exist for that platform (as I mention in the blog). I'm definitely not qualified to talk about the relative prevalance of one technique or the other in the wild but I would venture a guess that the trojaning of the system binaries may be more common - based on how often its talked about in IR circles by IR folks for that platform. :) I may be completely wrong. ;)

re: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

rich — Tue, 08 Mar 2005 02:23:00 GMT

< 3/7/2005 9:55 AM Robert Hensing Deepfreeze? Do share . . .>

http://www.faronics.com/html/product.asp

Once DeepFreeze is enabled, nothing written to the frozen partition(s) will survive a reboot.

-rich