Subversion… something nasty lurks

Subversion is defined by our friends in Princeton U’s English department as follows:

1. destroying someone's (or some group's) honesty or loyalty; undermining moral integrity; "corruption of a minor"; "the big city's subversion of rural innocence" [syn: corruption]

2. the act of subverting; as overthrowing or destroying a legally constituted government


I use the term most days, but it means something rather more specific in the jargon of the security researcher. An application or operating system is subverted when its functionality has been changed in a way that it (and possibly other software) is not meant to be able to detect.


There are sensible, legal and valid cases where software can be subverted. A screen reader for visually impaired users might want to hook into the system in weird and wonderful ways if the MSAA interface doesn’t do all that is needed. A parent or employer might reasonably want to monitor some aspect of a system that they own. In both cases, it is reasonable that the developer of the additional code would not want the application to change its behavior. In the case of a screen reader, it won’t hide from the process list, as it is perfectly OK, even desirable, for the user to be able to detect that the process is running. An employer might not want its staff to know that they are monitored, and whether that is legal depends on where you are. I suspect that it would fall foul of the German privacy laws but would be fine in some countries – although it might be necessary to warn staff that there is monitoring software in place.


Of course, malware is pretty much universally illegal. Some malware doesn’t attempt to hide at all, although that is a minority. I came across some the other day that used the rather basic approach of calling itself notepad.exe and using the notepad icon. Needless to say, that didn’t divert us for long. I have seen svehost.exe processes and scvhost.exe processes and services with all manner of names and false descriptions. One of the oddest claimed to be a service pack for Sid Meier’s Colonization (watch the hit count soar), which was running as a service. Yeah, that makes sense, nothing suspicious there at all. These are normally quite simple beasts that we can combat quite easily.


Malware that hides is a bit more interesting. It normally does this by attacking the operating system itself. You know that malware hooks into components and changes behavior. Imagine what would happen if FindFirstFile or EnumProcesses were altered. I don’t have to imagine, because we routinely see rootkits that do exactly this. You can think of a rootkit as an SDK for malware writers. It is designed to hide something from the system, and the developer normally has some degree of control over what is hidden. What they normally hide is the payload, and that can vary immensely. There are many more payloads than rootkits, and we see the same rootkits over and over. Some people class rootkits as application, library or kernel, but things are not that pure in the malware world. We generally just think of them as kernel or user mode.


User mode rootkits will often be fairly crude in their attacks – for example, they will typically disable antivirus solutions and leave the malware to rely on being in hidden files or odd directories. There isn’t that much that you can do in user mode and, to be frank, the developers of user mode rootkits are not the best of the blackhats.


There is a very simple rule for rootkits, and it is of use both to those that write them and to those that hunt for them: he who hooks lowest wins. What that means is that the lower the level at which the rootkit hooks, the harder it is to detect. A user mode rootkit detector will struggle to detect that the operating system below it is no longer telling the truth. A kernel mode detector will be quite immune to some user mode subversion. The serious rootkits are all kernel mode now, and some of them are tricky customers indeed.


On the plus side, there are some very good rootkit detectors out there now, and since there are few rootkits and many payloads, running one can be a very quick way of detecting whether there is malware on a system, even if the payload is a variant that we have never seen before.
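The two points above (a hooked EnumProcesses lies about what is running, and a detector only wins if it reads from below the hook) are what a cross-view rootkit detector exploits: it asks the same question through a high-level API and through a lower-level path and reports anything the high-level answer leaves out. The following portable C program is an added illustration, not code from the original post or from any real detector. Its process table, the `scvhost.exe` payload, the `hooked_enum` and `raw_enum` functions and the hide list are all constructed stand-ins for a real kernel object list, a subverted user-mode API and an unhooked kernel-level enumeration.

```c
/* Cross-view rootkit detection, simulated in portable C.
 * Added example; everything below is constructed sample data.
 * - kernel_table stands in for the real process list.
 * - hooked_enum stands in for a user-mode-hooked EnumProcesses that filters
 *   the rootkit's payload out of its results.
 * - raw_enum stands in for a lower-level (kernel) view that the hook cannot
 *   touch.  Comparing the two views exposes what is hidden. */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 16

struct proc { unsigned pid; const char *name; };

/* Constructed "truth": what actually runs, as the kernel sees it. */
static const struct proc kernel_table[] = {
    {    4, "System" },
    {  612, "svchost.exe" },
    {  988, "explorer.exe" },
    { 1500, "scvhost.exe" },   /* constructed payload, name mimics svchost */
    { 2044, "notepad.exe" },
};
static const size_t kernel_count = sizeof kernel_table / sizeof kernel_table[0];

/* Lower-level view: unhooked, returns every PID. */
size_t raw_enum(unsigned *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < kernel_count && n < cap; i++)
        out[n++] = kernel_table[i].pid;
    return n;
}

/* Subverted high-level view: the hook drops entries on its hide list. */
static const char *hide_list[] = { "scvhost.exe" };

static int is_hidden(const char *name) {
    for (size_t i = 0; i < sizeof hide_list / sizeof hide_list[0]; i++)
        if (strcmp(name, hide_list[i]) == 0) return 1;
    return 0;
}

size_t hooked_enum(unsigned *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < kernel_count && n < cap; i++)
        if (!is_hidden(kernel_table[i].name))
            out[n++] = kernel_table[i].pid;
    return n;
}

/* Cross-view diff: PIDs present in the low view but absent from the high
 * view are the ones somebody is hiding.  Writes them to `hidden` and
 * returns how many were found. */
size_t cross_view_diff(size_t (*high)(unsigned *, size_t),
                       size_t (*low)(unsigned *, size_t),
                       unsigned *hidden, size_t cap) {
    unsigned hv[MAX_PROCS], lv[MAX_PROCS];
    size_t hn = high(hv, MAX_PROCS), ln = low(lv, MAX_PROCS), found = 0;
    for (size_t i = 0; i < ln; i++) {
        int seen = 0;
        for (size_t j = 0; j < hn; j++)
            if (lv[i] == hv[j]) { seen = 1; break; }
        if (!seen && found < cap) hidden[found++] = lv[i];
    }
    return found;
}

/* A detector that lives above the hook can only compare the hooked API
 * with itself: both views are the same lie, so it finds nothing. */
size_t hidden_count_same_level(void) {
    unsigned h[MAX_PROCS];
    return cross_view_diff(hooked_enum, hooked_enum, h, MAX_PROCS);
}

/* A detector reading from below the hook sees the discrepancy. */
size_t hidden_count_from_below(void) {
    unsigned h[MAX_PROCS];
    return cross_view_diff(hooked_enum, raw_enum, h, MAX_PROCS);
}

unsigned first_hidden_pid_from_below(void) {
    unsigned h[MAX_PROCS];
    size_t n = cross_view_diff(hooked_enum, raw_enum, h, MAX_PROCS);
    return n ? h[0] : 0;
}

int main(void) {
    printf("detector at hook level: %zu hidden process(es)\n",
           hidden_count_same_level());
    printf("detector below hook:    %zu hidden process(es), first pid %u\n",
           hidden_count_from_below(), first_hidden_pid_from_below());
    return 0;
}
```

The same-level comparison coming back empty is the point of "he who hooks lowest wins": a detector is only as honest as the lowest layer it reads from. Real detectors apply the idea to more than processes (files, registry keys, loaded modules, and disk structures read raw rather than through the file system), but the comparison is the same.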


The fight between the blackhats and whitehats goes on, and we dive deeper and deeper into the OS, each side trying to get below the other. There are some clever people out there, and the battle is not won either way as yet… but I would not be surprised if future designs of PCs had to have more security features built in. You can’t get below the hardware. Well, not unless you virtualize the hardware, that is.


Oh, and I notice that I have hardly mentioned the platform in this post, and that is because rootkits come in a variety of flavors. Some are for Windows, some are for Linux and some are for BSD, which is appropriate in a way: the first ones were found on Unix.


Until next time