Persistence Flashcards

1
Q

Rootkits

A
  • Rootkits are a form of malware designed to allow an attacker back into a system at a later date, while hiding their presence.
  • There are generally two types of rootkits: ‘usermode’ and ‘kernelmode’.
2
Q

Usermode Rootkit

A

A ‘usermode’ rootkit will typically try to hide its presence on a system by replacing system binaries with custom versions which report all the right information except for information that would compromise the rootkit’s presence.

  • For example, the ‘netstat’ binary could be swapped with a version that shows all connections except for the one held open by the rootkit.
3
Q

Kernelmode Rootkit

A
  • A ‘kernelmode’ rootkit lives in the kernel and can change the results of kernel calls.
  • A rootkit that lives in the kernel doesn’t have to replace the ‘netstat’ binary with a new version. Instead, when the ‘netstat’ program runs and it asks the kernel for a list of open ports, the kernel will respond with all the open ports except for the one that the rootkit is using.
  • This means every program that lists open ports, not just ‘netstat’, receives the same falsified answer from the kernel.
4
Q

Bootkits

A
  • If malware can run at a high enough privilege level, it can write directly to the disk without having to use the file system as an intermediary.
  • If it can write malicious code to the master boot record, it can be incredibly difficult to remove.
  • Some bootkits can even survive after the disk has been wiped and re-partitioned by persisting in the firmware of the hard disk itself.
  • At that point, the only way to remove the bootkit would be to both erase the drive and re-flash the hard disk with its original firmware.