A large part of this project is to document with code the various methods employed by modern rootkits. Using Systemtap and loadable kernel modules I will develop common rootkit functionality. Hopefully I can gain a much deeper understanding of the Linux operating system in the process, and of how rootkits leverage it. The goal is to have a tool at the end of the development process that could be used by amateur or professional security enthusiasts. I would also hope to investigate many interesting ideas and techniques along the way.

Although normally associated with malicious intent, and rightfully so, there are some legitimate uses of rootkits. They can be and are used by law-enforcement agencies to collect evidence. This of course only applies to suitable cases where the crime is technologically based. A few examples of such cases are mass fraud, network/system trespassing, distribution of under-age pornography, software/media piracy and other associated copyright violations.

Also, in more recent times, malicious rootkit-type software has been and is being used in military applications, as military forces of course rely heavily on technology. Spying and security intelligence is a massive industry and an area that could and does benefit from this "stealthy" software.

Regrettably, most rootkits are used maliciously, having their attributes leveraged for profit by "Black-Hat" individuals. They are commonly part of, and associated with, illegal botnets or malware. I believe understanding how rootkits are created and how they operate will greatly benefit me, as I intend to pursue work in the information security field. I would hope the fundamentals of this project could be used by anyone hoping to gain insight into rootkits.

Another very important element of this project is to examine how rootkits avoid detection, and to see whether these techniques could be improved or how they can be thwarted. By probing the operating system internals with Systemtap I hope to collect reliable data and draw some interesting conclusions.

Some of the components and functionality I hope to investigate and develop:

  • Installation of a rootkit

  • Accessing the System call table

  • Modifying System calls

  • Hiding the rootkit module

  • Implementing a Keylogger

  • Network traffic sniffing

  • Data exfiltration

  • Remote Hidden Access

  • Affecting User space functions

  • Detection / Mitigation

- Ciaran McNally
