A European student has just developed a Proof of Concept for what the developer believes is the world’s first kernel mode IRCbot.
The creator, Tibbar ("Rabbit" spelled backwards), says the difference between this innovation and standard Windows rootkits lies in its crossover ability. Most Windows-based rootkits hide in device drivers, then depend on outside, usermode applications to get anything done.
This creates several challenges for rootkitters:
- The abilities of requested apps are limited to the security rights granted to the User.
- The apps needed by the rootkit may not be present or accessible on the victim’s system.
- Usermode operations are easier to detect than kernelmode ones.
That’s why Tibbar thinks IRCbot is a huge leap forward. It carries its IRC app onboard, inside the kernel driver. So it doesn’t need any outside help to get the job done.
This means that future generations of rootkits… if that’s what we’ll call these… will be even stealthier than the current crop. Oh joy.
To pull this off, Tibbar drew from a Kernel mode sockets library by Valerino, who described his effort at rootkit.com as:
A fully functional TDI sockets library. You can connect, send, receive, all from your supa-dupa-l333t kernelmode rootkit. Yes, you can bypass lame TDI firewalls with this. No, you can't bypass NDIS firewalls. (read: you can bypass Norton's firewall).
While the IRCbot does no damage by itself, Tibbar helpfully set the project up in Visual Studio 2003, so it can be easily extended. In addition, bot builders can compile the beast as either a kernelmode driver or a usermode executable.
In case you were wondering, Tibbar says it’s easier to build and debug your usermode IRCbot, before creating the device driver.
Email Battles Backgrounder:

4 comments
April 7th, 2006 at 8:07 am
Eligah Underwood (Rife)
Very interesting - it'll be even more interesting to see a functional animal once in the wild!
Only downside I can see is that now my rootkit books are out of date!
[BTW - is the question Base10?]
April 9th, 2006 at 7:26 am
weedougie
Having read what it is supposed to do it appears to me to breach the European Human Rights Act in so much as it violates the right of privacy in your home and family life. If this becomes commercial who will be the first to take whoever to court?
April 10th, 2006 at 6:54 am
myrdd1n
@weedougie
That is why something like this will never become a commercial product.
The source will leak, and people who actually have a clue will start compiling and distributing to unsuspecting users' computers.
I foresee an entire new breed of botnets. This new IRCBot gets major brownie points because it will most likely be undetectable by most of today’s Anti Virus software.
September 6th, 2006 at 4:09 pm
Anubis
You know what's funny is it sounds like you guys that commented above me have no clue of what you are talking about. First off, this will be no worse than any other rootkit out there. Now if he devised some new rootkit technology, like a new way to hook ntoskrnl.exe's services, then yeah, I'd be impressed. Tibbar, he's a good developer, but this whole Kernel-Mode IRCBot is not a new concept. I wrote a Kernel-Mode driver that exploited a remote Windows system service to download the driver to the remote machine and run it. If I had released this into the wild there would be much more damage (possibly) than your normal virus or worm. Rootkits (kernel drivers) have a much higher level of privileges, and my driver would do *anything* I wanted it to. It would not be restrained to the currently running user context.