The term “rootkit” was originally used to refer to toolkits used by root privileged users. This definition has evolved over time. Nowadays, the term rootkit refers to backdoor programs that run with elevated privileges and that are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.
These days most rootkits are installed through exploitation of web browser vulnerabilities or from the infection of viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown vulnerabilities (zero-day) are placed on web sites and used to hack browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released. In other cases, popular websites and public forums are hacked. Their content is then modified to include exploits that install rootkits on to user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, Baofeng ActiveX vulnerability, RealPlayer ActiveX vulnerability and so on. In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user’s machine has been compromised by a rootkit, it will send messages containing links to malicious websites to all of the friends of the affected QQ user. If these users click the links, they too will be targeted. This method of propagation is widespread and difficult to defend against. Another technique used to spread rootkits includes the addition of malicious programs to pirated software like Windows, Photoshop, Office, etc. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.
Stay tuned for Part 2…..