The rootkit driver must be loaded upon system boot. If you think about this problem generally, you will realize that many different software components get loaded when the system boots. As long as a rootkit is connected with one of the boot-time events listed in Table 2-2, it will also load.
Table 2-2. Some ways to load a rootkit at system-boot time.
Using the run key ("old reliable") | The run key (and its derivates) can be used to load any arbitrary program at boot time. This program can decompress the rootkit and load it. The rootkit can hide the run-key value once loaded so that it remains undetected. All virus scanners check this key, so it's a high-risk method. However, once the rootkit has been loaded, the value can be hidden. |
Using a Trojan or infected file | Any .sys file or executable that is to be loaded at boot time can be replaced, or the loader code can be inserted similarly to the way a virus can infect a file. Ironically, one of the best things to infect is a virus-scanning or security product. A security product will typically start when the system is booted. A trojan DLL can be inserted into the search path, or an existing DLL can simply be replaced or "infected." |
Using .ini files | .ini files can be altered to cause programs to be run. Many programs have initialization files that can run commands on startup or specify DLLs to load. One such file that can be used in this way is called win.ini. |
Registering as a driver | The rootkit can register itself as a driver which is loaded on boot. This requires creating a registry key. Again, the key can be hidden once the rootkit has loaded. |
Registering as an add-on to an existing application | A favorite method used by spyware is to add an extension to a Web-browsing application (for example, in the guise of a search bar). The extension is loaded when the application loads. This method requires that the application is launched, but if that's likely to occur before the rootkit must be activated, it can be effective for loading the rootkit. A downside to this approach is that many free adware scanners are available, and these may detect the application extension. |
Modifying the on-disk kernel | The kernel can be directly modified and saved to disk. A few changes must be made to the boot loader so that the kernel will pass a checksum integrity check. This can be very effective, since the kernel will be permanently modified, and no drivers will need to be registered. |
Modifying the boot loader | The boot loader can be modified to apply patches to the kernel before it loads. An advantage is that the kernel file itself will not appear modified if the system is analyzed offline. However, a boot-loader modification can be detected with the right tools. |
There are many ways to load at boot time; the list in Table 2-2 is by no means complete. With a little creativity and some time, you should be able to discover additional ways to load.
