Remote Command, Control, and Exfiltration of Data


As you know, a rootkit is installed to gain remote access to a computer. This serves two primary purposes: to control computer software operation, and to copy data from the system. Examples of such command and control include shutting a computer down, enabling or disabling features, and manipulating the kernel. Taking data from a system is typically called exfiltration, or exfil for short. Exfiltration may take such arcane forms as data transmitted over electromagnetic emissions, extra data inserted into network protocols, and information encoded in time delays.

Where remote access is required, the rootkit must be able to communicate over a network. For a TCP/IP network, this could mean via a TCP connection. Once a connection has been established, commands can be issued and data can be exfiltrated.

In the hacker underground, a typical generic solution to the problem of exfil is the remote shell. A remote shell is simply a TCP session connected to the native command interpreter on the system. The command interpreter is supplied with the operating system. On an MS-Windows machine, this would be cmd.exe, and on a UNIX system it may be /bin/sh or /bin/bash.

These command interpreters are actually software programs themselves. Since the command interpreters are already installed on the system before the hacker arrives, the attack program just connects the command interpreter to a network port. In other words, the hacker borrows the existing program when she attacks.
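Because a remote shell is nothing more than the system's own cmd.exe or /bin/sh wired to a TCP socket, a defender cannot look for a malicious binary; the thing to look for is an interpreter whose standard input and output are a socket, or which holds a network connection at all. The following is an added example from the detection side, not code from the book: it runs that check over constructed process records whose field names (image, parent_image, fds, connections) are this example's own convention, standing in for endpoint telemetry such as Sysmon process-create and network-connect events on Windows or auditd/eBPF data on Linux. The list of expected shell parents is an assumption to be tuned per site.

```python
"""
Behavioural detector for the "remote shell" pattern: a native command
interpreter (cmd.exe, /bin/sh, /bin/bash, ...) whose standard I/O is a
network socket, or which holds a network connection it has no reason to have.
Added example, not the book's code. Process records are constructed to look
like endpoint telemetry; the field names are this example's own convention.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Interpreters named in the text plus common Windows/Unix equivalents.
INTERPRETERS = {"cmd.exe", "powershell.exe", "sh", "bash", "dash", "zsh"}

# Parents that normally spawn an interactive shell for a logged-in user.
# Assumption for this example; a real deployment tunes this per environment.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "conhost.exe", "sshd", "login",
                          "gnome-terminal", "tmux"}


@dataclass
class Process:
    pid: int
    image: str                      # executable basename
    parent_image: str               # basename of the parent process
    # fd/handle table: descriptor number -> kind ("tty", "file", "pipe", "socket")
    fds: Dict[int, str] = field(default_factory=dict)
    # remote peers ("ip:port") of established TCP connections owned by the process
    connections: List[str] = field(default_factory=list)


def is_interpreter(image: str) -> bool:
    return image.lower() in INTERPRETERS


def stdio_on_socket(p: Process) -> bool:
    """True when stdin, stdout or stderr (fd 0, 1, 2) is a socket.
    That is exactly what a shell connected to a network port looks like:
    it reads commands from, and writes results to, the network."""
    return any(p.fds.get(n) == "socket" for n in (0, 1, 2))


def find_remote_shells(processes: List[Process]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every interpreter that looks network-attached
    or was started by a parent that does not normally launch shells."""
    findings: List[Tuple[int, str]] = []
    for p in processes:
        if not is_interpreter(p.image):
            continue
        if stdio_on_socket(p):
            findings.append((p.pid, "shell stdio bound to a socket"))
        elif p.connections:
            peers = ", ".join(p.connections)
            findings.append((p.pid, f"shell holds network connection(s): {peers}"))
        elif p.parent_image.lower() not in EXPECTED_SHELL_PARENTS:
            findings.append((p.pid, f"shell spawned by unexpected parent {p.parent_image}"))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_PROCESSES = [
    # Ordinary interactive shells: terminal on stdio, no sockets.
    Process(101, "bash", "sshd", fds={0: "tty", 1: "tty", 2: "tty"}),
    Process(102, "cmd.exe", "explorer.exe", fds={0: "tty", 1: "tty", 2: "tty"}),
    # Non-interpreter with a connection: outside this detector's scope.
    Process(103, "chrome.exe", "explorer.exe", fds={3: "socket"},
            connections=["203.0.113.5:443"]),
    # /bin/sh reading and writing a socket directly.
    Process(104, "sh", "cron", fds={0: "socket", 1: "socket", 2: "socket"}),
    # cmd.exe under a service process holding an outbound connection.
    Process(105, "cmd.exe", "svchost.exe", fds={0: "pipe", 1: "pipe", 2: "pipe"},
            connections=["198.51.100.7:8080"]),
    # Interpreter under a web server with no socket: flagged on lineage alone.
    Process(106, "sh", "httpd", fds={0: "pipe", 1: "pipe", 2: "pipe"}),
]

if __name__ == "__main__":
    for pid, reason in find_remote_shells(SAMPLE_PROCESSES):
        print(f"pid {pid}: {reason}")
```

The three rules are ordered from strongest to weakest evidence: a socket on fd 0/1/2 is the remote-shell pattern itself, a connection owned by an interpreter is almost as telling, and an unusual parent is only a lead. Running the sample flags pids 104, 105 and 106 and leaves the two interactive shells alone.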

For the most part, hackers are just lazy; they don't want to write their own shell programs. There are, however, cases where hackers have created complex remote-control software. Back Orifice 2000[1] is one example of a full remote-control system, with file access, screen capture, and even audio bugging.

[1] "Back Orifice" is a play on "BackOffice," the name of a product offered by Microsoft.

Large, full-featured back-door programs have a few drawbacks. First, they are overkill for most needs. Second, every virus scanner on the planet will detect them. Third, and perhaps most importantly, they are written by people you don't know.

When engaging in an activity as sensitive as remote penetration, you should be concerned about risk of exposure before anything else. Two concepts that are key to avoiding exposure are minimal footprint and unique structure.

  • Minimal footprint: The tools used for remote penetration should affect as little as possible on the remote system. (This is a good reason to design a rootkit that never uses the file system.) This minimizes the chance of detection. Also, fewer lines of code means less complex code, and less complex code means less chance of failure.

  • Unique structure: The tools used for remote penetration should have structures and methods that are unique. Virus-detection solutions are always looking for the known. In virus-detection development, a publicly known virus is analyzed for general patterns, and these patterns are then applied to finding unknown viruses. If you attempt to download a rootkit from www.rootkit.com, for example, your virus scanner will likely quarantine the file. If your tools do not contain patterns found in known infections, they will slip by undetected.

Rootkits: Subverting the Windows Kernel
ISBN: 0321294319
Year: 2006
Pages: 111