Intended Installation Software

My installation software preference for intended installation onto Microsoft Windows operating systems is InstallShield. The setup.exe and productName.msi files generated by InstallShield can be used by every major software management system to distribute software to every computer in the largest of networks, or an individual user can simply double-click the file to install a single copy.

Unfortunately, InstallShield is not free. If you are looking for a no-cost solution, you can write an application that copies the required files and creates the required registry entries. Ultimately, however, a professional rootkit will require professional installation techniques. Keep in mind that the price of the installation software will only go up, whereas your need for it will remain constant.

Another subcategory of intended installation is “intended by the company” but “not wanted by any user.” This is where the need for a professional installation meets the need to be stealthy. I have found that an InstallShield installation, installed by an SMS system, using “quiet” and “force restart” (msiexec) parameters, is the best approach. There is a slight need to obfuscate the name of the installation program, as this name will appear in the Add and Remove Programs applet, but something like “Microsoft Event Manager” or “OLE Service Controller” will virtually guarantee that users won’t remove the software just to see what happens.



End User License Agreements (EULAs)

There is a category between intended and unintended installation: the “unintended but authorized” category. This was the “infamous” rootkit installation technique chosen by Sony when they released the “Van Zant” CD. By providing necessary software that requires acceptance of a license agreement that in turn authorizes the insertion of a rootkit, many legal loopholes can be circumvented. Unfortunately, as with Sony, this can become a very embarrassing public relations problem and damage the reputation of an otherwise reputable company. As such, this installation technique is not recommended.



Unintended Installation

Under normal circumstances, the end user operating a specific computer will not want to go out of his or her way to install a rootkit, and system administrators will not want to go out of their way to promulgate its use. This leaves the rootkit developer with a set-and-forget environment that should not interfere with normal user operations. Unfortunately, this approach must target the 5 percent of computer users with the wherewithal to circumvent simple rootkits. Installing a rootkit in this environment can be difficult, but there are many options.

Pushing rootkits from a domain administrator account is perhaps the easiest form of unintended installation. Files can be transferred and the registry can be updated without the knowledge of the recipient. This can be automated with a short program and compressed with a zip utility to reduce the strain on larger networks. The steps involved in this type of installation include the following:

  • Get the hostname, username, password and install path from input (default = local machine, current user, current directory).

  • If not local, connect using WNetAddConnection2.

  • Copy files to install path.

  • If not local, open remote registry using RegConnectRegistry.

  • Update the remote registry.

  • If not local, close the remote registry using RegCloseKey.

  • If possible, force a reboot after a slight timeout.

  • If connected, disconnect using WNetCancelConnection2.
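Each step of the push sequence above leaves a trace on the target host that a defender can correlate: the WNetAddConnection2 connection is a network logon (Security event 4624, logon type 3), the file copy is a write into an administrative share and the RegConnectRegistry call opens the winreg pipe on IPC$ (both Security event 5145, which needs the Detailed File Share audit subcategory enabled), and the forced reboot is a System event 1074. The following Python function is an added example, not code from the book; it flags a source address that performs all three within a short window and notes a reboot in the same window. The event records are constructed and simplified, and the host name, user names and file names in them are made up.

```python
from datetime import datetime, timedelta

# Constructed, simplified event records: (timestamp, event_id, fields).
# Field names follow the Windows event schema; the values are invented.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 5, 9, 0, 0), 4624,
     {"LogonType": "3", "TargetUserName": "deploy-admin", "IpAddress": "10.0.0.5"}),
    (datetime(2024, 1, 5, 9, 0, 2), 5145,                      # file copied to ADMIN$
     {"IpAddress": "10.0.0.5", "ShareName": r"\\*\ADMIN$",
      "RelativeTargetName": "drivers\\olesvc.sys", "AccessMask": "0x2"}),
    (datetime(2024, 1, 5, 9, 0, 3), 5145,                      # remote registry pipe
     {"IpAddress": "10.0.0.5", "ShareName": r"\\*\IPC$",
      "RelativeTargetName": "winreg", "AccessMask": "0x12019f"}),
    (datetime(2024, 1, 5, 9, 0, 40), 1074,                     # forced restart
     {"Process": r"C:\Windows\system32\shutdown.exe", "User": "DOMAIN\\deploy-admin"}),
    (datetime(2024, 1, 5, 10, 0, 0), 4624,                     # benign read-only access
     {"LogonType": "3", "TargetUserName": "backup", "IpAddress": "10.0.0.9"}),
    (datetime(2024, 1, 5, 10, 0, 1), 5145,
     {"IpAddress": "10.0.0.9", "ShareName": r"\\*\C$",
      "RelativeTargetName": "Users\\x\\report.txt", "AccessMask": "0x1"}),
]

ADMIN_SHARES = ("ADMIN$", "C$")
WRITE_BITS = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA in the 5145 AccessMask


def find_remote_push(events, window=timedelta(minutes=5)):
    """Return one finding per network logon whose source, within `window`,
    wrote into an admin share and opened the winreg pipe; records a reboot too."""
    findings = []
    logons = [(ts, f["IpAddress"]) for ts, eid, f in events
              if eid == 4624 and f.get("LogonType") == "3"]
    for start, ip in logons:
        in_win = [(ts, eid, f) for ts, eid, f in events
                  if start <= ts <= start + window]
        copied = [f["RelativeTargetName"] for _, eid, f in in_win
                  if eid == 5145 and f.get("IpAddress") == ip
                  and f["ShareName"].rsplit("\\", 1)[-1] in ADMIN_SHARES
                  and int(f["AccessMask"], 16) & WRITE_BITS]
        remote_reg = any(eid == 5145 and f.get("IpAddress") == ip
                         and f["ShareName"].endswith("IPC$")
                         and f["RelativeTargetName"].lower() == "winreg"
                         for _, eid, f in in_win)
        reboot = any(eid == 1074 for _, eid, _f in in_win)   # 1074 carries no source IP
        if copied and remote_reg:
            findings.append({"source": ip, "logon": start, "files": copied,
                             "remote_registry": True, "reboot": reboot})
    return findings
```

The 10.0.0.9 session is not flagged because it only read from C$ and never touched winreg; tune the window and share list to your environment, and expect legitimate software-distribution servers to match, so allow-list them by source address.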