Intended Installation Software
My installation software preference for intended installation onto Microsoft Windows operating systems is
files generated by
can be used by every major software management system to distribute software to every computer in the largest of networks, or an individual
can simply double-click the file to install a single copy.
is not free. If you are looking for a no-cost solution, you can write an application that copies the required files and creates the required registry entries. Ultimately, however, a professional rootkit will require professional installation techniques. Keep in mind that the price of the installation software will only go up, whereas your need for it will
of intended installation is “intended by the company” but “not wanted by any user.” This is where the need for a professional installation meets the need to be stealthy. I have found that an InstallShield installation, installed by an SMS system, using “quiet” and “force restart” (
) parameters, is the best approach. There is a
need to obfuscate the name of the installation program, as this name will appear in the Add and Remove Programs applet, but something like “Microsoft Event Manager” or “OLE Service Controller” will virtually guarantee that users won’t remove the software just to see what happens.
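The disguised names described above leave a trace that a defender can audit: every entry that appears in the Add and Remove Programs applet comes from a subkey under the Uninstall branch of the registry, and an entry whose display name borrows Microsoft branding while its Publisher value is empty or belongs to someone else is worth a closer look. The script below is an added, defensive example and is not code from the book; it reads the real Uninstall keys only when run on Windows (via the standard library's winreg) and otherwise runs against a small set of constructed sample entries, including two modelled on the names quoted above. The flagging rules (branded name without a Microsoft publisher, missing publisher) are the author's own heuristics, not an authoritative list.

```python
"""Audit Add and Remove Programs entries for disguised display names.

Added example (defensive). Registry paths are the real Uninstall keys;
the sample entries below are constructed for offline runs.
"""
import re
import sys

# Real registry locations that feed the Add and Remove Programs applet.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)
VALUES_OF_INTEREST = ("DisplayName", "Publisher", "UninstallString")

# Heuristic: names that borrow Microsoft branding or technology terms.
MS_BRANDED = re.compile(r"\b(microsoft|windows|ole|win32)\b", re.I)
# Publisher strings we accept as genuinely Microsoft.
MS_PUBLISHER = re.compile(r"^microsoft(\s+corporation)?$", re.I)

# Constructed sample entries; the two suspicious ones use the names quoted in the text.
SAMPLE_ENTRIES = [
    {"key": "{sample-guid-1}", "DisplayName": "Microsoft Visual C++ 2005 Redistributable",
     "Publisher": "Microsoft Corporation", "UninstallString": r"MsiExec.exe /X{sample-guid-1}"},
    {"key": "Microsoft Event Manager", "DisplayName": "Microsoft Event Manager",
     "Publisher": "", "UninstallString": r"MsiExec.exe /X{sample-guid-2}"},
    {"key": "OLE Service Controller", "DisplayName": "OLE Service Controller",
     "Publisher": "Example Software Ltd", "UninstallString": r"C:\Temp\osc\uninst.exe"},
    {"key": "7-Zip", "DisplayName": "7-Zip 9.20",
     "Publisher": "Igor Pavlov", "UninstallString": r"C:\Program Files\7-Zip\Uninstall.exe"},
]


def read_uninstall_entries():
    """Read live entries from the registry. Windows only (needs winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # imported here so the module loads on non-Windows hosts
    entries = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # key absent (e.g. no WOW6432Node on 32-bit Windows)
        with root:
            index = 0
            while True:
                try:
                    subkey = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                entry = {"key": subkey}
                with winreg.OpenKey(root, subkey) as k:
                    for name in VALUES_OF_INTEREST:
                        try:
                            entry[name] = str(winreg.QueryValueEx(k, name)[0])
                        except OSError:
                            entry[name] = ""  # value not present
                entries.append(entry)
    return entries


def audit_entries(entries):
    """Return [(display_name, [reasons])] for entries that look disguised."""
    findings = []
    for entry in entries:
        name = entry.get("DisplayName", "") or entry.get("key", "")
        publisher = (entry.get("Publisher", "") or "").strip()
        reasons = []
        if MS_BRANDED.search(name) and not MS_PUBLISHER.match(publisher):
            reasons.append("microsoft-branded name but publisher is %r" % publisher)
        if not publisher:
            reasons.append("no publisher recorded")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    source = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for display_name, reasons in audit_entries(source):
        print("SUSPICIOUS: %s" % display_name)
        for reason in reasons:
            print("    - %s" % reason)
```

A hit from this script is a prompt to cross-check the entry against the package actually installed (file signatures, the UninstallString target, the owning service), not a verdict on its own; legitimate third-party software sometimes ships with a sparse Uninstall subkey.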
End User License Agreements (EULAs)
There is a category between intended and unintended installation: the “
but authorized” category. This was the “infamous” rootkit installation technique
by Sony when they released the “Van Zant” CD. By providing necessary software that requires acceptance of a license agreement that in
authorizes the insertion of a rootkit, many legal loopholes can be circumvented. Unfortunately, as with Sony, this can become a very embarrassing public relations problem and damage the reputation of an
reputable company. As such, this installation technique is not recommended.
Under normal circumstances, the end
operating a specific computer will not want to go out of his or her way to install a rootkit, and system administrators will not want to go out of their way to promulgate its use. This
the rootkit developer with a set-and-forget environment that should not interfere with normal user operations. Unfortunately, this approach must target the 5 percent of computer users with the wherewithal to circumvent simple rootkits. Installing a rootkit in this environment can be difficult, but there are many options.
Pushing rootkits from a domain administrator account is perhaps the
form of unintended installation. Files can be transferred and the registry can be updated without the knowledge of the recipient. This can be automated with a short program and compressed with a zip utility to reduce the strain on larger networks. The steps involved in this type of installation include the following:
1. Get the hostname, username, password and install path from input (default = local machine, current user, current directory).
2. If not local, connect using
3. Copy files to install path.
4. If not local, open the remote registry using
5. Update the remote registry.
6. If not local, close the remote registry using
7. If possible, force a reboot after a
8. If connected, disconnect using