Unintended Installation

Under normal circumstances, the end user operating a specific computer will not want to go out of his or her way to install a rootkit, and system administrators will not want to go out of their way to promulgate its use. This leaves the rootkit developer with a set-and-forget environment that should not interfere with normal user operations. Unfortunately, this approach must target the 5 percent of computer users with the wherewithal to circumvent simple rootkits. Installing a rootkit in this environment can be difficult, but there are many options.

Pushing rootkits from a domain administrator account is perhaps the easiest form of unintended installation. Files can be transferred and the registry can be updated without the knowledge of the recipient. This can be automated with a short program and compressed with a zip utility to reduce the strain on larger networks. The steps involved in this type of installation include the following:

• Get the hostname, username, password and install path from input (default = local machine, current user, current directory).

• If not local, connect using WNetAddConnection2.

• Copy files to install path.

• If not local, open remote registry using RegConnectRegistry.

• Update the remote registry.

• If not local, close the remote registry using RegCloseKey.

• If possible, force a reboot after a slight timeout.

• If connected, disconnect using WNetCancelConnection2.