Unintended Installation

Under normal circumstances, the end user of a given computer will not go out of his or her way to install a rootkit, and system administrators will not go out of their way to promote its use. This leaves the rootkit developer with a set-and-forget environment that should not interfere with normal user operations. Unfortunately, this approach must also target the 5 percent of computer users with the wherewithal to circumvent simple rootkits. Installing a rootkit in this environment can be difficult, but there are many options.

Pushing rootkits from a domain administrator account is perhaps the easiest form of unintended installation. Files can be transferred and the registry can be updated without the knowledge of the recipient. This can be automated with a short program and compressed with a zip utility to reduce the strain on larger networks. The steps involved in this type of installation include the following:

  • Get the hostname, username, password and install path from input (default = local machine, current user, current directory).

  • If not local, connect using WNetAddConnection2.

  • Copy files to install path.

  • If not local, open remote registry using RegConnectRegistry.

  • Update the remote registry.

  • If not local, close the remote registry using RegCloseKey.

  • If possible, force a reboot after a slight timeout.

  • If connected, disconnect using WNetCancelConnection2.
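The sequence above leaves a recognisable trail on the target: a network logon by a privileged account, a write to an administrative share, a new kernel-driver service registered through the remote registry, and a reboot shortly afterwards. The following detector is an added example written from the defender's side; it is not code from the book or its author. It correlates those stages from constructed Windows event records (the event IDs 4624, 5145, 7045 and 1074 are real Windows IDs; the record layout, hostnames, accounts, IPs and driver path are all made up for the example).

```python
"""
Added example (not from the book): correlate the remote-push sequence
described above from constructed Windows event log records.

Event IDs used are real Windows IDs:
  4624 (Security) logon; LogonType 3 = network logon
  5145 (Security) detailed file share access (write to ADMIN$ / C$)
  7045 (System)   new service installed (kernel driver registration)
  1074 (System)   shutdown or reboot initiated
The one-dict-per-event layout and every host, user, IP and path below
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. WS01 shows the full push sequence; WS02 is
# benign noise (a network logon plus a share read, no driver, no reboot).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:02", "host": "WS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\da-admin", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:04", "host": "WS01", "id": 5145, "share": "\\\\*\\ADMIN$",
     "access": "WriteData", "user": "CORP\\da-admin", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:07", "host": "WS01", "id": 7045, "service_type": "kernel mode driver",
     "image": "C:\\Windows\\System32\\drivers\\example.sys", "user": "CORP\\da-admin"},
    {"ts": "2024-05-01T09:00:40", "host": "WS01", "id": 1074,
     "reason": "No title for this reason could be found", "user": "CORP\\da-admin"},
    {"ts": "2024-05-01T09:05:00", "host": "WS02", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.0.0.9"},
    {"ts": "2024-05-01T09:05:01", "host": "WS02", "id": 5145, "share": "\\\\*\\public",
     "access": "ReadData", "user": "CORP\\jdoe", "src_ip": "10.0.0.9"},
]

WINDOW = timedelta(minutes=10)          # all stages must land within this span
ADMIN_SHARES = ("ADMIN$", "C$")         # shares a remote file push would write to
REQUIRED = {"remote_logon", "admin_share_write", "driver_service_installed"}


def classify_event(ev):
    """Map one event to a named stage of the push sequence, or None."""
    if ev["id"] == 4624 and ev.get("logon_type") == 3:
        return "remote_logon"
    share = ev.get("share", "").rstrip("\\").upper()
    if ev["id"] == 5145 and ev.get("access") == "WriteData" and share.endswith(ADMIN_SHARES):
        return "admin_share_write"
    if ev["id"] == 7045 and "driver" in ev.get("service_type", "").lower():
        return "driver_service_installed"
    if ev["id"] == 1074:
        return "reboot_initiated"
    return None


def correlate(events, window=WINDOW):
    """Group stage hits per (host, user); report hosts where every REQUIRED
    stage occurs within `window` of the first hit. A following reboot raises
    the severity but is not required, since the push may skip it."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), stage, ev))

    findings = []
    for (host, user), seq in hits.items():
        seq.sort(key=lambda t: t[0])
        first_ts = seq[0][0]
        seen = {}
        for ts, stage, ev in seq:
            if ts - first_ts > window:
                break
            seen.setdefault(stage, ev)          # keep the earliest event per stage
        if REQUIRED.issubset(seen):
            findings.append({
                "host": host,
                "user": user,
                "src_ip": seen["remote_logon"]["src_ip"],
                "driver": seen["driver_service_installed"]["image"],
                "rebooted": "reboot_initiated" in seen,
                "severity": "high" if "reboot_initiated" in seen else "medium",
            })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['user']} from {f['src_ip']} "
              f"registered driver {f['driver']} (rebooted={f['rebooted']})")
```

Run on the constructed records it reports WS01 only: the WS02 logon and share read never reach the required stages. In a real deployment the same logic would sit on top of forwarded Security and System logs, and the admin-share write (5145) requires the "Detailed File Share" audit subcategory to be enabled, which it is not by default.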


Source: Professional Rootkits (Programmer to Programmer), Ric Vieler, 2007, ISBN 0470101547, 229 pages.