A European student has just developed a Proof of Concept for what the developer believes is the world's first kernel mode IRCbot.
The creator, Tibbar ("Rabbit" spelled backwards), says the difference between this innovation and standard Windows rootkits lies in its crossover ability. Most Windows-based rootkits hide in device drivers, then depend on outside, usermode applications to get anything done.
This creates several challenges for rootkitters:
* The abilities of requested apps are limited to the security rights granted to the User.
* The apps needed by the rootkit may not be present or accessible on the victim's system.
* Usermode operations are easier to detect than kernelmode ones.
That's why Tibbar thinks IRCbot is a huge leap forward. It carries its IRC app onboard, inside the kernel driver. So it doesn't need any outside help to get the job done.
This means that future generations of rootkits... if that's what we'll call these... will be even stealthier than the current crop. Oh joy.
To pull this off, Tibbar drew from a kernel mode sockets library by Valerino, who described his effort at rootkit.com as:
A fully functional TDI sockets library. You can connect, send, receive, all from your supa-dupa-l333t kernelmode rootkit. Yes, you can bypass lame TDI firewalls with this. No, you can't bypass NDIS firewalls.
(read: you can bypass Norton's firewall).
While the IRCbot does no damage by itself, Tibbar helpfully set the project up in Visual Studio 2003, so it can be easily extended. In addition, bot builders can compile the beast as either a kernelmode driver or usermode executable.
In case you were wondering, Tibbar says it's easier to build and debug your usermode IRCbot, before creating the device driver.