
Novel Implementation of Hybrid Rootkit

Prof K. S Wagh, Shivani Bhakare, Siddesh Garsund, Shravani Jadhav, Shashank Patwardhan
waghks@gmail.com, shivanibhakare99@gmail.com, chintyam.t@gmail.com, shravanijadhav8@gmail.com,
shashankpatwardhan7@gmail.com
Computer Dept, AISSMS IOIT,
Pune, India

ABSTRACT
Statistics show that although malware detection tools detect and prevent malware, they do not guarantee 100% detection and/or prevention of malware. This is especially the case for rootkits, which can manipulate the operating system so that it distributes other malware, hides existing malware, steals information, hides itself, disables anti-malware software, etc., all without the knowledge of the user. This paper will demonstrate that by implementing hybrid rootkits or any other type of malware, a researcher will be able to better understand the techniques and vulnerabilities used by an attacker. Such information could then be useful while implementing anti-malware techniques.

General Terms
Metasploitable Framework.

Keywords
Hybrid rootkit, malware, stealth, security, Trojans, Amazon Web Services.

1. INTRODUCTION
A Rootkit [1] is a suite or collection of one or more programs that allows a third party to hide files and activities from the administrator of a computer system. An intruder takes advantage of one or more known vulnerabilities on a particular computing platform to deliver and install the rootkit. Once the rootkit is in place, the intruder can use the infected system while remaining undetected.

A battle has begun between attackers and defenders of computer systems. An attacker who manages to compromise a system seeks to carry out malicious activities on the system that remain invisible to defenders. At the same time, defenders search for successful attackers by looking for signs of system compromise or malicious activities. [5]

In this paper, we assume the perspective of an attacker who is trying to run malicious software and avoid its detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits.

2. ALGORITHM
2.1 Reverse Connection
(1) Develop a rootkit which consists of:
i. An IP address
ii. A sequence of executable code
(2) Patch this rootkit into a legitimate file and upload it on the website.
(3) Create a webpage with a GUI that looks like a legitimate file provider or file download page.
(4) After the user selects download, the page is redirected to the actual webpage which has the rootkit uploaded.
(5) The redirected website will be clickjacking enabled. In all scenarios, the file will be downloaded to the victim's machine.

2.2 On victim's machine
i. The victim executes the file. The legitimate file runs, while the patched file runs with it in the background in stealth mode.
ii. This patched file consists of the IP address of the attacker's machine and an executable code sequence.
iii. The executable sequence defines a routine that sends a connection request to the attacker's machine / IP address. This technique is called Reverse Connection.

Volume 3 Issue 2 April - 2018 125


2.3 On Attacker's End
A connection request is received at the attacker's end which, when accepted, gives root access to the victim's machine.

3. PROPOSED ARCHITECTURE

Fig 1: Proposed Architecture.
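As an added, defensive illustration (not code from the paper), the following Python flags the end-point behaviour of the reverse connection described in sections 2.1 to 2.3: a binary run from a download folder opening an outbound connection to an external address. The record fields, the port allowlist and the sample events are assumptions constructed here, modelled loosely on endpoint network-connection telemetry.

```python
# Added example, not from the paper: detect the reverse-connection pattern of
# section 2 (a downloaded, patched file calling back to an external IP) in
# process-level network events. Field names and sample data are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

@dataclass
class NetEvent:
    image: str        # full path of the process that owns the socket
    initiated: bool   # True if the local process opened the connection
    dest_ip: str
    dest_port: int

# Assumed: folders where freshly downloaded files are normally run from.
DOWNLOAD_DIRS = ("\\downloads\\", "/downloads/", "\\temp\\", "/tmp/")
# Assumed: ports ordinary user software on this host is expected to use.
ALLOWED_PORTS = {80, 443}
# RFC 1918 and local ranges; anything else is treated as external.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def is_reverse_connection(ev: NetEvent) -> bool:
    """Outbound connection opened by a binary running from a download or temp
    folder, to an external address, on a port not in the allowlist."""
    from_download = any(d in ev.image.lower() for d in DOWNLOAD_DIRS)
    return (ev.initiated and from_download
            and is_external(ev.dest_ip) and ev.dest_port not in ALLOWED_PORTS)

def find_suspects(events: List[NetEvent]) -> List[str]:
    """Return the image paths of every event matching the pattern."""
    return [ev.image for ev in events if is_reverse_connection(ev)]

# Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here to stand in for external addresses.
SAMPLE = [
    NetEvent(r"C:\Users\alice\Downloads\setup.exe", True, "203.0.113.7", 4444),
    NetEvent(r"C:\Program Files\Browser\browser.exe", True, "203.0.113.8", 443),
    NetEvent(r"C:\Users\alice\Downloads\setup.exe", True, "10.0.0.5", 445),
    NetEvent(r"C:\Windows\System32\svchost.exe", False, "198.51.100.2", 3389),
]

if __name__ == "__main__":
    for image in find_suspects(SAMPLE):
        print("possible reverse connection from", image)
```

In practice the events would be fed from endpoint telemetry such as process network-connection logs, and the folder and port lists tuned to the host's baseline.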

4. DESIGN ARCHITECTURE

5. APPLICATIONS
• This rootkit can be used in creating anti-malware.
• A spying system for federal agencies can be provided by using this rootkit.
• Piracy or scams can be reduced with the use of this rootkit.

6. IMPLEMENTATION

7. ACKNOWLEDGMENTS
We would like to thank our Guide Mr. K.S Wagh who helped us throughout the project whenever we stumbled across any obstacle. We would like to also thank the principal of our institution who gave us the opportunity to work on this project.

8. REFERENCES

[1] Virus Analysis on IDT Hooks of Rootkits Trojan: Yong Wang, Dawu Gu, Wei Li, Jing Li, Mi Wen. 978-0-7695-3686-6/09, 2009 IEEE. DOI 10.1109.

[2] Implementing Rootkits to Address OS Vulnerabilities: Manuel Corregedor and Sebastiaan Von Solms. 978-1-4577-1483-2/11, 2011 IEEE.

[3] Windows Rootkits: Attacks and Countermeasures: Desmond Lobo, Paul Watters, Xin-Wen Wu, Li Sun. 978-0-7695-4186-0/10, 2010 IEEE. DOI 10.1109.

[4] A Practical Approach for Generic Rootkit Detection and Prevention: Bernhard Grill, Christian Platzer and Jürgen Eckel.

[5] SMM Rootkits: A New Breed of OS Independent Malware: Shawn Embleton, Sherri Sparks, Cliff Zou. NSF Cyber Trust Grant CNS-0627318 & Intel Research Fund.

[6] SubVirt: Implementing malware with virtual machines: Samuel T. King, Peter M. Chen, Yi-Min Wang, Helen J. Wang.

[7] Proposal of Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features: Yohei Akao, Toshihiro Yamauchi.

[8] Detecting Kernel-Level Rootkits Using Data Structure Invariants: Arati Baliga, Vinod Ganapathy, and Liviu Iftode.
