Summary
Fu rootkit is publicly available in binary and source code format. The technical information below is based on the public version.
Installation
The public version of Fu rootkit consists of two files: one executable file (.exe) and one kernel-mode driver file (.sys). The driver does the actual hiding where as the executable file is used to configure and command the driver.
Fu requires administrative privileges to install successfully. The executable file installs and loads the driver. This results in one registry key:
- HKLM\SYSTEM\CurrentControlSet\Services\[driver_name]
where [driver_name] represents the name of the driver file without the .sys extension.
Hiding Technique
Fu allows the intruder to hide information from user-mode applications and even from kernel-mode modules. Following items can be hidden:
- Processes
- Kernel-mode modules
Fu hides information by directly modifying certain kernel data structures used by the operating system. Specifically, it removes to-be-hidden entries from two linked lists with symbolic names: PsActiveProcessHead and PsLoadedModuleList.
In addition, Fu is able to modify a process' token to change its security context. This has two impacts on the compromised system. First, it can modify privileges and access rights of any running process. Second, it can fool security auditing by replacing the owner SID of any running process.
Write-up: Kimmo Kasslin
Technical Details: Kimmo Kasslin, January 23, 2006
Description Updated: Kimmo Kasslin, January 23, 2006
F-Secure Corporation
