What is a Rootkit
What is a Rootkit WEyIchO

Rootkit is a set of software tools that enables an unauthorized user to gain control of a computer system without being detected. While being closely associated with malware, rootkits are not inherently malicious. However, their ability to manipulate a computer’s operating system and provide remote users with administrator access has – unsurprisingly – made them popular tools among cybercriminals.

The term rootkit is a connection of the two words "root" and "kit." Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the Admin account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms, viruses – that conceal their existence and actions from users and other system processes.

Historically, rootkits were confined to the world of Unix and Linux, but eventually made their way over to the Windows operating system, starting with NTRootkit, a tool targeting Windows NT that was first spotted back in 1999. Since then, rootkits have rapidly grown in popularity on Windows and today are a common, stubborn blight on the digital world.

A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.

Rootkits are unable to spread by themselves and instead rely on clandestine tactics to infect your computer. They typically disseminate by hiding themselves in devious software that may appear to be legitimate and could actually be functional. However, when you grant the software permission to be installed on your system, the rootkit quietly sneaks inside where it may lay dormant until the hacker activates it.

Other common infection vectors include email phishing scams, downloads from dodgy websites and connecting to compromised shared drives. It’s important to note that rootkits don’t always require you to run an executable – sometimes something as simple as opening a malicious PDF or Word document is enough to unleash a rootkit.

Rootkits and their payloads have many uses:
  • Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.

  • Conceal other malware, notably password-stealing key loggers and computer viruses.

  • Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large botnets that can launch denial-of-service attacks, distribute e-mail spam, conduct click fraud, etc.

  • Enforcement of digital rights management (DRM).


In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user. For example: To conceal cheating in online games from software like Warden or Detect attacks, for example, in a honeypot etc..

There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.

User Mode Rootkits

User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.

User mode rootkits are very popular in financial malware these days. One of the most copied financial malware named Carberp includes this technique and also had its source codes leaked several years ago, so its user mode rootkit component has been recycled over and over again and can be found in many financial malware families to this day.



Kernel Mode Rootkits

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Kernel rootkits are engineered to change the functionality of your operating system. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write. Creating an effective kernel rootkit is fairly complex and, if implemented incorrectly, can have a noticeable impact on system performance. The good news is that most kernel rootkits are easier to detect than other types for rootkits.




Bootkits

A kernel-mode rootkit variant called a bootkit can infect startup code like the Master Boot Record (MBR), Volume Boot Record (VBR) or boot sector, and in this way can be used to attack full disk encryption systems. This vector of attack was rendered useless in the (non-server) versions of Windows 8, which use a unique, machine-specific key for each system, that can only be used by that one machine. Many antivirus companies provide free utilities and programs to remove bootkits.




Hypervisor level

Hypervisor (Ring -1): running on the lowest level, hypervisor, that is basically a firmware. The kernel of the system infected by this type of a rootkit is not aware that it is not interacting with a real hardware, but with the environment altered by a rootkit.

The rule states that a rootkit running in the lower layer cannot be detected by any rootkit software running in all of the above layers.

By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system.

Windows 10 introduced a new feature called "Device Guard", that takes advantage of virtualization to provide independent external protection of an operating system against rootkit-type malware.




Firmware and Hardware Rootkit

A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a router, network card, hard drive, or the system BIOS. The rootkit hides in firmware, because firmware is not usually inspected for code integrity.

Intel Active Management Technology, part of Intel vPro, implements out-of-band management, giving administrators remote administration, remote management, and remote control of PCs with no involvement of the host processor or BIOS, even when the system is powered off. Remote administration includes remote power-up and power-down, remote reset, redirected boot, console redirection, pre-boot access to BIOS settings, programmable filtering for inbound and outbound network traffic, agent presence checking, out-of-band policy-based alerting, access to system information, such as hardware asset information, persistent event logs, and other information that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off. Some of these functions require the deepest level of rootkit, a second non-removable spy computer built around the main computer. Sandy Bridge and future chipsets have "the ability to remotely kill and restore a lost or stolen PC via 3G". Hardware rootkits built into the chipset can help recover stolen computers, remove data, or render them useless, but they also present privacy and security concerns of undetectable spying and redirection by management or hackers who might gain control.


It is difficult to detect rootkits. There are no commercial products available that can find and remove all known and unknown rootkits. There are various ways to look for a rootkit on an infected machine. Detection methods include behavioral-based methods (e.g., looking for strange behavior on a computer system), signature scanning and memory dump analysis. Often, the only option to remove a rootkit is to completely rebuild the compromised system.


Did you find this tutorial helpful? Don’t forget to share your views with us.