A Guide to Rootkits

Rootkits can be called the most technically sophisticated form of malicious code (malware) and one of the most difficult to discover and eliminate. Of all types of malware, viruses and worms probably get the most publicity, because they are generally widespread and many people know they have been affected by a virus or a worm, but this does not mean that viruses and worms are the most destructive variety of malware. There are more dangerous types, because as a rule they operate in stealth mode, are difficult to detect and remove, and can go unnoticed for very long periods of time, silently stealing data and modifying files on the victim’s machine.

An example of such a stealthy enemy is the rootkit – a collection of tools that replace or change executable programs or the kernel of the operating system itself to gain administrator-level access to the system, which can then be used for installing spyware, keyloggers and other malicious tools. Essentially, a rootkit allows an attacker to gain complete control over the victim’s machine (and possibly over the whole network the machine belongs to). One well-known case in which a rootkit caused considerable damage was the theft of the source code of Half-Life 2.

Rootkits are not something new – they have been known for decades and are known to have affected various operating systems (Windows, UNIX, Linux, Solaris, etc.) – but if it were not for one or two mass occurrences of rootkits (see the Famous Examples section), which drew public attention to them, they might again have remained unknown except to a small circle of security professionals. As of today, rootkits have not unleashed their full destructive potential and are not as widespread as viruses, but this is of little comfort.

Rootkits Mechanism Exposed

Similar to Trojan horses, viruses and worms, rootkits install themselves by exploiting flaws in network security and in the operating system itself, and often no action on the user’s side is necessary, although there are rootkits that arrive as an e-mail attachment or are bundled with a legitimate software program and are harmless until the user opens the attachment or installs the program. But unlike less sophisticated forms of malware, rootkits infiltrate the operating system very deeply and make special efforts to disguise their presence – for instance by modifying system files.

Basically, there are two types of rootkits: kernel level and application level. Kernel level rootkits add code to, or modify, the kernel of the operating system. This is achieved by installing a device driver or a loadable module which alters system calls to hide the presence of an attacker. Thus if you look in the log files, you will see no suspicious activity on the system. Application level rootkits are less sophisticated and generally easier to detect, because they modify the executables of applications rather than the operating system itself. Since Windows 2000, every change in an executable file is reported to the user, making it more difficult for the attacker to go unnoticed.

Why Rootkits Pose a Risk

Rootkits can act as a backdoor, and usually they are not alone in their mission – they are often accompanied by spyware, Trojan horses or viruses, and the aims of a rootkit can vary from the simple malicious joy of penetrating somebody else’s computer (and hiding the traces of the intrusion) to building a whole system for illegally obtaining confidential data (credit card numbers, or source code, as in the case of Half-Life 2).

Generally, application level rootkits are less dangerous and easier to detect. But if the program you use to keep track of your finances gets “patched” by a rootkit, the monetary loss could be significant: an attacker can use your credit card data to purchase a couple of items, and if you don’t notice the suspicious activity on your credit card balance in time, you will most likely never see the money again.

Compared to kernel level rootkits, application level rootkits look sweet and harmless. Why? Because in theory a kernel level rootkit opens all doors to a system, after which installing other malware, for instance for the theft of financial data, is pretty easy. Having a kernel level rootkit and not being able to detect and remove it easily (or at all, as we will see next) means that somebody else has total control over your computer and can use it in any way he or she pleases – for instance to launch an attack on other machines, creating the impression that the attack originates from your computer rather than from somewhere else.

Detection and Removal of Rootkits

Not that other types of malware are easy or fun to detect and remove, but kernel level rootkits are a particular disaster. In a sense it is a Catch-22: if you have a rootkit, then the system files needed by the anti-rootkit software are likely to have been modified, and therefore the results of the check cannot be trusted. What is more, if a rootkit is running, it can modify the list of files or the list of running processes that anti-virus programs rely on, feeding them fake data. A running rootkit can also simply unload the anti-virus program’s processes from memory, causing it to shut down unexpectedly. However, by doing this it indirectly reveals its presence, so one can become suspicious that something is wrong.

A recommended way to detect the presence of a rootkit is to boot from an alternative medium which is known to be clean (i.e. a backup or rescue CD-ROM) and examine the suspect system from there. The advantage of this method is that the rootkit will not be running (and therefore will not be able to hide itself) and the system files you read will not be tampered with.

There are ways to detect and (attempt to) remove rootkits. One way is to keep clean MD5 fingerprints of the original system files and, when you suspect a rootkit, to compare the fingerprints of the current system files with the clean ones. This method is not very reliable, but it is better than nothing. Using a kernel debugger is more reliable, but it requires in-depth knowledge of the operating system, and even the majority of system administrators will rarely resort to it, especially when there are good free programs for rootkit detection, like Mark Russinovich’s RootkitRevealer. Go to his site and you will find detailed instructions on how to use the program.
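The two previous paragraphs describe one procedure: take fingerprints of the system files while the machine is known to be clean, and later, after booting from a trusted rescue medium so no rootkit is active to falsify what you read, compare the files against that baseline. The following Python script is an added illustration of that check, not code from the article or from any of the tools it names. It assumes the baseline file is stored off the machine, it uses SHA-256 instead of the MD5 the article mentions (MD5 collisions are practical, so a baseline built with it can be defeated), and the "system32" tree it scans is a constructed sample, not a real Windows directory.

```python
"""Offline integrity baseline for system files (added example, hypothetical tree)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory.
    SHA-256 is an assumption here; the article speaks of MD5 fingerprints."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under `root` (path relative to root) to its digest.
    Symlinks are skipped so a planted link cannot pull in files outside the tree."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = fingerprint(p, algorithm)
    return baseline


def compare_to_baseline(root, baseline, algorithm="sha256"):
    """Report files whose digest changed, files that vanished, and files that appeared.
    A modified or missing system file, or an unexplained new driver, is what a
    rootkit hunt is looking for; the verdict still needs a human to interpret it."""
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this copy off the monitored machine."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: a tiny fake 'system32' tree is fingerprinted while clean,
    then one library is patched, one binary deleted and one unknown driver dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        (sysdir / "ntoskrnl.exe").write_bytes(b"pretend kernel image")
        (sysdir / "kernel32.dll").write_bytes(b"pretend library")
        (sysdir / "notepad.exe").write_bytes(b"pretend editor")

        baseline_file = Path(tmp) / "baseline.json"  # would live on removable media
        save_baseline(build_baseline(sysdir), baseline_file)

        # Simulated tampering (constructed, not a real rootkit's footprint).
        (sysdir / "kernel32.dll").write_bytes(b"pretend library + injected hook")
        (sysdir / "notepad.exe").unlink()
        (sysdir / "rk.sys").write_bytes(b"unknown driver")

        return compare_to_baseline(sysdir, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three lists from the constructed scenario. In practice the comparison is only meaningful when `build_baseline` runs against the suspect disk mounted from the rescue medium; run on the live system, a kernel level rootkit that intercepts file reads can hand the script the original bytes and the check will report nothing.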

Once you have detected a rootkit on your computer, the next step is to get rid of it (easier said than done). And now comes the trickiest part – with some rootkits, removal is not an option unless you want to remove the whole operating system as well! The most obvious solution, deleting the infected files (provided you know exactly which ones are cloaked), is completely inapplicable when vital system files are concerned. If you delete these files, chances are that you will never be able to boot Windows again. You can try a couple of rootkit removal applications, like UnHackMe or F-Secure BlackLight Beta, but do not count too much on their being able to remove the pest safely.

It might sound like shock therapy, but the only proven way to remove a rootkit is to format the hard drive and reinstall the operating system (from clean installation media, of course!). If you have a clue where you got the rootkit from (was it bundled with another program, or did somebody send it to you via e-mail?), don’t even think of running the source of the infection again!

Famous Examples of Rootkits

Rootkits existed stealthily for decades until last year, when they became prime-time news. The case of Sony-BMG and its Digital Rights Management (DRM) technology, which protected against unauthorized CD copying by installing a rootkit on the user’s machine, provoked sharp criticism. There were lawsuits and a criminal investigation. Sony-BMG had to withdraw its CDs from stores and replace the sold copies with clean ones. Sony-BMG was accused of secretly cloaking system files in an attempt to hide the presence of the copy-protection program, which also sent private data to Sony’s site. If the program was uninstalled by the user, the CD drive became inoperable. In fact, this copy-protection program violated all privacy rights, employed illegal techniques typical of this kind of malware, and above all left the victim’s computer vulnerable to various hacker attacks. Typically for a big corporation, Sony-BMG first tried the arrogant way, stating that since most people didn’t know what a rootkit was, why would they care that they had one? Well, if there had been no people like Mark Russinovich, who was the first to ring the bell about Sony’s rootkit, the trick could have worked and millions of computers would have been infected – quite a global offense in the alleged defense of a company’s intellectual property!

Similar to the Sony case, in which you did not need to be connected to the Internet to get a fresh supply of rootkits, is the case of Norton SystemWorks. It is true that the two cases cannot be compared from an ethical or technical point of view: while Norton’s rootkit (or rootkit-like technology) modifies Windows system files to accommodate the Norton Protected Recycle Bin, Norton can hardly be accused of malicious intentions to restrict users’ rights or to benefit from the rootkit, as is the case with Sony. The purpose of the cloaking was to hide from everybody (users, administrators, etc.) and everything (other programs, Windows itself) a backup directory of files users have deleted, from which the files can later be restored. The function of the Protected Recycle Bin was to add one more safety net against quick fingers that first delete and then think about whether they have deleted the right file(s), providing an additional way to restore files that have been deleted from the Recycle Bin (or that have bypassed it).

These two examples are hardly the most severe cases of rootkit activity, but they are worth mentioning because by attracting attention to a particular case, they drew public interest to rootkits as a whole. Hopefully, more people now not only know what a rootkit is but care whether they have one!
