Rootkits are much in the news lately. They were recently sighted in the Street Fighter V video game, critical infrastructure controls and even Yahoo email servers.
In the case of Yahoo, the spying tool that the U.S. government ordered the company to install on its servers was a “buggy” rootkit that concealed itself on Yahoo’s systems and provided the government with a backdoor into Yahoo emails, according to an article in Motherboard.
What Is a Rootkit?
What are rootkits, anyway? And why should security professionals care about them?
Security firm Symantec defines [pdf] a rootkit as “any software that acquires and maintains privileged access to the operating system while hiding its presence by subverting normal OS behavior.”
A rootkit has three goals:
- to run without restrictions on a target computer
- to go undetected by security products and IT administrators
- to get something from the target computer, such as passwords, remote access or recruitment into a botnet
What makes a rootkit particularly pernicious is its ability to hide its presence from anti-virus programs, system and network administrators, and system management utilities.
Here are the top rootkit types that can pose threats to enterprises and individuals.
A kernel-mode rootkit alters components within the computer operating system’s core, known as the kernel. Some of these rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. These rootkits avoid detection by operating at the same security level as the OS. Examples include FU, Knark, Adore, Rkit and Da IOS.
A bootkit is a type of kernel-mode rootkit that infects the master boot record, volume boot record or boot section during computer startup. The malware loader persists through the transition to protected mode when the kernel has loaded and is thus able to subvert the kernel. Examples include Olmasco, Rovnix and Stoned Bootkit.
The user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces. It alters the security subsystem and displays false information to administrators of the target computer. It can intercept system calls and filter output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services. Examples of this type of rootkit include Vanquish, Aphex and Hacker Defender.
A virtual, or hypervisor, rootkit hosts the target OS as a virtual machine, enabling it to intercept hardware calls made by the original OS. The rootkit does not have to modify the kernel to subvert the operating system. So far, this type of rootkit is only a proof of concept.
A firmware rootkit uses device or platform firmware to create a persistent malware image in the router, network card, hard drive or the basic input/output system (BIOS). The rootkit is able to remain hidden because firmware is not usually inspected for code integrity. These rootkits can be used for legitimate purposes, such as anti-theft technology preinstalled in BIOS images by the vendor, but they can also be exploited by cybercriminals. Examples include Cloaker and VGA rootkit.
Rooting out Rootkits
So what can IT administrators due to counter the threats posed by rootkits?
Preventing Rootkit Infections
In their chapter in the Information Security Management Handbook, Sixth Edition, Volume 2, security researchers E. Eugene Schultz and Edward Ray recommend that enterprises consider the following measures to prevent rootkit infections:
- using intrusion detection and prevention tools such as rootkit scanners
- applying vulnerability patches in a timely manner
- configuring systems according to security guidelines and limiting services that can run on these systems
- adhering to the least privilege principle
- deploying firewalls that can analyze network traffic at the application layer
- using strong authentication
- performing regular security maintenance
- limiting the availability of compiler programs that rootkits exploit
Once an infection takes place, things get tricky. The researchers caution that detecting and removing a rootkit is difficult. However, a rootkit can be detected by trained investigators and analysis tools, such as rootkit scanners, which uncover clues to the presence of the rootkit. Major security firms, such as Symantec, Kaspersky Lab and Intel Security (McAfee), offer rootkit scanners to enterprise customers.
Some of the telltale signs that a rootkit is present include unexplained changes in target systems, strange files in the home directory of root or unusual network activity.
Cryptographer and computer programmer Thomas Pornin noted that the rootkit needs to maintain an entry path for the attacker, creating an opportunity for detection. In a post on Information Security Stack Exchange, Pornin recommends that IT administrators reboot the computer on a live CD or USB key and then inspect the hard disk. “If the same files do not look identical, when inspected from the outside (the OS booted on a live CD) and from the inside, then this is a rather definite sign of foul play,” he wrote.
Another contributor to the Information Security Stack Exchange who goes by the moniker user2213 explained that another way to detect a rootkit is to use spurious device codes on devices that do not normally respond to the codes. “If you get anything other than the relevant ‘Not implemented’ error code on your system, something strange is going on.”
User2213 also suggested mounting the system drive on a different PC to see if an incorrect filesystem size or unexpected files come up. This could be an indication of a rootkit. “Unfortunately, there aren’t generic red flags for rootkits in general — the battle is more cat-and-mouse,” the writer noted.
Removing a rootkit is a challenge because it runs with a full set of system privileges, which means it could have done anything to the system. Schultz and Ray recommend making an image backup and then rebuilding the compromised system using the original installation media; otherwise, the malicious code or unauthorized changes could continue even after the rootkit is “deleted.” Security patches then need to be installed and a vulnerability scan performed.
In sum, the best strategy to deal with rootkit threats is to stop the rootkit from infecting computers in your network through security best practices such as patch management and regular maintenance, and specialized tools such as rootkit scanners and firewalls. Should your computers become infected anyway, you need to rebuild the compromised computer from the ground up to ensure that the rootkit is eradicated.
Fred Donovan is a freelance writer and editor specializing in technology, cybersecurity and national security. He is president of Donovan Editorial Services, and a member of the Editorial Freelancers Association and Toastmasters International.