10+ things you should know about rootkits

Malware-based rootkits fuel a multibillion dollar spyware industry by stealing individual or corporate financial information. If that weren't bad enough, rootkit-based botnets generate untold amounts of spam. Here's a look at what rootkits are and what to do about them.

Rootkits are complex and ever changing, which makes it difficult to understand exactly what you're dealing with. Even so, I'd like to take a stab at explaining them, so that you'll have a fighting chance if you're confronted with one.

#1: What is a rootkit?

Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a UNIX/Linux term that's the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit -- all of which is done without end-user consent or knowledge.

#2: Why use a rootkit?

Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer's configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they consider rootkits to be solely malware, but in and of themselves they aren't malicious at all.

One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG's attempt to prevent copyright violations. Sony BMG didn't tell anyone that it placed DRM software on home computers when certain CDs were played. On a scary note, the rootkit hiding technique Sony used was so good that not one antivirus or anti-spyware application detected it.

#3: How do rootkits propagate?

Rootkits can't propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.

The dropper is the code that gets the rootkit's installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically exploits a buffer overflow to load the rootkit into memory.

Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:

  • IM. One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it's from a friend), that computer becomes infected and has a rootkit on it as well.
  • Rich content. The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it's all over.

#4: User-mode rootkits

There are several types of rootkits, but we'll start with the simplest one. User-mode rootkits run on a computer with administrative privileges. This allows user-mode rootkits to alter security and hide processes, files, system drivers, network ports, and even system services. User-mode rootkits remain installed on the infected computer by copying required files to the computer's hard drive, automatically launching with every system boot.

Sadly, user-mode rootkits are the only type that antivirus or anti-spyware applications even have a chance of detecting. One example of a user-mode rootkit is Hacker Defender. It's an old rootkit, but it has an illustrious history. If you read the link about Hacker Defender, you will learn about Mark Russinovich, his rootkit detection tool called Rootkit Revealer, and his cat-and-mouse struggle with the developer of Hacker Defender.

#5: Kernel-mode rootkit

Malware developers are a savvy bunch. Realizing that rootkits running in user-mode can be found by rootkit detection software running in kernel-mode, they developed kernel-mode rootkits, placing the rootkit on the same level as the operating system and rootkit detection software. Simply put, the OS can no longer be trusted. One kernel-mode rootkit that's getting lots of attention is the Da IOS rootkit, developed by Sebastian Muniz and aimed at Cisco's IOS operating system.

Instability is the one downfall of a kernel-mode rootkit. If you notice that your computer is blue-screening for reasons other than the usual ones, it just might be a kernel-mode rootkit.

#6: User-mode/kernel-mode hybrid rootkit

Rootkit developers, wanting the best of both worlds, developed a hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy). The hybrid approach is very successful and the most popular rootkit at this time.

#7: Firmware rootkits

Firmware rootkits are the next step in sophistication. This type of rootkit can be any of the other types with an added twist: the rootkit can hide in firmware when the computer is shut down. Restart the computer, and the rootkit reinstalls itself. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.

#8: Virtual rootkits

Virtual rootkits are a fairly new and innovative approach. The virtual rootkit acts like a software implementation of hardware sets in a manner similar to that used by VMware. This technology has elicited a great deal of apprehension, as virtual rootkits are almost invisible. The Blue Pill is one example of this type of rootkit. To the best of my knowledge, researchers haven't found virtual rootkits in the wild. Ironically, this is because virtual rootkits are complex and other types are working so well.

#9: Generic symptoms of rootkit infestation

Rootkits are frustrating. By design, it's difficult to know if they are installed on a computer. Even experts have a hard time, but they suggest that an installed rootkit should be considered alongside the other possible causes of any drop in operating efficiency. Sorry for being vague, but that's the nature of the beast. Here's a list of noteworthy symptoms:

  • If the computer locks up or fails to respond to any kind of input from the mouse or keyboard, it could be due to an installed kernel-mode rootkit.
  • Settings in Windows change without permission. Examples of this could be the screensaver changing or the taskbar hiding itself.
  • Web pages or network activities appear to be intermittent or function improperly due to excessive network traffic.

If the rootkit is working correctly, most of these symptoms aren't going to be noticeable. By definition, good rootkits are stealthy. The last symptom (network slowdown) should be the one that raises a flag. Rootkits can't hide traffic increases, especially if the computer is acting as a spam relay or participating in a DDoS attack.

#10: Polymorphism

I debated whether to include polymorphism as a topic, since it's not specific to rootkits. But it's amazing technology that makes rootkits difficult to find. Polymorphism techniques allow malware such as rootkits to rewrite core assembly code, which makes using antivirus/anti-spyware signature-based defenses useless. Polymorphism even gives behavioral-based (heuristic) defenses a great deal of trouble. The only hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and then compares the results to a known good baseline of the system.

#11: Detection and removal

You all know the drill, but it's worth repeating. Be sure to keep antivirus/anti-spyware software (and in fact, every software component of the computer) up to date. That will go a long way toward keeping malware away. Keeping everything current is hard, but a tool such as Secunia's Vulnerability Scanning program can help.

Detection and removal depends on the sophistication of the rootkit. If the rootkit is of the user-mode variety, any one of the following rootkit removal tools will most likely work:

The problem with these tools is that you can't be sure they've removed the rootkit. Albeit more labor-intensive, using a bootable CD, such as BartPE, with an antivirus scanner will increase the chances of detecting a rootkit, simply because rootkits can't obscure their tracks when they aren't running. I'm afraid that the only way to know for sure is to have a clean computer, take a baseline, and then use an application like Encase to check for any additional code.

Final thoughts

Opinions vary when it comes to rootkit removal, as discussed in the NetworkWorld article "Experts divided over rootkit detection and removal." Although the article is two years old, the information is still relevant. There's some hope, though: Intel's Trusted Platform Module (TPM) has been cited as a possible solution to malware infestation. The problem with TPM is that it's somewhat controversial. Besides, it will take years before sufficient numbers of computers have processors with TPM.

If you're looking for additional information, I recommend the book ROOTKITS: Subverting the Windows Kernel, by Gary Hoglund and James Butler, of HBGary.


Michael Kassner has been involved with wireless communications for 40-plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and an independent wireless consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

michaelaknight

Sorry, but that's simply misinformation. a. VNC, all flavors, are run as a service. This service is freely visible through task manager and services mmc. As such it requires manual configuration of the client firewall. b. VNC does not attempt to intercept system hooks or otherwise manipulate legitimate system information. It could be argued that the ability to send function keys remotely is shady; however, this 'hook' is widely used by many commercial applications as well. c. VNC does precisely (and well) what its stated intention is...to remotely manage computers. By your logic wouldn't Remote Desktop also be a rootkit?... and even more so as it does rely on system calls to a certain extent? That statement would also be false. You are correct, however, on BMG/Sony's foolery; that was a legitimate (though mostly non-malicious), perfect working example of a rootkit. Installed without user intervention, interfered (often fatally) with legitimate system processes, opened ports for data exchange, hid itself, etc.

Michael Kassner

I especially wanted to thank everyone for the great comments. I personally have a lot to think about and research. I also have plans to write a 10 things article on botnets, which is the natural progression to a discussion on rootkits. If you have any special thoughts on how that article should go, please let me know. Botnets are both amazing and scary at the same time. I'm so totally fascinated by this technology.

JCitizen

of a benevolent rootkit Michael? BTW - another fine article!

BALTHOR

Actually disable the card's firmware. They can make it impossible to access the real GM Soundfont in the sound card. Without these rootkits there would be no need for drivers or codecs. To date there is absolutely no way to remove them.

Jaqui

hmm, not in my package lists. chrootkit, which is for finding and removing them, yup. Though you can call su and sudo rootkits in that they are privilege escalation tools.

Michael Kassner

Your point is well taken and appreciated. I find it very important to first define the terms before one starts to debate context. With that in mind, the experts I consulted typically define a rootkit as stated in my article: Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer's configuration. If you refer to your comment about VNC: "VNC does precisely (and well) what it's stated intention is...to remotely manage computers." Well, I suspect that you would agree that is exactly what any malicious rootkit does as well. It's all about intent.

Dumphrey

Botnets on one hand are spam machines, but if knowingly installed, we have SETI and several university distributed computing clusters. There are also several distributed clusters for brute forcing passwords. Fun stuff. Protecting yourself against botnet DDoS is a big challenge and impossible for many without deep pockets.

Dumphrey

as rootkit tech since it does not try to hide its own processes (note, it does redirect some memory addresses as it "grabs" a process), it just intercepts those going for screen grabs, and is easy to disable with a mouse click on its icon.

Michael Kassner

Thanks J. I get a bit leery when there's a claim that an application can detect and remove all suspicious applications. I didn't see any discussion of the process or whether it was open source or not. I'm not trying to be negative; it's just that I've grown cautious when it comes to installing programs that have extensive access to the OS kernel.

Michael Kassner

In all sincerity, I am very flattered that BALTHOR was so moved as to comment twice. I just wish that I could comprehend the comments.

Michael Kassner

I was curious to learn if you have had any dealings with rootkits that you would like to share. I'm trying to build up a database of rootkit experiences by members.

Michael Kassner

I'm by no means what could even be considered knowledgeable in Linux distros. So I really appreciate your input as well as that of other members in this regard.

Michael Kassner

Like most everything else in life, it's not the device or program that causes the pain; it's the person behind it.

JCitizen

I should have said, "Does it install like a rootkit?" instead of implying that it acted like a rootkit. Plus I should have stated that it does not look for other rootkits; it only detects I/O requests for keyboard hooks and screen capture (probably still hooking), and alerts/blocks the requests. Perhaps firewall is a better description of its actions?

boxfiddler

using commonly accepted logical methodologies are doomed to failure. It's a niggle thing. Drink it in, let it niggle around the back of your brain until the sense hidden in the words jumps right out of the blue at you. Don't worry if it takes awhile. Works for me, as often as not.

Neon Samurai

.. just so I'm in the right frame of mind to fully comprehend an interview with Balthor. Well, as much as one can be with legal substances. ;) (It did take me a while but I think I finally get the charm of the Balthor)

boxfiddler

I second The Scummy One. Really, I'm interested to hear you.

Michael Kassner

Sorry Scummy, are you referring to me or BALTHOR? I, amongst everyone else, would love to see BALTHOR do an interview. As for me, that's snooze-ville, I suspect.

JCitizen

but I remember someone telling me they had caught a lot of the simple Windows variety by booting into the Windows Recovery Console and simply looking at the file structure to spot rootkits. Perhaps one of them will weigh in and whap me on the head for misquoting! =) I haven't had the opportunity to find one yet, despite diligent attempts.

Jaqui

It was Chad who posted a 10 things on securing Linux a year or two ago; making sure that chrootkit was installed was mentioned in the discussion on that entry. Most distros include the package as an option, but not as a default install. First boot after install, fire up the package manager and install it, make sure it's active, then look at getting any updates or changing to a different office suite / browser / email client. Having an anti-rootkit application running is just "good policy". [ and one reason the Sony thing didn't get to hit GNU-Linux ]

dlovep

The response time of the newer version is slightly quicker than the old one. It shows you a lot of other traceable items (SPI, BHO, SSDT, etc.), and the one extra function now allows you to scan modules hooked in memory, or the module scan. With this rootkit scanner, I found that you have more control than with other tools; it shows you nearly all the things XP is doing at the back, while it's still freeware.

Michael Kassner

Have you tried the new version? I'd appreciate hearing your opinion on how well the application works and if there were any issues that you encountered.

Jellimonsta

You should PM Soni and request she get in touch with BALTHOR. :)

boxfiddler

an interview with you would be a snoozer.

JCitizen

Sorry for the slow reply, but I'm 64bit permanently now and I've been going crazy troubleshooting a QAM cable device I've purchased. It's practically taken all my spare time for the last month. Now I have to start from the ground up to find the good AV/AS stuff that works on Vista x64.

Dumphrey

but a good method would be to do a dir c:\windows\system32 > c:\sys32dir.txt and then make that file read only and put it in a safe/odd location in the sys32 dir. Then in recovery console you could repeat the command (different output name) and do a fc on the two to see the changes. Primitive, but it would catch the obvious junk from infections quicker than a visual scan would.
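As an added example (not from the article or from any commenter), the following Python script implements the "take a baseline on a clean system, then compare" approach from #11 and the dir/fc idea in the comment above, but records a SHA-256 per file rather than a directory listing, so a system file replaced with one of the same name and size is still reported. All paths and file contents in the demo are constructed; run the baseline step on a known-clean system and keep the baseline file on read-only media.

```python
"""Baseline-and-compare integrity check for a directory tree (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Unreadable files are recorded as "<unreadable>" rather than skipped, so a
    file that suddenly refuses to be read on a later run shows up as a change.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root_path).as_posix()
            try:
                baseline[rel] = hash_file(p)
            except OSError:
                baseline[rel] = "<unreadable>"
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or whose contents changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(f for f in old & new if baseline[f] != current[f]),
    }


def save_baseline(baseline: dict, out_file) -> None:
    """Write the baseline as JSON (store this copy off the scanned system)."""
    with open(out_file, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_file) -> dict:
    with open(in_file, encoding="utf-8") as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: baseline a toy 'system32', then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"original kernel32")
        (sys32 / "ntdll.dll").write_bytes(b"original ntdll")
        (sys32 / "drivers" / "disk.sys").write_bytes(b"original disk.sys")

        baseline_file = Path(tmp) / "baseline.json"  # outside the scanned tree
        save_baseline(build_baseline(sys32), baseline_file)

        # Simulated tampering: one file replaced with content of the SAME
        # length (a plain dir listing would not notice), one file added, and
        # one file removed.
        (sys32 / "kernel32.dll").write_bytes(b"hooked!! kernel32")
        (sys32 / "drivers" / "rkdrv.sys").write_bytes(b"new driver")
        (sys32 / "ntdll.dll").unlink()

        return compare(load_baseline(baseline_file), build_baseline(sys32))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```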

Dumphrey

I use it on every infected machine I run across, and their support forums are almost as good as the Spybot guys'. A required piece of kit for sure. And the user database of programs can provide a quick auto scan of your log file. Short of automatic removal, it's perfect. Also, it will run just fine no matter what you name the .exe, which you have to do from time to time to get around some malware.

Neon Samurai

I'm a little surprised I left it off my list. Usually Search&Destroy and Hijack This go side by side when I see tool lists. I guess it's been a while since I've been booted over to the win32 side; issues with RAM and stability put a bunch of projects on hold along with gaming on the win32 side. I don't think I've even had my win32 VM booted up recently other than a quick check last Patch Tuesday. The only other machine I've had to hunt on recently is the folks' old win2k but I don't get time in front of it too often these days; I know where I'm taking the latest Hijack This for a test drive though. ;) Thanks for the reminder, I have to go over my win32 tools and update all the versions.

Neon Samurai

Adaware, CCleaner, Search & Destroy, Bazooka.. they all focus on different bits of mess to clean up. I'm not surprised that the rootkit specific tools do the same, though I hadn't consciously put that into words before you mentioned it; it was just a given feeling until then. That reminds me, I have to check for an updated version of Bazooka.. when I originally stumbled across it, there were advantages. It scans very quickly and comprehensively but only scans, providing links to directions on manually removing what it finds. I used to use it after the other cleaners to confirm the others had found everything it was aware of. IceSword is pretty heavy software to deal with. It's more of a low level system tool to use in combination with manual removal rather than a higher level utility that handles the detailed work for you. It seems to be an important tool to keep handy unless another tool has overtaken it in terms of detection. I've been lucky enough to not require that level of malware hunting yet and sadly, time limitations prevent me from doing so for personal recreation.

Michael Kassner

J and Neon, after my research, I've come to the conclusion that different rootkit cleanup applications focus on different types of rootkits. User-mode is the only type of rootkit that I'd consider an exception. I look for the application to shut down as much of the Windows process as possible. That way the rootkit has less opportunity to hide or morph. As for IceSword, it got its moment of fame by being able to detect HackerDefender; it initially was the only one that could. IceSword is not for the faint of heart either; as far as I know it only detects the rootkit. You need to use other means to remove the rootkit.

Neon Samurai

it wasn't me. I've been lucky enough to not require rootkitotomy level surgery with the more recent varieties available. IceSword is the program I tend to see referenced in the various security related textbooks that consume a large part of my home library, though I saw your comment earlier about not trusting it fully.

JCitizen

for putting up with the less experienced among us. I value your and everyone else's input here at TR. I haven't compiled anything yet, but after putting together this new BART PE package I got the other day, I will be on the road at least.

Jaqui

rkhunter = rootkit hunter. chrootkit = check rootkit. Both are tools for keeping the system clean of rootkits. And, as security software, keeping them current is a good thing. The issue Neon and I were talking about is the best way to keep them current. For an IT Pro, build from source code. About a minute to compile per system, and it can be scripted to save typing the build options repeatedly. For an end user, the distribution package manager, as long as the distro keeps them fairly well up to date. That last can be a failing; the packages are kept up to date by volunteers, so it may not be as current as it should be.

JCitizen

convincing myself that I know what you and Jaqui are talking about. Maybe it's the Resveratrol I've been taking; or that Holiday Inn Express I stayed at last night! =)

Neon Samurai

the verb rather than the alias of course.. The company choice will filter down to the home user. For home desktops, Mandriva is still doing what I want while Debian does my servers now. If Debian dropped the "all KDE is a dependency for any KDE and all GNOME is a dependency for any Gnome" it would be my desktop also, or at least in serious testing to figure out what it doesn't do easily that I want. (VMware has no .deb.. only tarball and .rpm.. boo!.. Debian has a fix for that though) For the tech people who are doing company protection, get the rkhunter and chkrootkit tarball so you have the latest release verified against the MD5's when you download. For the home user who needs almost up to date, pick a distro that updates its security related packages promptly. In that area, I actually need to do a little research to see how long a new version of rkhunter remains outside the repositories. Another option is to get the latest tarball and make it into a .rpm or .deb for your clients. The tar.gz to deb process seems pretty simple; the rpm process can't be much more complicated. The down side is you don't get the tested-for-compatibility stuff you get with an official repository. Sorry, I was focusing more on the application for admin rather than the distribution for user in my previous response.

Jaqui

you mean you can't memorise a simple 255 character pass phrase? ~blink~ ;)

Jaqui

we are the ones who have to pick a "distro" for use; the non IT pros will tend to pick the same distro if they want the same OS at home, so a distro with good updates of basic security packages is something we should look for. We ARE picking for non IT pros when we make our choice.

Jaqui

I can get the full spec for what a Unix or Unix-like operating system has to meet easily. MS doesn't have any such spec, nor do they even try to meet any such spec. [ several ISO specs apply to OS and Application Security they should meet and don't ] the Unix and Unix-like spec: http://www.unix.org/ :D freely available to all.

Neon Samurai

On a Windows machine without an AD controller behind it, it's just easier to set your user account to admin status. Every time I've tried to build a standalone maintaining admin and user level tasks separately, something just doesn't work. I'm guilty on the other platforms too. I've always got one of my local terminals su'd to root. Remote machines I work with through SSH, which I purposefully deny root login on, but once I'm into the user layer, I go to su root there also. I've consciously chosen SUE risk over sudo or external breach risks; if they get my user account, they still gotta get root after that. I'm far too used to working in root and being aware of what I'm doing though. For other users on my system, I'd make use of sudo aliased with just the basic admin commands required. My root password is only memorable with a password manager too.

Neon Samurai

It's intimate enough that I can feel a frightfully subtle change in performance, and it's probably over-cared for in general. Like most, it's easier to just do a urpmi rkhunter and carry on. With the package distros though, you're limited to when the maintainers get to providing the update. It may be a very short window but it's still longer than pulling the source from the original developer site. Check your MD5s and use an already trusted machine to download it initially when adding it to a fresh install. Granted, we're talking about the security types who should have no issue with a simple "make && make install".. I don't personally like to dirty my distro with non-distro packages but it's one of the programs I'd consider. It's also recommended to have it installed on read-only media in the same way one would cook tripwire's database to a mounted CD rather than writable storage.

Michael Kassner

Windows doesn't have a lock on rootkits. I'm also guilty of logging on as admin more often than not, just for the convenience. If I understand correctly, MS is going to have a super user log on eventually (other than the power user).

Jaqui

that we aren't dismissing the issue, as a lot of people do. The Unix and Unix-like operating systems may have a better security model, but the privilege escalation exploits are where they are most vulnerable, since that is the model used for admin tasks. The SUDO [ user password ] model is the most vulnerable, as most users will not have a strong password, and will use the same password for every login they can.

Jaqui

If working with a binary distro, I would use the binaries supplied, then get the sources. Every action taken without having the tools installed and run is an action with the potential of a breach. Using a from-source distro, you have the latest sources already if you were planning on installing the tools. Most people don't want to source build apps, so the package manager is how / where they would do the install / updates. The better distros do not ignore updates to chrootkit and rkhunter in their regular system.

Michael Kassner

I appreciate this; as I mentioned, I'm a Linux weenie.

Neon Samurai

I've made a habit of chkrootkit and rkhunter. If one wants to be completely up to date, it's also best to get them directly from the project sites as tar.gz so you're dealing with the latest signatures. Once a week if needed or not, chkrootkit && rkhunter, then update your tripwire settings for any new and validated changes from the previous week.