What is a Rootkit?
A rootkit is malware used by hackers to gain access to, and control over, a target computer. Typically, they impact operating systems; however, in rare instances, a rootkit can infiltrate a manufacturing plant, becoming embedded in brand-new computers during their production.
In Unix, Linux, and other Unix-like operating systems such as macOS, the “root” is the superuser with administrative privileges. The “kit” part refers to the collection of software tools the threat actor uses to obtain root privileges, create a backdoor, and hide it from the operating system.
Although the first rootkits were created to attack Unix computers in the 1990s, today they are used to compromise systems running any of the common operating systems, including Windows, macOS, Linux, and Chrome OS.
How are Rootkits Installed?
USB drops are also a common method of attack. USB memory sticks laced with malicious software are left in different locations where they will be found at lunchtime by the staff of the target company.
After lunch, of course, they plug the USB key into their computer to see if they can identify the owner. And that’s all it takes – infection initiated.
A typical rootkit infection process will start with a dropper. This is a small program that installs the loader. The loader might be contained within the dropper, but more often now, it is downloaded by the dropper. The loader then takes over and downloads the rootkit, which will be a selection of sophisticated, malicious programs.
Of course, a human can install a rootkit locally if they – or an accomplice – have physical access to the network. They can install a rootkit remotely if they have managed to compromise the network from the outside.
Much rarer, and yet they have been seen in the wild, are instances where the threat actors manage to compromise the “golden image” used to manufacture computers. This means the brand-new computer has the dropper installed, fresh from the factory.
Why are Rootkits so Effective?
Great efforts are taken by the threat actors to ensure rootkits can avoid detection by anti-malware and anti-virus endpoint protection suites. Also, rootkits are notoriously difficult to remove, with some rootkits able to persist inside the infected computer even after formatting – or physically replacing – the hard drive.
Because rootkits integrate with the operating system in such a way that they seem to be legitimate components of the operating system, and with unlimited administrative privileges, nothing stands in their way. They can do what they like on the compromised machine.
The more times you hack into a network, the more chance there is you will be detected. But that’s not the case if you have a private, undetectable backdoor. And that’s what a rootkit provides. A secret way in, with unlimited superuser powers.
Rootkits may either remove anti-virus software, appear “invisible” to anti-virus software, or prevent anti-virus software from inoculating the infected files. They are a very sophisticated attack. Once in place, a rootkit can be used to:
- Install malicious software
- Read, copy, exfiltrate, or delete files
- Change system configurations
- Access and modify log files
- Log and monitor keystrokes
- Steal passwords
- Monitor user behavior
- Monitor network traffic
- Install a backdoor that gives the threat actor covert access when they next want to connect
5 Types of Rootkits
Various types of rootkits function at different levels within a computer system. The user space is where everyday applications operate under the supervision and restrictions set by the operating system. In this space, these applications are unable to access the computer’s memory used by other programs or directly engage with system-level functions. Instead, they need to request the kernel to perform those functions on their behalf.
Kernel space is where the kernel – the heart of the operating system – runs. Only a few other, specially permitted, processes run in kernel space, such as kernel drivers.
1. User-Mode Rootkits
A user-mode rootkit uses vulnerabilities in system APIs on the targeted computer to install itself and to infect or modify system components, such as DLL files in Windows and DYLIB files in macOS. This means they can run in the memory space intended for the infected file, or they can overwrite that memory altogether and run in that poached RAM.
User-mode rootkits monitor the files and programs they have infected. If any process tries to patch, update, or inoculate those files, they are blocked from doing so, ensuring the rootkit persists on the compromised machine.
2. Kernel-Mode Rootkits
A kernel-mode rootkit achieves the highest level of access on the compromised computer by replacing or modifying parts of the operating system itself. Kernel-mode rootkits can infect just about any computer operating system, including Windows, macOS, Linux, and Unix.
Technical knowledge and programming experience of the highest order are required to write a kernel-mode rootkit. Unfortunately, rootkit “toolkits” are sold on the Dark Web to allow standard-grade programmers to produce their own rootkits.
Kernel-mode rootkits are notoriously difficult to detect and even harder to eradicate. Once installed, the malware will modify kernel data structures to cloak itself using techniques such as “direct kernel object manipulation” (DKOM).
For example, in Windows, the list of running tasks is a kernel object. It is held in kernel space but can be referenced by the user-space Task Manager program. The rootkit will modify the data within the list in kernel space.
When the Task Manager requests the list from the kernel, it receives a doctored copy in which the rootkit is not listed. It’s invisible.
3. The Bootkit Rootkit
A bootkit is a variant of the kernel-mode rootkit intended to compromise even fully encrypted systems. The bootkit will modify or, more often, fully replace the boot loader of the computer. It performs the functions of the boot loader but persists in kernel space once the operating system kernel has been loaded. This allows it to capture end users’ login credentials and decryption keys.
Some rootkits override the need for drivers to be certified and signed by modifying the master boot record on the computer. This allows malicious drivers to hook into the kernel. Of course, the bootkit provides its own malicious kernel drivers. These multi-stage, multi-technique attacks are also called blended attacks.
4. Hypervisor-Level Rootkit
A proof of concept of a hypervisor rootkit was created in a joint effort by the University of Michigan and Microsoft. The hypervisor rootkit effectively virtualizes the operating system of the compromised machine and acts as the hypervisor, the software that allows virtualization to happen.
This means all of the system calls between the compromised operating system and the hardware must pass through the hypervisor rootkit. Because the compromised operating system is untouched, there is nothing for anti-virus software to detect. As far as that system is concerned, everything is running normally.
Whilst a hypervisor-level rootkit has been achieved in a lab by world-class experts, it has not yet been seen in the wild.
5. Hardware-Level Rootkit
A hardware-level rootkit uses memory in locations such as the Basic Input/Output System (BIOS), the Unified Extensible Firmware Interface (UEFI), network cards, and graphics cards to plant copies of the dropper or sometimes the entire rootkit.
This makes detection unlikely and inoculation extremely difficult.
How Do You Know If You Have a Rootkit?
Your computer might be running slower than usual, or you might be experiencing lock-ups and crashes. Rootkits are software, and software has bugs. The more complex the code, the more bugs you’re likely to have. Because of the delicate, low-level activities that rootkits try to perform, if they have bugs, they can make your system unstable.
Rootkits are hard to detect because they can confuse and sidestep most major antivirus programs. And, if your operating system has been compromised, you cannot trust its responses to inquiries about unauthorized file modifications or changes to the kernel. Rootkits cover their tracks so well that the system’s own reporting mechanisms often, inadvertently, lie on their behalf.
Because of these difficulties, other techniques must be used. These can include:
- Booting the machine from a “Live CD” into a different operating system and using a specialist rootkit detection package to scan the suspect machine
- Difference scanning, where RAM-based images of files and their disk-based counterparts are compared either to each other or to reference copies of the files held elsewhere
- Integrity checking of the DLLs, drivers, and other key files
- Analysis of the data returned from API calls to see whether they respond according to the specification
- Behavioral analysis, which can involve network packet sniffing, CPU monitoring, and inspecting sequences of API calls
- Searching memory dumps and kernel dumps for evidence of rootkits
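Two of the techniques above (integrity checking of key files and comparing two views of the same data, which also answers the doctored Task Manager list described under kernel-mode rootkits) as an added Python example, not code from the original article: it records SHA-256 hashes of files on a known-clean system, later reports modified, missing or unexpected files, and flags process IDs that a low-level enumeration returns but the high-level API view does not. The directory tree, file names and PIDs are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> sha256 for every file under root (record this on a known-clean system)."""
    baseline = {}
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return baseline

def integrity_check(baseline, root):
    """Compare the files now under root with the baseline; each finding merits an analyst's attention."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
        "unexpected": sorted(set(current) - set(baseline)),
    }

def cross_view_hidden(api_view, low_level_view):
    """Cross-view detection: PIDs seen by a low-level enumeration but not by the API view."""
    return sorted(set(low_level_view) - set(api_view))

def write_file(root, rel, data):
    """Create or overwrite a file below root (helper for the constructed scenario only)."""
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tiny fake system tree, then tamper with it and re-check."""
    root = tempfile.mkdtemp()
    write_file(root, "drivers/net.sys", b"clean driver")
    write_file(root, "lib/crypt.dll", b"clean dll")
    baseline = build_baseline(root)
    # Simulated tampering: one library patched in place, one unknown driver dropped in
    write_file(root, "lib/crypt.dll", b"patched dll")
    write_file(root, "drivers/evil.sys", b"new driver")
    return integrity_check(baseline, root)
```

As the article notes, the suspect system cannot be trusted to report on itself, so the current hashes and the low-level process view should be gathered from a Live CD boot or a memory dump rather than through the possibly compromised kernel.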
In practice, a blend of several techniques is usually required, and it is often best to seek specialist assistance. Some of the newest, market-leading, end-point protection suites profess to be able to detect some rootkits, at least.
How Do You Remove a Rootkit?
Rootkit removal may well be beyond the average computer user or even the power user. Although there are rootkit-killer applications on the market, rootkits are often written to be aware of and to defeat these very applications. There’s no doubt rootkit killers work on some rootkits, however.
The Microsoft Malicious Software Removal Tool is capable of locating and removing some rootkits, but because it is one of the most famous tools, rootkits are often aware of it and written to evade it.
Most security experts I speak to agree the fastest, most cost-effective, and conclusive way to eradicate a rootkit is to boot the computer from a “Live CD,” format the hard drive, and re-install the operating system. Use the original, official installation media to re-install from. Then restore your backed-up data.