What is a Rootkit?

Rootkits can be called the most technically sophisticated form of malicious code (malware) and one of the most difficult to discover and eliminate. Of all types of malware, viruses and worms probably get the most publicity because they are generally widespread. Many people are known to have been affected by a virus or a worm, but this definitely does not mean that viruses and worms are the most destructive variety of malware. There are more dangerous types of malware, because as a rule they operate in stealth mode, are difficult to detect and remove, and can go unnoticed for very long periods of time, silently gaining access, stealing data, and modifying the files on the victim’s machine.


An example of such a stealthy enemy is the rootkit — a collection of tools that can replace or change executable programs, or even the kernel of the operating system itself, in order to gain administrator-level access to the system, which can then be used for installing spyware, keyloggers and other malicious tools. Essentially, a rootkit allows an attacker to gain complete control over the victim’s machine (and possibly over the whole network the machine belongs to). One of the known uses of a rootkit that caused significant loss/damage was the theft of the source code of Valve’s Half-Life 2: Source game engine.


Rootkits are not something new — they have been around for years, and are known to have affected various operating systems (Windows, UNIX, Linux, Solaris, etc.). If it were not for one or two mass occurrences of rootkit incidents (see the Famous Examples section), which drew public attention to them, they might again have escaped awareness, except by a small circle of security professionals. As of today, rootkits have not unleashed their full destructive potential, since they are not as widespread as other forms of malware. However, this is of little comfort.


Rootkit Mechanisms Exposed

Similar to Trojan horses, viruses and worms, rootkits install themselves by exploiting flaws in network security and the operating system, often with no user interaction. Although there are rootkits that can arrive as an e-mail attachment or bundled with a legitimate software program, these are harmless until the user opens the attachment or installs the program. But unlike less sophisticated forms of malware, rootkits infiltrate very deep into the operating system and make special efforts to disguise their presence — for instance, by modifying system files.

Basically, there are two types of rootkits: kernel level rootkits and application level rootkits. Kernel level rootkits add code to, or modify, the kernel of the operating system. This is achieved by installing a device driver or a loadable module that alters system calls to hide the presence of an attacker. Thus, if you look in your log files, you will see no suspicious activity on the system. Application level rootkits are less sophisticated and generally easier to detect, because they modify the executables of applications rather than the operating system itself. Since Windows 2000 reports every change of an executable file to the user, it is more difficult for the attacker to go unnoticed.


Why Rootkits Pose a Risk

Rootkits can act as a backdoor and are usually not alone in their mission — they are often accompanied by spyware, Trojan horses or viruses. The aims of a rootkit can vary from the simple malicious joy of penetrating somebody else’s computer (and hiding the traces of foreign presence), to building a whole system for illegally obtaining confidential data (credit card numbers, or source code as in the case of Half-Life 2).

Generally, application level rootkits are less dangerous and easier to detect. But if the program you are using to keep track of your finances gets “patched” by a rootkit, then the monetary loss could be significant — for example, an attacker can use your credit card data to purchase a couple of items, and if you don’t notice the suspicious activity on your credit card balance in due time, it is most likely that you will never see the money again.


Compared to kernel level rootkits, application level rootkits look sweet and harmless. Why? Because in theory, a kernel level rootkit opens all doors to a system. Once the doors are open, other forms of malware can slip into the system. Having a kernel level rootkit infection and not being able to detect and remove it easily (or at all, as we will see next) means that somebody else can have total control over your computer and can use it in any way he or she pleases — for instance, to initiate an attack on other machines, giving the impression that the attack originates from your computer and not from somewhere else.


Detection and Removal of Rootkits

Not that other types of malware are easy to detect and remove, but kernel level rootkits are a particular disaster. In a sense, it is a Catch-22 — if you have a rootkit, then the system files needed by the anti-rootkit software are likely to be modified, and therefore the results of the check cannot be trusted. What’s more, if a rootkit is running, it can successfully modify the list of files or the list of running processes that anti-virus programs rely on, thus providing fake data. Also, a running rootkit can simply unload anti-virus program processes from memory, causing the application to shut down or terminate unexpectedly. However, by doing this it indirectly reveals its presence, so one should get suspicious when something goes wrong, especially with software that maintains system security.

A recommended way to detect the presence of a rootkit is to boot from an alternative medium that is known to be clean (e.g. a backup or rescue CD-ROM) and check the suspect system from there. The advantage of this method is that the rootkit will not be running (and therefore will not be able to hide itself) and the system files will not be actively tampered with.


There are ways to detect and (attempt to) remove rootkits. One way is to keep clean MD5 fingerprints of the original system files and compare them against the fingerprints of the current system files. This method is not very reliable, but it is better than nothing. Using a kernel debugger is more reliable, but it requires in-depth knowledge of the operating system. Even the majority of system administrators will rarely resort to it, especially when there are good free programs for rootkit detection, like Mark Russinovich’s RootkitRevealer. If you go to his site, you will find detailed instructions on how to use the program.
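The fingerprint comparison described above, combined with the offline check from clean media recommended earlier, as an added example (not code from the original article or from any tool it names). It assumes the suspect volume is mounted read-only from a rescue medium and that the baseline was taken from the clean install; the file tree and file contents are constructed for the demo. SHA-256 is used instead of the MD5 the article mentions, since MD5 is collision-prone.

```python
import hashlib
import os
import tempfile

def fingerprint_tree(root, algo="sha256"):
    """Hash every regular file under root (relative path -> hex digest).

    Run this from clean media against the mounted suspect volume, never
    from inside the possibly rooted OS, so nothing can filter the listing."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are not fingerprinted
            h = hashlib.new(algo)
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_baseline(baseline, current):
    """Classify drift: files whose digest changed, files gone, files that appeared."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added

def demo():
    """Constructed scenario (hypothetical file names and contents): a tiny fake
    system tree, a baseline taken while clean, then a silently replaced
    executable and a dropped driver, the kind of change a rootkit makes."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        for name, data in (("ntoskrnl.exe", b"kernel image"), ("kernel32.dll", b"dll")):
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(data)
        baseline = fingerprint_tree(root)          # taken from the clean install
        with open(os.path.join(sysdir, "kernel32.dll"), "wb") as f:
            f.write(b"dll + hook")                 # executable replaced in place
        with open(os.path.join(sysdir, "hide.sys"), "wb") as f:
            f.write(b"driver")                     # new driver file dropped
        return compare_baseline(baseline, fingerprint_tree(root))

if __name__ == "__main__":
    mod, gone, new = demo()
    print("modified:", mod, "missing:", gone, "added:", new)
```

A baseline file list must itself be stored off the suspect machine (or signed), otherwise a rootkit that patched the system files could just as easily patch the baseline.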


If you detect a rootkit on your computer, the next step is to get rid of it (easier said than done). With some rootkits, removal is not an option, unless you want to remove the whole operating system as well! The most obvious solution — deleting the infected files (provided you know exactly which ones are cloaked) — is absolutely inapplicable where vital system files are concerned. If you delete these files, chances are that you will never be able to boot Windows again. You can try a couple of rootkit removal applications, like UnHackMe or F-Secure BlackLight Beta, but do not count on them too much to be able to remove the pest safely.


It might sound like shock therapy, but the only proven way to remove a rootkit is by formatting the hard drive and reinstalling the operating system (from clean installation media, of course!). If you have a clue where you got the rootkit from (was it bundled with another program, or did somebody send it to you via e-mail?), don’t even think of running or installing the source of infection again!


Famous Examples of Rootkits

Rootkits have been in stealthy use for years, but it was only last year that they made their appearance in news headlines. The case of Sony-BMG, whose Digital Rights Management (DRM) technology protected CDs against unauthorized copying by installing a rootkit on the user’s machine, provoked sharp criticism. There were lawsuits and a criminal investigation. Sony-BMG had to withdraw their CDs from stores and replace the purchased copies with clean ones, according to the case settlement. Sony-BMG was accused of secretly cloaking system files in an attempt to hide the presence of the copy-protection program, which also used to send private data to Sony’s site. If the program was uninstalled by the user, the CD drive became inoperable. In fact, this copyright protection program violated all privacy rights, employed illegal techniques that are typical for this kind of malware, and above all, left the victim’s computer vulnerable to various strains of attack. It was typical for a big corporation such as Sony-BMG to go the arrogant way first, by stating that most people didn’t know what a rootkit was, so why would they care that they had one. Well, if there had been no guys like Mark Russinovich, who was the first to ring the bell about Sony’s rootkit, the trick could have worked and millions of computers would have been infected — quite a global offense in the alleged defense of a company’s intellectual property!

Similar to the case with Sony, but without any need to be connected to the Internet, is the case of Norton SystemWorks. It is true that the two cases cannot be compared from an ethical or technical point of view: while Norton’s rootkit (or rootkit-like technology) modifies Windows system files to accommodate the Norton Protected Recycle Bin, Norton can hardly be accused of malicious intentions to restrict users’ rights or to benefit from the rootkit, as is the case with Sony. The purpose of the cloaking was to hide from everybody (users, administrators, etc.) and everything (other programs, Windows itself) a backup directory of files users have deleted, which can later be restored from this backup directory. The function of the Protected Recycle Bin was to add one more safety net against quick fingers that first delete and then think about whether they have deleted the right file(s), providing an additional way to restore files that have been deleted from the Recycle Bin (or that have bypassed the Recycle Bin).


These two examples are hardly the most severe cases of rootkit activity, but they are worth mentioning because, by attracting attention to these particular cases, public interest was drawn to rootkits as a whole. Hopefully, more people now not only know what a rootkit is, but care whether they have one, and are able to detect and remove them!
