Rootkits: Malware's best friend - Windows' worst enemy
Introduction
Over the past couple of years, there's been a lot of talk about rootkits. Rootkits are a particularly
dangerous form of malware because they can hide their presence on the host Operating System (OS) and,
using stealth technologies, enable malicious activity by spyware and other more obvious forms of
malware while remaining undetected. Once a rootkit has gained access to a PC, it is very hard to track
it down and get rid of it.
Background
The term "rootkit" (a kit for obtaining "root", or administrator, access to the target system) originated
in the UNIX world, where "root" system access implies the highest level of system control privileges, available
only to administrators. UNIX rootkits enabled hackers to escalate their level of access to the "root" account and
essentially do whatever they wanted on the system, controlling that machine and threatening any other systems
that may be connected to it.
In recent years, rootkits have invaded the Windows world, where they are recognized (and feared) for their ability
to hide portions of the file system, registry entries and other internal objects from discovery by the operating
system. Working in the background, rootkits can continue to act with impunity until the system is completely
reformatted, or until equally crafty technology is brought to bear against them.
The second part of the word, "kit", tells us that collections of program samples exist that anyone can obtain
either for free or for a fee and adapt for use alongside their own malware to cloak that program's activities.
Sometimes rootkits are distributed in an open-source format, meaning that even mediocre programmers can easily
modify the existing rootkit code; for example, to avoid detection by anti-virus software that is looking for
virus signatures, since the rootkit would hide the virus's signature.
What can a rootkit do?
By itself, a rootkit is quite innocuous. If it's not programmed to perform malicious activity, it can provide
additional functionality for any type of software. Legitimate uses of rootkit technology might include, for example,
an anti-virus vendor shielding anti-virus binaries from potential virus attacks by not revealing them to the OS.
This may well have been the original concept behind Symantec's idea to use rootkit-like features in its SystemWorks
suite. However, the company was forced to quickly issue a patch to remove the rootkit because of concerns that a
malicious program might exploit this technique to hide itself. Sony's recent Digital Rights Management (DRM) software
suffered the same problem; in that case, hackers did find ways to install a Trojan and make
it undetectable using the DRM software as cover.
The reason rootkits are so dangerous, of course, is that malicious programs can use them to hide any file, process,
folder or registry key from detection by an anti-malware program. This makes it almost impossible for a security
scanner to repair the damage once a system has been infected. Sophisticated rootkits even install invisible services
and drivers that can transmit personal data to hackers or hijack the computer for botnet attacks, phishing and spam
distribution purposes.
Types of rootkits
Rootkits are known to exist in four types, arranged here in order of sophistication:
Virtualized
Virtualized rootkits are almost impossible to detect because they have very low-level access to the OS kernel.
Rootkits of this type modify how the machine boots the operating system. As a result, they can
create a virtual environment, causing the computer to regard the rootkit as the host operating system that is running
the original OS as a guest. The host system (the virtualized rootkit in this case) therefore has almost total
control over the computer. It can make any changes it wants to the way running processes or directory listings are
enumerated on the guest OS by intercepting any hardware calls made inside the guest. The SubVirt experimental
rootkit recently produced with the support of Microsoft is an example of this type of rootkit.
Kernel level
Kernel level rootkits modify the kernel of the OS so that the entire system comes under the control of the rootkit.
This is not an easy task, but once accomplished, the rootkit can perform any type of activity on the PC without
being detected. This not only compromises the security of the machine but also will have a drastic impact on system
stability and future viability.
Library level
Library rootkits commonly patch, hook or replace system calls with versions that hide information about the attacker.
These instances may modify how a legitimate program behaves by making it perform additional functions that it is not
authorized to do, such as opening up a new connection and transmitting confidential data using the access permissions
of the legitimate program.
Application level
Application level rootkits replace binary files from legitimate applications with malicious files; they can also
hijack legitimate programs and perform malicious acts on their behalf. This type of rootkit patches a legitimate
program so that it can perform additional, mostly illegitimate operations.
Detection and removal
Rootkits must be combated proactively, before they can actually infiltrate the system; otherwise removing them is
much harder. As always, common precautionary measures to prevent rootkit infection include the use of fully updated
anti-virus and anti-spyware software, the application of the latest patches, and a properly configured software
firewall. All users should also make sure they have some basic familiarity with Windows security.
There are a couple of dedicated programs that can detect whether a rootkit is present on a system:
RootkitRevealer and IceSword. Another promising product that aims to pre-empt a rootkit from getting onto the
targeted machine is SocketShield, which complements firewalls by monitoring traffic streams for exploit drive-by
downloads that usually come in the form of a rootkit.
These programs use different techniques to locate rootkits, but both have proven effective in dealing with recent
instances of rootkit samples. However, there are always newer and more clever examples of malware coming over the
horizon, so everything remains a cat-and-mouse game, and what catches today's threats may not catch tomorrow's.
If you are confident to do so, or have a friend or colleague who will do this for you, it is helpful to boot from a
different operating system (through a USB drive, CD-ROM or external hard drive) every so often and run a virus scan
in conjunction with a scan by one of the above-mentioned programs to make sure your computer stays rootkit-free.
Conclusion
Rootkits can cause serious damage to a system and, if allowed to take hold, can force you to completely reformat your
computer. However, sensible security precautions, properly patched operating systems and applications, and up-to-date
security software will go a long way towards preventing rootkits from gaining access to your system.
Source: This article originally appeared in Agnitum - Security Insight.
Copyright © 2006, Agnitum