Rootkits

Short bio

The term “rootkit” comes from “root kit,” a package that gives the highest privileges in the system. It is used to describe software that allows unauthorized functionality to remain stealthily present in the system. Rootkits modify and intercept standard components of the environment (the OS, or even deeper in the case of bootkits).

Rootkits are used when attackers need to backdoor a system and preserve unnoticed access for as long as possible. In addition, they may record system activity and alter its normal behavior in any way the attacker desires.

Depending on the layer of activity, rootkits can be divided into the following types:

Usermode (Ring 3): the most common and the easiest to implement. It uses relatively simple techniques, such as IAT and inline hooks, to alter the behavior of called functions.

Kernelmode (Ring 0): the “real” rootkits start at this layer. They live in kernel space, altering the behavior of kernel-mode functions. A specific variant of kernelmode rootkit that attacks the bootloader is called a bootkit.

Hypervisor (Ring -1): running at the lowest level, the hypervisor, which is essentially firmware. The kernel of a system infected by this type of rootkit is not aware that it is interacting not with real hardware but with an environment altered by the rootkit.

As a rule, a rootkit running in a lower layer cannot be detected by anti-rootkit software running in any of the layers above it.
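A check of the kind anti-rootkit tools apply against the usermode hooks mentioned above, as an added example that is not part of the original article: it flags IAT slots that no longer resolve into the module the import was declared against, and function prologues that have been overwritten with a jump leaving the owning module. Consistent with the rule above, such a check only sees Ring 3 hooks; every module range, address, function name and byte string below is constructed sample data.

```python
import struct
# Constructed module map: name -> (base, size); a real scanner reads it from the live process.
MODULES = {
    "kernel32.dll": (0x7FF800000000, 0x100000),
    "ntdll.dll":    (0x7FF810000000, 0x200000),
    "unknown.dll":  (0x7FF820000000, 0x010000),  # nothing legitimately imports from here
}

def module_for(addr):
    """Name of the module whose range contains addr, or None if unmapped."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def find_iat_hooks(iat):
    """iat: {(expected_module, function): pointer stored in the IAT slot}. An IAT hook
    overwrites the slot, so the pointer stops resolving into the expected module."""
    findings = []
    for (expected, func), addr in iat.items():
        actual = module_for(addr)
        if actual != expected:
            findings.append((func, expected, actual or "unmapped"))
    return findings

def inline_hook_target(func_addr, prologue):
    """Decode a function's first instruction; return the address it transfers
    control to if it is an unconditional redirect, else None."""
    if prologue[:1] == b"\xE9" and len(prologue) >= 5:        # jmp rel32
        return func_addr + 5 + struct.unpack_from("<i", prologue, 1)[0]
    if prologue[:1] == b"\x68" and prologue[5:6] == b"\xC3":  # push imm32; ret (32-bit)
        return struct.unpack_from("<I", prologue, 1)[0]
    return None

def is_inline_hooked(owner, func_addr, prologue):
    """A redirect that leaves the owning module is the classic inline-hook sign;
    a jump that stays inside the module may be legitimate hot-patching."""
    target = inline_hook_target(func_addr, prologue)
    return target is not None and module_for(target) != owner

# Constructed sample: a clean import, a slot pointing into a foreign module,
# a slot pointing at unmapped memory, and a patched ntdll function prologue.
SAMPLE_IAT = {
    ("kernel32.dll", "CreateFileW"): 0x7FF800012340,
    ("kernel32.dll", "ReadFile"): 0x7FF820001000,
    ("ntdll.dll", "NtQueryDirectoryFile"): 0x10000,
}
NTQSI = 0x7FF810004560                                # assumed address of NtQuerySystemInformation
CLEAN_PROLOGUE = b"\x4C\x8B\xD1\xB8\x36\x00\x00\x00"  # mov r10,rcx; mov eax,imm32 (syscall stub)
PATCHED_PROLOGUE = b"\xE9" + struct.pack("<i", 0x7FF820001200 - (NTQSI + 5))
```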

History

The concept of modifying system functionality, from which modern rootkits grew, appeared in 1980. Viruses of that time not only patched programs but also modified system interrupt tables and memory to remain undetected by antivirus software.

When the memory model used by Windows changed, userland programs became isolated from core system functionality. This set virus authors back for some time; they could no longer alter system behavior. But slowly, workarounds began to emerge.

In 1999, NTRootkit appeared: the first malicious rootkit dedicated to Windows NT. In 2009 the first rootkit for Mac OS X appeared, and in 2010 the infamous Stuxnet (targeting PLC devices) was discovered.

The first corporation known to create and distribute its own rootkit was Sony Entertainment. In 2005, they launched a hidden campaign to spread the Sony BMG Rootkit. Their motive was to protect their copyrighted publications by interrupting the process of copying them. When CDs published by Sony were played on a PC, a rootkit was installed in the background. From that moment, it watched how the user accessed Sony CDs and broke any attempt to make a copy. The full plot was eventually disclosed and badly damaged the company’s reputation.

In 2006, a Polish researcher named Joanna Rutkowska presented at the Black Hat conference a new type of rootkit, working at the hypervisor level, called Blue Pill.

In 2008, a credential-stealing Trojan called Sinowal (aka Torpig) used the rootkit module Mebroot to hide its malicious activities and circumvent antivirus software.

In 2015, another company, Lenovo, was caught distributing rootkits preinstalled on its machines. Their role was to automatically download dedicated software, without regard for the user’s wishes.

Common infection method

Infection methods vary depending on the type of rootkit. Usermode rootkits are often part of other types of malware and are carried by typical infection vectors, including spam campaigns and exploit kits.

Fortunately, the most dangerous types are also harder to install.

A bootkit can sneak onto the machine while the system is booted from an infected drive.

Sometimes rootkits are also installed manually by third parties performing “evil maid” attacks. In such cases, a trained person (e.g. a member of a professional company like Hacking Team) is sent to install a rootkit on an unattended machine.

However, as history shows, sometimes the infection carrier is a fully legitimate software program. (The optimistic part is that, so far, the activities performed by those rootkits have not been that dangerous.)

Associated families

  • NTRootkit
  • Sony BMG Rootkit
  • GameGuard (rootkit distributed with commercial games)
  • Mebroot (spread along with Sinowal malware)
  • Blue Pill, SubVirt (hypervisor level rootkits, written as a proof-of-concept)

Remediation

Rootkits (especially the low-level types) are very difficult to detect. Casual users may never even notice that they have been infected, and removing the threat manually is almost impossible. This type of malware may even hide from typical antivirus programs. Only specialized anti-rootkit software can help in such cases. However, even it may not give 100% protection against unknown rootkits written by professionals based on custom, novel ideas. That’s why reinstalling the full system is sometimes necessary. (Still, that may not help in the case of UEFI rootkits.)

Whenever a rootkit is suspected, it is better to detach the disk and perform forensic analysis while the system is not running.

Aftermath

Malicious rootkits are the most dangerous type of malware. They may stay in the system for a long time, carrying out their mission without being noticed. During this time, the user is exposed to any malicious activity the attackers have planned. Usually their actions involve hiding espionage modules or altering system behavior in ways the user does not want.

However, it is worth noting that rootkit technologies are not applied only by cybercriminals and spies, and their intentions are not always malicious. Some emulation software, such as Daemon Tools and Alcohol 120%, also uses similar techniques.

Avoidance

The first line of defense is reducing the attack surface by using a modern operating system that implements countermeasures against rootkits. For example, 64-bit editions of MS Windows require all kernel-level drivers to be signed, to prevent unauthorized code from sneaking in.

Never use bootable devices from unknown sources. Also, after downloading a bootable CD/DVD image, check its checksums against the published values to be sure that the mirror server was not infected.

It is highly recommended to set a BIOS password to prevent evil maid attacks.

An important part of the defense is anti-rootkit software.

Screenshots