A rootkit is a type of computer malware that is created to hide programs or other computer processes from detection from both users and antivirus software programs. Once installed, a rootkit will typically obtain administrator or higher-level permissions on the infected computer. Although rootkits originated with the UNIX operating system by providing root access to the software components installed with the malware (the kit portion of the name), they have since been developed to provide potentially rogue actors with access to computers running the Windows and Mac OS X operating systems.
How Are Rootkits Installed?
The two primary methods a rootkit can be installed are manually by a malicious actor after gaining root or admin access to the targeted computer or automatically via software. Rootkits typically gain access to a computer by leveraging a known vulnerability in an operating system, web browser, instant messaging client, etc. or by cracking the end-user’s password. After gaining access to the computer, the rootkit will use the administrator access to hide its installation and make modifications to installed antivirus software to prevent it from being detected or removed.
History of Rootkits
The first time a computer virus was documented targeting a personal computer, was the Brain virus in 1986. The virus would redirect attempts to view or read the boot sector to a copy of the original boot sector saved in an alternative location on the hard drive. As time went on, the cloaking methods for the DOS operating system would start using interrupt calls (INT 13H BIOS specifically) to hide their presence and their modification of OS files similar to how a rootkit works today.
The Brain virus was not the original rootkit; however, as the term became associated with malware targeting the UNIX operating system. On UNIX, “admin” access is referred to as “root” access while the malicious payload of the malware is referred to as the “kit.” The first documented case of a rootkit was actually written by Steven Dake and Lane Davis in 1990 on behalf of Sun Microsystems for the SunOS UNIX OS. Later, Ken Thompson who was working for Bell Labs at the time and was one of the original authors of UNIX exploited the Unix C compiler in the public distribution of the OS that is now considered equivalent to a rootkit.
The first documented rootkit for the Windows NT and newer operating systems was found in 1999. It was a Trojan virus called NTRootkit and was created by Greg Hoglund. This was followed-up by the rootkit, HackerDefender in 2003 and a number of subsequently developed rootkits since then. Even Mac OS X is susceptible to rootkit attack starting in 2009! The Stuxnet worm; however, was the first publicly documented rootkit to target logic controllers in 2010.
Not Just Hackers Have Used Rootkits!
It’s not just malicious hackers and teenagers who have been caught using rootkits! At the height of the music industry’s war on digital media piracy in 2005, Sony BMG published music CDs that contained digital rights management software (Extended Copy Protection) created by the First 4 Internet company. Although the software included a free music player, it also contained a rootkit which limited the end-user’s ability to access the CD. The presence of the rootkit was discovered by the author of RootkitRevealer, Mark Russinovich. Once her publicly alerted consumers to the presence of the rootkit, other rogue users started taking advantage of the vulnerability it created on consumer’s computers to conduct additional malware attacks. As a result, Sony BMG had to deal with a significant public relations scandal and recalled the CDs containing the rootkit.
What are the Types of Rootkits?
There are five types of rootkits that exist in the wild at the time of this writing based on the level of computer security the malware uses to obtain privileged access to the computing system. These include user-mode, kernel mode, bootkits, hypervisor level, and those targeting hardware/firmware. Some rootkits can make use of hybrid combinations of these types that include attacking the user and kernel mode on the targeted computer.
User Mode Rootkits
A user-mode rootkit operates in the outer run of computer security on the targeted computer. This variant will use vulnerabilities in various APIs on the targeted computer to install itself to include infecting .DLL files on Windows and .dylib files on Mac OS X. As a result, they are able to execute within the infected computer process or overwrite the memory of the targeted application. User-level rootkits will also monitor any programs that attempt to update or patch the infected computer process and prevent this action to ensure they remain active on the targeted computer.
Kernel Mode Rootkit
A kernel mode rootkit obtains the highest-level of access on the targeted computer by replacing parts of the core operating system and device drivers. The majority of OS’s support kernel-level device drivers which provide a means for the rootkit to infect the system. Kernel-level rootkits can infect just about any computer operating system to include Windows, Mac OS X, Linux, and UNIX. Although harder to author, kernel mode rootkits are extremely difficult to detect and subsequently remove because of the security level they operate. Once installed, the malware can subsequently modify Windows kernel data structures to help cloak itself using the direct kernel object modification exploit. If found and removed, many rootkits will do sufficient damage to an operating system to necessitate a reload of the OS to regain full system functionality.
A variant of the kernel level rootkit is called the bootkit. This version is designed to attack a fully encrypted system. In many cases, the bootkit will fully replace the boot loader of the computer. It will then persist on the computer after the OS kernel has been loaded. One example of this type of rootkit is the Stoned Bootkit which loads a compromised boot loader. This boot loader intercepts the end-user’s passwords and encryption keys to further infect the targeted computer. A newer version of the Bootkit variant is the Alureon rootkit that targets the Windows operating system. Alureon attacks 64 bit Windows OS’s by removing the requirement for driver signing through modification of the master boot record on the computer.
Hypervisor Level Rootkit
Sometimes academics demonstrate proof-of-concept projects in order to “help” operating system and other software authors fix security issues. The hypervisor level rootkit is one of these cases, where researchers have publicly demonstrated the ability of a rootkit to exploit hardware virtualization features. Once installed on the target computer, this type of rootkit will host the operating system as a virtual machine allowing it to intercept all hardware calls made by the originally installed OS. The hypervisor rootkit does not have to modify the kernel of the OS in order to subvert it in this example. One of the academic examples of this type of rootkit is the SubVirt laboratory rootkit that was developed in coordination between the University of Michigan and the Microsoft Corporation in 2009.
A hardware-level rootkit typically leverages device firmware to create a footprint on a hard drive, system BIOS, or network card. Since firmware is not typically analyzed by rootkit detection software, this type of rootkit can be very difficult to detect. One of the first publicly acknowledged instances of a hardware-level rootkit was in late 2008 in Europe. In this case, a group of criminals were able to infect a large number of credit-card reading machines. These machines would transmit customer credit card details when swiped at legitimate businesses to the rogue actors for criminal use. Since then, firmware-level rootkits have been developed which can survive the reinstallation of the operating system.
How Do You Detect Rootkits?
Most rootkits are hard to detect because they are designed to avoid detection by most major antivirus programs. Another issue with determining if your computer has been infected with a rootkit is if the operating system has been subverted, you can’t really trust it to locate unauthorized modifications to the kernel or other device drivers. For many, you can’t even trust viewing the list of running computer processes on the computer for the rootkit can hide itself from being viewed. As a result, some of the common methods to detect rootkit infection include: running a different antivirus program on the computer designed to find rootkits, using an alternative OS, behavior-based rootkit detection methods, difference scanning, signature scanning, and computer memory dump analysis. Kernel-level rootkits pose an even harder challenge to detection, and may require analysis of the OS System Call Table to locate the hooked functions the rootkit is leveraging.
How Do You Remove a Rootkit?
Unlike much of the computer malware in the wild today, manual removal of a rootkit can prove too challenging to accomplish for most computer end-users. There are a number of computer security applications on the market today; however, which can detect and remove some of the rootkits that have been discovered. Even the Microsoft Malicious Software Removal Tool has been updated to locate and remove some classes of rootkits (if the rootkit is not designed to make the tool ineffective!). Many of the tools designed to find and remove rootkits will access the raw file system of the computer directly vice using file system API’s to identify the potential existence of a rootkit. Some computer security experts believe that you should simply backup important information and reinstall the operating system where rootkit infection has occurred!
One of the free rootkit detection tools on the market in beta at the time of this writing is produced by Malwarebytes.
Steps to Remove a Rootkit Using the MalwareBytes Anti-Rootkit Tool
Step 1 – Download the Malwarebytes Anti-rootkit tool to your computer’s desktop.
Step 2 – Unzip the downloaded file to a folder on the computer’s desktop or other convenient location on your computer.
Step 3 – Double click the folder to view the unzipped contents. Then, run the mbar.exe file by double clicking the file.
Step 4 – Accept the default prompts on the subsequently launched application wizard to update the anti-rootkit file definitions. Then, allow the program to scan the computer for potential rootkit threats.
Step 5 – Select the “Cleanup” menu button after the anti-rootkit program finishes running if you are prompted to do so. Make sure you have already backed up important files on your computer since the program is still in beta if the rootkit cleanup removes key operating system or other files on your computer.
Step 6 – Allow the computer to shut down when the cleanup process is completed.
Step 7 – Restart the computer and conduct another scan with the Malwarebytes Anti-Rootkit tool to make sure the initial cleanup doesn’t reveal additional threats on your computer. If it does located more threats, repeat the cleanup process.
Step 8 – If no additional threats are located on your computer, you will want to verify the computer is operating normally. To do so, verify the following: You can access the Internet, Windows Firewall is operational, and Windows Update is functional.
Step 9 – If you notice addition issues with your computer (to include those listed in Step 8), you will want to run the fixdamage tool that is included with the Malwarebytes Anti-Rootkit tool.
Step 10 – Restart your computer and verify that it is working correctly.
Step 11 – If you encounter any issues with the Malwarebytes Anti-Rootkit tool, contact the Malwarebytes support shop to obtain additional assistance with your computer.