What is a Rootkit?

[flowerpot]

A rootkit is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.

 

The word "rootkit" came to public awareness in the 2005 Sony CD copy protection scandal, in which Sony BMG music CDs surreptitiously placed a rootkit on Microsoft Windows PCs when the CD was played on the computer. Sony provided no mention of this in the CD or its packaging, referring only to security rights management measures.

 

The term "rootkit" (also written as "root kit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain "root" on the system without the system administrator even seeing them.

 

Generally now the term is not restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows, regardless of the existence of a "root" account in the operating system.

 

A rootkit is often used to hide utilities. These are often used to abuse a compromised system, include so-called "backdoors" to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems the compromised system communicates with such as sniffers and keyloggers. A common abuse [citation needed] is to use a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks. A major use for rootkits is allowing the programmer of the rootkit to see and access user names and log-in information for sites that require them. The programmer of the rootkit can store unique sets of log-in information from many different computers. This makes the rootkits extremely hazardous, as it allows trojans to access this personal information while the rootkit covers it up.

 

Rootkits are not always used to attack and gain control of a computer. Some software may use rootkits to hide from 3rd party scanners to prevent detection or tampering. Some emulation software and secure software are known to be using rootkits. A recent example where a rootkit was used on commercial CDs for digital rights management purposes is the 2005 Sony CD copy protection controversy.

 

Detecting

 

There are inherent limitations to any program that attempts to detect rootkits while the program is running under the suspect system. Rootkits are suites of programs which modify many of the tools and libraries upon which all programs on the system depend. Some rootkits modify the running kernel (through loadable modules on Linux and many other forms of UNIX, and possibly through VxDs, virtual external drivers, on MS Windows platforms). The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers. Rootkit detectors which run on live systems currently only work because rootkits have not yet been developed which hide themselves fully.

 

The best and most reliable method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from an alternative media (e.g. rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence and most established antivirus programs will identify rootkits armed via standard OS calls (which are supposedly doctored by the rootkit) and lower level queries, which ought to remain reliable. If there is a difference the presence of a rootkit infection can be assumed. Rootkits attempt to protect themselves by monitoring running processes and suspending their activity until the scanning has finished.

 

Security vendors envision a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to hide during the scan process, it will be identified by the stealth detector. If it decides to temporarily unload from the system, the traditional antivirus will find it using fingerprint detection. This combined defense may force attackers to implement counter-attack mechanisms (so called retro routines) in their rootkit code that will forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses the detection and elimination of rootkits will be an ongoing struggle between the creators of the tools on both sides of this conflict.

 

There are several programs available to detect rootkits. On Unix based systems two of the most popular of these are chkrootkit and rkhunter. For the Windows platform there are many free detection tools such as Blacklight. Another Windows detector is RootkitRevealer from Sysinternals. It will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself. However, some rootkits started to add this particular program to a list of files it does not hide from--so in essence, they remove the differences between the two listings, and the detector doesn't report them. However, renaming the rootkitrevealer.exe filename to a random name defeats this. These features are now included in the latest release of Rkdetector and Rootkit Revealer so now there is no need to rename.

 

As always, prevention is better than cure. If the integrity of the system install disks is trusted, cryptography may be used to monitor the integrity of the system. By "fingerprinting" the system files immediately after a fresh system install and again after any subsequent changes made to them (e.g. installing new software), the user or administrator will be alerted to any dangerous changes to the system's files. In the "fingerprinting" process a cryptographic hash function is used to create a fixed-length number which is dependent on every bit of data contained in the file being "fingerprinted". By calculating and comparing hash values (the "fingerprint") of files at regular intervals, changes not made by any intended user of the system can be detected.

 

Removing

 

There is a body of opinion that holds this to be forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch. "I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt this is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat. This is so even if the rootkit is very well known and can be removed 100%."

 

There is a way to delete a rootkit using another filesystem driver when the system is online. Rkdetector v2.0 implements a way to wipe hidden files when the system is running using its own NTFS and FAT32 filesystem driver. Once erased and after a system reboot, rootkit files will not be loaded because data contained is corrupted.

 

....Taken from the ever insightful Wikipedia....