Rootkits are a fast-emerging security threat which can hide malware from conventional security tools. So how do they do this, and what can you do about them?
Copyright © 2005 Virus Bulletin
Powerful Windows rootkits are a potential problem for PC users in the future. Rootkits can hide files, processes and services belonging to malicious files such as backdoors and keyloggers which can later be used to gain access to everything on the system. Typically, rootkits penetrate personal computers and servers via viruses or vulnerabilities. After the rootkit is installed, conventional security products including anti-virus and spyware programs are unable to detect them or the files they are hiding.
Rootkits are an increasingly common 'stealth' technique used by malware authors to conceal their dark handiwork and intentions. Put simply, they are specialised toolkits that can hide malicious programs - whether they be viruses, Trojans, spyware, keyloggers and so on - from detection by conventional anti-virus and anti-spyware tools. Think of a rootkit as a cloaking device for malware, the kind that allows a hacker to move around your computer with complete impunity, undetected and unchallenged, doing as he pleases.
It is believed that this invisible form of malicious code will become a growing problem in the future. At the 2005 RSA security conference in San Francisco, Microsoft Corporation and security industry experts all expressed their concerns about the rising problem related to rootkits. To give one example, the Windows XP operating system is unable to show files or processes deployed by many rootkit programs. This leaves the user or administrator unaware of their presence. These types of stealth spyware program are believed to have been involved in some high-profile industrial espionage cases.
Since a rootkit can hide its presence on your system for a longer time than conventional malware, it is almost certain that ultimately it will be able to take your most confidential data. There are a number of different rootkits available on the market: some are feature-rich and include such functionality as the ability to log keystrokes, create secret backdoors and alter system log files, as well as offering administrative tools to prevent detection. Others are just tools to hide third-party files.
So, as is the case with many modern malware exploits, a PC or network could be fully protected against conventional malware with the latest in AV software, yet still unwittingly become infected with a rootkit - and therefore, completely vulnerable to attack. What's more, you may not even realise the attack is happening until it is too late and you have suffered loss of valuable data and money.
So where do rootkits come from? Rootkits originally came from the *NIX world where the purpose of an attack was to give the attacker the control level of an administrator or 'root' - hence the name - and keep that access for as long as possible.
In the beginning, rootkits were mainly replacements for system tools. For example, the login program would be replaced by a modified version that stored the username and password combinations or the 'ls' tool that is used to list directory contents would be replaced by a rootkit version that would not print out certain file names.
Naturally enough, the malware community quickly found a window for exploits from rootkits, which led to the creation of integrity checking tools such as TripWire [ 1 ]. Such programs were designed to detect these first-generation rootkits by alerting the user to the modification of any system file.
Later generations of rootkits are, however, far more advanced in their range and functionality and have the ability to load themselves as kernel-loadable modules, thus avoiding detection by integrity checks.
Following the evolution of the PC market since Unix days, the latest generation of rootkits targets Windows-based machines. Nowadays there are a number of malware programs that use rootkits to hide from conventional detection, including the CoolWebSearch, Win-Spy, PC Spy, ActMon, ProBot SE, Invisible Keylogger and Powered Keylogger spyware programs. Some viruses themselves use rootkits to avoid detection and happily deliver their payloads, including Maslan and Padodor.
In addition to viruses and direct hacking via rootkits, there are several variants of backdoor Trojans, like SDBot and RBot, which incorporate the computer into a botnet that can be used by malicious people to send spam, perform denial of service attacks and all the other types of exploit for which we typically see botnets being used.
The sophistication and speed with which rootkit techniques are now being applied to spyware and viruses may highlight the growing influence of organised online criminal groups in their bid to develop stealthy, invasive software, as opposed to the typical '15 minutes of fame' exploits performed by geeks and script kiddies. Whatever the ultimate reason, the intention is clear - to circulate malware into the online community which does not register on the users' security radar.
Rootkits have many entry paths to their intended host: they can be planted on a system by a hacker through an unpatched vulnerability, arrive as an attachment or as a download URL in an email. Once activated, the rootkit can be used to hide backdoors and tools that help the hacker maintain access to the hacked computer. This computer can later be used to attack other computers in the same network. Most crucial, however, is the fact that the rootkit will hide the hacker's tracks from current security software.
Having gained access to a computer hacked with a rootkit, the intruder is free to interact with network resources, files and systems with either the same or sometimes even higher privileges than the legitimate user. And if, for example, they gain access to an administrator's username and password, then they have all the keys to the kingdom - with the potential to cause widespread damage.
How do rootkits enable all this? Well, that depends on the type of rootkit that is being used. There are two types: user-mode rootkits and kernel-mode rootkits. To understand how they hide themselves in a system, let's look at how these two pieces of malware differ.
User-mode rootkits. A user-mode rootkit typically intercepts API calls in the system and modifies their output to hide files, registry keys and processes. A good example of this is a product called 'Golden Hacker Defender' sold openly on the Internet by its author, which also incorporates a Trojan that includes a built-in hidden door.
Kernel-mode rootkits. A kernel-mode rootkit, on the other hand, can be even more powerful than a rootkit running in user-mode. It can still filter the output of system API calls, similar to that of a user-mode rootkit, but it can also do much more. A common technique to hide a malware process is to remove the process from the kernel's list of active processes. As the kernel does not use this list to actually run the process (that is handled through the kernel scheduler) it's a very effective way of concealing the processes run by a hacker in your system.
Whichever way the rootkit operates, the goal is to stay hidden from security scanners. As most rootkits are also able to intercept the queries that are passed to the kernel and filter out the queries generated there, in effect, they are able to clean up any trace of their own activities. The result is that the typical footprints of a program, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the OS registry, are invisible both to administrators and to all types of detection tool - even intrusion detection systems (IDS).
This ability of rootkits to clean log files and erase evidence of the actions it performs can make a hacker truly a 'ghost in the machine'. There are also tools for hiding the files and processes that the intruder may place on the system and even to hide port and protocol connections.
Some security pundits say that rootkits do not pose a significant problem, since more and more systems are effectively protected from outside intrusion which means it is difficult for a rootkit to be planted on a machine in the first place through the normal routes of infection. While this is true to some extent, no modern-day company would want to risk having an invisible backdoor into their network that could be accessed without any warning and used for any number of malicious purposes.
As the whole malware-writing scene is shifting quite rapidly towards an economic model where virus writers and botnets are available for hire at the right price, it is no surprise that you can buy your own version of a rootkit. Authors such as Holy Father (Hacker Defender) and Aphex (AFX Rootkit) both have custom undetected versions of their rootkits available for sale.
On the Hacker Defender website, a customer can select which rootkit detection programs he/she wants to buy 'undetection' from, where each application and version is bought separately. Or the customer can just simply buy the Gold or Silver version, which comes with undetection for the most common detection systems.
Spy applications such as ProAgent 2.0 even come with a one-year warranty where the buyer will get a new undetected version if any of the security vendors adds detection for your customized version. But as a lot of the rootkits are open source, an attacker doesn't even need to pay for an undetected rootkit: with some basic programming skills he/she can just recompile it and thereby avoid detection.
So if, once they are installed, rootkits can evade conventional security tools, what can you do if you do discover you are harbouring a rootkit infection? Until recently, the prognosis was not good.
Although there have been some techniques for detecting rootkits, they are intended only for very IT-literate users who are conversant with code and all the other tricks of the trade: they certainly are not plug-and-play. What's more, they do not remove or quarantine rootkits. The standard advice for rootkit removal is to 'repave' - an innocent-enough-sounding euphemism which stands for completely scrubbing all data, applications and the operating system from the infected machine, and then reinstalling from scratch.
Repaving is simply not an option for most computer users who have stored all of their most precious material for safe-keeping in one repository. And if it is the case that more than one PC in a company is infected, the prospect of repaving multiple machines is still less attractive with all the attendant loss of business that follows.
However, new tools to help manage and contain the rootkit problem are emerging. Tools like SysInternals' RootkitRevealer [ 2 ] and F-Secure's BlackLight [ 3 ] technology are able to scan a machine and detect hidden rootkit files. Some of them can even eliminate the files by renaming them, even though some people think that the only solution to remove a rootkit is to reinstall the system completely.
But, while these applications will detect rootkits, it will not be until these detection capabilities are built into existing anti-virus and anti-spyware applications, with centralized management, that users and corporations will be protected fully from the growing rootkit threat.
 TripWire: http://www.tripwire.com/
 SysInternal's RootkitRevealer can be downloaded from http://www.sysinternals.com/Utilities/RootkitRevealer.html
 A beta version of F-Secure's BlackLight Rootkit Elimination Technology is available free of charge from http://www.f-secure.com/blacklight/