Rootkits





27 July 2005

Rootkits have been around for over 10 years, and were known by other names before that. They are suites of small programs that exploit your system in a way that can be next to impossible to detect and even harder to remove once one finds its way onto your system. The name comes from what it does: it gives the attacker administrator access to the Root Directory of your system, allowing the program to rewrite the kernel and hide itself and any other programs it may load on your system. There are two basic types of Rootkits: Application and Kernel.

An Application rootkit is one that basically replaces legitimate program files with modified, bogus copies of them.
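Because an application rootkit works by swapping program files for bogus copies, the classic defense is a file-integrity check: hash the files you care about while the system is known to be clean, keep that baseline somewhere the machine cannot alter, and later re-hash and compare. The following Python script is an added example written for this tip, not code from the original article or from any of the tools it lists; the two "program files" it checks are constructed stand-ins written to a temporary directory.

```python
"""Added example (not from the original tip): detect program files that have been
replaced with bogus copies by comparing SHA-256 hashes against a trusted baseline."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(paths):
    """Record the hash of every monitored file. Run this on a known-clean system
    and store the result off-box (read-only media, or a separate machine)."""
    return {path: sha256_of(path) for path in paths}


def check_against_baseline(baseline):
    """Compare the current files with the baseline and sort them into
    'modified' (contents changed), 'missing' (deleted) and 'unchanged'."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_of(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: two stand-in program files, one of which is later
    replaced the way an application rootkit would replace it."""
    workdir = tempfile.mkdtemp()
    ls_path = os.path.join(workdir, "ls")  # stand-in for a system utility
    ps_path = os.path.join(workdir, "ps")  # stand-in for a second utility
    with open(ls_path, "wb") as f:
        f.write(b"original ls binary (constructed sample)")
    with open(ps_path, "wb") as f:
        f.write(b"original ps binary (constructed sample)")

    baseline = take_baseline([ls_path, ps_path])

    # Simulate the rootkit overwriting 'ps' with a bogus copy of the same name.
    with open(ps_path, "wb") as f:
        f.write(b"bogus ps binary (constructed sample)")

    report = check_against_baseline(baseline)
    # Return only the file names so the result does not depend on the temp path.
    return {kind: [os.path.basename(p) for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print(demo())
```

The important caveat is the one the tip goes on to make about kernel rootkits: a rootkit that controls the kernel can lie to the hashing tool too, so the baseline and the checker itself should live somewhere the suspect system cannot rewrite, and a clean boot medium is the trustworthy place to run the comparison from.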

A Kernel rootkit is one that can actually write code into your Operating System's kernel, allowing it to exist on your PC without a trace. Usually you can spot a malicious program by viewing your Processes from within your Task Manager, looking for suspicious CPU usage, and shutting it down. With a kernel rootkit all of this is masked, so there is no entry in your processes or in your program files; as far as your system is concerned, the program doesn't exist. Rootkits attempt to collect data from your system and transmit it back to the attacker. Not only does the Rootkit encrypt this data, it can also wait and "piggyback" on known programs, such as an email message, to access the Internet unbeknownst to your firewall.
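The detection tools listed at the end of this tip rely on exactly the gap described here: a kernel rootkit filters what Task Manager and the normal process-listing API report, but it usually cannot filter every way of enumerating processes. Comparing a "high-level" view with an independent "low-level" view and looking for processes present only in the low-level one is called cross-view detection. The Python below is an added example written for this tip, not the code of RootkitRevealer, BlackLight or GhostBuster; the `tasklist /fo csv`-shaped output and the raw process list are both constructed samples, and PID 3016 is the planted hidden entry.

```python
"""Added example (not from the original tip): cross-view detection of a hidden
process. A kernel rootkit filters the list the high-level API returns; a PID that
appears in an independent low-level enumeration but not in the API view is hidden."""
import csv
import io

# Constructed sample shaped like the output of 'tasklist /fo csv' (the high-level view).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","16 K"
"System","4","Services","0","236 K"
"explorer.exe","1452","Console","1","22,104 K"
"notepad.exe","2120","Console","1","4,512 K"
"firefox.exe","2390","Console","1","88,320 K"
'''

# Constructed low-level view: what a driver walking the kernel's own process list
# (rather than the filtered API) reports as (pid, image name). PID 3016 is the
# planted entry the rootkit hides from the API view.
RAW_VIEW = [(0, "System Idle Process"), (4, "System"), (1452, "explorer.exe"),
            (2120, "notepad.exe"), (2390, "firefox.exe"), (3016, "hidden_sample.exe")]


def parse_tasklist_csv(text):
    """Turn tasklist CSV output into {pid: image name}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def cross_view_diff(api_view, raw_view):
    """Return (hidden, ghost): PIDs only in the raw view, and PIDs only in the API view."""
    api_pids = set(api_view)
    raw_pids = {pid for pid, _ in raw_view}
    return sorted(raw_pids - api_pids), sorted(api_pids - raw_pids)


def confirm_hidden(api_snapshots, raw_snapshots):
    """Flag only PIDs that are hidden in every paired snapshot. A process that starts
    or exits between the two enumerations shows up in one view only for a moment;
    requiring the discrepancy to persist filters those transient false positives."""
    confirmed = None
    for api_view, raw_view in zip(api_snapshots, raw_snapshots):
        hidden, _ = cross_view_diff(api_view, raw_view)
        confirmed = set(hidden) if confirmed is None else confirmed & set(hidden)
    return sorted(confirmed or [])


def demo():
    """Two rounds of snapshots; in the first, a short-lived cmd.exe (PID 3201) is
    caught by the raw walk only because it exited before the API call ran."""
    api_view = parse_tasklist_csv(TASKLIST_CSV)
    transient = [(3201, "cmd.exe")]  # constructed: existed only during snapshot 1
    api_snapshots = [api_view, api_view]
    raw_snapshots = [RAW_VIEW + transient, RAW_VIEW]
    names = dict(RAW_VIEW + transient)
    return [(pid, names[pid]) for pid in confirm_hidden(api_snapshots, raw_snapshots)]


if __name__ == "__main__":
    for pid, name in demo():
        print(f"hidden process: pid={pid} image={name}")
```

A single-snapshot diff would also have flagged PID 3201; taking the views twice and intersecting the results is the small discipline that keeps a detector like this from crying wolf on every process that happens to exit mid-scan.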

Rootkits are distributed similarly to viruses: through an Operating System's known security hole, downloaded along with other programs, or by any other common infection technique. Rootkits do not attempt to redistribute themselves the way a virus does, however. The focus behind most viruses is to infect as many systems as possible, look for passwords, or use your system as a SPAM platform. Rootkits are more about quality and less about quantity; your typical rootkit isn't looking for another host, it just wants to get its money's worth out of the one it has under its thumb. It will continually run scans on itself to ensure it is still running unnoticed in the system, and re-infect an area of the system if it needs to.

Once a system is infected, a rootkit can actually install other worms, or any malicious code, to perform functions with the benefit of total concealment. This is a "Blended Attack" and is possibly one of the worst scenarios you and your PC could be in. On top of everything else, this type of infection, or attack, can go on for great lengths of time, longer than your typical virus. If the rootkit is working, your machine will think nothing is wrong, while unseen programs lurking in the background carry out their insidious duties.

There has been silent defensive preparation against the rootkit. Microsoft, for example, not only acknowledged the threat back in February of this year, but has also bought a new antivirus company and plans to include rootkit detection and removal capabilities. Other protection software manufacturers (i.e. Sysinternals, F-Secure) are also starting to add rootkit detection to their lines of software. The only problem is that the rootkit creators in this arena have the definite upper hand, leaving the protective software manufacturers playing catch-up.

As of now there are few options for detecting and removing these rootkits. Microsoft is growing so concerned about the potential threat that it has announced it will release a rootkit detection and removal kit in its Windows AntiSpyware application. The best defense may be having a firewall in place, updated antivirus/spyware software, and the rootkit detection programs. If you do become compromised, the only way to be absolutely sure you have gotten rid of the rootkit is to completely reformat your hard drive. No good news in that department, and as these become more prevalent as time goes on, one can only hope that the utility software companies can stay in front of this nemesis.

There are a couple of free programs out there, most in beta form, that will run a scan on your system. I recommend you download one and give it a whirl, get used to it, watch for updates, and include it in the regular security check that I know all of you do a few times every month.

F-Secure BlackLight
http://www.f-secure.com/blacklight/

Microsoft Strider GhostBuster Rootkit Detection Overview
http://research.microsoft.com/rootkit/

Sysinternals RootkitRevealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Stay safe out there.

~ Chad

Chad Stelnicki

