What is a Rootkit?

Here’s an uncomfortable thought: right now, your computer could be full of viruses and harmful software, or even be part of a bot net that performs click fraud or cyber-attacks on a large scale! If this were actually the case, you’d probably know nothing about it. After all, in most cases a rootkit will give the user a false sense that everything’s working correctly. It works like a virtual invisibility cloak that secretly hides criminal hacker activities going on in the background. But if you understand the risks and how rootkits operate, you can protect yourself more effectively. So, read on for essential information about rootkits.

A rootkit doesn’t refer to a single piece of malware. Instead, it’s a whole collection of different harmful programs that exploit a security vulnerability to implant themselves in a computer and provide hackers with permanent remote access to it. A key characteristic of rootkits is that they can hide themselves and other malware from virus scanners and security solutions, meaning the user has no idea they’re there.

Depending on the level of authorization a rootkit has propagated itself on, it can even grant extensive administrative rights to the hacker (this is referred to as a kernel mode rootkit), which gives them unrestricted control of the computer.

The first rootkits appeared in the early 1990s, when they still only targeted Unix-like operating systems such as Linux. They typically comprised modified versions of standard software, such as “ps” (a Unix command that opens a list of all ongoing processes) and “passwd” (to change the user’s password). The term was also coined during this time: “Root” refers to the administrator for Unix systems and “kit” represents the “set of tools” it contains. The combined term “rootkit” thus describes a repertoire of software tools that enables a hacker to gain root rights to a computer (for kernel mode rootkits explicitly).

Meanwhile, however, rootkits exist for a variety of operating systems. The name “rootkit” still makes sense for Windows and other operating systems, since many rootkits penetrate the kernel or root of the system, where they then become active.

Although all sorts of different rootkits exist, their general mode of operation is always the same. Even the process for infiltrating a system follows the same pattern.

A rootkit infection usually precedes a certain form of social engineering. Cyber criminals exploit the weakest point of any security system – the human component. By influencing or deliberately deceiving their victims, hackers are often able to get hold of access data and passwords. They use them to then log onto a computer and install a rootkit.

However, there are also other ways to implant a rootkit – for example using drive-by downloads on an infected website, when downloading software from an insecure source or by clicking on a link or attachment in a phishing email.

Another method is for a cyber-criminal to leave a USB stick containing a rootkit lying around in a public place. An unsuspecting finder may then decide to take home the storage device, connect it to their computer out of curiosity – and hey presto, the rootkit is implanted. So-called evil maid attacks work similarly. Here, the hacker installs the rootkit on an unattended computer themselves. This approach gets its name from a possible scenario, whereby a cleaning maid may infect the laptops of many hotel guests in this way.

Once in a system, the rootkit hides its existence. To do so, it manipulates processes that programs and system functions perform to exchange data. During a scan, for example, an anti-virus program thus only receives falsified information in which any signs of the rootkit are removed. For this reason, it is often impossible even for professional anti-virus software to detect the malware via their signatures or heuristics.

The rootkit subsequently creates what is known as a “backdoor”, which enables the hacker to use an exposed password or shell to receive remote access to the computer in the future. The rootkit is then tasked with concealing each login by the hacker as well as any suspicious activity.

This allows the attacker to install additional software such as a keylogger, uncover keyboard entries using spyware, steal data or (depending on the level of authorization) change system settings. Rootkits are frequently used to combine infected computers as part of bot nets that are mobilized for phishing or DDoS attacks.

For obvious reason, rootkits are also known as “stealth viruses”, although they do not fit the definition of a virus. But how do rootkits differ exactly from other types of malware?

• Virus: A virus attaches itself to an executable file or program (and is distinguished by its .exe format). Although it replicates itself autonomously, it’s not able to spread further on its own, but usually only with the help of people or other programs.
• Worm: This term refers to a special sub-class of computer virus that can spread independently using a system’s data transmission functions.
• Trojan horse: This isn’t a virus but malware – i.e. a harmful program that disguises itself as a useful application. Hackers use Trojan horses to create a backdoor in a system.
• Rootkits: The rootkit is considered to be a type of Trojan horse. Many Trojan horses exhibit the characteristics of a rootkit. The main difference is that rootkits actively conceal themselves in a system and also typically provide the hacker with administrator rights.

Rootkits vary primarily in the method used to hide malware processes and hacker activities. Kernel and user mode rootkits are employed most often. The dangerous software toolsets are constantly further developed by cyber-criminals, making it increasingly difficult for users to protect themselves.

When people talk about rootkits, they are usually referring to this type. Kernel mode rootkits implant themselves in the kernel of an operating system. This part of the system is often called “Ring 0” and it possesses the computer’s highest level of authorization, thus enabling deep access to all hardware components and any alterations to system settings. This means a hacker gains full control of the entire system if they manage to place a rootkit here.

These rootkits replace parts of the kernel with their own code. In the case of Unix-like operating systems, this normally occurs using loadable kernel modules – abbreviated to LKM rootkits. For Windows systems, the kernel is in contrast manipulated directly simply by installing new system drivers. Regardless of the method: The kernel mode rootkit can exploit this starting point to feed the computer’s virus protection falsified information from the bottom up. This kind of rootkit is therefore especially difficult to detect and remove. Due to its complexity, these rootkits are also comparatively rare.

In contrast to the kernel mode rootkit, this type only operates at a computer’s user level where all executable programs are also located. Since this area has the lowest authorization level for the CPU (Ring 3), user mode rootkits may only provide the hacker with limited access to the computer. However, this means that they’re also less complex and are used more frequently than kernel mode rootkits, especially on Windows systems.

User mode rootkits conceal themselves by capturing and manipulating the data exchange between the operating system and the installed virus and security programs. To do so, they use the methods of DLL injection and API hooking, where a dedicated code library (dynamic link library, or DLL) intervenes in the data exchange and redirects the functions of certain application programming interfaces (APIs) to the rootkit. This way, it can delete its traces from process lists like Windows Task Manager.

Besides both of these types, there are another two kinds of rootkits – but they are considered to pose relatively little danger:

• Application rootkit: The original and also most primitive type of rootkit. It replaces system programs with its own modified versions, making it really easy to detect. For this reason, it is rarely used by hackers anymore.
• Memory rootkit: These rootkits can only exist in the RAM and are thus removed as soon as the system restarts.

Like many other kinds of malware, rootkits are constantly being further developed. This has resulted in “bootkits” for example – a form of kernel mode rootkit specialized in replacing a computer’s bootloader in order to deactivate the security mechanisms of an operating system. Smartphones are also increasingly infected (especially those with Android operating systems) – typically after downloading an insecure app. These are called “mobile rootkits”.

In 2006, a research group from the University of Michigan became the center of attention when they presented their Project SubVirt – a rootkit based on a virtual machine and thus named VMBR (virtual machine-based rootkit). These kinds of machines are normally used to run multiple different operating systems on the same computer (for example, Linux and Windows). With the help of this technology, the VMBR is able to move an operating system into a virtual environment and thereby operate covertly. However, just one year later, researchers from Stanford University claimed that they could detect such VMBRs without any problems.

It seems no further ground-breaking rootkit innovations have emerged since then – but this by no means suggests that the risks have reduced. For instance, the RIG exploit kit was expanded in the form of an additional rootkit called CEIDPageLock in 2018. This infiltrates Windows operating systems via system drivers and takes control over the internet browser. It then redirects the user to fake websites where data is stolen for various criminal purposes. Computers primarily in China are currently affected (as of August 2018). But experts anticipate that the malware will spread beyond its borders in the future.

By now, there are rootkits for a wide range of operating systems. Below are two examples of rootkits that pose a threat to Windows systems:

• TDSS aka Alureon (discovered in 2007) – also classified as a Trojan horse, which illustrates just how fluid the boundaries between these two types of malware are. The rootkit manipulates the Windows registry, for example, in order to disable Task Manager and the update function as well as any existing anti-virus programs and subsequently creates a bot net.
• ZeroAccess (discovered in 2011) – another Trojan horse with rootkit attributes. It infects the master boot record (MBR) as well as a random system driver and then deactivates the Windows Security Center, Windows Defender and the firewall. Once this has occurred, the computer is used for a bot net operated for Bitcoin mining and click fraud.

But such highly criminal intentions are not always behind rootkits. For example, CD emulators employ the technology in order to outsmart anti-piracy measures. Whether this is still legal or open to criminal prosecution often depends on the purpose and scope of use.

When it comes to anti-piracy, it’s not only consumers who cross the line of what is legally acceptable with rootkits. The Japanese electronics corporation Sony was embroiled in scandal in October 2005, when it emerged that the extended copy protection (XCP) had been concealed on various music CDs of the manufacturer using a rootkit. The corporation had wanted to prevent the illegal copying of discs by doing this, but the malware also transmitted information about the private listening behavior of Sony’s customers, representing a violation of common data privacy laws. The corporation also received particularly strong criticism because the rootkit also hid itself from anti-virus programs and created openings for hackers to exploit for their own purposes.

Similar cases – such as the Settec case or the EA computer game “Spore” of 2008 – raise fears among IT experts that rootkits will in future be used by not only hackers, but also increasingly by major corporations.

Since stealth concerns the specialist field of a rootkit, it’s generally difficult or almost impossible to detect and remove the malware. Nevertheless, there are some measures you can take for your protection:

The security measures against rootkits are essentially the same as for other prevalent types of harmful software:

• Use security programs on your computer.
• Maintain your system with regular updates.
• Develop an awareness for common forms of fraud online, for example phishing.
• Use strong passwords.

Moreover, there are some more specific tips on how to prevent rootkit infections:

• Advice for casual computer users: Use your administrator account as seldom as possible – particularly when you’re surfing the internet. That’s because it has far fewer protective measures than conventional user accounts. Since the user account also has limited rights, the damage in the event of a rootkit infection would be limited.
• Advice for pros: To prevent a rootkit from infecting your BIOS and thereby becoming undeletable, you can insert a physical write protection such as a jumper on the motherboard.

Most anti-virus programs search for known rootkits on the basis of their signatures or analyze unusual events like file deletion in order to identify unknown malware. The problem with this: unless a poorly programmed kernel mode rootkit draws attention to itself with constant blue screens, rootkits tend not to provide any clues at all that they have infiltrated the system.

And, since increasingly advanced rootkits are being developed, it’s also becoming more and more difficult to detect them. However, there are now technical tools specially targeted at rootkits, such as a rootkit scan. This is a function already included in some security software and is also available in the form of dedicated programs. These include Sophos Anti Rootkit as well as the Rootkit Remover by Bitdefender, both of which can be obtained free of charge.

Such a rootkit scan can also be executed using a boot CD. This launches the computer outside the installed operating system, meaning the rootkit remains inactive and – with a little luck – it can be detected by a virus scanner on the CD.

Unfortunately, there is still no 100%-reliable way to remove a rootkit from a computer. Even the hit rate of professional scanning software, such as those from AntiVir, Kaspersky and Microsoft, leave a lot to be desired in numerous test reports. For this reason, the German Computerbild magazine recommends using at least three of these programs in combination, for example.

As some rootkits can hide deep within the BIOS, however, even this method can’t provide absolute certainty. There is often no choice, therefore, but to cleanse the data carrier and completely reinstall the operating system in order to definitively remove stubborn malware.

Rootkits are an especially stubborn threat and can give criminals full control over your computer. But recognizing the threat is the first step in the right direction. The most important precaution is – as often the case – to prevent infiltration of the system. After all, rootkits can only be detected with difficulty, and removing them is even harder. There’s often no other option but to reinstall the system.

However, at the “Black Hat” conference in January 2006, attendees were warned of rootkits that could even survive hard drive wipes unscathed – for instance, by manipulating the ACPI (advanced configuration and power interface) responsible for a computer’s energy management or by implanting itself in the BIOS. As long as no reliable solution is found to the problem, rootkits are likely to remain a threat as highly complex tools employed by cyber-criminals.