Here’s an uncomfortable thought: right now, your computer could be full of viruses and harmful software, or could even be part of a botnet that performs click fraud or large-scale cyber-attacks. If that were actually the case, you would probably know nothing about it. In most cases a rootkit gives the user the false impression that everything is working correctly. It works like an invisibility cloak that hides the criminal activity going on in the background. But if you understand the risks and how rootkits operate, you can protect yourself more effectively. So read on for the essential information about rootkits.

What is a rootkit? Definition

A rootkit doesn’t refer to a single piece of malware. Instead, it’s a collection of different harmful programs that exploit a security vulnerability or a stolen credential to implant themselves in a computer and give attackers persistent remote access to it. The key characteristic of a rootkit is that it hides itself and other malware from virus scanners and security solutions, so the user has no idea it is there.

Depending on the privilege level at which a rootkit installs itself, it can even give the attacker full administrative rights (in the case of a kernel mode rootkit), which means unrestricted control of the computer.

Definition

A rootkit is a collection of multiple malware programs that can implant itself at various authorisation levels of a computer, conceal the activities of viruses and harmful software, and give the attacker ongoing access to the system.

The first rootkits appeared in the early 1990s, when they still only targeted Unix-like operating systems such as Linux. They typically consisted of modified versions of standard tools such as “ps” (the Unix command that lists running processes) and “passwd” (which changes a user’s password), altered so that they no longer reported the attacker’s processes or accounts. The term was coined at that time: “root” is the administrator account on Unix systems and “kit” stands for the set of tools. A “rootkit” is therefore a toolset that lets an attacker keep root rights on a computer.

Rootkits now exist for a wide range of operating systems. The name still makes sense on Windows and elsewhere, since many rootkits penetrate the kernel, the core of the system, and become active there.

How do rootkits work?

Although many different rootkits exist, their general mode of operation is always the same, and the process for infiltrating a system follows the same pattern.

Step 1: Infecting the system

A rootkit infection is usually preceded by some form of social engineering. Cyber criminals exploit the weakest point of any security system: the human component. By influencing or deliberately deceiving their victims, attackers are often able to obtain login details and passwords. They then use these to log on to a computer and install the rootkit.

There are also other ways to implant a rootkit, for example via a drive-by download from a compromised website, by downloading software from an untrustworthy source, or by clicking a link or attachment in a phishing email.

Another method is for an attacker to leave a USB stick containing a rootkit in a public place. An unsuspecting finder may take the device home and plug it into their computer out of curiosity, and the rootkit is implanted. So-called evil maid attacks work similarly: here the attacker installs the rootkit on an unattended computer themselves. The name comes from the scenario of a hotel cleaner infecting the laptops of many guests in this way.

Step 2: Stealth

Once in a system, the rootkit hides its existence. To do so, it manipulates the interfaces that programs and system functions use to exchange data. During a scan, for instance, an anti-virus program only receives falsified information from which any trace of the rootkit has been removed. For this reason, even professional anti-virus software often cannot detect the malware via its signatures or heuristics.

Step 3: Creating a backdoor

The rootkit then sets up what is known as a “backdoor”, for example a hidden account, password or remote shell, that lets the attacker regain access to the computer at any time. From then on, the rootkit’s job is to conceal each of the attacker’s logins and any other suspicious activity.

This allows the attacker to install additional software such as a keylogger or spyware, steal data or (depending on the level of authorisation) change system settings. Rootkits are frequently used to combine infected computers into botnets that are then mobilised for phishing or DDoS attacks.

What sets rootkits apart from other malware?

For obvious reasons, rootkits are also known as “stealth viruses”, although they do not fit the definition of a virus. But how exactly do rootkits differ from other types of malware?

  • Virus: A virus attaches itself to an executable file or program (for example a .exe file on Windows) and replicates itself. It cannot spread to other systems on its own, but only with the help of people or other programs.
  • Worm: Often treated as a sub-class of computer virus, a worm spreads independently using a system’s data transmission functions, such as the network.
  • Trojan horse: Not a virus but malware of its own kind: a harmful program that disguises itself as a useful application. Attackers use Trojan horses to create a backdoor into a system.
  • Rootkit: The rootkit is considered a type of Trojan horse, and many Trojan horses exhibit rootkit characteristics. The main difference is that a rootkit actively conceals itself in the system and typically also gives the attacker administrator rights.

What kind of rootkits are there?

Rootkits differ primarily in how they hide malware processes and attacker activity. Kernel mode and user mode rootkits are the most common. Cyber criminals keep developing these toolsets further, making it increasingly difficult for users to protect themselves.

Kernel mode rootkits

When people talk about rootkits, they are usually referring to this type. Kernel mode rootkits implant themselves in the kernel of the operating system. This part of the system runs at the CPU’s highest privilege level, often called “Ring 0”, which gives it direct access to all hardware components and to every system setting. An attacker who manages to place a rootkit here has full control of the entire system.

These rootkits replace or patch parts of the kernel with their own code. On Unix-like operating systems this is normally done with a loadable kernel module (hence “LKM rootkit”). On Windows, the attacker instead installs a malicious kernel driver. Whichever method is used, a kernel mode rootkit can use this position to feed the computer’s virus protection falsified information from the bottom up, which makes it especially difficult to detect and remove. Because of the complexity involved, these rootkits are also comparatively rare.

Tip

Their complexity makes kernel mode rootkits prone to programming errors that can destabilise the infected system. Unusually frequent blue screens or crashes are sometimes the only visible sign that such malware is installed.

User mode rootkit

In contrast to a kernel mode rootkit, this type operates only at the user level, where ordinary applications run. Since this area has the lowest privilege level on the CPU (Ring 3), a user mode rootkit can only give the attacker limited access to the computer. On the other hand, this makes it less complex, and it is used more often than kernel mode rootkits, especially on Windows systems.

User mode rootkits hide by intercepting and manipulating the data exchanged between the operating system and the installed anti-virus and security programs. They use DLL injection and API hooking: the rootkit loads its own code library (a dynamic link library, or DLL) into other processes and redirects certain application programming interface (API) functions to itself, so that every caller of those functions receives doctored results. In this way it can, for example, remove its own entries from process lists such as the Windows Task Manager.
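As an added illustration of the hooking described here (and of the stealth step above), and not code from the original article: the following Python script plays the part of a user mode rootkit inside a single process. It hooks the directory-listing function os.listdir so that every caller, including a would-be scanner, receives a falsified list with the rootkit’s own file removed. The “_rk_” name prefix, the file names and the temporary directory are constructed for the example; rebinding a Python function stands in for the DLL injection and API hooking a real Windows rootkit would use.

```python
import os
import tempfile

# Assumed marker for the example: anything whose name starts with this is the
# "rootkit's" own file and must vanish from directory listings.
HIDDEN_PREFIX = "_rk_"

# Keep a reference to the genuine API so the hook can call through to it.
# A real user mode rootkit does the same with the original IAT entry or the
# bytes it overwrote at the start of the hooked function.
_original_listdir = os.listdir


def hooked_listdir(path="."):
    """The hook: ask the real API, then strip what the rootkit wants hidden.

    Every caller that looks up os.listdir after the hook is installed sees
    this doctored result instead of the truth.
    """
    return [name for name in _original_listdir(path) if not name.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Redirect the API to the rootkit's version (the 'API hooking' step)."""
    os.listdir = hooked_listdir


def remove_hook():
    """Restore the genuine function."""
    os.listdir = _original_listdir


def run_demo():
    """Create a directory with a hidden file, then compare views with and without the hook."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample contents: two harmless files and the rootkit's own file.
        for name in ("notes.txt", "_rk_payload", "report.pdf"):
            open(os.path.join(tmp, name), "w").close()

        truth = sorted(os.listdir(tmp))          # before the hook: everything is visible
        install_hook()
        try:
            hooked = sorted(os.listdir(tmp))     # what a scanner calling os.listdir now sees
            # Caveat: the hook only covers the API it hooks. os.scandir is untouched,
            # so an independent view through it still shows the hidden file.
            other_view = sorted(entry.name for entry in os.scandir(tmp))
        finally:
            remove_hook()

    return {
        "truth": truth,
        "hooked": hooked,
        "other_view": other_view,
        "hidden_from_hooked_callers": sorted(set(other_view) - set(hooked)),
        "hook_removed": os.listdir is _original_listdir,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point for defenders: the hook only lies to code that goes through the hooked entry point. A scanner that uses a different API, or that reads the directory structure straight from disk, still gets the true view, which is exactly the cross-view comparison that dedicated rootkit scanners rely on. A real rootkit therefore has to hook every relevant API in every process, and it has to do so before the victim resolves those functions: a caller that saved the original reference earlier (listdir = os.listdir before install_hook()) keeps seeing the truth.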

Other rootkits

Besides these two types, there are two further kinds of rootkit, which are generally considered less dangerous:

  • Application rootkit: The original and most primitive type. It replaces system programs with its own modified versions, which makes it easy to detect, for example by comparing file hashes with known-good values. For this reason it is rarely used by attackers anymore.
  • Memory rootkit: These rootkits exist only in RAM, leave nothing on disk, and are therefore gone as soon as the system restarts.

Rootkit in­nov­a­tions

Like many other kinds of malware, rootkits are constantly being developed further. One result is the “bootkit”: a form of kernel mode rootkit that replaces a computer’s bootloader so that it runs before the operating system and can disable its security mechanisms. Smartphones are also increasingly infected (especially those running Android), typically after downloading an app from an untrustworthy source. These are called “mobile rootkits”.

In 2006, a research group from the University of Michigan attracted attention with Project SubVirt, a rootkit based on a virtual machine and therefore called a VMBR (virtual machine-based rootkit). Virtual machines are normally used to run several operating systems on the same computer (for example Linux and Windows). Using this technology, a VMBR moves the installed operating system into a virtual environment and operates covertly beneath it. Just one year later, however, researchers from Stanford University claimed that such VMBRs could be detected without any problems.

No further ground-breaking rootkit innovations seem to have emerged since then, but this by no means suggests that the risk has diminished. In 2018, for instance, the RIG exploit kit was expanded with an additional rootkit called CEIDPageLock. It infiltrates Windows systems via a system driver and takes control of the web browser, redirecting the user to fake websites where data is stolen for various criminal purposes. So far, computers in China have primarily been affected (as of August 2018), but experts anticipate that the malware will spread beyond those borders.

Fact

Exploit kits are collections of tools that target security vulnerabilities in popular software such as Adobe Flash, Java and Microsoft Silverlight. With up to 27,000 infections per day, RIG was considered the most active exploit kit at the time of writing (2018).

Examples of known rootkits

By now, rootkits exist for a wide range of operating systems. Below are two examples of rootkits that threaten Windows systems:

  • TDSS aka Alureon (discovered in 2007): Also classified as a Trojan horse, which illustrates how fluid the boundaries between these two types of malware are. The rootkit manipulates the Windows registry, for example to disable Task Manager, Windows Update and any installed anti-virus programs, and then adds the computer to a botnet.
  • ZeroAccess (discovered in 2011): Another Trojan horse with rootkit attributes. It infects the master boot record (MBR) and a randomly chosen system driver, then deactivates the Windows Security Center, Windows Defender and the firewall. The computer is then used in a botnet operated for Bitcoin mining and click fraud.

Highly criminal intentions are not always behind rootkits, however. CD emulators, for example, have used the same techniques to outsmart anti-piracy measures. Whether this is legal or open to prosecution often depends on the purpose and scope of use.

When it comes to anti-piracy, it is not only consumers who cross the line of what is legally acceptable with rootkits. The Japanese electronics corporation Sony was embroiled in scandal in October 2005, when it emerged that the Extended Copy Protection (XCP) on various music CDs from the company had been concealed using a rootkit. Sony wanted to prevent illegal copying of the discs, but the software also reported its customers’ private listening behaviour back to the company, a violation of common data privacy laws. The corporation received particularly strong criticism because the rootkit also hid itself from anti-virus programs and opened holes that attackers could exploit for their own purposes.

Similar cases, such as the Settec case or the EA computer game “Spore” from 2008, have raised fears among IT experts that rootkits will in future be used not only by criminals but increasingly by major corporations as well.

How can you protect yourself against rootkits?

Since stealth is a rootkit’s speciality, it is generally difficult, sometimes almost impossible, to detect and remove the malware. Nevertheless, there are some measures you can take to protect yourself:

Prevent an infection

The security measures against rootkits are essentially the same as for other prevalent types of harmful software:

  • Use security programs on your computer.
  • Keep your system up to date with regular updates.
  • Develop an awareness of common forms of online fraud, for example phishing.
  • Use strong passwords.

There are also some more specific tips for preventing rootkit infections:

  • Advice for casual computer users: Use your administrator account as seldom as possible, particularly when browsing the internet. Anything that runs while you are logged in as an administrator runs with administrator rights, which is exactly what a rootkit needs in order to install a driver or patch system files. With a standard user account, which has limited rights, the damage from a rootkit infection is also limited.
  • Advice for pros: To prevent a rootkit from infecting the BIOS and becoming impossible to delete, you can enable physical write protection for the firmware, such as a jumper on the motherboard where the board provides one, or the firmware write-protection settings of newer boards. Where the system supports it, enabling UEFI Secure Boot also makes it much harder for a bootkit to replace the bootloader with an unsigned one.

Detecting a rootkit

Most anti-virus programs search for known rootkits on the basis of their signatures, or analyse unusual events such as file deletions in order to identify unknown malware. The problem: unless a poorly programmed kernel mode rootkit draws attention to itself with constant blue screens, rootkits tend not to give any clue that they have infiltrated the system.

And since increasingly advanced rootkits are being developed, detecting them is becoming more and more difficult. There are, however, tools specifically targeted at rootkits, such as a rootkit scan. This function is already included in some security software and is also available as a dedicated program; examples include Sophos Anti-Rootkit and Bitdefender’s Rootkit Remover, both of which are free of charge. Such scanners typically work by comparing several views of the same system, for instance the list of processes or files reported through the operating system’s normal interfaces against what the scanner reads directly from the kernel or the disk; anything present in one view but missing from the other is a candidate for a hidden object.

Such a rootkit scan can also be run from a boot CD or USB stick. This starts the computer outside the installed operating system, so the rootkit remains inactive and, with a little luck, can be detected by the virus scanner on the boot medium. Bear in mind that this offline scan only sees what is on disk: a rootkit that lives purely in memory is gone after the reboot, and one in the firmware is not examined at all.
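The cross-view comparison in practice, as an added example rather than the article’s or any vendor’s code: on Linux, the process list shown by ps and similar tools comes from the /proc directory, and a rootkit that hooks directory listing can drop its own PID from it. The kernel will still answer a signal-0 probe for that PID, though, so probing every possible PID gives a second, independent view. The script below diffs the two views. The PID sets in run_demo are constructed sample data; the live scan only runs on a Linux host with /proc and is not part of the test.

```python
import os


def hidden_pids(listed_before, probed_alive, listed_after):
    """Cross-view diff.

    A PID is suspicious only if the kernel confirmed it exists (probe view)
    but it appeared in neither /proc listing taken around the probe.
    Taking two listings avoids flagging processes that simply started or
    ended while the probe was running.
    """
    return set(probed_alive) - set(listed_before) - set(listed_after)


def pids_from_proc():
    """High-level view: every process ID and thread ID that /proc exposes.

    Thread IDs must be included: kill() accepts them too, and /proc only
    lists thread-group leaders at the top level, so without this every
    extra thread on the box would look like a hidden process.
    """
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(tid) for tid in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process vanished between the two listdir calls
    return ids


def pids_by_probe(max_pid):
    """Low-level view: ask the kernel about every PID directly.

    os.kill(pid, 0) sends no signal; it only checks whether the PID exists.
    PermissionError means it exists but belongs to another user, so it counts.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def scan_live():
    """Run the real scan on a Linux host; returns the set of suspicious PIDs."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    before = pids_from_proc()
    alive = pids_by_probe(max_pid)
    after = pids_from_proc()
    return hidden_pids(before, alive, after)


def run_demo():
    """Constructed sample views (not captured from a real host)."""
    listed_before = {1, 2, 100, 250}             # what /proc showed before the probe
    probed_alive = {1, 2, 100, 250, 1337, 2000}  # what the kernel confirmed exists
    listed_after = {1, 2, 100, 250, 2000}        # 2000 merely started during the probe
    return hidden_pids(listed_before, probed_alive, listed_after)


if __name__ == "__main__":
    print("sample:", run_demo())
    if os.path.isdir("/proc/sys/kernel"):
        print("live:", scan_live())
```

Two practical caveats. First, probing the full PID range (pid_max is often over four million on current kernels) takes a while in Python; real tools do the same thing in C, or probe only the gap between the highest listed PID and pid_max. Second, the comparison is only as independent as its two views: a kernel mode rootkit that filters both readdir and the kill() system call defeats it, and on systems where /proc is mounted with hidepid you need to run as root or every other user’s process appears to be hidden.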

Removing a rootkit

Unfortunately, there is still no 100% reliable way to remove a rootkit from a computer. Even the hit rate of professional scanning software, such as the products from AntiVir, Kaspersky and Microsoft, leaves a lot to be desired in numerous test reports. For this reason, the German magazine Computerbild recommends using at least three of these programs in combination, for example.

As some rootkits can hide deep within the BIOS, however, even this method cannot provide absolute certainty. Often there is no choice but to wipe the disk and completely reinstall the operating system in order to remove stubborn malware for good. Even then, the reinstall only helps if the boot sector and firmware are clean as well, and if the credentials the attacker originally used have been changed.

Summary: The danger remains

Rootkits are an especially stubborn threat and can give criminals full control over your computer. But recognising the threat is the first step in the right direction. The most important precaution is, as is so often the case, to prevent infiltration of the system in the first place. After all, rootkits are difficult to detect and even harder to remove; often the only option is to reinstall the system.

However, at the “Black Hat” conference in January 2006, attendees were warned of rootkits that could even survive a hard drive wipe unscathed, for instance by manipulating the ACPI (Advanced Configuration and Power Interface) firmware responsible for a computer’s power management, or by implanting themselves in the BIOS. As long as no reliable solution to this problem exists, rootkits are likely to remain a threat as highly complex tools in the hands of cyber-criminals.
