Rootkit Prevention – Understanding Rootkits and the Role They Play in Malware Attacks
If your data center tells you they need to re-install the operating system onto one of your servers, there’s a good chance it’s due to a rootkit. Malicious rootkits are one of the most dangerous tools that cybercriminals use. They enable malware authors to easily add stealth, persistence, and privilege escalation to already malicious programs. Once a system is infected by a rootkit, it’s very difficult for even the most skilled security experts to remove it, and completely re-installing the OS is often the only way to get rid of it.
Rootkits are not only challenging to remove, they are also very difficult to spot, and detecting them requires advanced malware detection technologies.
Rootkit prevention—understanding rootkits, how they operate, and what they’re intended to do—is key to detecting malicious attempts to install them. While not all rootkits are malicious, most are, and it’s these malicious ones that we’ll focus on in this post.
Origin and Mission of Rootkits
Rootkits have been around since the 1990s, and they have continued to evolve in sophistication and numbers. Today, they are readily available on the black market to help even novice authors dramatically strengthen their malware.
The term rootkit originates from “root” in UNIX-based operating systems, which is the most privileged administration account in the system. With root-level access, users can do virtually anything on the system. As for the “kit” in rootkit, it’s just an abbreviation of the word “toolkit.”
Although the term originated in UNIX environments, it is now applicable to all operating systems, including Windows and Mac OS X. The majority of rootkits in circulation today are Windows-based.
In most cases, apart from modifying the operating system, a rootkit by itself doesn’t do any damage. Instead, a rootkit’s main function is to keep the malware that it’s linked to from being detected. The malware does the actual damage.
Rootkits are primarily used to:
- Establish or enhance stealth, making it very difficult for security analysts and most antimalware products to detect the malware the rootkit is designed to protect
- Conceal other malware that cybercriminals may subsequently install as part of a sustained attack
- Enable persistence, allowing the malware to survive reboots and removal attempts by antimalware and other tools
- Provide an attacker with ongoing full access, often via backdoors
- In some cases, escalate the privilege level in which the malware operates
- Appropriate the compromised machine as a zombie computer or member of a botnet
In a nutshell, a rootkit is a toolkit used to add privileged access, stealth, and persistence to a malicious program. Rootkits are typically used to hide malware that performs keylogging, spying, ad delivery, data exfiltration, or spam distribution, or to provide privileged access to unauthorized individuals.
Multiple Types of Rootkits
Rootkits are available for every major operating system, including UNIX, Windows, Android, Mac OS X, and iOS. While most rootkits today target Microsoft Windows operating systems, security administrators need to diligently defend all systems from these malicious toolkits.
Experts often classify rootkits by what part of the system they inhabit, such as the kernel, user space, hypervisor, firmware, and even the hardware. Most rootkits will target either the kernel, or the user application space.
- User-mode rootkits – These are rootkits operating in user space, also known as “ring 3.” This is where applications typically run.
- Kernel-mode rootkits – These rootkits reside in kernel space, also known as “ring zero.” Kernel mode rootkits are more dangerous than user-mode rootkits because they have the highest level of privileges in the system.
How Rootkits are Installed
Attackers want unlimited access, so one of their primary goals is to gain control over processes that execute with top-level privileges. Since loadable kernel modules in UNIX/Linux systems and device drivers in Windows environments generally execute with the same privileges as the operating system itself, it’s common for rootkits to replace these legitimate modules and drivers with malicious versions. This class of rootkit provides the attackers with unrestricted privileges and access.
Rootkit infections are frequently due to insecure passwords on root or administrator accounts. Rootkits generally breach the system by utilizing root or administrator account privileges long enough to upload and replace core system files with modified versions. Backdoor access is then established, ensuring that the perpetrators will have access even if the security staff changes the root or administrator password. All traces of the invasion and system modifications are then removed, including log file entries, temporary caches, name changes, etc.
How Rootkits Hide Themselves
Once installed, rootkits are difficult to detect because they try to remove all evidence of their presence. The only visible symptoms are typically an unusually slow system and strange network traffic. Unfortunately, with today’s high-speed CPUs and high-bandwidth networks, users or administrators may not even notice the additional CPU or network activity.
Rootkits establish stealth by erasing artifacts that programs normally generate when they’re installed, or when they execute. When any program, including malware, is installed, monitoring tools can usually detect its existence by the presence of multiple indicators, like:
- New files
- Additional services or processes
- New or modified registry keys
- Unexpected changes in disk or storage utilization
- New user accounts, or changes to account privileges
- User applications or processes running with root or administrator privileges
- Entries in system logs
Antimalware tools monitor the above and many other entities for anomalies. If anomalies are found, that’s a good indicator that malware is present. The rootkit’s aim is to modify the system components that show these indicators so the malware remains undetected. For example, a rootkit may hide the malware’s files, processes, and, in Windows environments, even its registry keys. Another common practice is for the rootkit to create a hidden, encrypted filesystem where it hides other malware or original copies of the files it has encrypted. The rootkit may even restore the original files when the malware is not active.
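The hiding described above can be caught when two independent views of the same resource disagree. The following is an added example, not code from the original post: it assumes a Linux host and the standard /proc layout, and compares the PIDs returned by directory enumeration with the PIDs that answer when asked for directly. It only catches hiding at the enumeration layer; a kernel-mode rootkit can filter the direct lookup as well.

```python
import os

def listed_pids(proc="/proc"):
    """View 1: PIDs returned by directory enumeration, the call a
    user-mode rootkit typically filters."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def read_status(pid, proc):
    """Parse <proc>/<pid>/status into a dict, or None if the task is gone."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            return dict(l.rstrip("\n").split(":\t", 1) for l in fh if ":\t" in l)
    except OSError:
        return None

def hidden_pids(listed, max_pid, proc="/proc"):
    """View 2: request every PID directly and report process leaders that
    exist but are missing from the enumerated view."""
    hidden = {}
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        st = read_status(pid, proc)
        if st is None:
            continue                    # no such task
        if st.get("Tgid", "").strip() != str(pid):
            continue                    # a thread: reachable by id, never listed
        hidden[pid] = st.get("Name", "?").strip()
    return hidden

def scan(proc="/proc", max_pid=None):
    """Run both views against a live system and return {pid: name}."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    first = hidden_pids(listed_pids(proc), max_pid, proc)
    # Enumerate again and drop PIDs that now appear, so processes that
    # started between the two views are not reported.
    again = listed_pids(proc)
    return {p: n for p, n in first.items() if p not in again}

if __name__ == "__main__":
    for pid, name in sorted(scan().items()):
        print(f"unlisted process: pid={pid} name={name}")
```

On a clean host the scan prints nothing; any output is a reason to examine the machine from trusted offline media rather than with tools on the host itself.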
IAT and SSDT Hooking to Hide Malicious Software
In Windows machines, IAT Hooking is one technique that user-mode rootkits use to hide malicious software. The IAT, or Import Address Table, is a table where applications look up the addresses of functions they need to run. IAT Hooking occurs when a rootkit alters an address in the table so that it points to malicious code instead of the legitimate function.
Cybercriminals use IAT hooking in various ways, one of which is to fool antimalware tools. For example, consider an antimalware program that calls a function that normally returns a list of all running services. A sophisticated rootkit will alter the table so it points to a function that’s part of the rootkit itself. However, this version of the function removes all malicious processes from the list. As a result, the antimalware program won’t see the malware that is in fact executing.
Kernel-mode rootkits employ similar methods, altering what’s known as the SSDT, or System Service Dispatch Table. Here again, calls to legitimate software are replaced with calls to rootkit code that hides the presence of the malware.
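Both hooks leave the same trace: a table slot whose address no longer falls inside the module that should own it. The following is an added example, not code from the original post, showing that check over a constructed snapshot. All bases, sizes, addresses and SSDT indexes are invented, `helper.dll` and `filter.sys` are hypothetical names, and the forwarder list is assumed to be supplied by the analyst.

```python
from bisect import bisect_right

class AddressMap:
    """Resolves an address to the loaded image whose range contains it."""
    def __init__(self, modules):          # modules: {name: (base, size)}
        self._mods = sorted((b, b + s, n.lower()) for n, (b, s) in modules.items())
        self._bases = [m[0] for m in self._mods]

    def owner(self, addr):
        i = bisect_right(self._bases, addr) - 1
        if i >= 0 and addr < self._mods[i][1]:
            return self._mods[i][2]
        return None                       # heap, private or unbacked memory

def check_table(entries, amap, forwarders=None):
    """entries: (slot, expected_module, address). Returns the slots whose
    target is outside the expected module and not a known forwarder."""
    forwarders = forwarders or {}
    findings = []
    for slot, expected, addr in entries:
        allowed = {expected.lower()}
        if slot in forwarders:            # forwarded exports legitimately
            allowed.add(forwarders[slot].lower())   # resolve into another DLL
        owner = amap.owner(addr)
        if owner not in allowed:
            findings.append((slot, owner or "unbacked memory"))
    return findings

# Constructed snapshot for illustration only.
MODULES = {
    "advapi32.dll": (0x7FF820000000, 0xA0000),
    "kernel32.dll": (0x7FF800000000, 0xC0000),
    "ntdll.dll":    (0x7FF810000000, 0x1F0000),
    "helper.dll":   (0x000180000000, 0x20000),      # hypothetical module
    "ntoskrnl.exe": (0xFFFFF80000000000, 0xA00000),
    "filter.sys":   (0xFFFFF80012000000, 0x30000),  # hypothetical driver
}
IAT = [
    ("advapi32.dll!EnumServicesStatusExW", "advapi32.dll", 0x000180001000),
    ("kernel32.dll!HeapAlloc", "kernel32.dll", 0x7FF81004A000),
    ("kernel32.dll!CreateFileW", "kernel32.dll", 0x7FF800021000),
    ("kernel32.dll!ReadFile", "kernel32.dll", 0x000002500000),
]
FORWARDERS = {"kernel32.dll!HeapAlloc": "ntdll.dll"}
SSDT = [
    ("SSDT[0x10]", "ntoskrnl.exe", 0xFFFFF80000301000),
    ("SSDT[0x11]", "ntoskrnl.exe", 0xFFFFF80012004000),
]

if __name__ == "__main__":
    amap = AddressMap(MODULES)
    for slot, owner in check_table(IAT, amap, FORWARDERS) + check_table(SSDT, amap):
        print(f"{slot} -> {owner}")
```

Without the forwarder list, the legitimate `HeapAlloc` entry would be reported too, which is why a bare "address outside the named DLL" rule produces false positives.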
There are a number of rootkits available in the wild—too many to enumerate here. But to provide a general idea of what’s out there, here’s a brief description of three notable ones.
TDSS: At one time, experts believed TDSS to be responsible for the second largest botnet in the world. The malware enabled by TDSS targeted personal data like credit card numbers, online bank accounts, passwords, social security numbers, and other personal information. Law enforcement successfully took down much of the botnet. However, it is still available and actively used.
ZeroAccess rootkit: Responsible for the ZeroAccess botnet. This malicious code consumed the CPU and other resources of infected machines while it mined for bitcoins and committed click fraud, spamming the machine’s owner with ads. Researchers estimated that the ZeroAccess botnet had compromised up to 2 million PCs. Microsoft took down much of the botnet in 2013. Unfortunately, ZeroAccess resurfaced shortly thereafter.
Necurs: This rootkit is behind one of the biggest malicious networks in the world—the Necurs botnet. It has more than 6 million zombie machines tied to it, and is responsible for spreading massive amounts of Locky ransomware spam as well as the Dridex financial malware. The Necurs rootkit protects the malware that enslaves a PC to the botnet, making sure the infection cannot be removed. Necurs is an active botnet, and the cybercriminals behind it are still actively trying to grow it.
Preventing Rootkit Infections
Rootkits pose a very high level of risk to enterprises everywhere. As such, information security professionals need to understand rootkit-related risks, and implement effective defense mechanisms.
As with most things, the best way to counter rootkits is through prevention rather than detection and remediation.
A successful risk management strategy includes putting multiple systems in place to combat the threats, including appropriate system configuration, strong authentication, patch and configuration management, and the latest malware detection solutions. Because rootkits are so proficient at hiding themselves, organizations need to implement extremely strong antimalware technologies.