Let’s face it. In today’s world of computer lingo and terminology you have to keep up with, such as viruses, trojans, worms, spyware, adware, phishing, zero-day attacks, exploits, vulnerabilities and so on and so on, do we really need to add another one to that list describing another piece of software that will ‘own’ our computer if installed? Should we pay the same amount of attention to it as we do to the other malware types, in that we just know they are bad and we need to get rid of them once they are in our systems? What’s so special about this class of malware that it deserves its own article? Well, ladies and gentlemen, I announce to you the king of all malware: rootkits! OK, so you were probably expecting some awesome cool name to go with the malware considering it’s one of the most feared computer infections today, but I assure you that by the time you finish reading what I have to say about it, you’ll no longer doubt its name!
The term rootkit is actually two separate words with different meanings. The term ‘root’ comes from the Unix/Linux world, where the user account ‘root’ has the privilege to do basically anything on the system. This can be compared to the default Administrator account on Windows systems. If you have access to the root account, then, well, you ‘own’ the system! The term ‘kit’ comes from the fact that if someone (yes, including you) wanted to become a hacker, they could simply do so even with limited knowledge of computer systems by building their own viruses and other malware from downloaded kits created by other, more advanced hackers. These amateurs are known as script kiddies, in that they rely mainly on these pre-built kits to create the majority of their malware. Below is a sample screenshot of a malware kit. As you can see, all the script kiddie has to do is select a few options and who they want to target, and they can compile the malware with a click of a button, all without writing one line of code.
User Mode and Kernel Mode
Now that we have a better understanding of the term, it should be easier to see what a rootkit can do. If I can get some type of rootkit installed on your system, then I basically own your entire system. Now you’re probably wondering what’s so different about a rootkit compared to any of the other malware types? Good question, because the answer is: a whole lot! One of the major differences is that a rootkit can run on your system in kernel mode. In a nutshell, there are two modes that your computer operates in: user mode and kernel mode. Anything that you do as a logged-in user is done in user mode. In this mode, your running software and processes are only granted a limited area of memory to work in. For example, software A has its own resources, like its own memory locations in RAM and its own process and threads. Software B has the same privileges but, of course, different resources, such as different memory locations and so on. Technically, neither software A nor software B is allowed to collide with the other in user mode. They are, in a sense, restricted to their own sandbox. With processes and software running in kernel mode, the operating system assumes that everything running in that mode is trusted software and therefore has unrestricted access to all memory locations (it can therefore access software A and software B) and can run whatever instructions it wants to. As you can see, it is much more attractive for hackers to inject their code into kernel mode rather than user mode because of the unrestricted access to the entire system.
What Can Rootkits Do to My System?
So now you’re probably wondering just what in the world is allowed to run in kernel mode? Well, your drivers do! Remember them? They are the software that allows you, and therefore your computer system, to access the thousands of physical devices out there on the market. Remember, simply plugging in a hardware device doesn’t just magically work. Even a simple device such as a USB thumb drive requires a driver to allow your system to interact with it. Devices such as your hard drive and video card will most likely have their drivers run in kernel mode. If you recall, your actions as a user are run in the restricted user mode. So if you think about it, how are you allowed to save files and data to the hard drive if the driver operating it runs in kernel mode? Very simple. Your programs make system calls to perform the privileged action. Of course, this all happens in a split second and in the background, so you’ll never even know it happened.
Alright so now it’s time to get to the juicy part. How it all works and what a rootkit can accomplish in your system!
I apologize if you are confused at this point, but it’s imperative I explain all of this due to the destructive nature of rootkits, so please don’t get discouraged! Although it is not necessary or required to understand all of this in detail, it’s important nonetheless that you get a general idea of what’s happening in your system and how the attack works. Here are just a few of the things a rootkit can do once it is installed:
- Disable your antivirus software
- Exclude its malicious files from being scanned
- Infect your most used and trusted tools
- Hide opened ports when using the netstat tool
- Install a backdoor into your system
- Capture keystrokes
- Sniff your network for valuable data being passed around
That list is by no means exhaustive. You should, however, begin to see the results of having a rootkit on your system. Once you have a malicious rootkit installed, your entire system is compromised and cannot be trusted. That system is no longer in your control. The information that some of your most trusted tools relay back to you also cannot be trusted, because a rootkit can hide or conceal some of it, or even add its own entries, which will throw you off track. For example, scanning your system with your antivirus of choice is a good strategy when dealing with viruses and Trojan horses, but with a rootkit in the picture, it could hide or disguise itself from the antivirus tool because it has more privileges. Therefore, your antivirus software will turn a blind eye to it and report back to you that everything is just fine.
Fortunately, there are a couple of tools freely available to detect these evil rootkits. The unfortunate news is that they, like many other security tools, cannot be trusted 100% to get the job done. As far as rootkits are concerned, my personal advice is that if any of these tools find any traces of a rootkit on your system, research it on the web and see if there is a way to remove it. If not, then I would just flat out reformat my entire hard drive and start over. I have heard stories where even that is not enough. There are rootkits that embed themselves in the motherboard itself by hiding in the BIOS and other firmware. Yes, I know, it’s certainly scary because it’s certainly possible. Although the chances of that happening to you are next to none, keep that in mind the next time someone tells you that doing a simple virus scan is all it takes to root out all the malware on your system!
It should be no surprise by now that I have once again mentioned another tool by Sysinternals. This time, they have a tool called RootkitRevealer which will aid in our cause. Visit their page for more information on rootkits.
1. You can download RootkitRevealer from here.
2. As indicated on their website, you should launch RootkitRevealer from a privileged account, and you should next close all applications that you are currently running. Once that is done, you can start the application. Then simply hit the Scan button to proceed with the rootkit scan. It is imperative that you DO NOT touch or do anything with your system while the scan is taking place!
3. RootkitRevealer is a highly complex scanner, so don’t expect to be able to interpret the output of the scan by yourself. Save the logfile by going into File -> Save. Next, head over to the Sysinternals online forum board, go into the RootkitRevealer section and paste your log so that other professionals can take a look at it. If your scan with RootkitRevealer reveals entries, do not panic yet! Have the professionals look over the log before making any other assumptions.
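RootkitRevealer does its work by comparing what the Windows API reports with a raw read of the file system and registry hives, and listing anything that appears in one view but not the other; a rootkit that filters API results cannot also remove its files from the raw data, so it shows up as a discrepancy. The script below is an added example, not code from the original post or from Sysinternals, that models that cross-view comparison on constructed sample listings (the driver name and port number are hypothetical).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discrepancy:
    item: str
    kind: str   # "hidden": in the raw view only; "phantom": in the API view only
    note: str

def normalise(item: str) -> str:
    """Canonical form for comparison: Windows names are case-insensitive and
    accept either separator, so spelling differences must not count."""
    return item.replace("/", "\\").rstrip("\\").lower()

def cross_view(api_view, raw_view):
    """Return the items on which the two views disagree.

    api_view: names reported through the normal interface (Windows API, netstat).
    raw_view: names recovered by reading the underlying data directly
              (raw volume, registry hive, raw socket table).
    A rootkit filtering API results appears as 'hidden' items.  An item created
    and deleted between the two reads appears as 'phantom', which is why the
    system must be left alone while the scan runs.
    """
    api = {normalise(x): x for x in api_view}
    raw = {normalise(x): x for x in raw_view}
    hidden = [Discrepancy(raw[k], "hidden", "present in raw view, not reported by API")
              for k in sorted(raw.keys() - api.keys())]
    phantom = [Discrepancy(api[k], "phantom", "reported by API, absent from raw view")
               for k in sorted(api.keys() - raw.keys())]
    return hidden + phantom

# Constructed sample listings, not real scan output.  The raw file listing holds
# a driver the API view omits (hypothetical name); the port listing is what a
# tampered netstat might report versus the raw socket table.
API_FILES = ["C:\\Windows\\System32\\drivers\\acpi.sys",
             "c:/windows/system32/drivers/disk.sys",
             "C:\\Windows\\Temp\\scan-tmp.log"]          # deleted during the scan
RAW_FILES = ["C:\\Windows\\System32\\drivers\\ACPI.SYS",
             "C:\\Windows\\System32\\drivers\\disk.sys",
             "C:\\Windows\\System32\\drivers\\hypothetical-hidden.sys"]
API_PORTS = ["TCP 0.0.0.0:135", "TCP 0.0.0.0:445"]
RAW_PORTS = ["TCP 0.0.0.0:135", "TCP 0.0.0.0:445", "TCP 0.0.0.0:50505"]

if __name__ == "__main__":
    for label, a, r in (("files", API_FILES, RAW_FILES), ("ports", API_PORTS, RAW_PORTS)):
        for d in cross_view(a, r):
            print(f"{label}: {d.kind:7} {d.item}  ({d.note})")
```

The same comparison applies to any object a rootkit might filter, which is why the demo runs it over both a file listing and a port listing.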
2. Once again, close all applications before running the tool. To start the scan, simply run the tool and hit the Scan button. If it finds any rootkits, it will attempt to remove them. Once again, pray that it doesn’t find any!
1. You can download Anti-Rootkit from here. However, it seems as if you need to register first before you are allowed to download the tool. No problem. Now is the perfect time to try out the disposable email services described here if you do not want to give out your real email address to Sophos. Once that is done, you will then need to give them some information before being able to download the software. In my honest opinion, I don’t feel like giving them any sort of personal information just to download and use the tool, so it’s up to you how to proceed here…*wink wink*
2. Alright, once you’ve finally downloaded the Anti-Rootkit tool, once again, close all applications before proceeding with the scan. Simply allow it to scan all three locations (checked by default) and hit the Start Scan button.
In the End…
Alright, I know this is another long blog entry, but it’s necessary to alert you to the dangerous class of malware known as rootkits. Although having one on your system isn’t the end of the world, you have to think about what information may have been compromised due to that infection. Remember also that when a rootkit manages to sneak into your kernel mode, it has the keys to your entire kingdom. Worst of all is that you probably don’t even have a clue that it’s there in the first place! Rootkits are not only devastating in their payload, but they are very sneaky in nature as well. Because of their unrestricted access to your system, they are allowed to do anything, and hiding and concealing information from you is what they do best. Therefore, your entire system is now compromised and cannot be trusted. I hope reading this will alert you to the dangers of blindly installing drivers from unknown and unsigned sources, as well as other random software.