Rootkits

From Computing and Software Wiki

Revision as of 19:05, 10 April 2009 by Elesc (Talk)

Rootkits are software that provides an attacker with continued, concealed access to a system's resources without the owner's knowledge. Rootkits exist for many operating systems, including Windows, Linux, Mac OS and others. They have both malicious and legitimate uses: law enforcement and child-protection programs use rootkit techniques to monitor the use of a system covertly. Rootkits are best known, however, for their malicious use: attackers use them to keep control of a user's computer, and to hide whatever else they are running on it, for as long as they wish.


How a Rootkit works

How a rootkit avoids detection

Rootkits work by hijacking different levels of a computer system. For example, a rootkit at the kernel level can intercept a call to open() and run its own code before, or instead of, the real implementation. Rootkits avoid detection in the same way. As shown in the figure to the right, a rootkit hides by intercepting the system calls used to list directories. A virus scanner asks the operating system to list the files in a directory whose actual contents are Good.exe, Good.exe, Bad.exe and Bad.exe, where the Bad.exe files are the rootkit's executables. The rootkit intercepts the call and returns only the Good.exe entries, so the scanner never learns that the rootkit files exist. Because the filtering happens at the operating-system level, every program that asks through that interface, the scanner included, receives the same sanitised answer.

Types of Rootkits

User-Mode

User-mode rootkits run as ordinary programs or libraries, usually with administrative privileges, rather than inside the kernel. They hook or replace user-level APIs and system utilities (for example the programs that list files and processes), can modify any file or resource the privileged account can reach, and arrange to be started every time the computer boots. Because they live in files and processes that the operating system itself can still see, user-mode rootkits are the easiest for rootkit-detection software to detect.

Kernel-Mode

Rootkits running in kernel mode run at the same privilege level as the operating system. The rootkit is integrated into the operating system and is concealed behind the operating system's own application programming interfaces. Kernel-level rootkits disguise themselves by intercepting system calls and returning the information a caller expects, with any trace of the rootkit removed. Kernel-level rootkits often suffer from stability problems: because they operate inside the kernel, a fault in the rootkit generally brings down the entire system rather than a single process.

User/Kernel Hybrid

Hybrid rootkits attempt to combine the stealth of kernel-level rootkits with the stability of user-level ones, typically by keeping a small kernel component for concealment and doing the rest of the work in user mode. This style of rootkit is one of the most common in existence currently.

Firmware Level

Firmware-level rootkits are very difficult to detect and remove. They hide in the firmware of the system's hardware components, such as the BIOS or the controllers of disks and network cards, and reinstall themselves from there on every boot. Because the firmware is not touched by reformatting the disk, a rootkit stored there survives a complete format and reinstallation of the operating system; a persistent BIOS rootkit with exactly this property was demonstrated in 2009. <ref>http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/</ref>

Virtual Level

Virtual-level (hypervisor) rootkits insert themselves beneath the operating system: they run the original operating system as a guest of a malicious virtual machine monitor, in the same way that legitimate virtualization software such as VMware runs a guest. The operating system and the security tools inside it keep running unmodified and cannot see the layer below them. Virtual-level rootkits are very complex to create, and as a result few have been found running outside research; the best-known is the SubVirt research prototype. <ref>http://www.eecs.umich.edu/virtual/papers/king06.pdf</ref>

Examples

Sony BMG

Sony BMG made headlines in late 2005 when it was discovered that audio CDs it sold installed a rootkit to hide their Digital Rights Management (DRM) software, which was designed to prevent music piracy, on users' computers. The Sony code hid below the level of the operating system's normal interfaces and secretly sent data back to Sony about activity on the user's computer. The Sony rootkit also left large security holes in the Windows operating system: it hid every file, process and registry key whose name began with a particular prefix, so other malware could hide itself simply by using the same prefix, and attackers could build on the rootkit to gain control of the user's system. The incident resulted in lawsuits against Sony and forced it to pull the CDs containing the rootkit off the shelves.

Other Examples

Other examples of rootkits with malicious intent include NTRootkit, HackerDefender, AFXRootkit and FURootkit, which are among the most prevalent today. Rootkits are also often embedded in other forms of malware; rootkit components have been found in known malware including Backdoor-CEB, AdClicker-BA, W32/Feebs, Backdoor-CTV, Qoolaid, PWS-LDPinch, Opanki.worm and W32/Sdbot.worm.

Detection

As the descriptions above show, rootkits can be very difficult to detect. Some naive rootkits, usually at the user level, can be detected by basic signature verification, that is, comparing files and loaded modules against known-bad signatures or known-good hashes. For rootkits at the kernel level or lower this approach is often ineffective, because, as discussed above, the rootkit controls the very interface the checker uses to read the files and modules it wants to verify.
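The directory-listing trick described under "How a rootkit avoids detection", together with the cross-view check that catches a user-mode version of it, as one added example written for this page (it is not code from the page, nor from any of the rootkits named on it). It assumes Linux with glibc or musl. The hook is an interposed readdir(3) that drops every entry whose name starts with the constructed prefix "Bad"; here it is compiled into the program itself, where the dynamic linker resolves every readdir() call to it, whereas a real user-mode rootkit ships the same function in a shared library loaded through LD_PRELOAD or /etc/ld.so.preload so that ls, find and every scanner in the system get the filtered view. The "raw view" reads the same directory through the getdents64 system call, bypassing libc, which is exactly the discrepancy a cross-view detector looks for. The four file names and the scratch directory are constructed sample data.

```c
/* Added example: user-mode readdir() hook that hides entries, and a
 * cross-view check (libc API view vs. raw getdents64 view) that exposes it.
 * Build: cc -o rkdemo rkdemo.c   (add -ldl on glibc older than 2.34). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for RTLD_NEXT */
#endif
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l) /* glibc/musl value, if _GNU_SOURCE came too late */
#endif

#define HIDE_PREFIX "Bad"       /* assumption: names starting with this are hidden */

/* The hook. A definition in the executable (or a preloaded library) shadows
 * libc's readdir for the whole process; the real one is fetched with
 * dlsym(RTLD_NEXT) and its output filtered before the caller sees it. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (!real_readdir)
        *(void **) (&real_readdir) = dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL) {
        if (strncmp(e->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            return e;           /* pass harmless entries through */
        /* hidden entry: skip it and fetch the next one */
    }
    return NULL;
}

/* API view: what any program (ls, a virus scanner) using libc sees. */
static int api_view_count(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n;
}

/* Raw view: the same listing via the getdents64 system call, which a
 * user-mode hook cannot touch. A kernel-mode rootkit hooking getdents64
 * would filter this view as well; that is why kernel-level rootkits defeat
 * detectors that run inside the compromised system. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static int raw_view_count(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    union { struct linux_dirent64 align; char raw[8192]; } buf;
    int n = 0;
    long got;
    while ((got = syscall(SYS_getdents64, fd, buf.raw, sizeof buf.raw)) > 0) {
        for (long off = 0; off < got;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *) (buf.raw + off);
            if (e->d_name[0] != '.') n++;
            off += e->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Creates a scratch directory holding two "Good" and two "Bad" files
 * (constructed sample data), lists it both ways, cleans up, and returns the
 * number of entries hidden from the API view (raw count minus API count).
 * A non-zero result is the cross-view discrepancy a detector would flag. */
static int hidden_entry_count(int *api_seen, int *raw_seen)
{
    char tmpl[] = "/tmp/rk-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    const char *names[] = { "Good1.exe", "Good2.exe", "Bad1.exe", "Bad2.exe" };
    char p[512];
    for (size_t i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0) close(fd);
    }
    int api = api_view_count(dir);
    int raw = raw_view_count(dir);
    for (size_t i = 0; i < 4; i++) {          /* unlink by name: not affected by the hook */
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        unlink(p);
    }
    rmdir(dir);
    if (api_seen) *api_seen = api;
    if (raw_seen) *raw_seen = raw;
    return raw - api;
}

int main(void)
{
    int api = 0, raw = 0;
    int hidden = hidden_entry_count(&api, &raw);
    printf("API view (hooked readdir): %d entries\n", api);   /* 2 */
    printf("raw view (getdents64):     %d entries\n", raw);   /* 4 */
    printf("entries hidden from the API: %d\n", hidden);      /* 2 */
    return hidden > 0 ? 1 : 0;
}
```

The cross-view check works only as long as the detector can reach a layer the rootkit does not control: here the system-call boundary is below a user-mode hook, but it is above a kernel-mode one, and a hypervisor rootkit sits below even the kernel. In practice that means comparing the live system's answers against a view taken from outside it, for example the disk mounted on a clean machine or a boot from trusted media.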

Removal

References

See Also

Malware

External Links

All about rootkits

Wikipedia: Rootkit

--Elesc 14:02, 9 April 2009 (EDT)
