The Biggest Trends in A Guide To Rootkits
Rootkits can be called the most technically sophisticated form of malicious code (malware), and one of the most difficult to discover and eliminate. Of all types of malware, viruses and worms get the most publicity: they are widespread, and many people know someone who has been affected by one. That does not mean viruses and worms are the most destructive variety. There are more dangerous kinds of malware. As a rule they operate in stealth mode, are difficult to detect and remove, and can go unnoticed for very long periods while stealing data and modifying files on the victim's machine.
Rootkits are an example of such a stealthy enemy. A rootkit is a collection of tools that replaces or changes executable programs, or the kernel of the operating system itself, in order to obtain and keep administrator-level access to the system. That access can then be used to install spyware, keyloggers, and other malicious software. A rootkit gives an attacker complete control of the victim's machine (and possibly of the whole network the machine belongs to). One widely cited case in which a rootkit was used to cause considerable damage was the theft of the Half-Life 2 source code.
Rootkits are nothing new; they have been known for decades and have affected many operating systems (Windows, UNIX, Linux, Solaris, and others). Had it not been for one or two mass occurrences of rootkits (see the Famous Examples section) that drew public attention to them, they might have remained known only to a small circle of security professionals. So far rootkits have not unleashed their full potential and are not as widespread as viruses, but that is little comfort.
Rootkit Mechanism Exposed
Like Trojan horses, viruses, and worms, rootkits install themselves by exploiting flaws in network security or in the operating system itself, and often no action on the user's side is necessary. Some rootkits do arrive as an e-mail attachment or bundled with a legitimate-looking program, and are harmless until the user opens the attachment or installs the program. Unlike less sophisticated forms of malware, however, rootkits infiltrate the operating system very deeply and make special efforts to disguise their presence, for instance by modifying system files.
There are two types of rootkits: kernel-level and application-level. Kernel-level rootkits add code to, or modify, the kernel of the operating system. This is usually achieved by installing a device driver or a loadable kernel module that alters system calls to hide the presence of the attacker; if you look at log files, process lists, or directory listings, you will see no suspicious activity, because the answers the kernel returns have been filtered before you see them. Application-level rootkits are less sophisticated and generally easier to detect, because they change the executables of applications rather than the operating system itself. Since Windows 2000, Windows File Protection detects and restores modifications to protected system files, which makes it harder for an attacker to go unnoticed this way.
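The hiding mechanism described above, in miniature: the following is an added example written for this page, not code from the original article or from any real rootkit. It simulates a hook on the directory-listing API that filters out entries the "rootkit" wants to hide, and then shows the cross-view check that a detector uses to expose such a hook: enumerate the same directory through two independent paths and compare. The `rk_` prefix, the file names, and the use of `os.scandir` as the "lower-level" view are constructed assumptions for the demo; a real detector would compare the API view with the file-system structures read directly from disk.

```python
"""
Added example (not from the original article): a user-space simulation of
an application-level rootkit hooking the directory-listing API, and the
cross-view check that reveals it by comparing two independent views.
"""
import os
import tempfile

HIDDEN_PREFIX = "rk_"          # assumption: names the simulated rootkit hides
_real_listdir = os.listdir     # keep a reference to the unhooked function


def hooked_listdir(path="."):
    """Simulated rootkit hook: same signature as os.listdir, but silently
    drops every entry whose name starts with HIDDEN_PREFIX."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Replace the 'high-level API' with the filtering hook."""
    os.listdir = hooked_listdir


def remove_hook():
    """Restore the original function."""
    os.listdir = _real_listdir


def raw_listing(path="."):
    """Independent enumeration that does not go through os.listdir.
    (Stand-in for reading the file-system structures directly.)"""
    with os.scandir(path) as it:
        return sorted(e.name for e in it)


def cross_view_diff(path="."):
    """Return names present in the raw view but missing from the API view.
    A non-empty result means something is cloaking directory entries."""
    api_view = set(os.listdir(path))
    raw_view = set(raw_listing(path))
    return sorted(raw_view - api_view)


def demo():
    """Create constructed sample files, run the check before and after the
    hook is installed, and return both results."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "rk_keylog.dat", "rk_loader.sys", "report.pdf"):
            open(os.path.join(d, name), "w").close()
        clean = cross_view_diff(d)      # nothing hooked yet: expect []
        install_hook()
        try:
            hidden = cross_view_diff(d)  # hook active: the rk_ files reappear
        finally:
            remove_hook()
        return clean, hidden


if __name__ == "__main__":
    print(demo())
```

The point of the check is not the particular lower-level view chosen but the discrepancy: a rootkit must lie consistently across every path an observer can take, and a kernel-level one that filters the system call itself defeats this user-space comparison, which is why the Detection section below recommends examining the disk from clean boot media.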
Why Rootkits Pose a Risk
Rootkits can act as a backdoor, and usually they are not alone in their mission: they are often accompanied by spyware, Trojan horses, or viruses. The aims of a rootkit vary from the simple malicious joy of penetrating somebody else's computer (and hiding the traces of the foreign presence) to building a whole system for harvesting confidential data (credit card numbers, or source code as in the case of Half-Life 2).
Generally, application-level rootkits are less dangerous and easier to detect. But if the program you use to keep track of your finances gets "patched" by a rootkit, the monetary loss can be significant: an attacker can use your credit card data to buy a few items, and if you don't notice the suspicious activity on your statement in time, you will most likely never see the money again.
Compared to kernel-level rootkits, application-level rootkits look sweet and harmless. Why? Because a kernel-level rootkit opens every door to a system; installing other malware, for instance for theft of financial data, becomes easy. Having a kernel-level rootkit and not being able to detect and remove it easily (or at all, as we will see next) means that somebody else has total control over your computer and can use it in any way he or she pleases, for instance to launch attacks on other machines so that they appear to originate from your computer rather than from somewhere else.
Detection and Removal of Rootkits
Not that other types of malware are easy or fun to detect and remove, but kernel-level rootkits are a particular disaster. In a sense it is a Catch-22: if you have a rootkit, the system files and system calls that the anti-rootkit software depends on are likely to be modified, so the results of the check cannot be trusted. What is more, a running rootkit can filter the list of files or the list of running processes that anti-virus programs rely on, feeding them fake data. A running rootkit can also unload the anti-virus program's processes from memory, causing it to shut down; by doing this it indirectly reveals its presence, so one can get suspicious that something is wrong.
A recommended way to detect the presence of a rootkit is to boot from alternative media known to be clean (a backup or rescue CD-ROM, for example) and examine the suspect system from there. The rootkit is not running, so it cannot hide itself, and the system files cannot be tampered with while they are being checked.
There are ways to detect and (attempt to) remove rootkits. When in doubt about having a rootkit, compare the fingerprints (cryptographic hashes) of the current system files with those of known-clean copies. This method is not foolproof, but it is better than nothing, even though most system administrators rarely resort to it, especially when good free programs for rootkit detection exist, such as Mark Russinovich's RootkitRevealer. His site has detailed instructions on how to use the program.
After you detect a rootkit on your computer, the next step is to get rid of it (easier said than done). Now comes the trickiest part: with some rootkits, removal is not an option unless you want to remove the whole operating system as well. The most obvious solution, deleting the infected files (provided you know exactly which ones are cloaked), is inapplicable when vital system files are concerned: if you delete them, chances are you will never be able to boot Windows again. You can try a couple of rootkit removal applications, such as UnHackMe or F-Secure BlackLight Beta, but do not count too much on their being able to remove the pest safely.
It might sound like shock therapy, but the only proven way to remove a rootkit is to format the hard drive and reinstall the operating system (from clean installation media, of course!). If you have a clue where the rootkit came from (was it bundled with another program, or did somebody send it to you by e-mail?), don't even think of running the source of infection again.
Famous Examples of Rootkits
Rootkits had existed for decades before last year, when they became prime-time news. The case of Sony BMG, whose Digital Rights Management (DRM) technology prevented unauthorized CD copying by installing a rootkit on the user's machine, provoked sharp criticism. There were lawsuits and criminal investigations; Sony BMG had to withdraw the CDs from stores and replace sold copies with clean ones. Sony BMG was accused of cloaking system files to hide the presence of the copy-protection program, which was also used to send private data to Sony's site. If the user uninstalled the program, the CD drive became inoperable. This copy-protection program violated privacy rights, employed techniques typical of this kind of malware, and, above all, left the victim's computer vulnerable to other attacks. Sony BMG, a big corporation, tried the arrogant way first, stating that since most people didn't know what a rootkit was, why would they care that they had one? Had there been no one like Mark Russinovich, who was the first to ring the bell about Sony's rootkit, the trick could have worked and millions of computers would quietly have been infected: a global offense in the alleged defense of a company's intellectual property!
A case similar to Sony's, in that you did not need to be connected to the Internet to get a fresh supply of rootkits, is Norton SystemWorks. The two cases cannot really be compared from an ethical or technical point of view, because Norton's rootkit (or rootkit-like technology) modifies Windows system files to accommodate the Norton Protected Recycle Bin, and Norton can hardly be accused of malicious intent to restrict users' rights, or of enjoying the rootkit, as is the case with Sony. The purpose of the cloaking was to hide from everybody (users, administrators, other programs, Windows itself) a backup directory of files users have deleted, from which those files could later be restored. The Protected Recycle Bin added one more safety net against quick fingers that first delete and only then think about whether they deleted the right file(s), providing an additional way to restore files that had been deleted from the Recycle Bin (or that had bypassed it).
These two examples are hardly the most severe cases of rootkit activity. They are worth mentioning because, by attracting attention to a particular case, they drew public interest to rootkits as a whole. Hopefully more people now not only know what a rootkit is, but care whether they have one!