Rootkit Infections

A rootkit is a software program designed to provide an intruder with administrator access to a computer without being detected. Its purpose is almost always malicious.

A rootkit provides the intruder with administrative privileges, the highest level of permission that a user can have. The administrator has total freedom within the computer system, which means that he or she can install and uninstall programs, delete files, and change configuration settings, among other activities.

How you get infected by a rootkit

There are several ways in which your computer can become infected with a rootkit. They can come wrapped in email attachments or bundled with programs you download. You can become infected just by visiting a malicious site. Rootkits can also be loaded from a disk or USB drive by a malefactor who obtains access to your computer for just a few minutes.

Once a rootkit has been installed, it will create a backdoor, a hidden method for obtaining access, so that the intruder can re-enter your computer at will. This is usually done with a daemon, a type of program that runs unobtrusively in the background waiting to be activated by the occurrence of a specific event such as a particular intruder attempting entry through a specific port.

To break into a computer that follows good security practices and successfully install a rootkit takes skill and patience. Doing so, however, can be rewarding for malefactors, as they can collect sensitive data such as financial information, user names and passwords, and so on. Rootkits can also be used to send spam messages.

How rootkits are hidden

The success of a malicious rootkit depends on its ability to remove any traces of its existence and activities.

For example, a rootkit can modify system logs so that all references to its insertion, to log-ins by the intruder and to the running of programs by the rootkit are either not recorded or are deleted.

A rootkit can hide by replacing standard system utilities, such as find, ls, netstat, passwd, ps and who, with modified versions.

For example, a modified version of ls, which is used to list files, might not display the files that the intruder wants to keep hidden. A modified version of ps, which shows the processes currently running, might not display processes launched by the rootkit.

Types of rootkits

Rootkits can be classified into three different types, depending on the level at which they operate: application level, kernel level or BIOS level.

In application level rootkits, genuine executable files that form part of an application are replaced with modified executable files.

The kernel is the core of the operating system. With kernel level rootkits, a portion of the kernel code is replaced with modified code. When this happens, system calls, i.e. requests made by running software for a service performed by the kernel, can be replaced by modified requests.

BIOS stands for ‘basic input output system’. BIOS is a small program that controls a PC’s hardware from the moment the computer’s power is turned on until the main operating system takes over. A BIOS level rootkit is installed within the BIOS. It is much more difficult to detect and remove than rootkits at the other two levels.

Currently, almost all rootkit infections are at the first two levels. BIOS rootkits are not very prevalent yet, but they are expected to become more common in the future as BIOSs become more complex and are redesigned for easy updating.

How rootkits are detected

Rootkits, by their very nature, can be very difficult to detect, and you can never be sure that any rootkits present in your system have been detected or that suspected rootkits have been wholly eliminated.

The basic problem with trying to detect rootkit infections is that, where the operating system itself may have been affected (as with a kernel level rootkit), it cannot be trusted to find illegitimate modifications of its own components.

Detection can take a number of approaches. Anti-virus software can search for behavioural signatures that indicate the presence of a rootkit. In difference-based detection, the expected results of a test operation are compared with the actual results. In integrity checking, original program code can be compared with the latest code to see if unexplained changes have been made.

Most of these techniques only detect application level rootkits. Extracting a copy of the contents of the kernel and performing a forensic analysis offline can detect kernel level rootkits because, being offline, the rootkit cannot take any measures to cloak itself.
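The integrity-checking approach described above, as an added example that is not part of the original article: a baseline of SHA-256 hashes of trusted utilities (the ls, ps and who binaries mentioned earlier) is recorded, and a later check reports anything modified or missing. The file paths are a constructed temporary scenario; on a real system the baseline must be kept where the running OS cannot rewrite it (read-only media or another host), since a kernel level rootkit could otherwise update the baseline along with the binaries.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of each trusted binary while the system is known good.
    Store the result off-host or on read-only media (assumption noted in the lead-in)."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}


def verify(baseline):
    """Compare current hashes with the baseline; return a per-file verdict."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif sha256_of(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: three fake utilities in a temp dir; afterwards
    'ls' is overwritten (as a trojaned ls would be) and 'ps' is deleted."""
    d = tempfile.mkdtemp()
    paths = {name: os.path.join(d, name) for name in ("ls", "ps", "who")}
    for name, p in paths.items():
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original " + name.encode())
    baseline = build_baseline(list(paths.values()))
    with open(paths["ls"], "wb") as f:          # simulated replacement of ls
        f.write(b"#!/bin/sh\necho trojaned ls")
    os.remove(paths["ps"])                       # simulated removal of ps
    return {os.path.basename(k): v for k, v in verify(baseline).items()}


if __name__ == "__main__":
    print(demo())
```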

How to remove a rootkit

A number of security-software vendors offer tools, usually as part of a suite of anti-virus software programs, to automatically detect and remove rootkits. Examples include the Windows Malicious Software Removal Tool.

But most of these tools can only detect and remove some rootkits, and will fail against well-written kernel-level rootkits.

Thus, many experts believe that the only reliable way to remove rootkits is by re-installing your operating system and applications. Doing so is considered safer, simpler and quicker.

However, this too is not a 100% sure thing. Because BIOS level rootkits are stored on a memory chip rather than on a hard drive, they can survive the complete reformatting of your hard disk that occurs when you re-install your operating system. The only real solution to a BIOS level infection is to replace the hardware.

If you are a typical computer user, you will probably find that detecting and removing rootkits is very difficult and presents a daunting task. And indeed it can be.

Expert help – your best bet, if you suspect that you have been infected by a rootkit, is to use an online computer maintenance and repair company who can (with your permission) enter your system and run a series of checks to determine whether you have a rootkit and, if so, remove it. The cost should not exceed €25 for both detection and removal.