Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.
Rootkits were so named because they allowed an intruder to become the root user (i.e., the system administrator) of a Unix system. Since then, similar software has been developed for other operating systems, and the term rootkit has been broadened to include any software that surreptitiously alters an operating system so that an unauthorized user can take arbitrary control of the system.
In 2005, Sony BMG caused a scandal by including rootkit software on music CDs that, in an attempt to enforce DRM, inadvertently opened a backdoor that allowed root access to anyone aware of the rootkit's installation. The scandal raised the public's awareness of rootkits, while the public relations fallout for Sony was compared by one analyst to the Tylenol scare.
A rootkit which hides utility programs usually does so to abuse a compromised system, and often includes so-called "backdoors" to help the attacker subsequently access the system at will. A simple example might be a rootkit which hides an application that spawns a command-processing shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to run as though they were started by a privileged user (including the root user) and to carry out functions normally reserved for the superuser.
Many other utility tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems with which the compromised system communicates, such as sniffers and keyloggers. A possible abuse is to use a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system (or network) instead of the attacker's. Tools for such attacks can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam distribution. A major malicious use for rootkits is to allow the rootkit's programmer to see and access user names and log-in information of systems requiring them. Such information can easily be collected from many systems (thousands or more). This makes rootkits even more hazardous, as it allows trojans to access this personal information while the rootkit covers it up.
It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is that they make it possible to hide malware from PC users and antivirus programs. Numerous source code samples for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various trojans or spyware programs etc.
However, rootkits are not always used to attack and gain control of a computer. Some software may use rootkit techniques to hide from third-party scanners in order to detect tampering or attempted break-ins, for example in a honeypot. Some emulation software and security software is known to use rootkit techniques. Alcohol 120% and Daemon Tools are commercial examples of the use of non-hostile rootkits.
Rootkit is a term now somewhat loosely applied to cloaking techniques and methods.
Kernel rootkits can be especially difficult to detect and remove because they operate at the same level as the operating system itself, and are thus able to intercept or subvert any operation made by the operating system. Any software, such as antivirus software, running on the compromised system is just as easily subverted. In a situation such as this, the whole system can no longer be trusted. One response in such a case is to perform offline analysis from a second 'trusted' system by mounting the hard drive of the infected system as a secondary volume, without executing anything from the untrusted volume; another is to format the disk and re-install from trusted media.
The best, and most reliable, method for rootkit detection is to shut down the computer suspected of infection, and then check its secondary storage by booting from an alternative medium (e.g., a rescue CD-ROM or USB flash drive). A non-running rootkit cannot actively hide its presence, and most established antivirus programs will then identify rootkits using both standard OS calls (which are often tampered with by the rootkit while it is running) and lower-level queries, which ought to remain reliable. If the two sets of results differ, the presence of a rootkit infection should be assumed. Running rootkits attempt to protect themselves by monitoring running processes and suspending their own activity until the scanning has finished; this is far more difficult if the rootkit is not allowed to run at all.
Security software vendors have attempted a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to hide during scanning, it will be identified by the stealth detector. If it decides to temporarily unload from the system, the traditional antivirus will find it using fingerprint detection. Since antivirus products almost never catch every virus in public tests, past results give reason to doubt how complete this approach can be. But this combined approach may force attackers to implement counter-attack mechanisms (so-called retro routines) in their rootkit code that forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses, the detection and elimination of rootkits will be an ongoing struggle between tool creators on both sides of this conflict.
There are several programs available to detect rootkits. On Unix-based systems, three of the most popular are chkrootkit, rkhunter and OSSEC. For Windows, there are many free detection tools such as Sophos Anti-Rootkit, F-Secure Blacklight, Hypersight Rootkit Detector or Radix Anti-Rootkit. Another Windows detector is RootkitRevealer from Microsoft (formerly Sysinternals), which detects rootkits by comparing results from the OS against expected results obtained by bypassing the operating system and analysing the raw underlying structures in the file system (cross-checking). However, some rootkits started to add RootkitRevealer to a list of processes they do not hide from, so in essence they remove the differences between the two listings and the detector does not report them (most notably the commercial rootkit Hacker Defender Antidetection). RootkitRevealer has apparently fixed this problem, as stated on its official page: "The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior."
Another method is to compare the content of binaries present on disk with their copies in operating memory — some valid differences can be introduced by operating system mechanisms (e.g., memory relocation or shimming), but others can very likely be classified as system call hooks introduced by a running rootkit (the approach taken by System Virginity Verifier). Zeppoo is another software product which detects rootkits under Linux and UNIX systems.
As always, prevention is better than cure, for being certain you have removed a rootkit typically involves re-installation of all software. If the integrity of the system install disks is trusted, cryptography can be used to monitor the integrity of the system. By "fingerprinting" the system files immediately after a fresh system install and then again after any subsequent changes made to the system (e.g., installing new software), the user or administrator will be alerted to any dangerous changes to the system's files. In the fingerprinting process a message digest is used to create a fixed-length "digest" dependent on every bit in the file being fingerprinted. By calculating and comparing message digest values of files at regular intervals, changes in the system can be detected.
Detection in firmware can be achieved by computing a cryptographic hash of the firmware and comparing the hash value to a whitelist of expected values, or by extending the hash value into TPM (Trusted Platform Module) configuration registers, which are later compared to a whitelist of expected values. The code that performs the hash, compare, and/or extend operations must itself not be compromised by the rootkit. The notion of a root of trust that is immutable (by a rootkit), if implementable, ensures that the rootkit does not compromise the system at its most fundamental layer. A method of rootkit detection using a TPM is described by the Trusted Computing Group.
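The extend-into-a-register step above, as an added example that is not from the article or from the Trusted Computing Group's specifications: a TPM platform configuration register (PCR) can only be extended, never written, and each extend sets it to H(old value || measurement). Simulating that on a SHA-256 bank shows why a recorded boot log can be replayed and checked against a whitelist, and why a tampered component cannot be hidden by extending further. Component names and contents are constructed.

```python
"""Added example: simulated TPM PCR extend chain for measured boot (not the article's code)."""
import hashlib

PCR_INIT = bytes(32)  # SHA-256 PCRs 0-16 start out as all zeros at reset


def measure(component):
    """Digest of one boot component (firmware, bootloader, kernel...)."""
    return hashlib.sha256(component).digest()


def extend(pcr, measurement):
    """TPM extend: new PCR = H(old PCR || measurement). There is no
    'set' operation, so a measurement can never be undone."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Extend each component in order; return (final PCR, event log)."""
    pcr, log = PCR_INIT, []
    for name, data in components:
        m = measure(data)
        log.append((name, m.hex()))  # the log is what a verifier later replays
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log. A log that does not reproduce
    the PCR value quoted by the TPM has been tampered with or truncated."""
    pcr = PCR_INIT
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def pcr_matches_whitelist(pcr, whitelist):
    """Whitelist holds hex PCR values of known-good boot configurations."""
    return pcr.hex() in whitelist


# Constructed sample boot chain (contents stand in for real binaries).
GOOD_BOOT = [(b"firmware", b"vendor firmware v1"),
             (b"bootloader", b"signed loader"),
             (b"kernel", b"kernel image")]
```

On a real platform the firmware itself performs the first extends and the verifier obtains the PCR value through a TPM-signed quote rather than trusting software on the possibly compromised host.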
"I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt there is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat [and reinstall]. This is so even if the rootkit is very well known and can be removed 100%." — Rootkit Question
While most antivirus and malware removal tools remain ineffective against rootkits, tools such as BartPE and other Preinstallation Environments (PE) or live distributions allow users to boot their computer with a fresh (presumably) "un-rooted" copy of the operating system. This allows users to examine and replace affected system files and delete offending rootkits of most types while keeping the underlying system intact. Since most rootkits hook system files needed at the lowest level of the OS, booting into Safe Mode will not usually allow removal of the rootkit process. In contrast, PEs do not rely on the infected underlying system structure but instead load a clean read-only copy of the operating system, allowing full control and detection of the rootkit. While most administrators prefer a clean reinstall, a skilled administrator using a PE can often delete and clean a rooted system if a reinstall is not a viable option.
In the case of the rootkit, the payload may attempt to maintain the integrity of the rootkit (the compromise of the system): for example, every time one runs the rootkit's version of the ps command, it may check the copies of init and inetd on the system to ensure that they are still compromised, "re-infecting" as necessary. The rest of the payload is there to ensure that the intruder continues to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or 'magic' environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some rootkits may add port knocking checks to existing network daemons (services) such as inetd or sshd.
A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general, a rootkit limits itself to maintaining control of one system.
A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the intruder through some sort of covert channel).
There are also hybrids. A worm can install a rootkit, and a rootkit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and are often conflated.
Most of the rootkits available on the Internet are constructed as an exploit or "proof of concept" to demonstrate varying methods of hiding things within a computer system and of taking unauthorized control. Since these are often not fully optimized for stealth, they sometimes leave unintended evidence of their presence. Even so, when such rootkits are used in an attack they are often very effective.