RootKits | What Are They?
Rootkits are programs used to hide the fact that a system's security has been compromised. Rootkits must be inserted manually by an attacker and normally replace system files and executables. The rootkit then hides the fact that the attacker has modified files and folders, along with any other malicious software the attacker has installed. Rootkits may also provide a backdoor login to the system, allowing attackers to log in whenever a particular login combination is entered.
The first rootkits were developed for Unix systems to allow users to maintain administrative, or root, access to a system. If the user could replace some of the system's login files, they could maintain access to the system. In order to install the rootkit, the attacker must first compromise the physical security of the system in some way.
Common rootkits are used to hide processes, files, blocks of memory, network connections or Windows registry entries from the programs a system administrator would use to detect them, such as antivirus software. The backdoor created by the rootkit allows the attacker to connect to the system and control it at any time; a typical rootkit, for example, spawns and maintains a command line interface with administrative privileges as soon as the attacker connects to a certain port on the computer. Rootkits are also used to conceal dangerous tools such as denial-of-service tools, sniffers and keyloggers, which can greatly compromise the integrity and privacy of the user. Virus developers have made extensive use of rootkits to hide virus applications from the user and from antivirus programs. The hiding capabilities of rootkits may also be used to conceal attempted break-ins, utility programs and system tampering.
Types of rootkits
• Hardware/Firmware rootkits – These rootkits reside in firmware, for example in a device's ROM or in embedded devices. They can give attackers access to devices such as credit card terminals and ATMs, causing monetary losses.
• Hypervisor level rootkits – This type of rootkit runs as a hypervisor beneath the computer's operating system, which is loaded as a guest on a virtual machine. All hardware calls made by the original operating system are therefore handed to the hypervisor rootkit, making it very easy for it to hide attacks and to allow backdoor access.
• Boot loader level rootkits – Boot loader rootkits, also known as bootkits, replace boot sector files and load at startup. This allows the attacker to control the operating system of the computer and extract details of all the user's actions.
• Kernel level rootkits – These rootkits replace files from the kernel of the operating system itself, allowing almost unlimited access to attackers. They may also replace kernel-level device drivers, giving the attacker an unprecedented level of device control as well.
• Library level rootkits – These patch or hook the operating system's system calls and library interfaces, so that the library functions used by applications come under the attacker's control.
• Application level rootkits – Application level rootkits replace user application files and run along with that application, modifying its behavior.
Rootkit detection is normally performed by antivirus programs that include rootkit detection. However, once a rootkit is found, there is no sure-fire way to remove it except by backing up all files and formatting the computer. Even though many antivirus programs offer rootkit removal for inexperienced users, system administrators tend to simply format their hard disks whenever a rootkit is detected.
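As an added example (not part of the original article), the cross-view check below contrasts the process list a tool like ps obtains from the /proc listing with the kernel's own answer to kill(pid, 0) for every PID: a process that only the probe can see is the kind of hidden process described above. It assumes a Linux host with /proc mounted, and treats thread IDs and just-exited processes as the benign explanations they usually are.

```python
"""Cross-view detection of hidden processes on Linux (added example). ps/top read the
/proc listing, which a rootkit can hook; kill(pid, 0) asks the kernel's own PID table."""
import os

SELF_PID = os.getpid()  # used by the self-check below

def pids_from_proc():
    """High-level view: the PIDs a tool like ps sees by listing /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pid_exists(pid):
    """Low-level view for one PID. kill(pid, 0) sends nothing; EPERM still means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def classify(pid, listed):
    """Explain a PID the probe found: listed, a thread, just exited, or hidden."""
    if pid in listed:
        return "listed"
    try:  # threads answer kill() too but never appear in the /proc listing
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return "thread" if int(line.split()[1]) != pid else "hidden"
    except OSError:
        pass  # /proc/<pid> unreadable: process just exited, or fully hidden
    return "hidden" if pid_exists(pid) else "exited"

def cross_view(listed, probed):
    """Return {pid: verdict} for PIDs the probe saw but the listing did not."""
    return {pid: classify(pid, listed) for pid in sorted(probed - listed)}

def scan(max_pid=None):
    """Probe every PID up to pid_max and compare with the /proc listing."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    probed = {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}
    return cross_view(pids_from_proc(), probed)

if __name__ == "__main__":
    for pid, verdict in scan().items():
        if verdict == "hidden":
            print(f"PID {pid} exists but is not listed in /proc: investigate")
```

A clean host reports no "hidden" verdicts; a rootkit that hooks only the directory listing leaves its process visible to the probe, while one that also hides kill() would need a different view (kernel memory, or an offline disk image) to detect.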