Malware: What are rootkits?
Introduction
Those looking to take advantage of computer users dream of being able to access computer systems of others without being detected. Couple that with elevated privileges, and you have yourself a veritable attacker’s fantasy. That is probably why so many attackers and cybercriminals rely on rootkits to make their dreams come true.
This article will detail what rootkits are, their components, levels of rootkits, how rootkits spread and what rootkits can do to a computer system, as well as some of the different types of rootkits kicking around computer systems these days. Those who are not well versed in Unix will get a little historical perspective on the name as well. Welcome to Rootkits 101!
What should you learn next?
What is a rootkit?
Those new to malware are probably scratching their heads wondering what a rootkit is, and probably why it is has a name like “rootkit.” A rootkit is a piece of software that has two functions: to provide privileged access and to remain undetected. Not all rootkits are malware, but this article will focus on those with malicious intent.
The word “rootkit” is a combination of the component words “root,” from Unix/Linux meaning “privileged access,” and “kit” referring to tool kit. Easy enough, right?
Components of rootkits
Rootkits have three common components:
- Dropper: Droppers are the file or program that install the rootkit. Sometimes it’s an executable program (for example, when it is contained in a suspicious email attachment), or it can be a file that is triggered once opened (for example, a Word or PDF document)
- Loader: This is the malicious code that launches when the dropper is initiated. The loader takes advantage of system vulnerabilities and coordinates the rootkit to load with the system. The vulnerabilities it exploits depend on the level the level the rootkit is on
- Rootkit: The rootkit itself, which needs the components above to function
Rootkit levels
Just a few sentences ago, I referred to rootkit levels. What I meant was that the level the rootkit actually rests on in the computer. Below is a list of these levels, on a scale of increasing privileges:
- Level 3 – Applications
- Level 2 – Device drivers
- Level 1 – Device drivers
- Level 0 – Kernel
Infections on these levels escalate in severity until it gets to the kernel level, which some may consider the holy grail of rootkit levels. Once it gets to level 0, the rootkit infection becomes the hardest to remove. This is compounded by the fact that most if not all antivirus solutions do not have full access to level 1 and lower.
How rootkits spread
For a rootkit to spread within a computer, it must be installed or injected. There are three different ways that rootkits can be injected on a computer clandestinely:
- Piggybacking: This is where the rootkit is bundled with seemingly genuine software. The user has supplied administrator credentials, allowing the rootkit to be installed as surely as the genuine software is
- Blended threat: This is where the rootkit takes advantage of several vulnerabilities on the computer it is intended to affect and uses the loader component to perform this action
- Infected mobile apps
How rootkits work
Malware leaves behind telltale signs of its presence, including:
- Process generation
- Presence of strange accompanying files
- The appearance of certain suspicious registry keys
- Changes in disk space utilization and CPU
Part of the job of rootkit is to monitor infected computers for these telltale signs. If they exist on the infected computer, the rootkit will alter the parts of the computer system that show these signs in order to keep the malware invisible to the computer user.
Different types of rootkits
There are four different types of rootkits, categorized based on their method of infecting computers.
Kernel mode rootkit (KMR)
KMRs insert themselves into the kernel of the infected computer. Kernels are a central component of operating systems that control operations between applications and hardware. This type gives the highest level of privileges to attackers, but it is also the riskiest: if the KMR code fails, the intended infected computer will crash.
User mode/application
This type is referred to as application rootkits because they operate where applications normally run. These are the easiest to deploy but also pose less risk to the user than other types.
Firmware
Firmware rootkits play particularly dirty in that they embed themselves in the computer’s firmware. This means they can remain hidden for a longer period of time, since the firmware is not regularly inspected for code integrity. Hard drives, network cards and routers are commonly the target for this type.
Bootkits
This is another sticky situation for the computer user because this type infects the master boot record that is activated during a system startup. Bootkits are more persistent than other rootkit types because they can turn on after the user initiates a defensive restart. Compounding the problem is the fact that IT departments do not regularly scan the master boot record.
Conclusion
Rootkits represent two things — a smoke screen for attackers to maintain persistent attack campaigns and a nightmare for the computer user. This type of malware will hide the actions of malware from monitoring eyes and can grant elevated privileges to attackers to further their campaigns.
However, despite their danger, rootkits are not the end of the world. Those worried about infection should tighten up their security and take a more “paranoid,” or defensive, posture to their activity on the computer. This is the best way to help ensure that your computer does not fall victim to rootkits and become another cybercrime statistic.
FREE role-guided training plans
Sources
- How Does Rootkit Work?, SolarWinds MSP
- Rootkit – the (Nearly) Undetectable Malware, Heimdal Security
- ROOTKIT: WHAT IS A ROOTKIT?, Veracode
- An Introduction To Rootkits, Defence Intelligence Blog
- Rootkit, Imperva