What is a rootkit, how does it work and how to remove it?

The term “rootkit” is usually associated with viruses, attacks on devices and malware in general – and for good reason. A rootkit is the most dangerous type of malware, and a very clever one: you will not even notice that it is on your computer. That is why many people are unaware that this kind of threat exists, let alone that their own device is infected. Find out what a rootkit is, how to remove it, and whether you can protect yourself against rootkits.

What is a rootkit?

The word “rootkit” combines two words: “root” and “kit”. In Unix, “root” is the user who has full, unrestricted access to the system. A “kit” is simply a set of tools. Put together, the words describe extremely dangerous software that gives an attacker remote and permanent access to the infected computer and lets them install various tools on it. Their purpose is usually to steal data, and the user usually has no idea that he has lost control of his own device – so the threat posed by rootkits cannot be underestimated.

A rootkit avoids detection in a way similar to keyloggers – it tries to nest as deep in the system as possible and cleverly hides from anti-virus programs and other security software. It usually behaves like a backdoor, giving cyber criminals an “invisible door” into the victim’s system through which they can not only install additional components but also remove them. The most common tools bundled in rootkits are:

  • theft modules – intercepting passwords, credit card details and online banking information;
  • bots for DDoS attacks;
  • keyloggers (mechanisms for capturing keystrokes);
  • functions capable of circumventing and disabling security systems.

Rootkit malware must be designed for a specific system. For Windows, well-known active rootkits include Necurs, Alureon, ZeroAccess and TDSS. Nowadays, rootkits can attack any system – macOS, Solaris, FreeBSD and other more or less widely known platforms.

The conclusion is one: today no system guarantees 100% security.

Use of rootkits


A rootkit by itself is not dangerous, but it never occurs on its own: a rootkit package always contains an additional malicious program. The rootkit’s task is to block any attempt to detect the intruder. Currently, rootkits are mainly used for attacks over the internet, but there are also utility rootkits that, among other things, let you bypass anti-piracy protections.
Rootkits of this kind are particularly popular among computer gamers who, for example, create a virtual drive holding a pirated copy of a game and so bypass the need to insert the original CD into the drive.

Rootkits can be used to:

  • create backdoors, or invisible doors into the system, through which a hacker can remotely control the attacked device. This bypasses authentication mechanisms and allows unauthorized access and, for example, data theft or falsification;
  • deliver malware designed to steal sensitive data, passwords and so on – most commonly keyloggers and viruses;
  • use the attacked computer or network for further attacks on other devices, so that the hacker’s own computer stays out of the picture. The attacked computer is often called a “zombie computer”; in principle, any device connected to the Internet can be turned into a zombie.
    Attacks of this kind are mostly carried out by a group of computers infected with malware (a botnet). This lets attackers carry out, remotely and invisibly to the users, campaigns such as spam, link distribution, fraudulent clicks (click fraud) or DDoS attacks. For the latter, zombies are ideal – a DDoS is a massive attack from many computers against a single target that prevents it from functioning properly by consuming all the free resources (memory, processor time) of the attacked machine.

Rootkits – as we mentioned – are not bad in themselves and are often used for legitimate – or slightly less legal, but beneficial from the user’s point of view – purposes, that is, they are consciously installed by the owner of the device. Most often, such rootkits are used for:

  • digital rights management (DRM) – rootkits of this kind protect e.g. music files, videos and games so that only legitimate buyers can use them

Good to know

The first DRM schemes were very makeshift; among other things, they consisted of abruptly interrupting the game and asking the player to type in a passage from the printed manual, which owners of pirated copies usually did not have. Times have changed, though, and so have the ways of countering piracy – it is a great war between the makers of copy protection and the hackers (the creators of so-called warez – crackers and pirates).

Unfortunately, the balance tips in favour of the cyber criminals. Game developers focused so much on protection that they forgot about ordinary users. The Russian StarForce protection not only guards the legality of the game itself, it takes control of the player’s entire computer and so prevents any illegal activity – not just activity related to the game. These practices caused a strong wave of opposition among gamers; among other consequences, the French game developer Ubisoft terminated its cooperation agreement with StarForce.

Another interesting case study is one of Electronic Arts’ games, “Spore”. Its original release shipped with a protection system called SecuROM. It was not as dangerous as StarForce, but it brought users plenty of unpleasant surprises. The game required the original CD and forced online activation – online protection is the most effective kind, but it only makes sense for games that actually make full use of the network, and “Spore” used the internet to a very small extent. The problem went deeper, though: you could create only one user account and activate it only once, and within that account the game could be installed at most 3 times.

This meant that it was not possible to install the game on a PC and a laptop at the same time, and 3 operating system reinstalls ruled out reinstalling the game altogether. It turned out that these methods hit legitimate users the hardest – the protections meant nothing to the crackers, and a pirated version of “Spore” appeared online even before its official release. Although the publisher lifted most of the restrictions a few weeks after the game’s debut, this did not undo the negative reaction from users.

  • attack detection, e.g. honeypots – these are traps that pretend to be a system, a single service or a local network. Their purpose is to intercept and report attempts to gain unauthorized access to data. Honeypots come in simpler and more extensive versions – the latter can even record and monitor the behaviour of an attacker using multiple IP addresses. They are a great tool for early detection of attacks and for protection against malware and vulnerabilities
  • enhancements to virtual drive emulators – popular commercial programs such as Alcohol 120% or Daemon Tools. They are used to defeat the copy protection of e.g. games, breaking, among others, the SafeDisc and SecuROM systems
  • malware detection – good quality antivirus software uses rootkit techniques to protect against malware. It works by capturing system activity and guarding against uninvited guests. The antivirus processes are not hidden, but you cannot terminate them yourself
  • detection of cheating in games, e.g. through Warden or GameGuard. This is so-called anti-cheat software

Know Before You Go

One of the latest scandals concerns Valorant, released by Riot Games, and its anti-cheat system “Vanguard”. Users discovered that this rootkit starts together with the operating system and keeps running even when the game is not running – and worse, it has administrator privileges!
This means that it could potentially collect all of the user’s information, and it also creates a backdoor. Riot Games responded by assuring that Vanguard is thoroughly checked for vulnerabilities and that it does not collect user information at all. According to the manufacturer, “Vanguard” is a great way of fighting cheaters; should the driver turn out to expose players, Riot Games will withdraw it and develop a completely new mechanism. A separate question is whether the solution actually works – because, despite its presence, cheaters are doing quite well.

  • anti-theft – on laptops you can install rootkit-type software that resides in the BIOS. With it, it is possible to monitor the location of the laptop, switch it off remotely and wipe its data
  • bypassing Microsoft product activation – most commonly for Windows and the Microsoft Office suite

The latest rootkits are no longer just aimed at computers and laptops, but also at mobile devices – especially those based on Android. Most often they are associated with attractive applications that can be downloaded from untrusted sources.

What are the types of rootkits?

There are several types of rootkits, but to understand them well you need to take a closer look at the so-called protection rings. Simply put, they describe the privilege levels in the operating system architecture. There are 4 rings. The innermost, lowest-numbered but most privileged level is ring “0”, which contains the system kernel that controls the entire computer. Above it are ring “1” and ring “2”, where the drivers – e.g. for the graphics card – are placed.

The last and highest level, with the lowest privileges, is ring “3”, which contains the applications you use, such as Microsoft Office, CorelDraw and Photoshop. It is worth noting that ring “0” also has authority over anti-virus programs, which sit at the highest level, ring “3”, and often do not even reach ring “1”.

Rootkits can target any level, but the hardest to detect are those aimed at the system kernel. There are also hybrid rootkits – ones that hit, for example, the user level and the kernel level at the same time.
Before going into the specific levels, it is worth distinguishing persistent rootkits from memory-based rootkits:


  • Persistent rootkits owe their name to the fact that they are present every time the operating system starts. They are usually stored as code and a program on disk or in the registry. They run in the background and are not visible in the system’s list of processes and services. This is the most common type of rootkit, mainly because they do not require specialized code and are very easy to distribute
  • Memory-based rootkits live only in the computer’s volatile memory. They are effectively disposable – they activate once and disappear when the system is restarted, which is why they are much harder to detect

User level rootkits – ring “3”

Rootkits at this level work alongside other applications. They can use very different installation methods, but all of them are designed to capture and modify standard API calls (application programming interfaces – the calls through which programs communicate with the operating system).
For example, they can inject a dynamic library (in Windows a file with the .dll extension, in macOS a .dylib) into other processes.

What does that mean?

A dynamic library is linked to an executable program only when that program runs. A rootkit installed this way can manipulate any target process – for instance to hide a running process or a file on the system.

An example of this is abuse of the Windows Import Address Table (IAT). The IAT is the part of an executable or .dll file that holds the addresses of the library functions it imports from other .dll files. The rootkit’s loader code overwrites the entry for one of the most commonly used functions in a system library.
The rootkit’s code then runs instead of the intended function. To stay unnoticed, it also carries out the requested operation. The most vulnerable Win32 libraries were Kernel32.dll, Gdi32.dll and User32.dll, and for the Windows API, Advapi32.dll.


Another example is overwriting the memory of a selected application – but this is only possible once the appropriate access permissions have been obtained.
The rootkit can use different injection mechanisms:

  • intercepting messages
  • exploiting security vulnerabilities
  • debuggers
  • application extensions – an example is Windows Explorer, which exposes public interfaces that can be modified by third-party extensions
  • capturing and modifying the API

The user level is often where a rootkit replaces standard programs with Trojan versions. This masks the presence of the malware and gives access to data.

Examples of user-level rootkits include Aphex, Hacker Defender and Vanquish.
HackerDefender is one of the most popular rootkits. It usually arrives together with other malware, e.g. a Trojan from the CWS family. Its presence on your computer may be suggested by the sudden disappearance of programs such as HiJackThis (HJT – a malware removal program) or by anti-virus programs being obstructed. HackerDefender comes in several versions and could even be… bought online as a commercial version tailored to the buyer’s needs and capabilities.


Hypervisor level rootkits – rings “2” and “1”


At the hypervisor level (the tools that manage virtualization), the rootkit hosts the original operating system as a virtual machine. This lets it intercept operations such as the operating system’s calls to hardware (external screen, printer, router, network adapter, etc.). Rootkits of this kind have the advantage that they do not need to load before the system starts – they can be in place before the system is moved into a virtual machine.
A ring “1” rootkit does not need to modify the kernel, but that does not mean it cannot be detected: an example is noticeable differences in CPU timing, which can reveal the rootkit’s presence.

Examples of hypervisor-level rootkits: “SubVirt”, a lab rootkit developed by Microsoft and the University of Michigan and based on a virtual-machine-based rootkit (VMBR); and “Blue Pill”, a rootkit with a keylogger. The latter was a project by Joanna Rutkowska, who wanted to prove that it is possible to create a completely invisible rootkit. The name was inspired by the film The Matrix.

Firmware and hardware rootkits

In rings 2 and 1, it is also worth mentioning firmware rootkits (firmware being the software permanently installed in a device) and hardware rootkits. They do not attack the operating system directly but the code responsible for operating the hardware (network card, hard disk, router). Such a rootkit can also target the BIOS code. The integrity of firmware code is usually not checked, which for hackers is an open invitation.

Kernel-mode rootkit – level “0”

Ring “0” is the level with the highest privileges in the operating system. Rootkits aimed at the very heart of the system work by adding code to, or completely replacing, parts of the operating system (this applies to both the kernel and device drivers).

Kernel-level rootkits are the most dangerous because they have unlimited access to all of the computer’s resources. At the same time, they are among the most difficult to write: even a slight error in the code disrupts system stability, and that is a short path to the rootkit being discovered by a legitimate user.
The first widely distributed kernel-level rootkit was written for Windows NT 4.0. It was published in 1999 in Phrack magazine by Greg Hoglund.
Rootkits aimed at the kernel are the most difficult to detect and remove, mainly because they operate at the same level as the operating system and can modify or even remove any operation of the system, including the most trusted ones – which extends to tampering with antivirus software. Once a rootkit is present in ring “0”, no part of the system is safe.

In Windows, a rootkit can use Direct Kernel Object Manipulation (DKOM) to alter the kernel data structures responsible for logging and auditing. With such a modification, the rootkit returns false information to the system, e.g. about whether a process exists.
Another method is to hook the rootkit into the System Service Descriptor Table (SSDT – an array of system service descriptors). The array holds the addresses of the operating system functions currently in use.

This hooking goes deeper than IAT hooking in ring “3” because it affects the entire system, not just a single library. For example, a rootkit of this kind might target NtQueryDirectoryFile in Ntoskrnl.exe to hide folders and files on the file system. The rootkit can also mask itself by modifying the gateway between user mode and kernel mode.
On Linux, kernel rootkits take the form of loadable kernel modules (LKM). They work just as on Windows – they can modify the system call table.
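The same defensive check applies to both of the hooking techniques described above: a pointer in an Import Address Table should resolve into the DLL named in the import directory (ring 3), and an entry in the SSDT or the Linux system call table should resolve into the kernel image rather than into a loaded module (ring 0). The following Python script, added here as an illustration and not taken from the article or from any rootkit or anti-rootkit product, implements that range check over constructed snapshots; every module name (including the fictitious `hidemod.ko`) and every address is invented sample data.

```python
"""Added example (not from the original article): flag pointer-table entries
that resolve outside the image expected to own them. The one check covers a
user-mode IAT (ring 3) and a kernel syscall table / SSDT (ring 0).
All module names and addresses below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ModuleRange:
    """Address range of one loaded image, as reported by a module list."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[ModuleRange]) -> str:
    """Name of the loaded image whose range holds addr, or '?' if none does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return "?"


def find_hooked_entries(table: Dict[str, Tuple[str, int]],
                        modules: List[ModuleRange]) -> List[Tuple[str, str, str]]:
    """table maps an entry name (e.g. 'CreateFileW' or 'sys_getdents64') to
    (expected_owner, resolved_address). Returns (name, expected, actual) for
    every entry whose address is not inside the expected image."""
    suspicious = []
    for name, (expected, addr) in table.items():
        actual = owner_of(addr, modules)
        if actual != expected:
            suspicious.append((name, expected, actual))
    return suspicious


# Constructed ring-3 snapshot: two system DLLs plus an unbacked memory
# region that a user-mode rootkit might have mapped into the process.
USER_MODULES = [
    ModuleRange("kernel32.dll", 0x7FF8_1000_0000, 0x0010_0000),
    ModuleRange("ntdll.dll", 0x7FF8_2000_0000, 0x0020_0000),
    ModuleRange("<unbacked>", 0x0000_0210_0000, 0x0001_0000),
]
USER_IAT = {
    "CreateFileW": ("kernel32.dll", 0x7FF8_1002_3450),
    "ReadFile": ("kernel32.dll", 0x7FF8_1002_3A00),
    "NtQueryDirectoryFile": ("ntdll.dll", 0x0000_0210_1100),  # redirected
}

# Constructed ring-0 snapshot: kernel text range plus one loaded module
# (hidemod.ko is a made-up name).
KERNEL_MODULES = [
    ModuleRange("vmlinux", 0xFFFF_FFFF_8100_0000, 0x0100_0000),
    ModuleRange("hidemod.ko", 0xFFFF_FFFF_C0A0_0000, 0x0000_8000),
]
SYSCALL_TABLE = {
    "sys_read": ("vmlinux", 0xFFFF_FFFF_8123_4560),
    "sys_getdents64": ("vmlinux", 0xFFFF_FFFF_C0A0_1230),  # points into module
    "sys_kill": ("vmlinux", 0xFFFF_FFFF_8124_0000),
}

if __name__ == "__main__":
    for label, table, mods in (("IAT", USER_IAT, USER_MODULES),
                               ("syscall table", SYSCALL_TABLE, KERNEL_MODULES)):
        for name, expected, actual in find_hooked_entries(table, mods):
            print(f"{label}: {name} expected in {expected}, resolves to {actual}")
```

In a real scan the two inputs would come from the process’s loaded-module list and its import directory (or from the kernel’s module list and symbol table), but the comparison itself is exactly this: an entry that resolves into an unexpected or unbacked region is the signature of a hook.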

Bootkits

Bootkits deserve a special place on the list of threats to the system kernel. They attack boot code such as the Master Boot Record (MBR), the Volume Boot Record (VBR) or the boot sector – hence the name. This method makes it possible to attack full-disk encryption systems.

Evil Maid Attack – this bootkit attack targets unattended computers. To the hacker they are what a hotel room with valuable luggage left behind is to a rogue maid. The bootkit replaces a legitimate boot module with one controlled by the cybercriminal. Malware loaded this way survives into the kernel by carrying over into protected mode as the kernel is loaded, which lets it take control of the kernel. Implanting malware into such an unprotected system takes a hacker about 4 minutes.

How does the rootkit install and hide?

There are essentially two ways to install a rootkit: automatically or manually. The first requires little action on the hacker’s part. The second involves the attacker to a much greater extent: he must first gain access to the victim’s computer, e.g. by exploiting security vulnerabilities or obtaining a password through, among other things, phishing (impersonating, for example, a banking institution), and only then perform the installation.
After installation the rootkit hides its presence while retaining permanent access to all components of the system. This means that a hacker can modify all the software installed on the device – including all antivirus and security programs (adding the rootkit as a security exception, for example).

Most often, rootkits exploit vulnerabilities; they can also hide inside Trojans, deceiving a user who thinks he is installing harmless and useful software. A rootkit can reach your computer through unsafe links to infected sites, suspicious emails with tampered attachments, programs and applications installed from unknown sources, and USB sticks.

Hackers exploit human curiosity and leave pen drives or flash cards in public places such as cafes, office buildings and hotels. In most cases the finder plugs the found drive into his computer, thus infecting his own device.
Some rootkits are installed fully consciously by the user, for example to monitor the work of employees. Others come bundled with commercial software under the pay-per-install (PPI) model. This works similarly to affiliate schemes, except that payment for the promotion is made once the additional software – which often hides the rootkit – has been installed.

Most of the installation methods have already been described above, in the analysis of rootkit types. Remember that a rootkit very often creates an encrypted and completely invisible file system in which it hides copies of infected files or other malware (at the kernel level). In addition, it can modify standard security tools and anti-virus programs, making it even more elusive.

How to detect rootkit?

It is incredibly difficult to detect a rootkit – precisely because it can effectively hide from all threat detection programs and even modify them. This is directly related to the levels at which the rootkit and the program designed to find it run.

If the rootkit operates at a level with greater privileges than the program looking for it, the search has virtually no chance of success – provided, of course, that the rootkit uses its privileges correctly.

Searching for a rootkit on a system already infected at the kernel level brings practically no results. Rootkit detectors will only be able to discover rootkits that are corrupted, badly written, or running at a lower level than the detection software itself.

For rootkit detection, the most common use is:

  • behavioural methods – comparing patterns of harmful behaviour with the system’s behaviour. These may show up as changes in CPU utilization or in the timing between API calls. Some rootkits have a very large effect on these measures, so this method is one of the easier ones to apply, but at the same time it produces the most false results;
    After a Windows security update, the Alureon rootkit caused system crashes – the update exposed a flaw in the rootkit’s code, which allowed it to be detected
  • signature scanning – used by anti-virus programs to detect malware. Malicious code extracted by researchers is added to a database, and the anti-virus, while scanning the disk, looks for the signatures it knows (those in the database). Signature scanning is therefore effective only for rootkits that have already been catalogued
  • difference scanning (cross-comparison) – compares raw, untouched data with the potentially tampered content returned by the API. Typically you compare binary files on disk with their copies in memory, or the Windows registry with the corresponding physical structures on disk. However, some rootkits can recognise this kind of search and adjust the scan results so that they cannot be detected

The Sony BMG scandal, described in the history section below, was uncovered by RootkitRevealer precisely thanks to cross-comparison.

  • booting an alternative, trusted system – by far the best method of detecting rootkits at the operating system level. It requires you to shut down the computer, attach trusted bootable media such as a USB stick or CD-ROM, and examine the drive we suspect of being infected from there. The effectiveness of this technique comes from the rootkit being inactive during the search – if the infected system is not running, the rootkit remains dormant as well
  • full analysis of a virtual memory dump or system kernel dump – very difficult to carry out but effective, as most rootkits cannot hide from it. However, some hypervisor-level rootkits may detect the attempt to dump memory
  • integrity checking – verifying that the modules in an application’s installation folder have not been modified or corrupted. A module is classified as corrupted if the digital signature given by the software publisher is invalid. This reveals unauthorized code changes in libraries on disk. However, this method is only effective for changes made after the application was installed.
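Two of the methods in the list above, difference scanning and integrity checking, can be shown in a few dozen lines. The script below is an added example, not code from the article or from any anti-rootkit product: the process-ID lists and the files in the temporary install folder are constructed sample data, and the `linux_process_views` helper (which contrasts a `/proc` directory listing with direct probing of each PID) is a simple illustration of how two views of the same information can be gathered on a live Linux host.

```python
"""Added example (not from the original article): two detection methods from
the article run over constructed sample data.

1. Difference (cross-view) scanning: a process list obtained through the
   normal API is compared with a lower-level view; anything the low-level
   view knows about but the API does not is a candidate hidden process.
2. Integrity check: SHA-256 hashes of files in an install folder are compared
   with a baseline taken earlier; modified, missing and added files are reported.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: the API-level process list and a lower-level view.
API_VIEW = [1, 412, 987, 1304]
RAW_VIEW = [1, 412, 987, 1304, 2710]  # 2710 is the constructed hidden PID


def hidden_entries(high_level_view: Iterable[int],
                   low_level_view: Iterable[int]) -> List[int]:
    """Identifiers present in the low-level view but absent from the
    high-level one. On a clean system the result is empty, apart from
    processes that exited between the two snapshots."""
    return sorted(set(low_level_view) - set(high_level_view))


def linux_process_views() -> Tuple[Set[int], Set[int]]:
    """Two real views on Linux: the /proc directory listing (which a
    readdir-filtering rootkit can censor) versus probing each PID's /proc
    entry directly. Only used when run as a script on Linux."""
    high = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    low = {pid for pid in range(1, 65536) if os.path.exists(f"/proc/{pid}/stat")}
    return high, low


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under root against a saved baseline. As the article
    notes, only changes made after the baseline was taken are visible."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo_integrity() -> Dict[str, List[str]]:
    """Constructed scenario: baseline an install folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"legitimate program bytes")
        (root / "helper.dll").write_bytes(b"legitimate library bytes")
        baseline = build_baseline(root)
        # Simulated post-install tampering: library overwritten, extra file dropped.
        (root / "helper.dll").write_bytes(b"patched library bytes")
        (root / "extra.dll").write_bytes(b"dropped-in code")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print("hidden in constructed sample:", hidden_entries(API_VIEW, RAW_VIEW))
    if os.path.isdir("/proc"):
        high, low = linux_process_views()
        print("hidden on this host:", hidden_entries(high, low))
    print("integrity deviations:", demo_integrity())
```

Both checks share the limitation the article points out: the baseline must be taken while the system is still clean, and a rootkit that sits below both views (or that intercepts the hashing itself) will not show up. That is why the trusted-boot method in the list above, which reads the disk while the rootkit is dormant, remains the strongest of the options.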

How do I remove the rootkit?

You can try to track down the rootkit yourself and remove it manually, but this is unfortunately very time consuming and requires specialist knowledge. Fortunately, many well-known and popular anti-virus products have been equipped with anti-rootkit components.

We can recommend the solutions used by Bitdefender; however, if your antivirus program is unable to remove the threat, you can use programs aimed specifically at rootkits. An example of such a program for Windows is the aforementioned RootkitRevealer, and other systems have not been left out either: for Linux and macOS, chkrootkit and rkhunter (for UNIX) were created, among others.

The problem, however, will always resemble the eternal struggle between good and evil: the more effective rootkit detection programs become, the more rootkit developers focus on changing their code so that it becomes elusive again.

Rootkits that attack the most important element of the system – the kernel – are virtually impossible to remove, or the process is very, very complicated. It usually ends with wiping the entire disk and reinstalling the operating system, necessarily from a trusted source.

As operating systems evolve, rootkits receive more and more attention. For instance, mandatory kernel-mode driver signing has been introduced in 64-bit Windows; this is meant to make it harder to implant foreign code at the most privileged level of the system. Microsoft has also created rootkit removal tools: the Microsoft Windows Malicious Software Removal Tool, which scans your computer before the system starts, and Windows Defender Offline, which creates a special environment before the system boots and tries to detect the presence of rootkits there.

Ways to protect against rootkits

It has long been known that “prevention is better than cure”, and this applies not only to health but also to protecting computers and mobile devices. The developers of operating systems have remembered this too.

In 2009, North Carolina State University, in collaboration with Microsoft, created a hypervisor-level anti-rootkit called “HookSafe”. Its task was general protection against rootkits, including those aimed at the system kernel.
With the arrival of Windows 10, a new feature appeared: “Device Guard”, which uses virtualization to provide independent, external protection against rootkits.

However, there is no more effective measure than a good antivirus with anti-rootkit protection, such as Bitdefender.

Rootkits are cunning, and to defend against them you need to pay attention to your online behaviour:

  • Avoid suspicious sites, and do not open unsafe links or attachments in emails from unknown senders
  • Be wary of free programs, especially pirated versions of games, music and movies available on the web
  • Install system updates as soon as they appear
  • Don’t give full access to your device to every app you install – it often isn’t needed
  • Use a firewall, an antivirus and rootkit scanners
  • Run security checks from time to time
  • Use two-factor authentication wherever possible

The rootkit problem is not reserved for selected groups of users – it targets virtually all of us. That is why it is so important to keep laptops, desktops and mobile devices safe alike. Nobody wants to be spied on, and the more you know about a potential threat, the easier it will be to defend against it.


The history of rootkits – so where did they come from?


The history of rootkits began in the 1980s. It can be said that their template was created by Ken Thompson of Bell Labs, who was also one of the creators of Unix.

In 1972, UNIX was rewritten from B to C, invented by Thompson, so the UNIX kernel now ran in C. In 1983 Ken Thompson presented an exploit – a program that takes advantage of existing software bugs – designed to, among other things, allow logging on to the system without any malicious code being visible, that is, without it appearing when the login program was compiled from C. This was achieved through a modified compiler – a program that automatically translates source code into equivalent code in another language.

The modified compiler recognised when the user was compiling (translating) the UNIX login command and generated altered code. That code accepted the password entered correctly by the user, and at the same time an additional “backdoor” password chosen by the hacker.

Additionally, the modified compiler also affected every rebuild of the original compiler and inserted the same exploit into it. Inspecting the source code of the login program and of the rebuilt compiler revealed nothing at all – the malicious code was invisible and still captured information. Rootkits work on a similar principle to this exploit.
The first documented virus for IBM PCs running DOS (1986), Brain, used the same hiding technique. It attacked the boot sector by intercepting attempts to read it and redirecting them to the location where a copy of the original boot sector was stored. It spread through unprotected floppy disks.

As time passed, ways of masking viruses in DOS naturally developed further, among other things by intercepting information at the lowest disk level – the BIOS INT 13h interrupt – in order to hide unauthorized modifications of files.

The rise of rootkits has contributed to many scandals on a global scale. One of them was the discovery in 2005 by software engineer Mark Russinovich of a rootkit in the Extended Copy Protection software by First 4 Internet, shipped on CDs published by Sony BMG. One element of the software was a music player, and the program itself was meant to serve copy protection and digital rights management.

Russinovich had developed a rootkit detection tool, RootkitRevealer, and with it discovered on one of his computers that the music player was installing, along with a rootkit, restrictions on the user’s access to the CD. This was the first event on such a large scale to significantly raise users’ awareness of the dangers of rootkits. Although Sony BMG fairly quickly released an update to uninstall the rootkit, it was counterproductive.

Users were left even more vulnerable to attacks, and in the US there was even a class action lawsuit against Sony BMG. Another example is the high-profile scandal known as the Greek Watergate. It concerned the illegal eavesdropping on more than 100 mobile phones on the Vodafone Greece network, used mainly by top government officials. The eavesdropping began around August 2004 and lasted until March 2005, but the perpetrators were never identified. In this case the rootkit targeted Ericsson’s AXE telephone exchange.

The software was able to monitor process activity and data flows and had access to logins and passwords. Its presence was detected only because of an error in a rootkit update, which blocked the sending of SMS messages. The resulting mass of fault reports to Ericsson revealed the presence of illegal eavesdropping software together with a rootkit and hidden blocks of data containing the list of monitored phone numbers.

Summary

Overall, it can be said that rootkits have evolved much like spyware. First, rootkits were identified as a separate class of malware. Then came a lot of media hype, which produced a huge number of anti-rootkit tools and products and a noticeable response from the antivirus industry. Today both rootkits and spyware have entered the malware mainstream and no longer generate as much excitement. However, the concept of circumventing system functions to hide something is still in use, and threats that implement stealth techniques are bound to keep emerging.