DeMISTIfying Infosec: Rootkit

March 8, 2016
By Katherine Teitler


The word "rootkit" originates from the word "root," which, in computer networking, refers to the top-level directory of a file system. Logging in as a "root user" with the highest level of administrative privileges, an attacker can install malicious software; access, copy, delete, or move files; change system configurations; gain access to most areas of the network, applications, and log files and keystrokes; steal passwords; spy on a computer user; monitor traffic; or install a backdoor that will allow the hacker easy entrée back into the system on subsequent visits. "Root" is the level of access, and "kit" refers to utilities, scripts, libraries, or other files that can be accessed once the system has been "rooted."

Installation of a rootkit is the direct result of an attack on a system, generally perpetrated through some other means of exploitation of a vulnerability in the operating system or application. Unlike viruses, rootkits do not propagate themselves; they are the third step in a blended threat which includes a dropper, a loader, and, finally, a rootkit itself.

Detection is extremely difficult since rootkits are specifically designed to thwart identification and eradication techniques and tools like behavioral-based methods, signature scanning, and memory analysis. As with most vulnerabilities, the best ways to ward off rootkits are to keep systems patched, scan for backdoors, don't open attachments from unknown sources, etc.

Some well-known examples of rootkits include:
• Lane Davis and Steven Dake – 1990. The earliest known rootkit for Sun Microsystems' SunOS.
• NTRootkit – 2008. One of first malicious rootkits for Window OS.
• Machiavelli – 2009. First rootkit targeting Mac OS X.
• Sony BMG copy protection – 2005. Sony BMG published and shipped a CD with a rootkit theoretically meant for digital rights management (DRM) to control licensed and copyrighted material. "Extended Copy" limited users' ability to access contents of the CD and Sony was publicly shamed for the endeavor.
• Greek Watergate – 2004-2005. A rootkit developed for Ericsson AXE telephone exchanges on the Greek Vodafone network, targeted at wiretapping the phones of members of the Greek government.
• Zeus – 2007. A credential-stealing Trojan targeted at banking information.
• Stuxnet – 2010. The first known rootkit, co-developed by the US and Israel, targeting an industrial control system.
• Flame – A rootkit developed jointly by US and Israel in 2012 used to spy on Iran's nuclear program.


prestitial ad