Rootkits are a fast-emerging security threat which can hide malware from conventional security tools. So how do they do this, and what can you do about them?
If your PCs have been behaving a little oddly – CPU lights flashing away when users are not doing anything, free space on hard drives disappearing – yet your anti-virus and anti-spyware tools haven't found any malware, then there's a possibility that your systems have been infected by a rootkit.
Rootkits are an emerging 'stealth' technique used by malware authors to conceal their handiwork and intentions. Put simply, they are toolkits which can hide malicious programs – viruses, trojans, spyware, keyloggers and so on – from detection by conventional anti-virus and anti-spyware tools. Think of rootkits as a cloaking device for malware, making it almost impossible to detect using current security products.
Rootkits can also hide a hacker's presence on your systems and help them gather confidential data. There are many different rootkits available, but most include tools to log keystrokes, create secret backdoors for hackers, and alter system log files and administrative tools to prevent detection.
The upshot is, your PC or network could be fully protected against conventional malware, yet still be unwittingly infected with a rootkit – and therefore, completely vulnerable to attack. What's more, you may not even realise the attack is happening.
Roots of rootkits
So where did rootkits come from? They've been in the Unix world for around 15 years, where their purpose is to give the user the control rights of an administrator or 'root' – hence the name. This latest generation, however, targets Windows-based machines. Malware that uses rootkits to hide from conventional detection includes the Win-Spy, PC Spy, ActMon, ProBot SE and Invisible Keylogger spyware programs, and viruses including Maslan and Padodor.The sophistication and speed with which rootkit techniques are being applied to spyware and viruses may highlight the growing influence of organised online criminal groups in developing stealthy, invasive software, as opposed to geeks and script kiddies. Whatever the reason, the intention is clear – to circulate malware which does not register on users' security radar.
Rootkits can either be planted on a system by a hacker, or can arrive in an infected email to infiltrate a PC or network. Once activated, the rootkit will maintain access to the hacked computer and help in attacking other computers and – crucially – will hide the hacker's tracks from current security software.
While accessing a hacked computer with a rootkit, the intruder can interact with network resources, files and systems with the same privileges as the legitimate user. And if they get an administrator's username and password, they have the keys to the shop with the potential to cause widespread damage.
Ghost in the machine
How do rootkits enable this? Unlike conventional viruses, Trojans and backdoors that operate on a user or application level, rootkits interact directly with the operating system kernel – if you like, the heart of Windows. This allows the rootkit to perform on a deeper level and evade detection by firewalls, anti-virus and anti-spyware software which typically look for tell-tale clues at application level.
In particular, some rootkits are able to intercept the queries that are passed to the kernel and filter out the queries it generates – in effect, the rootkit cleans up any trace of its own activities. The result is that the typical footprint of a program, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the OS registry, are invisible both to administrators and to all types of detection tools – even intrusion detection systems (IDS).
This ability of rootkits to clean log files and erase evidence of actions can make a hacker truly a 'ghost in the machine'. There are also tools for hiding the files and processes that the intruder may place on the system and even to hide port and protocol connections. Some security pundits say that rootkits do not pose a significant problem, as more and more systems are effectively protected which means it's difficult for a rootkit to be planted on a machine in the first place. While this is true to some extent, no company would want to risk having an invisible backdoor into their network that could be accessed without any warning and used for any number of malicious purposes.
So if rootkits can evade conventional security tools, what can you do if you find a rootkit infection? Until recently, the prognosis was not good.
Although there have been some techniques for detecting rootkits, they are aimed at very IT-literate users: they certainly aren't user friendly. What's more, they do not remove or quarantine rootkits. The standard advice for rootkit removal is to 'repave' – an innocent-sounding euphemism for completely scrubbing all data, applications and OS from the infected machine, and reinstalling from scratch.
Repaving is simply not an option for most computer users, and if more than one PC in a company is infected, the prospect of repaving multiple machines is still less attractive.
However, new tools to help manage and contain the growing rootkit problem are starting to appear and nip the threat of this form of attack in the bud. And all without scrubbing the machine's hard drive and starting all over again.
The author is senior technical consultant for F-Secure.