Rootkits – A New Malware Trend

Yet another new term has been recently circulating in the media: Rootkits. What sounds to non-experts like something you would buy in a gardening shop, has in fact nothing to do with agriculture. The term actually comes from the Unix world, where “root” is the user with the highest possible level of access privileges, similar to the “Administrator” in Windows. Rootkits have already existed for the Unix/Linux family for some time, but the trend has now also reached the already besieged Windows users.  However, in the truest sense of the word, let us begin at the root of the matter.

As already mentioned, users with “root” / “Administrator” privileges have unrestricted access to the operating system. This makes it all the more interesting for attackers and ill-intentioned programs to gain and retain access to these rights. It is a fact that every change, and every access to the system can be recognized in some manner, either through a date change in a file, a log file entry or a new running process, the possibilities are endless. As a clever attacker, I naturally prefer to remain undetected and still retain access to my victim.

So what do I do? – I invent the Rootkit.

A Rootkit should therefore have the access rights of an attacker. This occurs by covering the tracks created in the operating system, so that the true administrator cannot even detect the intruder. There are basically two different types of Rootkit. While “Kernel Rootkits” usually add their own code (and sometimes their own data structures) to parts of the operating system core (the “Kernel”), so-called “Usermode Rootkits” are especially targeted to Windows.

“Usermode Rootkits” are either started as a program in the normal manner during system startup, or injected into the system by a so-called “Dropper”. The exact methods possible are relatively numerous and depend heavily on the operating system used – while Rootkits under Windows manipulate especially the basic functionality of Windows DLL files, in Unix systems a complete application is often replaced.

Once started, the Rootkit carries out the task it was designed for – the elimination of traces in the operating system. Here also, the variations are as numerous as the possibilities used to detect an intruder. To cite a very simple example: Windows has a built-in function responsible for listing the contents of folders. The Rootkit can modify this basic function (“API”) so that the name of the file containing the Rootkit is never displayed – and this file suddenly becomes invisible to the normal user. Through manipulation of other Windows APIs, not only files and folders can be hidden, but also active programs, open network communication ports that are being used, or registry keys. Of course, these are only a few of many camouflage measures used by Rootkits.

We now come to a fact that may at first seem to be somewhat of a paradox: Rootkits in themselves are not dangerous. Their only purpose is to hide software and the traces left behind in the operating system. Whether this is normal software, or damaging programs such as Backdoors is irrelevant.

A nice example of this is a CD copy protection system from the company Sony BMG, which was analyzed in detail at the end of 2005. The Windows specialist Mark Russinovich discovered that simply using a CD protected with this system caused a piece of software to be automatically installed, without the approval of the user, which did not appear in the process list and could not be deinstalled, i.e. it hid itself from the user. This copy protection software was originally intended to prevent a music CD purchaser from reading the audio data in any manner and then possibly illegally redistributing it.

If not earlier, then since this faux pas from Sony BMG Rootkits have gained greatly in popularity. In this case, the Rootkit itself and not the hidden copy protection software, actually presented an indirect danger. Creative programmers could use the basic functionality of the Sony BMG Rootkit installed on a computer to hide their own (damaging) software. In this case, in an already questionable and aggressive copy protection system, Sony omitted the security precautions necessary to ensure that only their own files could be hidden. This system allows any attacker to hide their own damaging software with the help of the Sony Rootkit, simply by using particular variables.

Sony escaped the entire story with a black eye. The music CDs with the aforementioned copy protection were exchanged free of charge in a recall campaign. To the present day, the final legal consequences of this mistake are still not clarified and many customers in the USA have already threatened lawsuits.

However interesting this may be, a much greater danger is presented by so-called “Hybrids”. A Hybrid is generally described as a cross between two or more types of Malware, e.g. a Virus with a Worm. A very prominent example of a Worm-Virus Hybrid was the Magistr Worm that caused mischief a few years ago. Naturally conceivable in principle, and partially already present, are Rootkit Hybrids that enhance an already existing pest with the camouflage capability of a Rootkit. Several such Rootkit Hybrids are already known. The Trojan Optix Pro, for example, has already possessed Rootkit functions for several years in order to hide its presence in an infected PC. Worms too, such as the recent new Bagle variants, make use of Rootkit techniques to hide their presence.

It is likely that we will read and hear much more about Rootkits in the near future. One can view this as normal “Security Evolution”, where increasing protection by security programs and sealed security holes force an increase in the creativity of the attackers. The detection and blocking of Rootkit technology presents a difficult task because, depending on the creator, an already installed Rootkit can also hide from virus scanners and other disinfection systems. On the other hand, infected systems must be first detected and analyzed so that appropriate signatures and behavior patterns can be created – which are of little help in the next attack by the next generation of pests.

The well-known Emsisoft Anti-Malware system, with its Malware-IDS (Intrusion Detection System), uses a completely different approach. The innovative Malware-IDS is used to recognize access to relevant system functions and offer the ability to prevent this. This makes Emsisoft Anti-Malware completely independent of signatures and puts it in a position to effectively defend against the latest Rootkits. The benefits of this forward thinking architecture have already been shown by the fact that, over one year ago, the execution of then almost unknown Rootkits were successfully hindered by Anti-Malware systems.

Have a Great (Malware-Free) Day!