Rootkits are among the most dangerous tools in a malware developer’s toolbox. They can be easily added to malware in order to gain unauthorized, privileged access to a system as well as achieve stealth and persistence. While not all rootkits are used for malicious purposes, we’ll focus on those that are.
Origin of the term ‘rootkit’
The term rootkit can be broken down into two parts. The ‘root’ part can be traced to its origins in UNIX and UNIX-based operating systems. In these environments, the root refers to an account with administrative privileges. Anyone who has root-level access can do pretty much anything on the system.
Because unrestricted privileges can be dangerous in the hands of a bad actor, or even a beginner, most modern-day UNIX-based operating systems like MacOS, Red Hat, and Ubuntu disable the root account by default and instead issue regular user accounts, which carry only a minimal set of privileges.
As for the ‘kit’ in rootkit, it’s an abbreviation of the word ‘toolkit’. This particular toolkit, which is used by malware developers, typically consists of programs, scripts, and other pieces of code. So, a rootkit is a malicious toolkit used to gain privileged access and establish stealth and persistence.
Although the term rootkit has UNIX origins, it’s now commonly used in the Windows world. In fact, a large majority of the rootkits currently in circulation are Windows based.
How a rootkit works
In most cases, the rootkit itself doesn’t do any damage. Rather, its main function is to keep the malware (the component that actually does the damage) from being detected. It does this by hiding the characteristics that programs normally generate when they’re installed or running on a system.
As soon as malware establishes residence on a system, its existence can often be given away by several indicators, such as:
- The presence of accompanying files
- The generation of certain processes (which, in Windows, can be seen in the Task Manager)
- The creation of certain registry keys
- CPU or disk space utilization
- And many others
Most security tools designed to detect malware, such as an antivirus, will monitor the system for any irregularities involving these indicators. The job of the rootkit is to tamper with the parts of the system that report these indicators so that the malware appears invisible. For example, the rootkit may hide the malware’s files, its processes, or even its registry keys (in the case of Windows-based rootkits).
Types of Rootkits
In the Windows environment, rootkits are often classified into two types:
- User mode rootkits – These are rootkits operating in user space a.k.a. Ring 3, which is also where applications run.
- Kernel mode rootkits – These are rootkits operating in kernel space a.k.a. Ring 0. Generally speaking, these types of rootkits are the more dangerous (and more difficult to develop), as they are able to acquire the highest level of privileges in the OS.
Rootkits employ several cloaking techniques. But one particular technique used by user mode rootkits to hide malicious software is IAT hooking. The IAT or Import Address Table is a table where applications look up the addresses of pertinent functions found in DLLs (Dynamic-Link Libraries).
A rootkit would typically alter (or ‘hook’) certain addresses so that those addresses would then point to the malware’s malicious code. So, when an application calls a hooked function, what would instead be executed would be the malicious code. Now, if that application were a virus scanner and the hooked function was supposed to support the malware detection process, the result of that scan would understandably be tainted. It would, for instance, omit the malware from the results.
Kernel mode rootkits employ a similar API hooking technique. In this case, the hooking is aimed at another lookup table, the System Service Dispatch Table or SSDT. The SSDT resides in kernel memory and stores the addresses of the system call functions.
Similar to what a user mode rootkit would do with an IAT, a kernel mode rootkit would tamper with the SSDT so that system calls would be diverted to the malware’s code. Again, if the original system call had something to do with malware detection, this SSDT hooking technique would remove the malware from the results.
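Both the IAT and the SSDT are dispatch tables whose entries should point into a known module: an application’s IAT entry for a KERNEL32 function should land inside kernel32.dll’s image, and an SSDT entry should land inside the kernel image. A defender can therefore detect hooks by checking each entry against the loaded-module map. The example below is added here and is not from the original article; the module addresses and table entries are constructed sample values, and the forwarded-export case (a KERNEL32 entry legitimately resolving into ntdll.dll) is kept separate from a clearly hooked entry so it does not produce a false alarm.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded module's image range (constructed sample values below)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module map for a hypothetical 64-bit process.
LOADED_MODULES = [
    Module("KERNEL32.dll", 0x7FF800000000, 0xC0000),
    Module("KERNELBASE.dll", 0x7FF7FD000000, 0x2A0000),
    Module("ntdll.dll", 0x7FF800200000, 0x1F0000),
]

# Constructed IAT snapshot: (importing DLL, function name, resolved address).
SAMPLE_IAT: List[Tuple[str, str, int]] = [
    ("KERNEL32.dll", "CreateFileW", 0x7FF800012340),    # inside kernel32: fine
    ("KERNEL32.dll", "HeapAlloc", 0x7FF800210A00),      # inside ntdll: forwarder
    ("KERNEL32.dll", "FindNextFileW", 0x20A3B0000),     # no module owns this
]


def classify_entry(expected_dll: str, address: int, modules: List[Module]) -> str:
    """Return 'ok', 'forwarded' or 'hooked' for one dispatch-table entry."""
    owner = next((m for m in modules if m.contains(address)), None)
    if owner is None:
        # Address is backed by no loaded module (e.g. injected code): high confidence hook.
        return "hooked"
    if owner.name.lower() == expected_dll.lower():
        return "ok"
    # Another loaded module: legitimate export forwarding (kernel32 -> ntdll) or a
    # hook placed in a module; worth a closer look but not a verdict on its own.
    return "forwarded"


def find_suspicious_entries(table, modules) -> List[Tuple[str, str]]:
    """List every entry that does not resolve into the module it was imported from."""
    return [(func, verdict)
            for dll, func, addr in table
            if (verdict := classify_entry(dll, addr, modules)) != "ok"]


if __name__ == "__main__":
    for func, verdict in find_suspicious_entries(SAMPLE_IAT, LOADED_MODULES):
        print(f"{func}: {verdict}")
```

The same check applies to an SSDT by using the kernel image’s range as the single expected module; the “forwarded” class then becomes a direct hook verdict, since service routines are not forwarded to other drivers.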
Because rootkits are exceptionally good at hiding malware, they’re a serious threat to any system. Once they get installed, it can be very difficult to detect and, in turn, remove them. Some experts even suggest a complete reinstallation of the operating system.
As with most things, the best way to counter rootkits is through prevention rather than detection and remediation. Rootkits are most commonly installed via social engineering techniques or through malware droppers, so defensive countermeasures should be aimed at these particular threat vectors.