Someone once made the comment, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
That was in in 2005, when rootkits were an unknown menace for most users. Nowadays, that isn’t quite the case any more, as the number of rootkit infections have exploded in the last few years and lead to more media coverage. In any case, you know a malware has reached evil superstar status when it warrants its own ‘For Dummies’ book.
In the beginning (as in the late 1980s), rootkits were standalone toolkits that allowed hackers to gain root, or administrative access to a computer system (hence the name). Today, the term is usually used to mean programs, codes or techniques that are used to hide malware on an computer.
I’m not going to dwell much on their history or workings (though if you’re interested, Alisa Shevchenko over on Securelist has an excellent article on rootkit history). Instead, I’m going to focus on one particular aspect of rootkits that’s been irritating the daylights out of our Support and Analyst folks recently – why are they so difficult to remove?
Media reports tend to hype ‘rootkits’ as the next big evil in computing, but it’s a bit more complicated than that. For one thing, rootkit tools, coding or techniques aren’t strictly illegal, or even undesirable – perfectly legitimate commercial applications use them to the benefit of users. It also doesn’t help that security vendors don’t have a uniform approach to rootkits; some consider all rootkits as a type of malware, while others shade their evaluations depending on whether the rootkit-like behavior is in a commercial software (in which case, the program may just be potentially unwanted).
Personally, I find it more useful to think of rootkits as operating system controllers. Their entire purpose is to burrow deep into the operating system’s files and subroutines, latching onto and modifying specific processes to gain control over the system. The processes targeted will vary depending on the system and the rootkit in question, but the end result is the same – the rootkit is now in a position to direct the system’s actions for its own ends; it’s become the puppeteer to the computer’s marrionette.
Rootkits have been around a long time, but they only really became a major concern for most users when malware authors found ways to incorporate rootkits into their malicious programs. And for most security professionals, rootkits are considered one of the most troublesome threats to deal with.
A rootkit’s defining characteristic is that it has administrative access – its commands are accepted by the operating system as though they were its own. How this access is gained is another story – a separate trojan may exploit a vulnerability to gain access to a administrator account, or a worm might steal the necessary passwords, any number of things. However the access is gained, the end result is that the rootkit is installed with admin rights, and from there proceeds to do its dirty work.
Rootkits use their privileged access to control the operating system itself, mainly by intercepting and modifying the commands it sends to other programs and basic system activities. Slightly more technically, rootkits usually manipulate various application programming interfaces (APIs), or the subroutines used by the operating system to direct operations (at least, in Windows).
An important point to remember is that these APIs are a built-in features of the operating system. They may be undocumented, or rarely used – but commands made through them are perfectly legitimate, and recognized and treated as such. These APIs can involve and affect every activity performed on the computer, from the mundane (e.g., displaying a folder) to the most fundamental (e.g., booting up).
There are various types of rootkits based on how deeply they can penetrate the operating system to control its most basic processes (if you want to get more technical, Joanna Rutkowska has a good article), but in every case, the key idea is the same – commands sent by the operating system can be viewed and countermanded by the rootkit, if necessary; likewise, requests coming from other programs or system processes are checked and filtered by the rootkit before they reach the operating system.
To illustrate why a rootkit’s manipulation of APIs is significant, let’s compare it to other malwares. When a trojan or virus infects a computer, its interactions with the operating system will usually fall into one of two strategies:
Note that strategy 1 involves the malware functioning just like any other program – its processes and files are visible, the instructions between operating system and program are ‘standard’, and so on. Strategy 2 usually involves some novel technique that forces the system to behave in an unintended manner – ‘breaking the system’, if you like.
Rootkits on the other hand, doesn’t do either. Unlike trojans or viruses, the rootkit doesn’t behave like a separate program being run on top of the operating system; instead, the rootkit acts more like a driver, or one of the operating system’s own components, giving directions on how other programs should be handled. The rootkit also doesn’t exploit any vulnerabilities – it simply uses the operating system’s own features for its own ends.
The thing is, malwares that use Strategies 1 & 2 can be defeated with fairly standard countermeasures: for example, software vendors can release patches to close vulnerabilities, and users can uninstall malicious programs. Rootkits however don’t suffer either problem: there’s no vulnerability that can be patched, and because a rootkit’s first action is usually to hide itself, the rootkit can effectively prevent the user or the operating system from detecting its presence at all, let alone uninstalling it.
The highly technical reason for this is: you can’t remove a file you can’t find. Remember, the rootkit is in control. If the user starts looking through system folders for suspicious files, or starts an antivirus scan, a sophisticated rootkit can display a clean ‘image’ of the infected folder rather than the actual infected one, or move the infected file to another location for the duration of the scan; it can stop the antivirus from running, or force it to report false scan results; anything, really, to prevent detection.
Malware authors really want their creations stay installed and active on your computer, and they can use the rootkit to perform any number of actions to prevent their malwares – or the rootkit itself – from being detected. Some of the tricks they can use to get their way include:
Heck, about the only thing they don’t do is say they love you and will still respect you in the morning.
Antivirus programs have historically had a difficult time dealing with rootkits, precisely because of how they operate: by using the operating system itself to evade detection and prevent removal. In the case of simpler rootkits, it was possible to look for telltale signs – odd changes, missing or alter folders, etc, to determine a rootkit was present. With more sophisticated threats though, detection meant deactivating the rootkit entirely before it could start active evasion; because once it was active, detection and removal became well nigh impossible.
That status quo has changed somewhat in the last few years, as more antivirus vendors have developed the necessary tools to combat the threat. As rootkits themselves vary in complexity, detecting and removing them requires a multi-layered approach:
These detection and removal methods will probably catch most of the rootkits out there, but none of them are 100% certain. In some cases, the fastest, easiest and cheapest possible solution is to simply format and reinstall the entire operating system (assuming of course you have backups of your important files). Determining whether that applies in your case really depends on your personal evaluation of the costs and benefits though, so it’s hard to state any hard and fast rule about this.
Unfortunately, malware authors are ingenious at finding ways to get where they’re not wanted, and the highly complex, multi-layered nature of computing tilts the odds in their favour more than it does to ensuring computer security. Then again, to be fair, humans have lived in houses for thousands of years, and we still haven’t figured out how to totally prevent burglars from invading our homes, so you could probably also credit a natural human genius for finding ways to inconvenience their fellows.
If you’re still interested, here are few other articles with more details (some technical, others less so) about rootkits:
Also partially available in Google Books:
Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good. Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.
On Tuesday Apple announced its latest iPhone models and a new piece of wearable technology some have been anxiously waiting for -- Apple Watch. TechRadar describes the latest innovation from Cupertino as "An iOS 8-friendly watch that plays nice with your iPhone." And if it works like your iPhone, you can expect that it will free of all mobile malware threats, unless you decide to "jailbreak" it. The latest F-Secure Labs Threat Report clears up one big misconception about iOS malware: It does exist, barely. In the first half of 2014, 295 new families and variants or mobile malware were discovered – 294 on Android and one on iOS. iPhone users can face phishing scams and Wi-Fi hijacking, which is why we created our Freedome VPN, but the threat of getting a bad app on your iOS device is almost non-existent. "Unlike Android, malware on iOS have so far only been effective against jailbroken devices, making the jailbreak tools created by various hacker outfits (and which usually work by exploiting undocumented bugs in the platform) of interest to security researchers," the report explains. The iOS threat that was found earlier this year, Unflod Baby Panda, was designed to listen to outgoing SSL connections in order to steal the device’s Apple ID and password details. Apple ID and passwords have been in the news recently as they may have played a role in a series of hacks of celebrity iCloud accounts that led to the posting of dozens of private photos. Our Mikko Hypponen explained in our latest Threat Report Webinar that many users have been using these accounts for years, mostly to purchase items in the iTunes store, without realizing how much data they were actually protecting. But Unflod Baby Panda is very unlikely to have played any role in the celebrity hacks, as "jailbreaking" a device is still very rare. Few users know about the hack that gives up the protection of the "closed garden" approach of the iOS app store, which has been incredibly successful in keeping malware off the platform, especially compared to the more open Android landscape. The official Play store has seen some infiltration by bad apps, adware and spamware -- as has the iOS app store to a far lesser degree -- but the majority of Android threats come from third-party marketplaces, which is why F-Secure Labs recommends you avoid them. The vast majority of iPhone owners have never had to worry about malware -- and if the Apple Watch employs the some tight restrictions on apps, the device will likely be free of security concerns. However, having a watch with the power of a smartphone attached to your body nearly twenty-four hours a day promises to introduce privacy questions few have ever considered.
Our Freedome VPN service hit a new milestone this summer. We added our newest location in Paris, France and now have 11 nodes in 10 different countries: Canada (Toronto) Finland (Espo) France (Paris) Germany (Sachsen) Hong Kong Italy (Milan) Netherlands (Amsterdam) Singapore Spain (Madrid) Sweden (Stockholm) United Kingdom (London) United States (East Coast) United States (West Coast) That means regardless where you are in world, you can pick any of these locations to mask your whereabouts and use any of the services you love. Freedome also acts a VPN to encrypt your data so a free Wi-Fi network is safe for private transactions along, and it includes anti-virus, anti-tracking, and anti-phishing. It's been localized into 10 different locations and will soon be available for iOS devices. If you travel -- our just want your phone to think you're traveling -- this is the kind of protection you need. Get it now from the Google Play or iTunes store. Cheers, Sandra, UPDATED: Hong Kong and Singapore were added on September 15, 2014. [Image by jvieras via Flickr]