Now that the first victims of the Heartbleed web vulnerability…
Why removing rootkits is such a pain
Someone once made the comment, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
That was in in 2005, when rootkits were an unknown menace for most users. Nowadays, that isn’t quite the case any more, as the number of rootkit infections have exploded in the last few years and lead to more media coverage. In any case, you know a malware has reached evil superstar status when it warrants its own ‘For Dummies’ book.
In the beginning (as in the late 1980s), rootkits were standalone toolkits that allowed hackers to gain root, or administrative access to a computer system (hence the name). Today, the term is usually used to mean programs, codes or techniques that are used to hide malware on an computer.
I’m not going to dwell much on their history or workings (though if you’re interested, Alisa Shevchenko over on Securelist has an excellent article on rootkit history). Instead, I’m going to focus on one particular aspect of rootkits that’s been irritating the daylights out of our Support and Analyst folks recently – why are they so difficult to remove?
Media reports tend to hype ‘rootkits’ as the next big evil in computing, but it’s a bit more complicated than that. For one thing, rootkit tools, coding or techniques aren’t strictly illegal, or even undesirable – perfectly legitimate commercial applications use them to the benefit of users. It also doesn’t help that security vendors don’t have a uniform approach to rootkits; some consider all rootkits as a type of malware, while others shade their evaluations depending on whether the rootkit-like behavior is in a commercial software (in which case, the program may just be potentially unwanted).
Personally, I find it more useful to think of rootkits as operating system controllers. Their entire purpose is to burrow deep into the operating system’s files and subroutines, latching onto and modifying specific processes to gain control over the system. The processes targeted will vary depending on the system and the rootkit in question, but the end result is the same – the rootkit is now in a position to direct the system’s actions for its own ends; it’s become the puppeteer to the computer’s marrionette.
Rootkits have been around a long time, but they only really became a major concern for most users when malware authors found ways to incorporate rootkits into their malicious programs. And for most security professionals, rootkits are considered one of the most troublesome threats to deal with.
How does the rootkit gain so much control?
A rootkit’s defining characteristic is that it has administrative access – its commands are accepted by the operating system as though they were its own. How this access is gained is another story – a separate trojan may exploit a vulnerability to gain access to a administrator account, or a worm might steal the necessary passwords, any number of things. However the access is gained, the end result is that the rootkit is installed with admin rights, and from there proceeds to do its dirty work.
Rootkits use their privileged access to control the operating system itself, mainly by intercepting and modifying the commands it sends to other programs and basic system activities. Slightly more technically, rootkits usually manipulate various application programming interfaces (APIs), or the subroutines used by the operating system to direct operations (at least, in Windows).
An important point to remember is that these APIs are a built-in features of the operating system. They may be undocumented, or rarely used – but commands made through them are perfectly legitimate, and recognized and treated as such. These APIs can involve and affect every activity performed on the computer, from the mundane (e.g., displaying a folder) to the most fundamental (e.g., booting up).
There are various types of rootkits based on how deeply they can penetrate the operating system to control its most basic processes (if you want to get more technical, Joanna Rutkowska has a good article), but in every case, the key idea is the same – commands sent by the operating system can be viewed and countermanded by the rootkit, if necessary; likewise, requests coming from other programs or system processes are checked and filtered by the rootkit before they reach the operating system.
Not like other malware
To illustrate why a rootkit’s manipulation of APIs is significant, let’s compare it to other malwares. When a trojan or virus infects a computer, its interactions with the operating system will usually fall into one of two strategies:
- Strategy 1: Uses the operating system’s standard procedures to run it
- Strategy 2: Exploits a vulnerability (a flaw or loophole) to execute malicious code
Note that strategy 1 involves the malware functioning just like any other program – its processes and files are visible, the instructions between operating system and program are ‘standard’, and so on. Strategy 2 usually involves some novel technique that forces the system to behave in an unintended manner – ‘breaking the system’, if you like.
Rootkits on the other hand, doesn’t do either. Unlike trojans or viruses, the rootkit doesn’t behave like a separate program being run on top of the operating system; instead, the rootkit acts more like a driver, or one of the operating system’s own components, giving directions on how other programs should be handled. The rootkit also doesn’t exploit any vulnerabilities – it simply uses the operating system’s own features for its own ends.
The thing is, malwares that use Strategies 1 & 2 can be defeated with fairly standard countermeasures: for example, software vendors can release patches to close vulnerabilities, and users can uninstall malicious programs. Rootkits however don’t suffer either problem: there’s no vulnerability that can be patched, and because a rootkit’s first action is usually to hide itself, the rootkit can effectively prevent the user or the operating system from detecting its presence at all, let alone uninstalling it.
Why are rootkits so difficult to remove?
The highly technical reason for this is: you can’t remove a file you can’t find. Remember, the rootkit is in control. If the user starts looking through system folders for suspicious files, or starts an antivirus scan, a sophisticated rootkit can display a clean ‘image’ of the infected folder rather than the actual infected one, or move the infected file to another location for the duration of the scan; it can stop the antivirus from running, or force it to report false scan results; anything, really, to prevent detection.
Malware authors really want their creations stay installed and active on your computer, and they can use the rootkit to perform any number of actions to prevent their malwares – or the rootkit itself – from being detected. Some of the tricks they can use to get their way include:
- Renaming their files to match a legitimate system file
- Burying their processes and files deep within the driver and kernel
- Installing in such a way that they reinstall again if the computer is rebooted
- Actively altering its behavior while antiviruses are running to prevent detection
- Actively changing its own code to make it appear to be a new, unknown program
- Prevent AV/spyware removal programs from opening at all
Heck, about the only thing they don’t do is say they love you and will still respect you in the morning.
How does an AV detect and remove rootkits, then?
Antivirus programs have historically had a difficult time dealing with rootkits, precisely because of how they operate: by using the operating system itself to evade detection and prevent removal. In the case of simpler rootkits, it was possible to look for telltale signs – odd changes, missing or alter folders, etc, to determine a rootkit was present. With more sophisticated threats though, detection meant deactivating the rootkit entirely before it could start active evasion; because once it was active, detection and removal became well nigh impossible.
That status quo has changed somewhat in the last few years, as more antivirus vendors have developed the necessary tools to combat the threat. As rootkits themselves vary in complexity, detecting and removing them requires a multi-layered approach:
- First Line of Defense: Heuristic Scanning
This preliminary defense can deal with the more obvious rootkits, those that make easy-to-spot changes or ham-fistedly modify normally untouched components. Most antivirus products nowadays include heuristic or behavior-based scanning, which examines each program to evaluate how potentially damaging its actions may be. If the rootkit (or the malware it’s hiding) is found, the AV may be able to find and remove them as usual.
- Second Line of Defense: Specific Malware Removal
Even with heuristic scanning, standard scanning engines may not detect more sophisticated or devious rootkits. At this point human ingenuity enters the picture, in the form of Malware Analysts, who analyse the threat and create specific removal scripts designed to find and remove a particular rootkit. These scripts are also called on to scan the computer, looking for specific threats to complement the more general, automated checks.
- Third Line of Defense: Offline Scanning
Sometimes, a rootkit can compromise a computer so thoroughly that any detection program running on the infected system is hopelessly outfoxed by the wily rootkit. In that event, the safest bet is to perform offline scanning – shutting down the computer so that the rootkit can’t actively hide itself, then scanning the system using an antivirus program or rootkit detection tool that runs off a CD or USB drive.
- Fourth Line of Defense: Manual Removal
As a last resort, some antivirus vendors will recommend specific manual removal procedures, which only apply for particular rootkits. Generally, this type of removal is considered quite advanced for an average user, and is best left to an IT technician or at least to someone more experienced. Some vendors also develop and publish removal utility programs, either for general or specific rootkit removal.
These detection and removal methods will probably catch most of the rootkits out there, but none of them are 100% certain. In some cases, the fastest, easiest and cheapest possible solution is to simply format and reinstall the entire operating system (assuming of course you have backups of your important files). Determining whether that applies in your case really depends on your personal evaluation of the costs and benefits though, so it’s hard to state any hard and fast rule about this.
Unfortunately, malware authors are ingenious at finding ways to get where they’re not wanted, and the highly complex, multi-layered nature of computing tilts the odds in their favour more than it does to ensuring computer security. Then again, to be fair, humans have lived in houses for thousands of years, and we still haven’t figured out how to totally prevent burglars from invading our homes, so you could probably also credit a natural human genius for finding ways to inconvenience their fellows.
If you’re still interested, here are few other articles with more details (some technical, others less so) about rootkits:
- R00tkit Analysis: What Is A Rootkit at OmniNerd
- Kernel Rootkits by Dino Dai Zovi from SANS Institute InfoSec Reading Room
- Rootkits vs. Stealth by Design Malware (PDF) by Joanna Rutkowska, presented at the 2006 BlackHat Conference Europe
Also partially available in Google Books:
- Rootkits for Dummies By Larry Stevenson, Nancy Altholz
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System By Bill Blunden
- Rootkits: Subverting the Windows Kernel By Greg Hoglund, James Butler