Why removing rootkits is such a pain

Someone once made the comment, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”

That was in in 2005, when rootkits were an unknown menace for most users. Nowadays, that isn’t quite the case any more, as the number of rootkit infections have exploded in the last few years and lead to more media coverage. In any case, you know a malware has reached evil superstar status when it warrants its own ‘For Dummies’ book.

In the beginning (as in the late 1980s), rootkits were standalone toolkits that allowed hackers to gain root, or administrative access to a computer system (hence the name). Today, the term is usually used to mean programs, codes or techniques that are used to hide malware on an computer.

I’m not going to dwell much on their history or workings (though if you’re interested, Alisa Shevchenko over on Securelist has an excellent article on rootkit history). Instead, I’m going to focus on one particular aspect of rootkits that’s been irritating the daylights out of our Support and Analyst folks recently – why are they so difficult to remove?

Why worry?

Media reports tend to hype ‘rootkits’ as the next big evil in computing, but it’s a bit more complicated than that. For one thing, rootkit tools, coding or techniques aren’t strictly illegal, or even undesirable – perfectly legitimate commercial applications use them to the benefit of users. It also doesn’t help that security vendors don’t have a uniform approach to rootkits; some consider all rootkits as a type of malware, while others shade their evaluations depending on whether the rootkit-like behavior is in a commercial software (in which case, the program may just be potentially unwanted).

Personally, I find it more useful to think of rootkits as operating system controllers. Their entire purpose is to burrow deep into the operating system’s files and subroutines, latching onto and modifying specific processes to gain control over the system. The processes targeted will vary depending on the system and the rootkit in question, but the end result is the same – the rootkit is now in a position to direct the system’s actions for its own ends; it’s become the puppeteer to the computer’s marrionette.

Rootkits have been around a long time, but they only really became a major concern for most users when malware authors found ways to incorporate rootkits into their malicious programs. And for most security professionals, rootkits are considered one of the most troublesome threats to deal with.

How does the rootkit gain so much control?

A rootkit’s defining characteristic is that it has administrative access – its commands are accepted by the operating system as though they were its own. How this access is gained is another story – a separate trojan may exploit a vulnerability to gain access to a administrator account, or a worm might steal the necessary passwords, any number of things. However the access is gained, the end result is that the rootkit is installed with admin rights, and from there proceeds to do its dirty work.

Rootkits use their privileged access to control the operating system itself, mainly by intercepting and modifying the commands it sends to other programs and basic system activities. Slightly more technically, rootkits usually manipulate various application programming interfaces (APIs), or the subroutines used by the operating system to direct operations (at least, in Windows).

An important point to remember is that these APIs are a built-in features of the operating system. They may be undocumented, or rarely used – but commands made through them are perfectly legitimate, and recognized and treated as such. These APIs can involve and affect every activity performed on the computer, from the mundane (e.g., displaying a folder) to the most fundamental  (e.g., booting up).

There are various types of rootkits based on how deeply they can penetrate the operating system to control its most basic processes (if you want to get more technical,  Joanna Rutkowska has a good article), but in every case, the key idea is the same – commands sent by the operating system can be viewed and countermanded by the rootkit, if necessary; likewise, requests coming from other programs or system processes are checked and filtered by the rootkit before they reach the operating system.

Not like other malware

To illustrate why a rootkit’s manipulation of APIs is significant, let’s compare it to other malwares. When a trojan or virus infects a computer, its interactions with the operating system will usually fall into one of two strategies:

  • Strategy 1: Uses the operating system’s standard procedures to run it
  • Strategy 2: Exploits a vulnerability (a flaw or loophole) to execute malicious code

Note that strategy 1 involves the malware functioning just like any other program – its processes and files are visible, the instructions between operating system and program are ‘standard’, and so on. Strategy 2 usually involves some novel technique that forces the system to behave in an unintended manner – ‘breaking  the system’, if you like.

Rootkits on the other hand, doesn’t do either. Unlike trojans or viruses, the rootkit doesn’t behave like a separate program being run on top of the operating system; instead, the rootkit acts more like a driver, or one of the operating system’s own components, giving directions on how other programs should be handled. The rootkit also doesn’t exploit any vulnerabilities – it simply uses the operating system’s own features for its own ends.

The thing is, malwares that use Strategies 1 & 2 can be defeated with fairly standard countermeasures: for example, software vendors can release patches to close vulnerabilities, and users can uninstall malicious programs. Rootkits however don’t suffer either problem: there’s no vulnerability that can be patched, and because a rootkit’s first action is usually to hide itself, the rootkit can effectively prevent the user or the operating system from detecting its presence at all, let alone uninstalling it.

Why are rootkits so difficult to remove?

The highly technical reason for this is: you can’t remove a file you can’t find. Remember, the rootkit is in control. If the user starts looking through system folders for suspicious files, or starts an antivirus scan, a sophisticated rootkit can display a clean ‘image’ of the infected folder rather than the actual infected one, or move the infected file to another location for the duration of the scan; it can stop the antivirus from running, or force it to report false scan results; anything, really, to prevent detection.

Malware authors really want their creations stay installed and active on your computer, and they can use the rootkit to perform any number of actions to prevent their malwares – or the rootkit itself – from being detected. Some of the tricks they can use to get their way include:

  • Renaming their files to match a legitimate system file
  • Burying their processes and files deep within the driver and kernel
  • Installing in such a way that they reinstall again if the computer is rebooted
  • Actively altering its behavior while antiviruses are running to prevent detection
  • Actively changing its own code to make it appear to be a new, unknown program
  • Prevent AV/spyware removal programs from opening at all

Heck, about the only thing they don’t do is say they love you and will still respect you in the morning.

How does an AV detect and remove rootkits, then?

Antivirus programs have historically had a difficult time dealing with rootkits, precisely because of how they operate: by using the operating system itself to evade detection and prevent removal. In the case of simpler rootkits, it was possible to look for telltale signs – odd changes, missing or alter folders, etc, to determine a rootkit was present. With more sophisticated threats though, detection meant deactivating the rootkit entirely before it could start active evasion; because once it was active, detection and removal became well nigh impossible.

That status quo has changed somewhat in the last few years, as more antivirus vendors have developed the necessary tools to combat the threat. As rootkits themselves vary in complexity, detecting and removing them requires a multi-layered approach:

  • First Line of Defense: Heuristic Scanning
    This preliminary defense can deal with the more obvious rootkits, those that make easy-to-spot changes or ham-fistedly modify normally untouched components. Most antivirus products nowadays include heuristic or behavior-based scanning, which examines each program to evaluate how potentially damaging its actions may be. If the rootkit (or the malware it’s hiding) is found, the AV may be able to find and remove them as usual.
  • Second Line of Defense: Specific Malware Removal
    Even with heuristic scanning, standard scanning engines may not detect more sophisticated or devious rootkits.  At this point human ingenuity enters the picture, in the form of Malware Analysts, who analyse the threat and create specific removal scripts designed to find and remove a particular rootkit. These scripts are also called on to scan the computer, looking for specific threats to complement the more general, automated checks.
  • Third Line of Defense: Offline Scanning
    Sometimes, a rootkit can compromise a computer so thoroughly that any detection program running on the infected system is hopelessly outfoxed by the wily rootkit. In that event, the safest bet is to perform offline scanning – shutting down the computer so that the rootkit can’t actively hide itself, then scanning the system using an antivirus program or rootkit detection tool that runs off a CD or USB drive.
  • Fourth Line of Defense: Manual Removal
    As a last resort, some antivirus vendors will recommend specific manual removal procedures, which only apply for particular rootkits. Generally, this type of removal is considered quite advanced for an average user, and is best left to an IT technician or at least to someone more experienced. Some vendors also develop and publish removal utility programs, either for general or specific rootkit removal.

These detection and removal methods will probably catch most of the rootkits out there, but none of them are 100% certain. In some cases, the fastest, easiest and cheapest possible solution is to simply format and reinstall the entire operating system (assuming of course you have backups of your important files). Determining whether that applies in your case really depends on your personal evaluation of the costs and benefits though, so it’s hard to state any hard and fast rule about this.

Unfortunately, malware authors are ingenious at finding ways to get where they’re not wanted, and the highly complex, multi-layered nature of computing tilts the odds in their favour more than it does to ensuring computer security. Then again, to be fair, humans have lived in houses for thousands of years, and we still haven’t figured out how to totally prevent burglars from invading our homes, so you could probably also credit a natural human genius for finding ways to inconvenience their fellows.

More

If you’re still interested, here are few other articles with more details (some technical, others less so) about rootkits:

Also partially available in Google Books:

  • Rootkits for Dummies By Larry Stevenson, Nancy Altholz
  • The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System By Bill Blunden
  • Rootkits: Subverting the Windows Kernel By Greg Hoglund, James Butler

More posts from this topic

Christine Bejerasco

Meet the Online Guardian Working to Keep You Safe

Every time you go online, your personal privacy is at risk – it’s as simple as that. Whether you’re creating an account on a website, shopping, or just browsing, information like your email, IP address and browsing history are potential targets for interested parties.   All too often, that information is sold on or sometimes even stolen without you even knowing it. And the threats to our online privacy and security are evolving. Fast.   As F-Secure’s Online Protection Service Lead, Christine Bejerasco’s job is to make life online safer and more secure.   “We’re basically online defenders. And when your job is to create solutions that help protect people, the criminals and attackers you’re protecting them against always step up their game. So it’s like an arms race. They come up with new ways of attacking users and our job is to outsmart them and defend our users,” Christine says.   Sounds pretty dramatic, right? Well that’s because it is. While it used to be that the biggest threat to your online privacy was spam and viruses, the risks of today and tomorrow are potentially way more serious.   “Right now we’re in the middle of different waves of ransomware. That’s basically malware that turns people’s files into formats they can’t use. We’ve already seen cases of companies and individual people having their systems and files hijacked for ransom. It’s serious stuff and in many cases very sad. If your online assets aren’t protected right now you should kind of feel like you’re going to bed at night with your front door not only unlocked but wide open.”   Christine and her team of 11 online security superheroes (eight full-time members and three super-talented interns) are on the case in Helsinki.   Here’s more on Christine and her work in her own words:   Where are you from? The Philippines   Where do you live and work? I live in Espoo and work at F-Secure in Ruoholahti, Helsinki.   Describe your job in 160 characters or less? Online guardian who strives to give F-Secure users a worry-free online experience.   One word that best describes your work? Engaging   How long is a typical work day for you? There is no typical workday. It ranges from 6 – 13 hours, depending on what’s happening.   What sparked your interest in online security? At the start it was just a job. As a computer science graduate, I was just looking for a job where I could do something related to my field. And then when I joined a software security company in the Philippines, I was introduced to this world of online threats and it’s really hard to leave all the excitement behind. So I’ve stayed in the industry ever since.   Craziest story you’ve ever heard about online protection breach? Ashley Madison. Some people thought it was just a funny story, but it had pretty serious consequences for some of the people on that list.   Does it frustrate you that so many people don’t care about protecting their online privacy? Yeah, it definitely does. But you grow to understand that people don’t value things until they lose it. It’s like insurance. You don’t think about it until something bad happens and then you care.   What’s your greatest work achievement? Shaping the online protection service in the Labs from its starting stages to where we are today.   What’s your idea of happiness? Road trips and a bottle of really good beer.   Which (non-work-related) talent would you most like to have? Hmmm… tough. Maybe, stock-market prediction skills?   What are your favorite apps? Things Stumbleupon   What blogs do you like? Security blogs (F-Secure Security blog of course and others – too many to list.) Self-Help Blogs (Zen Habits, Marc and Angel, etc.)   Who do you admire most? I admire quite a few people for different reasons. Warren Buffett for his intensity, simplicity and generosity. Mikko Hyppönen for his idealism and undying dedication to the online security fight. And Mother Theresa for embodying the true meaning of how being alive is like being in school for your soul.   Do you ever, ever go online without protection? Not with systems associated to me personally, or with someone else. But of course, when we are analyzing online threats, then yes.   See how to take control of your online privacy – watch the film and hear more from Christine.  See how Freedome VPN will keep you protected and get it now.

July 14, 2016
BY 
Could the Sony and Hacking Team hacks have been detected sooner?

Hacks in the Headlines: Two Huge Breaches That Could Have Been Detected

The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared.   Photo: Getty Images

May 31, 2016
5588953445_51dcf922aa_o_crop

Why are Android bugs so serious?

Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios.   Safe surfing, Micke     Photo by etnyk under CC

March 18, 2016
BY