Rootkit


A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.
Rootkit installation can be automated, or an attacker can install it after having obtained root or administrator access. Obtaining this access is a result of direct attack on a system, i.e., exploiting a vulnerability or a password. Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavior-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.

History

The term rootkit, rkit, or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access. If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information. Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system. In the lecture he gave upon receiving the Turing Award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user's correct password, but an additional "backdoor" password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code. This exploit was equivalent to a rootkit.
The first documented computer virus to target the personal computer, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.
Over time, DOS-virus cloaking methods became more sophisticated. Advanced techniques included hooking low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files.
The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund. It was followed by HackerDefender in 2003. The first rootkit targeting Mac OS X, WeaponX/Weapox, appeared in 2004 while the Stuxnet worm was the first to target programmable logic controllers.

Lenovo BIOS Rootkit (Lenovo Service Engine) Incident (2015)

In mid-2015, it was discovered that Lenovo had been shipping certain consumer PCs with firmware that behaved like a built-in rootkit. The feature, called Lenovo Service Engine, was embedded in the system BIOS and would execute on startup, even before Windows booted. LSE was designed to ensure that Lenovo’s system update utility and related pre-installed programs remained installed by automatically reinstalling them if they were removed. Because it resided in firmware, the code was difficult for users to detect or remove; even a clean Windows installation would not eliminate LSE, as it would be reinstalled on the next reboot.
Researchers later discovered that LSE introduced a serious security issue – a vulnerability allowing a privilege escalation attack to gain administrator-level control. In response, Lenovo released BIOS updates and a removal utility in 2015 to disable and delete the LSE feature. Microsoft also updated its Windows security guidelines to bar such firmware behavior, effectively forcing Lenovo to cease using LSE in new systems. The LSE functionality was removed from subsequent models, and Lenovo urged customers to install the updated firmware to eliminate the risk.

Stuxnet (2010)

Stuxnet, uncovered in 2010, was a highly sophisticated worm developed in a joint U.S.–Israeli intelligence operation targeting Iran’s nuclear facilities. It notably included a Windows kernel-mode rootkit that concealed the malware’s files and processes, enabling the worm to silently sabotage industrial control systems. Stuxnet is often cited as the first known cyberweapon; it destroyed a significant part of Iran’s uranium centrifuges, while remaining difficult to detect.

Sony BMG copy protection rootkit scandal (2005)

In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet. The software included a music player but silently installed a rootkit which limited the user's ability to access the CD. Software engineer Mark Russinovich, who created the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers. The ensuing scandal raised the public's awareness of rootkits. To cloak itself, the rootkit hid any file starting with "$sys$" from the user. Soon after Russinovich's report, malware appeared which took advantage of the existing rootkit on affected systems. One BBC analyst called it a "public relations nightmare." Sony BMG released patches to uninstall the rootkit, but it exposed users to an even more serious vulnerability. The company eventually recalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG.

Greek wiretapping case (2004–05)

The Greek wiretapping case 2004–05, also referred to as Greek Watergate, involved the illegal telephone tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators. The intruders installed a rootkit targeting Ericsson's AXE telephone exchange. According to IEEE Spectrum, this was "the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch." The rootkit was designed to patch the memory of the exchange while it was running, enable wiretapping while disabling audit logs, patch the commands that list active processes and active data blocks, and modify the data block checksum verification command. A "backdoor" allowed an operator with sysadmin status to deactivate the exchange's transaction log, alarms and access commands related to the surveillance capability. The rootkit was discovered after the intruders installed a faulty update, which caused SMS texts to be undelivered, leading to an automated failure report being generated. Ericsson engineers were called in to investigate the fault and discovered the hidden data blocks containing the list of phone numbers being monitored, along with the rootkit and illicit monitoring software.

Uses

Modern rootkits do not elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased.
Rootkits and their payloads have many uses:
  • Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.
  • Conceal other malware, notably password-stealing key loggers and computer viruses.
  • Appropriate the compromised machine as a zombie computer for attacks on other computers. "Zombie" computers are typically members of large botnets that can–amongst other things–launch denial-of-service attacks, distribute email spam, and conduct click fraud.
In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user:
  • Detect attacks, for example, in a honeypot.
  • Enhance emulation software and security software. Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and SecuROM. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods.
  • Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.
  • Bypassing Microsoft Product Activation