“Man Behind the Curtain” – Rootkit Malware

by | Jul 25, 2019 | Cyber Incident and Response, IT Security

Definition of a Rootkit

A rootkit is a set of software tools designed to reside in the top-level directory (the “root”) of a file system. Rootkits can be used to detect attacks and provide anti-theft defenses. But because they can also enable unauthorized users to gain control of an operating system without being detected, they are often used for ill intent, and are therefore commonly understood to be a classification of malware.

Distinctive Characteristics that Qualifies the Rootkit Malware Category

A rootkit can enable an unauthorized person to have access to a computer, or to a specific software, or to a whole network. It is able to obscure its existence. Sometimes it additionally obscures the existence of other software as well. The term rootkit is a compound of the word “root” (the traditional name of the top-level, privileged account on a Unix or Linux operating system) and the word “kit” (the set of software components that function together to make the tool). It lurks with the main controls of the whole system and hides there. It allows unauthorized users to control the operating system without you knowing it. Virus detection programs often cannot detect rootkits, either. Since virus detectors also have to follow the directions of the top-level directory, they are at a disadvantage. A rootkit sets the rules for all proceeding operations, so it puts blinders on any virus detection programs it encounters, letting it continue to exist unimpeded.

Notable Examples of Rootkit Malware

The Greek Wiretapping Scandal of 2004-05

Also known as the “Greek Watergate”, the phone wiretapping operation was all due to a rootkit. It enabled wiretapping of approximately 100 top Greek officials while it simultaneously disabled audit logs, provided a backdoor to allow unauthorized surveillance, and orchestrated many other compromising controls. It operated for a long time undetected. It was only discovered when the communications company installed an update that did not interact correctly with the rootkit – it caused SMS texts to not be delivered consistently. This caused the communications company to realize that something in the system was not right. Unfortunately, by that time a whole lot of damage had been done. Because a rootkit was the culprit, it took weeks of investigation to finally discover the source of the problem.

Malware in the Music: Sony BMG

Around the same time, Sony BMG Music Entertainment published CDs with copy protection. The digital rights management software they used in the CDs was created by an outfit called First 4 Internet, who included a rootkit along with the music player that protected copyright. This rootkit was detectable by a tool called RootkitRevealer, which was able to determine that this rootkit cloaked files starting with “$sys$”. Sadly, this vulnerability on the CDs led to the awareness of other vulnerabilities, leading to more exploitation by others. Sony BMG had to recall the CDs and deal with a mess of lawsuits as a result. 

What are the Typical Objectives for Rootkit Malware?

Modern rootkits are usually used to allow another software payload to be installed undetected. These software payloads may be programmed to steal passwords or credit card payment information, or conduct whatever unauthorized activities it was designed to perform. The possibilities are endless. It allows the attacker to:

  • Create a backdoor, making possible the eventual installment of other malware (like ransomware)
  • Render a computer as a zombie computer for attacks on other computers or networks (such as a DDoS attack)

Network users can unknowingly download malware and rootkits hidden in clickbait on the internet.

Stop Rootkit Malware

How is a Rootkit Usually Delivered?

If an attacker can obtain administrator access to a operating system, the attacker can install it. For an unauthorized person to get this kind of access one of the following must have taken place:

  • The attacker is a person who has already been given root access to the operating system and is now wishing to seek to use that privilege for unauthorized purposes
  • Through “phishing” or some other social engineering tactic, an unauthorized person has gained login credentials for root access
  • Through a network intrusion that takes advantage of programming errors, the attacker uses the flaws for the purpose of granting elevated access (known as “privilege escalation”).

Rootkit installation can be automated, or it can be done manually, just depending on how root access is achieved. 

Combatting Rootkits:
Preventing the “Man Behind the Curtain”

Because of their insidious nature, there is no single answer for how to prevent and eradicate all the variations of rootkits that exist. It is important to educate yourself on the many facets of system hardening and the layers of defense necessary to prevent a rootkit invasion. Rootkits can be present on systems for long periods of time before detection. Rootkit invasions are often forerunners to subsequent malware events, like ransomware. So join us as we pull back the curtain of various types of rootkits, and learn about the attack vectors, the prevention measures, and removal processes they involve.

Hybrid VDI - Total Economic Impact of VMWare End User Computing