Rootkits Explained

The name “rootkit” came from the days when Unix dominated the computer landscape. “Root” in Unix and Linux is the ultimate administrator of the operating system, a superuser. Root users have full access to the operating system and can make any change at will—hence the name for tools that let attackers operate covertly with root-level rights. Today, rootkits typically target Microsoft Windows operating systems. Other operating systems are targeted, too—and none are immune.

In theory, a rootkit enables undetectable access to a computer system. Rootkits typically have payloads consisting of keyloggers, backdoors, and other nefarious programs designed to steal data, intercept network communications, or use computer resources in a botnet/zombie network. 

Rootkits are more persistent and harder to track down than Trojans, worms, and logic bombs. These other types of malware hide by naming files they create with a familiar name to appear innocuous to the user. But rootkits operate stealthily by hiding the processes, by removing the processes from the process viewer or burying their code in existing dynamic link libraries (DLL), or by replacing existing binaries with a binary provided by the rootkit.  

Potential Signs Your Computer Is Infected

If your computer is running inordinately slow and the processor or memory usage always seems high, a rootkit could be the reason. A rootkit could also be to blame if your computer locks up while performing everyday tasks. Rootkits are seldom a single piece of malware. Usually, rootkits contain other malware within their code. Rootkits come in different forms, including the “user-mode” type.

User-Mode Rootkits

A user-mode rootkit installs on the application level. Privilege escalation usually takes place prior to installation. The attacker installs the rootkit with escalated privileges gained during the attack, providing the rootkit with administrator or root-level system rights. Payloads associated with user-mode rootkits can include a backdoor with non-administrator or administrator access. If the rootkit has non-administrator access, the attacker may employ privilege-escalation techniques during the next visit to the system. 

Attackers achieve persistence without root or administrator access by deactivating or compromising antivirus or antimalware software. This move prevents the software from conducting scans, receiving updates, and checking the system for a rootkit. The rootkit and other malware deployed by the rootkit is then able to execute without detection.   

Rootkits maintain system access for the attacker. Username and password information for the attacker is not held in the same file as other username and password information. Compromised files or hidden files contain the attacker’s login and password information, making removal of the attacker’s account difficult. 

User-mode rootkits can be installed in various ways. Users might click on a link to a site that installs the malware, duped into thinking they are installing a known, safe program. Users might also be conned into opening an email attachment from an attacker. In addition, in an insider threat scenario, a malicious user could knowingly install a rootkit for all manner of nefarious purposes. 

Rootkits installed by a user may be installed with higher privileges if the user is logged in with superuser or administrator privileges. If the user is logged in with simple user permissions, the rootkit will be installed with the privilege level of the user account that it was installed with. Payloads targeting a specific operating system may contain malware designed for privilege escalation, providing the rootkit with administrator or root privileges. 

User-mode rootkits exist for all common operating systems. While most user-mode rootkits are primarily focused on Microsoft Windows installations, rootkits also exist for Linux, Unix, Android, and Apple operating systems.

Import Address Table (IAT) Hooking

Import address table (IAT) hooking is a technique that user-mode rootkits apply to achieve code execution and privilege escalation. IAT hooking rewrites an application programming interface (API) within a DLL, replacing the function with malicious code provided by the rootkit. The redirection is completed prior to processing the function supplanted by the rootkit. The functions supplanted in the API execute the code inserted by the rootkit.  

Detecting and Removing a Rootkit

Rootkit detection and removal is difficult since rootkits are designed to operate undetected. Rootkits may have root-level access, giving them the ability to hide their underlying processes from process viewers, along with many virus scanners. Virus scanners pick up on the hooks as they dig into the .dll file replacing an API. During the hooking process is when a virus scanner usually detects the rootkit. Some rootkits are detected by signature-based virus scans if the signature is a known by the scanner. 

User-mode rootkits are detectable and can generally be removed. Removing a user-mode rootkit may require reinstallation of the operating system. Some user-mode rootkits with less sophistication may be more easily removed. Follow-up procedures may be needed to rectify a breach of the network and possible password theft. Data forensics should be conducted to validate the loss or theft of sensitive data. 

Open-source scanning tools used for Linux and Unix include Chkrootkit, Rootkit Hunter, ClamAV, BotHunter, Avast, and NeoPI. ClamAV can be found in Linux repositories and has been available since Aug. 17, 2007. Chkrootkit can be found in the Ubuntu online repository. Not many user-mode rootkits exist for Linux and Unix variants. Most rootkits for “nix” environments are kernel-based rootkits. 

Most rootkit scanners for Windows have in the past been bootable disks, which scan the boot sector and the hard drive. The bootable nature of the scanner allowed them to remove a rootkit with ease, due to the operating system being dormant at the time of the scan. When the operating system is not active a rootkit is not active and cannot protect itself from being removed. Most of the bootable scanners were freeware and easily accessible online with a simple search. 

A number of popular virus scanners offer free rootkit scans for Windows. The software is not open source—it is freeware. Examples of free rootkit scanners include Kaspersky TDSSKiller, Bitdefender Rootkit Remover, McAfee Rootkit Remover, Sophos Rootkit Removal Tool, and Avast aswMBR Rootkit Scanner. 

Security teams can look to Booz Allen’s Malware Open-source Threat Intelligence Family (MOTIF) dataset to find samples of different types of rootkits that target Windows systems.

This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

This article is for informational purposes only; its content may be based on employees’ independent research and does not represent the position or opinion of Booz Allen. Furthermore, Booz Allen disclaims all warranties in the article's content, does not recommend/endorse any third-party products referenced therein, and any reliance and use of the article is at the reader’s sole discretion and risk.