Rootkits are complex and ever changing, which makes it difficult to understand exactly what you're dealing with. This article attempts to provide enough information to give you at least a fighting chance if you're confronted with one.
1. What is a rootkit?
Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a Unix/Linux term that's the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit — all of which is done without end-user consent or knowledge.
2. Why use a rootkit?
Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity and even changing the computer's configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they consider rootkits to be solely malware, but in themselves they aren't malicious at all.
One well-known example of rootkit use is Sony BMG's attempt to prevent copyright violations. Sony BMG didn't tell anyone it placed DRM software on home computers when certain CDs were played, and the rootkit-hiding technique Sony used was so good not one antivirus or anti-spyware application detected it.
3. How do rootkits propagate?
Rootkits can't propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: dropper, loader and rootkit.
The dropper is the code that gets the rootkit's installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious email link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.
Blended-threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:
- IM: One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it's from a friend), that computer becomes infected and has a rootkit on it as well.
- Rich content: The newest approach is to insert the blended-threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it's all over.
4. User-mode rootkits
There are several types of rootkits, but we'll start with the simplest one. User-mode rootkits run on a computer with administrative privileges. This allows user-mode rootkits to alter security and hide processes, files, system drivers, network ports and even system services. User-mode rootkits remain installed on the infected computer by copying required files to the computer's hard drive, automatically launching with every system boot.
Sadly, user-mode rootkits are the only type that antivirus or anti-spyware applications even have a chance of detecting. One example of a user-mode rootkit is Hacker Defender. It's an old rootkit, but it has an illustrious history.
Blended-threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force
5. Kernel-mode rootkit
Malware developers are a savvy bunch. Realising rootkits running in user-mode can be found by rootkit detection software running in kernel-mode, they developed kernel-mode rootkits, placing the rootkit on the same level as the operating system and rootkit detection software. Simply put, the OS can no longer be trusted. One kernel-mode rootkit that's getting lots of attention is the Da IOS rootkit, developed by Sebastian Muniz and aimed at Cisco's IOS operating system.
Instability is the one downfall of a kernel-mode rootkit. If you notice that your computer is blue-screening for other than the normal reasons, it just might be a kernel-mode rootkit.
6. User-mode/kernel-mode hybrid rootkit
Rootkit developers, wanting the best of both worlds, developed a hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy). The hybrid approach is very successful and the most popular rootkit at this time.
7. Firmware rootkits
Firmware rootkits are the next step in sophistication. This type of rootkit can be any of the other types with an added twist; the rootkit can hide in firmware when the computer is shut down. Restart the computer, and the rootkit reinstalls itself. The altered firmware...
Talkback
Or is it just Windows/Linux machines. I opened what turned out to be a 'spam' PDF the other day (breaking the habit of a lifetime) - now I'm wondering if I've let something in.
the address below will point you in the right direction regarding mac security issues, but the short answer is yes, you'd be wise to look up some freeware type removers. research carefully though/tricksters are rife!
http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener/
In the old days (about 15 years ago) we had an anti-virus program installed (I think it was Norton) that did a hash of your system at boot up and compared this with a stored hash taken when the system was in a known condition. If the comparison failed the boot up would be halted until someone from Tech Services came to investigate. Would this kind of defence work against rootkits?
Yes, if your tech support is quick of the mark, although it may be worth educating youself'/staff into doing the deed yourselves. Noran software has a reputation for being a resourse hog although they state that this has changed since 2009 release. Many of the anti virus vendors have added rootkit detection to their portfolios.