Rootkit: What is a Rootkit, Scanners, Detection and Removal Software
What is a Rootkit?
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term Rootkit is a connection of the two words "root" and "kit". Originally a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the Admin account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms, viruses – that conceal their existence and actions from users and other system processes.
What can a Rootkit do?
A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.
It is difficult to detect Rootkits. There are no commercial products available that can find and remove all known and unknown rootkits. There are various ways to look for a rootkit on an infected machine. Detection methods include behavioral-based methods (e.g. looking for strange behavior on a computer system), signature scanning, and memory dump analysis. To remove a Rootkit often times the only option is to completely rebuild the compromised system.
Many rootkits penetrate computer systems by piggybacking with software you trust or with a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities. This includes patches of your OS, applications, and up-to-date virus definitions. Don't accept files or open email file attachments from unknown sources. Be careful when installing software and carefully read the end user license agreements.
Static analysis can detect backdoors and other malicious insertions such as rootkits. Enterprise developers as well as IT departments buying ready-made software can scan their applications to detect threats including 'special' and 'hidden-credential' backdoors. The bane of researchers – the rootkit – can also be detected by static analysis scans.
Well known Rootkit examples
- Lane Davis and Steven Dake - wrote the earliest known rootkit in the early 1990’s.
- NTRootkit – one of the first malicious rootkits targeted at Windows OS.
- HackerDefender – this early Trojan altered/augmented the OS at a very low level of functions calls.
- Machiavelli - The first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads.
- Sony BMG copy protection - In 2005, Sony BMG published CDs with copy protection and digital rights management. The software included a music player but silently installed a rootkit which limited the user's ability to access the CD.
- Greek wiretapping – In 2004/05 intruders installed a rootkit that targeted Ericsson's AXE PBX.
- Zeus, first identified in July 2007, is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing.
- Stuxnet - the First Known Rootkit for Industrial Control Systems
- Flame - is a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic.
Written by: Fergal Glynn