What is a rootkit and how to detect it

This blog provides an overview of rootkits and the basic knowledge needed to understand and detect them.

A rootkit is not a virus. It’s not a worm and it’s not a trojan. Nor is it spyware and – despite what imagery the name might evoke – it’s definitely not a piece of agricultural machinery.

A rootkit allows someone, either legitimately or maliciously, to gain and maintain command and control over a computer system without the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage.
Potential consequences of a rootkit include:
Concealed malware – Rootkits allow attackers to install additional malware on infected computers. They hide malicious programs from users and any anti-virus software installed on a computer.
Information theft – Malicious software installed with the aid of rootkits can be used to steal user passwords, credit card information, or other sensitive data without being detected.
File deletion – Rootkits can delete operating system code or other files on a system.
Eavesdropping – Hackers can use rootkits to eavesdrop on users and intercept their personal information.
File execution – After subverting anti-malware software on a system, rootkits allow perpetrators to remotely execute other files on target computers.
Remote access – Rootkits can alter system configuration settings, such as opening up backdoor TCP ports in firewall settings, or altering startup scripts. This grants attackers remote access, allowing them, for example, to use the computer in a botnet.

How do rootkits work?

Rootkits are unable to spread by themselves and instead rely on clandestine tactics to infect your computer. They typically spread by hiding inside software that appears legitimate and may even be functional. However, when you grant the software permission to be installed on your system, the rootkit quietly sneaks inside, where it may lie dormant until the attacker activates it. Rootkits are notoriously difficult to detect and remove because they conceal themselves from users, administrators and many types of security products. Simply put, once a system is compromised with a rootkit, the potential for malicious activity is high.
Other common infection vectors include email phishing scams, downloads from dodgy websites and connecting to compromised shared drives. It’s important to note that rootkits don’t always require you to run an executable – sometimes something as simple as opening a malicious PDF or Word document is enough to unleash a rootkit.
There are four main types of rootkits: 

1. Kernel rootkits

Kernel rootkits are engineered to change the functionality of your operating system. These types of rootkits usually add their own code (and sometimes their own data structures) to parts of the operating system core (known as the kernel). Creating an effective kernel rootkit is fairly complex and, if implemented incorrectly, can have a noticeable impact on system performance. The good news is that most kernel rootkits are easier to detect than other types of rootkits.
SmartService is an excellent example of a kernel rootkit. Rising to prominence midway through 2017, SmartService prevents you from launching many antivirus products, thereby essentially acting as a bodyguard for adware and trojan infections that may already exist on the machine.

2. User mode rootkits

User mode rootkits are either started as a program in the normal manner during system startup, or injected into the system by a dropper. There are many possible methods, and they depend heavily on the operating system used. While Windows rootkits tend to focus on manipulating the basic functionality of Windows DLL files, in Unix systems it’s common for an entire application to be completely replaced.
User mode rootkits are very popular in financial malware these days. One of the most copied pieces of financial malware, Carberp, includes this technique and also had its source code leaked several years ago, so its user mode rootkit component has been recycled over and over again and can be found in many financial malware families to this day.

3. Bootloader rootkits

Bootloader rootkits, or bootkits, target the building blocks of your computer by infecting the Master Boot Record (a fundamental sector that instructs your computer how to load the operating system). These types of rootkits are particularly tricky to exterminate because, once the bootkit has injected code into the MBR, removing it could damage your computer.
Modern operating systems like Windows 8 and 10 have become almost completely immune to these types of rootkits due to the introduction of Secure Boot. As a result, bootkits are almost extinct. The most prominent bootkit family has to be the Alureon/TDL-4 family that was active from 2007 to 2012. During its lifetime the Alureon malware protected by its bootkit component managed to become the second most active botnet before its creators were arrested at the end of 2011.

A Universal Windows Bootkit

In October 2015, Kaspersky released an analysis of a family of malware they dubbed “HDRoot” on their Securelist blog. It was an installment in their ongoing series on the WINNTI group, known for targeting gaming companies in their APT campaigns. The Securelist blog was dismissive of the HDRoot bootkit and called out a number of mistakes they claimed the authors made, making the bootkit the focus of their ridicule.
The bootkit in question uses two stolen signing certificates and is capable of running without problems on any Windows system released in the last 16 years, from Windows 2000 to Windows 10. The one limitation is that it will only run as an MBR bootkit and will not work on systems using UEFI. It contains the ability to install any backdoor payload to be launched in the context of a system service when Windows starts up, on both 32- and 64-bit systems. It also does a fairly good job of concealing the actual bootkit code, only failing to remove the backdoor after running it at boot. This is likely a conscious choice by the authors to make the backdoor responsible for removing itself, and not an oversight.
HDRoot represents a serious commitment in time and effort to develop, and has likely been in use or development since at least 2006. The sample analyzed here dates to sometime in 2012 or 2013, and is the same sample Kaspersky reports to have analyzed in their debut post on HDRoot. However, all evidence points to Kaspersky doing their analysis with a 2006 sample, criticizing problems in the malware that are not actually present. Additionally, they provide no hashes or other information on the actual sample they used.


4. Memory rootkits 

These types of rootkits exist in your computer’s memory (RAM). Unlike other types of rootkits that may stow away on your computer for years without your knowledge, memory rootkits are lost when you reboot your computer, because the contents of RAM are cleared on restart.
Although there are many different types of rootkits, most are designed with the same task in mind: eliminating traces of themselves (or of accompanying software) in the operating system. They can do this in any number of ways. For example, Windows has a built-in function responsible for listing the contents of folders. A rootkit could modify this basic function (API) so that the name of the file containing the rootkit is never displayed, which makes the file invisible to the normal user. Through manipulation of other Windows APIs, not only files and folders can be hidden, but also running programs, open network ports that are in use, or registry keys. Of course, these are only a few of the many camouflage measures used by rootkits.

Should rootkits be considered malware?

As we touched on earlier, rootkits are commonly used by malware distributors, but does that make them malicious in and of themselves?
In a word: No. Rootkits are not inherently dangerous. Their only purpose is to hide software and the traces left behind in the operating system. Whether or not the software being hidden is a legitimate or malicious program is another story.
There have been many examples of legitimate rootkits over the years, with one of the most famous cases being that of Sony BMG’s CD copy protection system. In 2005, Windows specialist Mark Russinovich discovered that simply using a Sony BMG CD protected with this system caused a piece of software to be automatically installed, without the approval of the user, which did not appear in the process list and could not be uninstalled (i.e. it hid itself from the user). This copy protection software was originally intended to prevent a music CD purchaser from reading the audio data in any manner and then possibly illegally redistributing it.
While they may have legitimate applications, it has to be said that cybercriminals are the ones who have benefited the most from leveraging the power of rootkits. Because rootkits can be used to hide running processes, files and storage folders, hackers often use them to conceal malicious software from users and make it more difficult for antivirus products to detect and remove the offending programs. Rootkits are also commonly used for keyloggers, as they can sit between your operating system and your computer’s hardware and keep tabs on every single key you press. In addition, hackers have used rootkits to create enormous botnets comprised of millions of machines, which they put to work harvesting cryptocurrency, launching massive DDoS attacks and carrying out other illegal campaigns on a huge scale.

How to detect a Rootkit

Signature-reliant antivirus products struggle to detect rootkits. Many rootkits are more than capable of hiding from virus scanners and other disinfection systems, making it all but impossible for some antivirus software to analyze and deal with the corresponding signatures.
Detecting a rootkit on your system is easier said than done. There is no off-the-shelf product, like there is for viruses or spyware, that can magically find and remove all of the rootkits of the world. There are various tools to scan memory or file system areas, or to look for hooks into the system used by rootkits, but most of these tools are not automated, and those that are often focus on detecting and removing one specific rootkit.
Another method is just to look for bizarre or strange behavior on the computer system. If there are suspicious things going on, you might be compromised by a rootkit. Of course, you might also just need to clean up your system.
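The camouflage section above describes a rootkit modifying the directory-listing API, and the detection section mentions looking for hooks into the system. The following is an added example (not code from the original post or from any tool it names) of the cross-view check a hook scanner performs: the first bytes of each function as stored in the file on disk are compared with the same bytes as seen in process memory, and any inline jmp rel32 found there is decoded to see whether it leaves the owning module. The function names, addresses and prologue bytes are constructed for illustration.

```python
import struct

# Constructed sample data (hypothetical, not from any real system): load
# addresses of three exported functions and the address range of the module
# that legitimately owns them.
MODULE_RANGE = (0x7FF800000000, 0x7FF800100000)
FUNC_ADDRS = {
    "NtQueryDirectoryFile": 0x7FF800001000,
    "NtQuerySystemInformation": 0x7FF800002000,
    "NtOpenProcess": 0x7FF800003000,
}
# First 8 bytes of each function as read from the file on disk (constructed).
DISK_VIEW = {
    "NtQueryDirectoryFile": bytes.fromhex("4c8bd1b837000000"),
    "NtQuerySystemInformation": bytes.fromhex("4c8bd1b836000000"),
    "NtOpenProcess": bytes.fromhex("4c8bd1b826000000"),
}
# The same 8 bytes as read from process memory (constructed). The first two
# have been overwritten with a 5-byte "jmp rel32"; the third is untouched.
MEM_VIEW = {
    "NtQueryDirectoryFile": bytes.fromhex("e9fbef3312000000"),      # jumps outside module
    "NtQuerySystemInformation": bytes.fromhex("e9fb0f0000000000"),  # jumps inside module
    "NtOpenProcess": bytes.fromhex("4c8bd1b826000000"),
}

def decode_jmp_rel32(code: bytes, addr: int):
    """If `code` starts with E9 (jmp rel32), return the branch target, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]          # signed 32-bit displacement
    return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF        # relative to the next instruction

def find_inline_hooks(disk_view, mem_view, func_addrs, module_range):
    """Cross-view check: report functions whose in-memory prologue differs from disk."""
    lo, hi = module_range
    findings = []
    for name, disk_bytes in disk_view.items():
        mem_bytes = mem_view[name]
        if mem_bytes == disk_bytes:
            continue  # prologue intact, nothing to report
        target = decode_jmp_rel32(mem_bytes, func_addrs[name])
        if target is None:
            findings.append((name, None, "prologue modified, no jmp decoded"))
        elif lo <= target < hi:
            findings.append((name, target, "jmp stays inside module (verify: hot-patch or vendor detour)"))
        else:
            findings.append((name, target, "jmp leaves module: likely inline hook"))
    return findings

if __name__ == "__main__":
    for name, target, verdict in find_inline_hooks(DISK_VIEW, MEM_VIEW, FUNC_ADDRS, MODULE_RANGE):
        print(f"{name}: {verdict}" + (f" -> {target:#x}" if target else ""))
```

A real scanner reads both views itself (the on-disk image relocated to its load address, and live memory); a difference alone is not proof, which is why a jump that stays inside the owning module is reported for review rather than as a hook.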


Rootkit Scanner


1. The TDSSKiller

TDSSKiller is a utility created by Kaspersky Labs that is designed to remove the TDSS rootkit. This rootkit is known under other names such as Rootkit.Win32.TDSS, Tidserv, TDSServ, and Alureon. TDSSKiller will also attempt to remove other rootkits, such as the ZeroAccess rootkit, if they are detected.
TDSSKiller can be downloaded as an EXE or a ZIP file that contains the executable. When using the program, it is easier to download the EXE directly and only download the ZIP file if your computer software or Internet connection does not allow the direct download of executables.
It is important to note that many rootkits target the name of the TDSSKiller executable so that it is terminated when you attempt to run it. Therefore, after downloading or extracting the executable you should rename it to iexplore.exe so that it can more easily bypass any protection routines a particular rootkit may use.

The TDSSKiller utility detects and removes the following malware:
The TDSSKiller utility supports the following operating systems:
2. Emsisoft Anti-Malware

Rather than relying on identifying a matching signature, Emsisoft Anti-Malware’s Behavior Blocker is able to recognize malicious attempts to gain access to relevant system functions and stop the offending program before it can make any changes to the system.
This innovative approach to fight rootkits and malware enables Emsisoft Anti-Malware to detect and block all types of digital attacks, including threats it has never encountered before.

Protecting Your System From Rootkits

In the Information Security Management Handbook, Sixth Edition, Volume 2, security researchers E. Eugene Schultz and Edward Ray recommend that enterprises consider the following measures to prevent rootkit infections:
  • using intrusion detection and prevention tools such as rootkit scanners
  • applying vulnerability patches in a timely manner
  • configuring systems according to security guidelines and limiting services that can run on these systems
  • adhering to the least privilege principle
  • deploying firewalls that can analyze network traffic at the application layer
  • using strong authentication
  • performing regular security maintenance
  • limiting the availability of compiler programs that rootkits exploit

References:
https://blog.emsisoft.com/en/29468/rootkits/
https://www.lifewire.com/what-is-a-rootkit-2487272
https://www.esecurityplanet.com/network-security/top-5-rootkit-threats-and-how-to-root-them-out.html
https://www.imperva.com/learn/application-security/rootkit/
http://williamshowalter.com/a-universal-windows-bootkit/