Rootkits: The Basics

The biggest disadvantage of any Operating System is that its administrator user name is always known: root for Unix/Linux and Administrator for Windows. The term rootkit is made up of two words, root and kit, where root refers to the administrator and kit refers to a group of programs. In all, a rootkit is a malicious program, or group of malicious programs, used to gain illegal access to all administrator rights on a particular machine. In technical terms,
A ROOTKIT is a program or group of programs used to hide the fact that a system has been compromised.
Previously rootkits were limited to UNIX and Linux systems, so the kit took the name of their administrator account, i.e. root. After rootkits moved deeper into the system, attackers got their hands dirty making similar tools for Windows, the reason being that Windows is the most used Operating System.
A rootkit grants almost unlimited rights to an attacker: the attacker has full access to all hardware, software and services running on the victim's system. An attacker can use a rootkit to install a backdoor or key logger on a remote system. A rootkit hides itself as a system program and sometimes may not even appear in process lists.

It is still under study whether to consider a rootkit as malware or not, because many commercial programs use the same kind of functionality to provide powerful virtual facilities. Examples include honeypots, which help to hide real systems from hackers, and emulators that create a virtual driver interface; the best examples are Alcohol 120% and Daemon Tools, the most loved commercial virtual CD/DVD-ROM emulators. Similar functionality is used by Anti-Virus programs to keep an eye on every piece of code and data before the OS gets loaded into memory: many Anti-Virus programs modify the OS loading process to get the highest priority at boot time so they can scan each and every file. This might be the reason some people complain that their computer stopped booting after removal of an Anti-Virus (if this happens to you, it is clear the Anti-Virus you used had bugs in it). Similar functionality is used when a low-end compiler is made to work on a modern Operating System; the best example is the Turbo C++ 3.0 development environment, which still runs without any problem on Windows XP, Windows Vista and, surprisingly, also on Windows 7.

The above gives us an idea that a rootkit can be a system file, a boot loader, an application, just portable files and, at the very worst, it can also be the hardware or the Operating System itself.
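The point that a rootkit "may not even appear in process lists" is exactly what defenders exploit to find one: a rootkit usually filters the listing path (the directory read of /proc that ps and top rely on) but not a direct query for each PID, so the two views disagree. The following is an added example, not code from the original post. It compares a listing view with a probe view, parses the Tgid field so that threads (which Linux also exposes under /proc/<tid> without listing them) are not reported as hidden processes, and re-checks candidates so that processes that start or exit between the two snapshots are not false positives. The sample views and status texts are constructed; the live collectors assume a Linux /proc.

```python
"""Cross-view check for hidden processes (added example, not from the post)."""
import os

# Constructed sample views: PID 4242 answers a direct query but is missing
# from the listing, which is the signature of a process-hiding rootkit.
SAMPLE_LISTED = {1, 2, 100, 512, 1000}
SAMPLE_PROBED = {1, 2, 100, 512, 1000, 4242}

# Constructed /proc/<pid>/status excerpts: a thread-group leader and a worker thread
SAMPLE_STATUS_LEADER = "Name:\tbash\nUmask:\t0022\nState:\tS (sleeping)\nTgid:\t4242\nPid:\t4242\n"
SAMPLE_STATUS_THREAD = "Name:\tworker\nTgid:\t4242\nPid:\t4250\n"


def tgid_from_status(status_text):
    """Parse the Tgid field from the text of /proc/<pid>/status.

    Linux lets you open /proc/<tid> for a non-leader thread even though a
    directory read never lists it, so a probe that ignores Tgid reports every
    thread as a "hidden process". Only entries with Tgid == Pid are processes.
    """
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def hidden_pids(listed, probed):
    """PIDs present in the direct-probe view but absent from the listing view."""
    return sorted(set(probed) - set(listed))


def listing_view():
    """Listing view: the numeric entries of /proc, exactly what ps relies on."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid=65536):
    """Direct view: open /proc/<pid>/status for every PID without listing /proc.

    max_pid is a constructed default; the real bound is /proc/sys/kernel/pid_max.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status") as fh:
                text = fh.read()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        if tgid_from_status(text) == pid:  # skip non-leader threads
            alive.add(pid)
    return alive


def still_alive(pid):
    """Direct existence check used to confirm a candidate (stat, no listing)."""
    return os.path.exists(f"/proc/{pid}")


def find_hidden(listing=listing_view, probe=probe_view, alive=still_alive):
    """Compare the two views, then re-check candidates to drop snapshot races.

    A process that exits or starts between the two snapshots shows up as a
    candidate; it is only reported if it is still alive and still absent from
    a fresh listing.
    """
    candidates = hidden_pids(listing(), probe())
    return [pid for pid in candidates if alive(pid) and pid not in listing()]


if __name__ == "__main__":
    for pid in find_hidden():
        print(f"hidden process candidate: pid {pid}")
```

The collectors are injectable so the comparison logic can be exercised against constructed views; on a live Linux host the script is run as root so that every /proc/<pid>/status is readable.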
Types of Rootkits:
Depending on the route a rootkit takes to enter the system, rootkits are divided as follows:
Hardware/Firmware rootkits, Hypervisor rootkits, Boot Loader rootkits, Kernel rootkits, Library rootkits and Application rootkits.
Hardware Rootkits:
Firmware can be called an Operating System at the most basic level; firmware cannot act as a platform for other applications to be installed on it, and in fact it is held within the embedded system's own system software. So it is clear that once a rootkit is embedded in firmware, there is no way we can remove it: since the hardware is an abstract entity, you cannot remove it from the hardware. The best example of a hardware/firmware-level rootkit is shown in the movie Paycheck, where Ben Affleck hides code in one of the motherboards of a computer to make it stop after he leaves the company (it is just an example; in the real world it is not done that way).
Hypervisor Rootkit:
A hypervisor rootkit replaces the original boot loader and makes the original PC run in virtual mode. The rootkit therefore becomes the host and the actual system becomes a guest of the hosting rootkit. In this way the rootkit gets all the rights of the guest OS, over hardware as well as software.
Boot Loader Rootkit:
Another variant of the rootkit family is the boot-kit (still held under the rootkit category). A boot-kit is malicious code that replaces the original boot loader with a fully remote-controlled boot loader. The attacker has rights over every piece of information the system holds; in this case the attacker not only enjoys rights on the remote system but enjoys more rights than the administrator itself, because the whole system is remote controlled. The worst part of a boot-kit is that it can bypass nearly every type of software-level or hardware-level encryption technique. The only defense against a boot-kit is never to leave the system unattended and to use only trusted platforms.
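Because a boot-kit lives in the bootstrap code of the first sector, a defender can at least detect the replacement by recording a hash of that code area while the machine is known-good and comparing against it later. The block below is an added example, not code from the original post. It parses a classic MBR (bootstrap code, the four partition entries and the 0x55AA signature), hashes only the code bytes, and excludes the 6-byte disk-signature field at offset 440, which the OS legitimately rewrites and which would otherwise cause false alarms. All sectors here are constructed, not real disks; read_first_sector() assumes a block device path or raw disk image.

```python
"""Boot-sector baseline check against a known-good hash (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440               # bytes 0..439: bootstrap code, the part a boot-kit replaces
DISK_SIG_LEN = 6             # bytes 440..445: disk signature, rewritten by the OS, not hashed
TABLE_OFF = 446              # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA" # bytes 510..511


def parse_mbr(sector):
    """Decode a classic MBR into a code hash plus the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def verify_bootstrap(sector, baseline_sha256):
    """True when the bootstrap code area still matches the recorded baseline."""
    return parse_mbr(sector)["code_sha256"] == baseline_sha256


def read_first_sector(path):
    """Read sector 0 from a block device or raw image (root is needed for /dev/*)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sector(code, partitions, disk_sig=b"\x00" * DISK_SIG_LEN):
    """Assemble a constructed MBR for the demonstration (not a real boot loader)."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba, count)
                     for bootable, ptype, lba, count in partitions)
    return code + disk_sig + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed known-good sector and the baseline recorded from it
PARTS = [(True, 0x83, 2048, 1_000_000)]
GOOD_SECTOR = build_sector(b"\xEB\x3C\x90KNOWN-GOOD-BOOTSTRAP", PARTS)
BASELINE = parse_mbr(GOOD_SECTOR)["code_sha256"]

# Same partition table, new disk signature, different bootstrap code: what a boot-kit leaves behind
NEW_SIG = b"\x11\x22\x33\x44\x00\x00"
TAMPERED_SECTOR = build_sector(b"\xEB\x3C\x90TAMPERED-BOOTSTRAP", PARTS, disk_sig=NEW_SIG)
# Only the disk signature changed: a benign rewrite that must not trip the check
RESIGNED_SECTOR = build_sector(b"\xEB\x3C\x90KNOWN-GOOD-BOOTSTRAP", PARTS, disk_sig=NEW_SIG)

if __name__ == "__main__":
    for name, sec in (("good", GOOD_SECTOR), ("tampered", TAMPERED_SECTOR), ("resigned", RESIGNED_SECTOR)):
        print(name, "matches baseline:", verify_bootstrap(sec, BASELINE))
```

The baseline must be stored off the machine (or on write-protected media); a baseline kept on the same disk is just one more thing a boot-kit can rewrite.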
Kernel Rootkit:
A kernel rootkit is again a great killing code. It installs itself at the kernel level and takes charge of every device and device driver associated with it. It modifies the original kernel code to stay resident in the system. The bitter part of a kernel rootkit is that it can hand your running code over to the attacker. The only precaution you can take is to use trusted platforms.
Library Level Rootkit:
As the name suggests, this is a special kind of rootkit designed for the Windows Operating System. DLL (Dynamic Link Library) files give Windows one of its strongest features: running loaded code directly without reloading it. Two DLL files can be linked using hooking (hooking is a process in which one DLL file is linked with another; when the hooked file is called, the hooking DLL also gets loaded into memory, which is how theme files work in Windows). With the help of a library-level rootkit, an attacker gets access to every system call and patch the system uses for security. Precautionary measures include installing an Anti-Virus program before exposing the system to other installation files or to the network; after a rootkit is installed there is no easy way to detect it, so the better way is to install Anti-Virus first. Most pirated software comes with some kind of malicious code (possibly a rootkit too). That is why even crackers (criminal hackers) never use software cracked by others, and if they do want to use it, they run it in a virtual environment.
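Library-level hooking leaves a visible trace: the first bytes of the hooked API function are overwritten with a short trampoline into the rootkit's own code, which is what anti-rootkit scanners look for when they compare a function's prologue in memory against the copy on disk. The block below is an added example, not code from the original post or any scanner. Given the bytes found at a function's address, it decodes the common trampoline encodings (jmp rel32, push/ret, and mov rax/jmp rax), computes where control would go, and flags the function only when that target lies outside the owning module, since some legitimate functions start with an in-module jmp (thunks and hot-patch stubs). Every address and byte string here is constructed; the clean prologue mimics the shape of an x64 system-call stub with a made-up call number.

```python
"""Inline-hook check on an exported function's prologue (added example)."""
import struct


def decode_trampoline(prologue, address):
    """Return the jump target if the prologue begins with a trampoline, else None."""
    b = bytes(prologue)
    if len(b) >= 5 and b[0] == 0xE9:                                       # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:                      # push imm32 ; ret
        return struct.unpack_from("<I", b, 1)[0]
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        return struct.unpack_from("<Q", b, 2)[0]
    return None


def is_hooked(prologue, address, module_range):
    """A trampoline counts as a hook only if it leaves the owning module's image.

    Legitimate functions may begin with a jmp to another routine in the same
    module (thunks, hot-patch stubs), so an in-module target is not flagged.
    """
    target = decode_trampoline(prologue, address)
    if target is None:
        return False
    lo, hi = module_range
    return not (lo <= target < hi)


def scan(functions, module_range):
    """Apply the check to {name: (address, prologue_bytes)} and list the hooked names."""
    return sorted(name for name, (addr, pro) in functions.items() if is_hooked(pro, addr, module_range))


# Constructed module image range and function address
MODULE_RANGE = (0x7FF800000000, 0x7FF800200000)
FUNC_ADDR = 0x7FF800001000

# Clean prologue shaped like an x64 syscall stub: mov r10, rcx ; mov eax, <constructed number>
CLEAN = b"\x4C\x8B\xD1\xB8\x55\x00\x00\x00"
# Patched prologue: jmp rel32 to an address past the end of the module
HOOK_TARGET = 0x7FF800300000
HOOKED = b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5)) + b"\x00\x00\x00"
# Benign in-module jmp: a thunk to a routine 0x200 bytes further on
THUNK = b"\xE9" + struct.pack("<i", 0x200) + b"\x00\x00\x00"
# The other two trampoline encodings, both pointing outside the module
PUSH_RET = b"\x68" + struct.pack("<I", 0x12345678) + b"\xC3"
MOVABS = b"\x48\xB8" + struct.pack("<Q", HOOK_TARGET) + b"\xFF\xE0"

SAMPLE_FUNCTIONS = {
    "NtOpenFile_like": (FUNC_ADDR, CLEAN),
    "NtCreateFile_like": (FUNC_ADDR + 0x20, HOOKED),
    "ForwarderThunk": (FUNC_ADDR + 0x40, THUNK),
}

if __name__ == "__main__":
    print("hooked:", scan(SAMPLE_FUNCTIONS, MODULE_RANGE))
```

On a real system the prologue bytes come from reading the live module's memory and the module range from its load address and image size; the decoding above is deliberately limited to the trampoline shapes named in the lead-in, so a scanner would pair it with the disk-versus-memory comparison rather than rely on it alone.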
Application Level Rootkits:
Application rootkits can come hidden inside any application program. They may grant partial or complete access to an attacker on your system. The best way to prevent them is to use software from trusted vendors and keep Anti-Virus updated.
