Malware: Rootkits
In the continuing series on Malware, we have reached one of the scariest – and most potent – forms of malware out there: the rootkit. In this article I’ll explain what a rootkit is, why it is dangerous, what different forms there are of this beastie, and what you can do to protect yourself. It is very important to be aware of this form of malware, as it will not make itself known to you unless you actively hunt it down. Let’s dive in and figure out just what the heck these things are, shall we?
A What Now?
A rootkit originally came from UNIX-land and was a set of tools (some of which you may have heard of – netstat, passwd, etc.) that an attacker modified to gain full control of the computer – all the while being undetectable to the systems administrators. It is extremely unlikely that you are here on a UNIX system, so let’s investigate what a rootkit is on a Windows machine.
A rootkit on Windows is a program that hides things (files, memory addresses, network connections and activity, processes, etc.) from the operating system, the user, and from other programs such as anti-spyware. While a rootkit isn’t inherently evil, it usually is – since you are here.
It is easiest to think of Windows as analogous to the earth’s crust that you learned about in middle school: it is a layered object with several rings. At the center of this object is the kernel – the heart of Windows. This is known as Ring 0; each ring outward from the core (Ring 1, Ring 2, Ring 3) is one step further from the center.
Don’t worry, I won’t get too technical here. Just know that each ring inwards gets more serious as we approach the core (the kernel). For example:
A Ring 3 level rootkit may include the ability to intercept messages, exploit security vulnerabilities, or hook onto a common API to mask/hide a running process or file that is on your system.
A Ring 0 rootkit, also known as a kernel-mode rootkit, is very serious and can add to or replace portions of the operating system, portions of drivers, or even the kernel itself! Kernel-mode rootkits are almost impossible to detect, and can be very hard to remove (I’ll get to that – no worries). This is because they operate with the same level of permission and access that the operating system has. This enables them to subvert monitoring by anti-malware tools, and many or all of the protections built into the operating system.
How does it do this, you are wondering, aren’t you? You are wondering, right? Well, I’m going to tell you anyway. A rootkit uses a method called Direct Kernel Object Modification (DKOM) to hook kernel functions into the System Service Descriptor Table (the SSDT), or it modifies the gates between user mode and kernel mode. Lost you, didn’t I? Think of it as a baddie that sneaks in through a closing door to reach the vault with all of the money in it. That still doesn’t answer how they got on your computer though, does it? Typically, rootkits are installed by taking advantage of a security vulnerability in a piece of software (*cough* Adobe Reader *cough* Adobe Flash). They can infect your machine through more traditional means as well (Trojan Horses, for example). But you don’t get those, right? Right?
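Since the whole point of a rootkit is to filter a process or file out of the list that the operating system hands to Task Manager or a scanner, the classic defensive check is a "cross-view" comparison: gather the same inventory two different ways and see whether one view is missing something the other can see. The script below is an added example written for this article (it is not code from the original post or from any named tool). It is Linux-specific, taking one view from the `/proc` directory listing and a second from probing each process id with signal 0; the comparison function itself works on any constructed input, and the constructed views in the test are illustrative.

```python
"""Cross-view process check (added illustration, not part of the original post).

A rootkit that hooks a listing API can drop one entry from what callers see.
Here two independent views of "which processes exist" are compared: the
/proc directory listing (what a hooked listing call could filter) and a
brute-force probe that asks the kernel about each pid directly.
"""
import os
from typing import Iterable, Set


def hidden_entries(trusted_view: Iterable[int], presented_view: Iterable[int]) -> Set[int]:
    """Ids present in the low-level view but filtered out of the presented one."""
    return set(trusted_view) - set(presented_view)


def _alive(pid: int) -> bool:
    """Signal 0 delivers nothing but reports whether a process exists:
    ESRCH (ProcessLookupError) means no such process; success or EPERM
    (PermissionError) means something is there, listed or not."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def procfs_view() -> Set[int]:
    """Pids as /proc lists them, plus the thread ids of each listed process.
    Thread ids are included so that a probe hitting a thread of a visible
    process is not mistaken for a hidden process (kill() accepts thread ids)."""
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings; nothing to record
    return ids


def probe_view(max_pid: int) -> Set[int]:
    """Every pid in 1..max_pid that the kernel says exists, independent of any
    directory listing. Pass the system's real limit (see pid_max below)."""
    return {pid for pid in range(1, max_pid + 1) if _alive(pid)}


def cross_view_check(max_pid: int = 65536) -> Set[int]:
    """Ids the probe finds but /proc does not. Candidates are re-checked once
    against a fresh listing and a fresh probe so that a process that merely
    exited between the two snapshots is not reported as hidden."""
    candidates = hidden_entries(probe_view(max_pid), procfs_view())
    if not candidates:
        return set()
    listed_again = procfs_view()
    return {pid for pid in candidates if _alive(pid) and pid not in listed_again}


if __name__ == "__main__":
    # The kernel's configured upper bound for pids; fall back to the default.
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read().strip())
    except OSError:
        pid_max = 32768
    suspects = cross_view_check(pid_max)
    print("hidden process ids:", sorted(suspects) if suspects else "none found")
```

Run it as an ordinary user; no special privileges are needed, because a PermissionError from the probe is itself evidence that a process exists. The caveat matches the article's own point about rings: this check only catches hiding done above the system-call boundary. A Ring 0 rootkit that filters inside the kernel can lie to both views at once, which is why the scan-from-bootable-media advice further down matters.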
Am I Screwed?
How do you know if you have one? You don’t. Unless you run this tool from Microsoft. Download this tool and burn or transfer it to a blank CD/DVD/USB drive. Put it into your machine and reboot. Follow the steps necessary to scan your computer. Simple. Nice.
Don’t Get Screwed!
What can you do to prevent getting a rootkit? Read my Secure Computing Habits page. Download a strong anti-malware program, keep it updated, and scan your computer regularly. Turn on your firewall, if it isn’t already. This last step is the most difficult, only because it is a total pain in the you-know-what: keep the applications that you use up to date. I know that is almost impossible with Adobe updating their software every other day, and Apple updating iTunes daily. Why are you using iTunes again? Why (there isn’t a good answer here)?
For all intents and purposes, that is what rootkits are. They are forms of malware that dig deep into your system and attach themselves to the very heart of your machine. They are able to modify your system in order to prevent you from knowing that they are there, and thus from removing them. They can track you, steal your personal information – the sky is the limit with a rootkit. It is probably the most dangerous form of malware you will come across.
If you’d like to know more, please check out Geek University where I will dive into these topics in-depth. In the meantime, hug your favorite Geek!