From Surf Wiki (app.surf) — the open knowledge base
Rootkit
Software designed to enable access to unauthorized locations in a computer
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a compound of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Rootkit installation can be automated, or an attacker can install it after having obtained root or administrator access. Obtaining this access is a result of direct attack on a system, i.e., exploiting a vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like "phishing"). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavior-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.
History
The term rootkit, rkit, or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.
The first documented computer virus to target the personal computer, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept. Over time, DOS-virus cloaking methods became more sophisticated. Advanced techniques included hooking low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files.
The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund. It was followed by HackerDefender in 2003. The first rootkit targeting Mac OS X, WeaponX/Weapox, appeared in 2004.
Lenovo BIOS Rootkit (Lenovo Service Engine) Incident (2015)
In mid-2015, it was discovered that Lenovo had been shipping certain consumer PCs with firmware that behaved like a built-in rootkit. The feature, called Lenovo Service Engine (LSE), was embedded in the system BIOS and would execute on startup, even before Windows booted. LSE was designed to ensure that Lenovo’s system update utility and related pre-installed programs remained installed by automatically reinstalling them if they were removed. Because it resided in firmware, the code was difficult for users to detect or remove; even a clean Windows installation would not eliminate LSE, as it would be reinstalled on the next reboot.
Researchers later discovered that LSE introduced a serious security issue – a vulnerability allowing a privilege escalation attack (via a buffer overflow) to gain administrator-level control. In response, Lenovo released BIOS updates and a removal utility in 2015 to disable and delete the LSE feature. Microsoft also updated its Windows security guidelines to bar such firmware behavior, effectively forcing Lenovo to cease using LSE in new systems. The LSE functionality was removed from subsequent models, and Lenovo urged customers to install the updated firmware to eliminate the risk.
Stuxnet (2010)
Main article: Stuxnet
Stuxnet, uncovered in 2010, was a highly sophisticated worm developed in a joint U.S.–Israeli intelligence operation targeting Iran’s nuclear facilities. It notably included a Windows kernel-mode rootkit that concealed the malware’s files and processes, enabling the worm to silently sabotage industrial control systems. Stuxnet is often cited as the first known cyberweapon; it destroyed a significant part of Iran’s uranium centrifuges, while remaining difficult to detect.
Sony BMG copy protection rootkit scandal (2005)
Main article: Sony BMG copy protection rootkit scandal
In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet. The software included a music player but silently installed a rootkit which limited the user's ability to access the CD.
Greek wiretapping case (2004–05)
Main article: Greek wiretapping case 2004–05
The Greek wiretapping case 2004–05 is also referred to as Greek Watergate.
Uses
Modern rootkits do not elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities.
Rootkits and their payloads have many uses:
- Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.
- Conceal other malware, notably password-stealing key loggers and computer viruses.
- Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large botnets that can, amongst other things, launch denial-of-service attacks, distribute email spam, and conduct click fraud.
In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user:
- Detect attacks, for example, in a honeypot.
- Enhance emulation software and security software.
- Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.
- Bypassing Microsoft Product Activation.
Types
There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.
User mode
User-mode rootkits run in Ring 3, alongside ordinary user applications rather than low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application. Injection mechanisms include:
- Use of vendor-supplied application extensions. For example, Windows Explorer has public interfaces that allow third parties to extend its functionality.
- Interception of messages.
- Debuggers.
- Exploitation of security vulnerabilities.
- Function hooking or patching of commonly used APIs, for example, to hide a running process or file that resides on a filesystem.
Kernel mode
Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write. The complexity makes bugs common, and any bugs in code operating at the kernel level may seriously impact system stability, leading to discovery of the rootkit. One of the first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack magazine in 1999 by Greg Hoglund.
A rootkit can modify data structures in the Windows kernel using a method known as direct kernel object manipulation (DKOM).
Bootkits
A kernel-mode rootkit variant called a bootkit can infect startup code like the Master Boot Record (MBR), Volume Boot Record (VBR), or boot sector, and in this way can be used to attack full disk encryption systems. An example of such an attack on disk encryption is the "evil maid attack", in which an attacker installs a bootkit on an unattended computer. The envisioned scenario is a maid sneaking into the hotel room where the victims left their hardware.
Hypervisor level
Rootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system. Blue Pill is one example of such software. In 2009, researchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit called Hooksafe, which provides generic protection against kernel-mode rootkits.
Firmware and hardware
A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a router or a network card.
Intel Active Management Technology, part of Intel vPro, implements out-of-band management, giving administrators remote administration, remote management, and remote control of PCs with no involvement of the host processor or BIOS, even when the system is powered off. Remote administration includes remote power-up and power-down, remote reset, redirected boot, console redirection, pre-boot access to BIOS settings, programmable filtering for inbound and outbound network traffic, agent presence checking, out-of-band policy-based alerting, access to system information, such as hardware asset information, persistent event logs, and other information that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off. Some of these functions require the deepest level of rootkit, a second non-removable spy computer built around the main computer. Sandy Bridge and future chipsets have "the ability to remotely kill and restore a lost or stolen PC via 3G". Hardware rootkits built into the chipset can help recover stolen computers, remove data, or render them useless, but they also present privacy and security concerns of undetectable spying and redirection by management or hackers who might gain control.
Installation and cloaking
Rootkits employ a variety of techniques to gain control of a system; the type of rootkit influences the choice of attack vector. The most common technique leverages security vulnerabilities to achieve surreptitious privilege escalation. Another approach is to use a Trojan horse, deceiving a computer user into trusting the rootkit's installation program as benign—in this case, social engineering convinces a user that the rootkit is beneficial. The installation task is made easier if the principle of least privilege is not applied, since the rootkit then does not have to explicitly request elevated (administrator-level) privileges. Other classes of rootkits can be installed only by someone with physical access to the target system. Some rootkits may also be installed intentionally by the owner of the system or somebody authorized by the owner, e.g. for the purpose of employee monitoring, rendering such subversive techniques unnecessary.
Once installed, a rootkit takes active measures to obscure its presence within the host system through subversion or evasion of standard operating system security tools and application programming interfaces (APIs) used for diagnosis, scanning, and monitoring. Rootkits achieve this by modifying the behavior of core parts of an operating system through loading code into other processes, the installation or modification of drivers, or kernel modules. Obfuscation techniques include concealing running processes from system-monitoring mechanisms and hiding system files and other configuration data.
Detection
The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components.
For kernel-mode rootkits, detection is considerably more complex, requiring careful scrutiny of the System Call Table to look for hooked functions where the malware may be subverting system behavior.
Alternative trusted medium
The best and most reliable method for operating-system-level rootkit detection is to shut down the computer suspected of infection, and then to check its storage by booting from an alternative trusted medium (e.g., a "rescue" CD-ROM or USB flash drive).
Behavioral-based
The behavioral-based approach to detecting rootkits attempts to infer the presence of a rootkit by looking for rootkit-like behavior. For example, by profiling a system, differences in the timing and frequency of API calls or in overall CPU utilization can be attributed to a rootkit. The method is complex and is hampered by a high incidence of false positives. Defective rootkits can sometimes introduce very obvious changes to a system: the Alureon rootkit crashed Windows systems after a security update exposed a design flaw in its code.
Signature-based
Antivirus products rarely catch all viruses in public tests (depending on what is used and to what extent), even though security software vendors incorporate rootkit detection into their products. Should a rootkit attempt to hide during an antivirus scan, a stealth detector may notice; if the rootkit attempts to temporarily unload itself from the system, signature detection (or "fingerprinting") can still find it. This combined approach forces attackers to implement counterattack mechanisms, or "retro" routines, that attempt to terminate antivirus programs. Signature-based detection methods can be effective against well-published rootkits, but less so against specially crafted, custom-root rootkits.
Difference-based
Another method that can detect rootkits compares "trusted" raw data with "tainted" content returned by an API. For example, binaries present on disk can be compared with their copies within operating memory (in some operating systems, the in-memory image should be identical to the on-disk image), or the results returned from file system or Windows Registry APIs can be checked against raw structures on the underlying physical disks.
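The cross-view comparison described above, applied to process visibility on Linux, as an added example that is not part of the original article: the readdir-based listing of /proc (the API view that ps and top consume) is compared against a signal-0 probe of every PID (an independent code path), and a PID alive in the probe but absent from a fresh listing is reported as hidden. PROBE_LIMIT and all function names are this example's own assumptions; thread ids are handled explicitly because non-leader threads are never listed in /proc yet answer the probe, which would otherwise produce false positives.

```python
"""Cross-view detection of hidden processes on Linux (added example).

Two independent views of "which PIDs exist" are compared: the readdir()-based
listing of /proc, which ps/top consume and which a user-mode rootkit commonly
hooks, and a signal-0 probe of every PID in a range, a different code path
that the same hook does not cover. A PID alive in the probe but absent from a
fresh listing, and not merely a thread id, is reported as hidden.
"""
import os
import threading

# Assumed demonstration bound; the kernel's real ceiling is /proc/sys/kernel/pid_max.
PROBE_LIMIT = 65536


def listed_pids():
    """API view: numeric entries returned by listing /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_alive(pid):
    """Raw view: kill(pid, 0) delivers no signal but reports whether the PID exists.
    ESRCH means no such process; EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(limit=PROBE_LIMIT):
    """Every PID below limit that answers the probe (thread ids answer too)."""
    return {pid for pid in range(1, limit) if pid_alive(pid)}


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if unreadable. /proc/<tid> is reachable
    by path even though readdir on /proc omits non-leader thread ids."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def classify(pid):
    """Classify a PID that the probe saw but the listing did not.
    'race'   - present in a fresh listing, or exited since: benign timing
    'thread' - a thread id inside a multithreaded process: benign, never listed
    'hidden' - alive, a thread-group leader (or its /proc entry is unreadable),
               and still missing from the listing: the rootkit-like signature"""
    if pid in listed_pids() or not pid_alive(pid):
        return "race"
    tgid = thread_group_id(pid)
    if tgid is not None and tgid != pid:
        return "thread"
    return "hidden"


def cross_view_diff(limit=PROBE_LIMIT):
    """Return {'hidden': set, 'thread': set, 'race': set} for PIDs below limit
    that the probe reports but the /proc listing does not."""
    listed = listed_pids()
    result = {"hidden": set(), "thread": set(), "race": set()}
    for pid in probed_pids(limit) - listed:
        result[classify(pid)].add(pid)
    return result


def self_pid_consistent():
    """Both views, and the Tgid lookup, must agree about the calling process."""
    me = os.getpid()
    return me in listed_pids() and pid_alive(me) and thread_group_id(me) == me


def thread_view_check():
    """Exercise the thread edge case: a worker thread's kernel TID answers the
    probe and is absent from the /proc listing, yet must classify as 'thread'."""
    started, release, tid = threading.Event(), threading.Event(), []

    def worker():
        tid.append(threading.get_native_id())
        started.set()
        release.wait()

    threading.Thread(target=worker).start()
    started.wait()
    try:
        return classify(tid[0])
    finally:
        release.set()


if __name__ == "__main__":
    print("self-consistent:", self_pid_consistent())
    print("thread id classifies as:", thread_view_check())
    print("cross-view diff:", cross_view_diff())
```

A /proc mounted with the hidepid option also removes other users' entries from the listing while kill() still answers EPERM, so a 'hidden' result on such a system must be checked against the mount options before it is treated as a rootkit indicator.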
Integrity checking
Code signing uses public-key infrastructure to check if a file has been modified since being digitally signed by its publisher. Alternatively, a system owner or administrator can use a cryptographic hash function to compute a "fingerprint" at installation time that can help to detect subsequent unauthorized changes to on-disk code libraries.
More-sophisticated rootkits are able to subvert the verification process by presenting an unmodified copy of the file for inspection, or by making code modifications only in memory or in reconfiguration registers, which are later compared to a white list of expected values.
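An added example (not the article's or any vendor's code) of the install-time fingerprinting just described: a SHA-256 manifest is built over a tree and kept as plain JSON, and a later verification reports the tampering cases that matter to a defender separately: a same-size replacement of a 'login' binary, a binary that has become setuid, a dropped library and a removed file. All paths, file contents and function names are constructed for the demonstration.

```python
"""Install-time fingerprinting of on-disk code and later verification (added example).

A manifest of SHA-256 digests, sizes and permission bits is built over a tree
and kept as plain JSON so it can be stored off the machine; verifying the same
tree later reports content changes, permission changes, additions and removals.
"""
import hashlib
import json
import os
import tempfile


def fingerprint(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks are skipped so a link to a file outside the tree cannot stand in for
    the file it replaces."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": fingerprint(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return manifest


def verify(root, baseline):
    """Compare the tree against a stored baseline. A content change is reported as
    'modified' even when the size is unchanged; a permission-only change (for
    example a binary that has become setuid) is reported as 'mode_changed'."""
    current = build_manifest(root)
    report = {"modified": [], "mode_changed": [], "removed": []}
    for rel, entry in baseline.items():
        now = current.get(rel)
        if now is None:
            report["removed"].append(rel)
        elif now["sha256"] != entry["sha256"]:
            report["modified"].append(rel)
        elif now["mode"] != entry["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = list(set(current) - set(baseline))
    return {key: sorted(value) for key, value in report.items()}


def write_file(root, rel, data, mode=0o755):
    """Helper for the constructed tree: write data and set an exact mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small tree, round-trip the manifest through
    JSON as off-box storage would, alter the tree, and verify against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "bin/login", b"\x7fELF original login\n")
        write_file(root, "bin/ps", b"\x7fELF ps\n")
        write_file(root, "lib/libc.so", b"\x7fELF libc\n", 0o644)
        baseline = json.loads(json.dumps(build_manifest(root)))
        # Same-size replacement: name and size give nothing away, the digest does.
        write_file(root, "bin/login", b"\x7fELF backdoor login\n")
        os.chmod(os.path.join(root, "bin/ps"), 0o4755)  # permission-only change
        write_file(root, "lib/libhide.so", b"\x7fELF hook\n", 0o644)
        os.remove(os.path.join(root, "lib/libc.so"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```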
Memory dumps
Forcing a complete dump of virtual memory will capture an active rootkit (or a kernel dump in the case of a kernel-mode rootkit), allowing offline forensic analysis to be performed with a debugger against the resulting dump file, without the rootkit being able to take any measures to cloak itself. This technique is highly specialized, and may require access to non-public source code or debugging symbols. Memory dumps initiated by the operating system cannot always be used to detect a hypervisor-based rootkit, which is able to intercept and subvert the lowest-level attempts to read memory—a hardware device, such as one that implements a non-maskable interrupt, may be required to dump memory in this scenario.
Removal
Manual removal of a rootkit is often extremely difficult for a typical computer user.
Defenses
System hardening represents one of the first layers of defence against a rootkit, to prevent it from being able to be installed in the first place.
Another defense mechanism called the Virtual Wall (VTW) approach, serves as a lightweight hypervisor with rootkit detection and event tracing capabilities. In normal operation (guest mode), Linux runs, and when a loaded LKM violates security policies, the system switches to host mode. The VTW in host mode detects, traces, and classifies rootkit events based on memory access control and event injection mechanisms. Experimental results demonstrate the VTW's effectiveness in timely detection and defense against kernel rootkits with minimal CPU overhead (less than 2%). The VTW is compared favorably to other defense schemes, emphasizing its simplicity in implementation and potential performance gains on Linux servers.
References
- (2016-08-23). "Cyber-security of SCADA and Other Industrial Control Systems". Springer.
- (2021-04-09). "What is Rootkit – Definition and Explanation".
- "CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS".
- Hern, Alex. (2015-08-14). "Lenovo does it again as LSE component removed after security fears". The Guardian.
- "Is Stuxnet the ‘best’ malware ever?".
- "The Real Story of Stuxnet - IEEE Spectrum".
- Weinberger, Sharon. (2011-06-01). "Computer security: Is this the start of cyberwarfare?". Nature.
- (July 2007). "The Athens Affair".
- Marks, Joseph. (July 1, 2021). "The Cybersecurity 202: DOJ's future is in disrupting hackers, not just indicting them". The Washington Post.
- (2006). "Symantec Releases Update for its Own Rootkit". HWM.
- Osborne, Charlie. (September 17, 2019). "Skidmap malware buries into the kernel to hide illicit cryptocurrency mining".
- Salter, Jim. (July 31, 2020). "Red Hat and CentOS systems aren't booting due to BootHole patches".
- McAllister, Neil. "Microsoft tightens grip on OEM Windows 8 licensing".
- (11 July 2023). "Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)".
- (2015-07-13). "Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems - TrendLabs Security Intelligence Blog".
- Modine, Austin. (2008-10-10). "Organized crime tampers with European card swipe devices: Customer data beamed overseas". Situation Publishing.
- Gatlan, Sergiu. (May 6, 2021). "New Moriya rootkit used in the wild to backdoor Windows systems".
- Steinberg, Joseph. (June 9, 2021). "What You Need To Know About Keyloggers".
- (2017). "Windows Virus and Malware Troubleshooting". Apress.
- (2021). "Virtual Wall: Filtering Rootkit Attacks to Protect Linux Kernel Functions". IEEE Transactions on Computers.
This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page.