Rootkits: Hiding in Windows shadows

Most malware are like leeches on your computer's software. But, a rootkit can turn your computer's very operating system against you.


If you're a smart Windows user, you probably already know the basics of protecting your computer from malware. That is to say, you know you need to update your computer with regular patches and to install, and keep updated, an anti-virus program. Windows may be inherently unsafe, but with those precautions it's reasonably secure. Isn't it? Well, no. You see, there's one kind of malware, the rootkit, that turns your operating system into a zombie and turns off any patches or updates that might threaten it.

Rootkits didn't start with Windows. As the name indicates, they actually date back to Unix. There, the top-level operating system administrator has the user name of 'root.' As root, or super-user, the administrator has far more power over the computer than any ordinary user. As the saying goes in Unix and Linux circles, "To err is human, to really foul up requires the root password."

While rootkit problems still exist in Unix and Linux, they're far more common in Windows. That's in part because the Unix operating family has many built-in system monitoring and logging tools. In other words, while Unix and Linux can be attacked this way, it's a lot harder to pull off without leaving tracks.

Windows, especially desktop Windows like XP and 7, is far easier to infect with a rootkit. And, once infected, your system no longer really belongs to you. It belongs to your attacker.

That's because a rootkit isn't about cracking your security and breaking into your PC. No, rootkits are placed on your computer after it's already been compromised in some other way. Once there, unless you go looking for them, you may never find them. And, even if you do look for them, they can be hard to see.

As Ryan Smith, principal researcher for Accuvant Labs, a security consulting business, said, "Rootkits are tools that attackers use to hide their presence on compromised systems. Originally they started off as replacements for system programs that might show traces of an attacker. These replacements had additional code added into them to prevent the legitimate system owners from seeing these traces an attacker leaves behind."

The reason why they're so hard to find is that, Smith explained, "Software has continued to evolve to meet the needs of rootkit detection by staying up-to-date with the latest trends. Rootkits have continued to evolve by delving deeper into the system. The trend went from modifications of system programs, to modifications of the kernel, all the way to modifications of the system BIOS and leveraging processor virtualization features."

I'm sure you get the picture. An ordinary anti-virus program, if it isn't simply turned off or told to ignore the rootkit, isn't going to dig around your PC's BIOS looking for trouble.

Once in place, a rootkit gives remote attackers administrative access to compromised machines via a network back-door. They can do anything they want to your machine: look through your hard drive, set up or delete user accounts, add, delete, or modify files, or wreck your PC. Attackers who use rootkits aren't likely to do any of those things, though. No, your PC is more valuable to them as a soldier in an Internet-connected botnet army.

The one thing that a rootkit is likely to do directly to you is to install updated versions of itself. Or, perhaps install more malware. I know, I know, you really didn't want to hear that, but it's the truth.

Detecting the Rootkit

So, how do you know if you have one? Some of the most common signs are unexplained network activity or system slowdowns. Let's be frank, though: it's not going to be easy. For example, most ordinary firewall programs or devices, which can stop most unauthorized network activity, would never spot Hacker Defender. This old "kernel mode" rootkit, which manipulates data as it is passed to and from Windows' core programs, communicates with its master by piggybacking on commonly used TCP ports such as 135, which normally carries traffic for a variety of client/server applications.
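The point above is that a rootkit's traffic hides inside a port the firewall already allows. What a defender can still do is look at where that port's traffic goes. The script below is an added example, not code from the article or from any product it names: it parses a handful of constructed firewall-style log lines and flags connections on a LAN-only port (135, the Windows RPC endpoint mapper, is assumed here to have no legitimate reason to reach the public Internet from a workstation) whose destination lies outside the private address ranges. The log format, the address lists and the sample lines are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample log (assumption: the format is invented for this example):
# <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <state>
SAMPLE_LOG = """\
2011-05-02T10:01:13 TCP 192.168.1.20:49213 -> 192.168.1.5:135 ESTABLISHED
2011-05-02T10:01:20 TCP 192.168.1.20:49220 -> 203.0.113.77:135 ESTABLISHED
2011-05-02T10:02:05 TCP 192.168.1.20:49231 -> 198.51.100.9:443 ESTABLISHED
2011-05-02T10:03:41 TCP 192.168.1.20:49240 -> 203.0.113.77:135 ESTABLISHED
"""

Connection = namedtuple("Connection", "ts proto src sport dst dport state")

# Ports that are normal on a LAN but are assumed to have no business leaving
# it from a workstation. 135 is the RPC endpoint mapper the article mentions.
LAN_ONLY_PORTS = {135}

# RFC 1918 ranges plus loopback. Python's ip.is_private also treats the
# documentation ranges used in the sample log as private, so we keep our own list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the internal ranges above."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Turn one log line into a Connection with typed addresses and ports."""
    ts, proto, src, _arrow, dst, state = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Connection(ts, proto,
                      ipaddress.ip_address(src_ip), int(src_port),
                      ipaddress.ip_address(dst_ip), int(dst_port), state)


def suspicious_connections(log_text):
    """Return connections on a LAN-only port whose destination is not internal."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        if conn.dport in LAN_ONLY_PORTS and not is_internal(conn.dst):
            hits.append(conn)
    return hits


def summarize(hits):
    """Count hits per (destination, port) so a repeated beacon stands out."""
    counts = {}
    for conn in hits:
        key = (str(conn.dst), conn.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (dst, port), n in summarize(suspicious_connections(SAMPLE_LOG)).items():
        print(f"{n} connection(s) to {dst}:{port} on a LAN-only port")
```

The first line in the sample (port 135 to another machine on the same LAN) is ordinary Windows behaviour and is left alone; the two connections to the same external address on that port are what the rule surfaces. A real deployment would feed it the firewall's own export and tune INTERNAL_NETS to the site's address plan.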

A better way of addressing the problem is just to assume that if you've ever had a security problem with your PC, or a PC on the network it's on, that there's a good chance you have one. Lucky you.

There are three basic ways of hunting down rootkits. They are:

Signature-based detection: These work like old-style Windows anti-virus and malware detectors. They scan through your system looking for the tell-tale signs of specific, known rootkits.

The one thing programs that use this method have going for them is that they're fast. That's it. They'll miss most sophisticated rootkits, and they can't detect new rootkits because they won't have a signature for them.

Heuristic/behavior-based detection: This is a better, but still not fool-proof, method. In this method, which is used by such programs as Avast and NovaShield, the name of the game is to look for oddball behavior from the system that shows evidence of a rootkit at work.

For example, if your system reports that you have X amount of free space on your hard drive, while the anti-rootkit program finds that you've only used Y amount of space, which should leave Z amount of free space, and X and Z don't agree, a rootkit might be hiding its files on the drive. The problem with this method is that it can slow down a PC while it's on patrol for rootkits.

Snapshot/hash-based detection: Here, the idea is to compare a snapshot of a known-good PC file system, or a cryptographic hash of the contents of parts of the file system, with its current state. If there's an unexplained difference, then -- ah-ha! -- we may have a rootkit. Of course, there are many reasons why files and directories can change, and almost all of them have nothing to do with rootkits, so this can also lead to false positives.
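The snapshot/hash-based method just described, as an added example that is not code from the article or from any product it mentions: take a SHA-256 fingerprint of every file under a directory, keep that as the baseline, and later diff a fresh snapshot against it to list modified, added and removed files. The demo builds a small constructed directory tree in a temporary folder (the file names and contents are invented), flips a single bit in one file and drops in a new one, then reports the differences. Nothing here is a real Windows path.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digest(full)
    return result


def compare(baseline, current):
    """Diff two snapshots; a one-bit change shows up as a different digest."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        # Constructed stand-ins for system binaries; contents are arbitrary bytes.
        files = {"system32/netstat.exe": b"constructed netstat bytes",
                 "system32/tasklist.exe": b"constructed tasklist bytes"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        baseline = snapshot(root)
        # Round-trip through JSON, as a real tool would store the baseline
        # somewhere the monitored machine cannot rewrite it.
        baseline = json.loads(json.dumps(baseline))

        # Tamper: flip one bit of one file and add a new file.
        target = os.path.join(root, "system32", "netstat.exe")
        with open(target, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01
        with open(target, "wb") as f:
            f.write(bytes(data))
        with open(os.path.join(root, "system32", "drv.sys"), "wb") as f:
            f.write(b"constructed new driver bytes")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

One practical caveat that the article's next paragraphs get at: this checker reads files through the same operating system a kernel-mode rootkit controls, so on a live system it can be shown clean copies. It is most trustworthy when the baseline is stored off the machine and the comparison is run from a separately booted, known-good medium.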

Still, as Smith said, programs that use this method are better than the others. "These pieces of software would take simple cryptographic fingerprints of legitimate binaries and periodically compare them against the installed software. If a single bit of the file was changed, it would dramatically change the fingerprint. These tools were quite effective in detecting these rootkits."

Notice, though, that Smith said they "were" effective. Smith explained, "As these rootkit countermeasures matured, attackers evolved their tools. All of the programs that might show traces of attacker activity relied on a central piece of software: the kernel. So attackers found ways to modify the kernel to hide their traces. It was effective at combating the signature-based anti-rootkit technology, and was indicative of a trend that continues to this day; rootkits are a game of cat and mouse."

So what can you do as a mouse? The best thing is to make sure you use anti-virus programs that specifically state they include anti-rootkit features, from top security companies like Kaspersky Lab, Sophos and Symantec. Playing against rootkits is one game where you don't want to be caught.
