Rootkit: Definition, Prevention and Removal
DEFINITION
A rootkit is not a single piece of software or code designed with a single task; rather, it is a system of several programs designed to take control of a machine at the administrator level and to maintain that control undetected by the system's users or legitimate administrators. Rootkits are by far the most dangerous threats to computer security, even when they are authored by legitimate companies for legitimate reasons.
What makes the rootkit so dangerous is its ability to hide itself and its subordinate processes from view. A well-written rootkit will change the way the operating system sees and reports running programs and processes, effectively making it blind to the unwanted software. As the rootkit takes more and more control, it can make changes to the system's kernel, daemons, drivers, and configuration files, all to mask its presence. A successful rootkit will rewrite the login script so that it accepts the attacker's login regardless of any changes made to the system by users or administrators. This hidden login gives the attacker unlimited control of the machine at will.
Rootkits are used like worms to create zombie machines. They are especially effective in the distribution of illegal material over the internet because the rooted machine identifies itself as the source, instead of the attacker's machine. Rootkits almost always open back doors to allow illicit communications. These back doors open the machine up for a host of other problems, adding to the already troubled system. Even rootkits designed for good purposes have this flaw, causing unwanted consequences for the author. Rootkits have been used to record keystrokes, mine for data, launch Denial of Service attacks, access bank accounts, disrupt business activities, and so on.
PREVENTION
Rootkit prevention is difficult, but not impossible. Since the bulk of rootkit attacks come from the internet, the most effective form of prevention is a firewall. Many rootkit attacks begin with a payload from a virus or worm, a payload that opens a back door through which the rest of the rootkit is downloaded. A firewall will monitor all incoming traffic, including scan attempts that might be made by a worm. If the firewall is set up properly, it should not allow unauthorized traffic to pass through.
Every type of malware has its weakness, and the weakness of the rootkit is the fact that it requires administrative privileges to execute its initial setup. On a Windows-based home system this is usually not a problem, since rights management is virtually non-existent. On a Windows corporate system, or a Mac or Unix system, administrative privileges are much more secure, requiring an administrator to be fooled into executing the rootkit installation. With that said, the biggest prevention weapon for admins is simply to not install any software, drivers, or scripts that do not come from trusted and verified sources. Unix users should keep kernels up to date, and all admins, regardless of operating system, should keep machines current with security updates.
REMOVAL
Rootkit removal, like prevention, is difficult but not impossible. Oftentimes these programs go undetected by anti-virus software; there have even been reported cases of a rootkit rewriting portions of an anti-virus program, rendering it completely impotent. Due to the stealthy nature of rootkits, detection and removal are heavily dependent on recognizing symptoms. Unusually high network traffic, failing device drivers, odd command-line behavior, increased system crashes and freezes, increasingly slow performance, and identity theft issues are all symptoms of a possible rootkit attack. How these symptoms manifest themselves will give clues to the particular rootkit at work.
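Symptom-watching can be backed up with a concrete check for the kind of tampering described above (a rewritten login program, altered configuration files, dropped helper files). The following Python script is an added example, not code from the original article: it records a SHA-256 baseline of the files under a watched directory and later reports anything modified, removed or added. The directory layout, file contents and function names are all constructed for the demonstration; they are not real system paths.

```python
"""Baseline file-integrity check for spotting rootkit-style file tampering."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (think /etc, /sbin) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and classify every difference against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "removed": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Build a trusted baseline, then simulate tampering and verify against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed stand-ins for a config file and a login binary.
        (root / "etc" / "login.defs").write_text("UMASK 022\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed original login")
        # The baseline must be stored off-host (read-only media) or the rootkit can edit it too.
        snapshot = json.dumps(build_baseline(root))
        # Simulated tampering: the login binary is replaced and a hidden helper is dropped.
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed replaced login")
        (root / "bin" / ".hidden_helper").write_bytes(b"constructed helper")
        return verify_baseline(root, json.loads(snapshot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because a kernel-level rootkit can hide files and processes from the running system, run this kind of check from a trusted boot medium against the mounted disk rather than from inside the suspect operating system.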
If you have identified a rootkit on your machine, consult the website of your anti-virus vendor or a security professional for removal instructions. Removal is often tedious and extensive, and rarely can a machine be completely cleaned without causing damage to the operating system. Registry entries will need deletion or repair, communications channels will have to be closed, system files might need regeneration, and so on. If a rootkit goes undetected for a long period of time, it is common for the damage to be so severe as to require a clean installation of the operating system.