Friends, this time I decided to write a short explanation about rootkits.
Almost all of us must have encountered this term at some point, especially when talking or reading about an antispyware or antivirus utility. Most of us are quite familiar with terms like viruses, Trojan horses and worms, but for some of us the confusion about rootkits persists.
So let me start with the most basic question: what is a rootkit? Is it a virus, a trojan, a worm? Well, a rootkit is a program designed to hide itself, its related processes, files, folders, registry keys and other malware (short for malicious software).
Now the question arises: what can be the intent of deploying a rootkit on a system?
To answer this, malicious rootkits (I say malicious explicitly because rootkits can also be non-malicious and pose no harm) are used to compromise the security of a system by letting the deployer gain remote control over a computer or network for criminal purposes. These rootkits serve this purpose by hiding the malware which installs a backdoor allowing the attacker to access the infected system. If the rootkit infects a user account with administrator privileges, it allows the attacker to gain unlimited access to the infected computer. This very clearly indicates the harm a rootkit can do: it allows an attacker to steal your personal information or to install more malware, which can leave your computer unusable.
So far we have understood what rootkits are, what the intent of deploying them is and what harm they can do. Now we will dig a bit further to understand how a rootkit hides itself, which is quite important to understand. The trick lies in the ability of a rootkit to hook (attach) itself to the operating system (Windows) and make the operating system lie on its behalf. In this way rootkits deceive some traditional anti-rootkit scanners. Whenever a scanner queries the operating system, the rootkit ensures that the program receives manipulated information that hides the rootkit's existence. In other words, it changes the program flow: whenever a scanner asks the operating system for some information, the rootkit's own code is executed and provides manipulated information to the querying program.
Now, a BIG question: how does a rootkit intercept the program flow? It does so by using a technique called hooking system function calls. In very simple words, hooking is attaching itself at the right place so as to receive specific calls from an application program (e.g. a scanner) that asks the operating system for information. Before we look at hooking, we'll take a look at the types of rootkits, because the type of a rootkit decides which kind of hook it can deploy.
Types of rootkits:
1) User mode rootkit: Let us take a look at the functioning of a user level program for better understanding. A user level program cannot perform all functions by itself. For example, a word processor is a user level program which helps you compose text. When you save the document, the data is actually written to disk, but this write is a privileged operation and can be performed only by the kernel. Therefore the word processor requests the kernel to perform it. A user level program cannot interact directly with the kernel, because the kernel does not understand the language of the application program. So when you tell a word processor to save the text, Windows translates this command into a system call, which in turn communicates with the kernel. This system call is the language used for communication between the application program (e.g. a word processor) and the kernel, and the set of such calls is called the Application Programming Interface, or API. Since every application program uses a set of APIs to perform its tasks, it maintains a table in memory containing the addresses of those APIs; this improves the efficiency of the application program. So for every operation the application program can perform, the address of the corresponding API is stored in a table. This table is called the Import Address Table, or IAT. Depending on the operation to be performed, the program reads the IAT, fetches the address of the related API and calls it.
Now it is easier to understand what a user level or user mode rootkit is. A user level rootkit has the privileges of an application program and cannot interact with the kernel directly. Like a user program, it too has to interact via APIs. It has access to all the data structures which reside in the application program's address space.
2) Kernel mode rootkit: The kernel is the part of the operating system that always resides in memory and manages all the processes in the system. It also controls all the hardware, the communication between hardware components and the communication between applications. It allocates resources to requesting applications and performs vital tasks like memory management, process scheduling and CPU scheduling. To perform all these tasks efficiently, the kernel also maintains a table containing important address information: the addresses of the native APIs, or kernel level APIs, which the kernel calls to actually perform privileged operations like writing to disk, allocating resources to requesting applications and so on.
Now it is easier to understand what a kernel level or kernel mode rootkit is. A kernel level rootkit has the privileges of the kernel. These are the most critical privileges, because the rootkit can access any memory location, any hardware and any process in the system. The impact is very dangerous, because ultimately all programs communicate with the kernel in one way or another, and hence a kernel level rootkit can control anything and everything.
Now coming to hooking: both user level and kernel level rootkits use API hooking to make sure that the operating system returns only results which do not reveal their presence. A user level rootkit hooks into, or we can say replaces, the address of an API with its own address in the application program's IAT (Import Address Table). For example, it may hook the API which Task Manager calls to list the running processes, and remove itself from the list. Since each application program has its own IAT, a user level rootkit has to hook every program's IAT to achieve a system wide effect.
On the other hand, a kernel level rootkit hooks the tables used by the kernel (I was not able to find the specific name given to the table used by the kernel). Since this table is used by all the processes in the system, it achieves a system wide effect by hooking a single table. After hooking, any call to a kernel level API results in the execution of the rootkit's code (because the rootkit has hooked the table, or we can say replaced the address of the API with its own). Since most programs rely on the data the operating system sends them, the rootkit remains invisible to them and gives the impression that the system is clean. Since these rootkits can access any memory location, they can even overwrite the code of the kernel itself with their own code.
Now coming to the solution part, I would say that for removing rootkits completely the scanner should have the capability to run in kernel mode. I have been using SUPERAntiSpyware for the past year and it has this capability. You can download it free from http://superantispyware.com. The free version doesn't offer real time protection or automatic updates, but it will surely remove rootkits in a manual scan.
There are a few other good programs which I personally prefer to have on my system if not SUPERAntiSpyware: Spy Sweeper and CounterSpy. But these are not freeware, so I have settled for SUPERAntiSpyware and I am quite happy with my choice.
Another excellent program is RootkitRevealer from Sysinternals. This is a very fine utility and I would have loved to have it on my system, but it has some compatibility issues with Vista. If you have Windows XP, though, it is a must have. You can download it from Download RootKit Revealer. This utility only displays the entries which might be infected; you need to examine all the reported discrepancies to make sure it is really a rootkit which needs to be removed. Once you find that a rootkit is installed, search the web for the removal procedure.
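The "discrepancies" RootkitRevealer reports come from a cross-view comparison: it lists files and registry keys through the normal Windows API and again by reading the raw volume and hive data, and reports whatever one view shows but the other does not. The added example below (my own code, not RootkitRevealer's and not part of the original post) shows that comparison on two constructed directory listings; the raw scan itself is out of scope and stands in as a second plain list.

```python
"""Added example: cross-view comparison of an API listing against a raw
on-disk listing. Both listings are constructed sample data in the form
'path|size', one entry per line.
"""


def parse_listing(text: str) -> dict:
    """Parse constructed 'path|size' lines into {normalised_path: size}."""
    entries = {}
    for line in text.strip().splitlines():
        path, size = line.rsplit("|", 1)
        # Windows paths are case-insensitive, so compare them lower-cased.
        entries[path.strip().lower()] = int(size)
    return entries


# View 1 (constructed): what a scanner gets from the Windows file API.
API_VIEW = """
C:\\Windows\\System32\\ntdll.dll|1234567
C:\\Windows\\System32\\kernel32.dll|765432
C:\\Windows\\System32\\drivers\\example.sys|40960
C:\\Users\\alice\\report.docx|20480
"""

# View 2 (constructed): what a raw scan of the volume's file table shows.
RAW_VIEW = """
C:\\Windows\\System32\\ntdll.dll|1234567
C:\\Windows\\System32\\kernel32.dll|765432
C:\\Windows\\System32\\drivers\\example.sys|45056
C:\\Windows\\System32\\drivers\\hidden.sys|32768
C:\\Users\\alice\\report.docx|20480
C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.dat|1024
"""


def cross_view_diff(api_view: dict, raw_view: dict) -> list:
    """Return sorted [(path, reason)] for every entry the two views disagree on."""
    findings = []
    for path, size in raw_view.items():
        if path not in api_view:
            # Present on disk but the API did not return it: the classic
            # symptom of a hooked directory-listing API.
            findings.append((path, "hidden from Windows API"))
        elif api_view[path] != size:
            findings.append((path, f"size mismatch: API {api_view[path]}, raw {size}"))
    for path in api_view:
        if path not in raw_view:
            findings.append((path, "visible to API but absent from raw scan"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in cross_view_diff(parse_listing(API_VIEW), parse_listing(RAW_VIEW)):
        print(f"{path}: {reason}")
```

As the post says, every reported discrepancy needs examination rather than automatic removal: a file created or deleted between the two passes, or a transient temp file, produces exactly the same kind of line as a file a rootkit is hiding. A hidden entry under a system directory such as drivers is worth far more attention than one under a temp folder.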
Note that I already have another anti-virus apart from SUPERAntiSpyware which provides real time protection. One should never compromise on real time protection.
Unfortunately, none of the utilities on the web can give you a 100% guarantee of removing rootkits from a system. But I personally prefer the ones mentioned in this post because they are really good at the job.
With this I conclude my explanation of rootkits. I hope I explained the topic clearly and in simple language. Stay tuned for more.