A rootkit is a collection of typically malicious computer software designed to enable access to a computer or to part of its software that would not otherwise be allowed (for example, by an unauthorized user). Rootkits often mask their presence or that of other software. The term "rootkit" has negative connotations through its association with malware. Obtaining this access is a result of direct attack on a system, i.e., exploiting a vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like "phishing"). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavior-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.

History

The term rootkit, rkit, or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access. If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information. In the lecture he gave upon receiving the Turing Award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user's correct password, but an additional "backdoor" password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code. This exploit was equivalent to a rootkit.
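The Tripwire-style check that caught first-generation rootkits is a baseline-and-compare of the administrative binaries themselves. The following is an added example written for this article, not Tripwire's own code: it records a content hash plus size and mode for each monitored tool, stores the baseline, and later reports which attributes changed. The scenario in demo() is constructed (a temporary stand-in for ls is baselined and then replaced). The caveat the article's detection section implies applies here too: the baseline and the checker must come from media the rootkit could not modify (an alternative trusted operating system or read-only storage), otherwise a root-level intruder can simply rewrite the baseline. A compiler-level backdoor of the Thompson kind is not caught by this check, because the rebuilt binary is legitimately different from any earlier baseline.

```python
"""Tripwire-style integrity check of administrative tools.

Added example for this article; not Tripwire's code. A replaced binary
changes its hash, and usually its size or mode as well.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the metadata a trojaned replacement typically alters."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
    }


def build_baseline(paths):
    """Fingerprint every monitored path; run this from a known-clean system."""
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline, out_path):
    # In practice the baseline lives on read-only or offline media: a rootkit
    # running as root can rewrite a baseline stored on the monitored host.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def check(baseline):
    """Map each path to the attributes that differ from the baseline.

    An empty dict means nothing changed; a missing file is reported as such.
    """
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        actual = fingerprint(path)
        changed = [key for key in expected if expected[key] != actual[key]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed scenario: a stand-in 'ls' wrapper is baselined, then replaced.

    Returns (findings before replacement, findings after replacement).
    """
    workdir = tempfile.mkdtemp()
    tool = os.path.join(workdir, "ls")  # constructed stand-in, not /bin/ls
    with open(tool, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
    os.chmod(tool, 0o755)

    baseline_file = os.path.join(workdir, "baseline.json")
    save_baseline(build_baseline([tool]), baseline_file)
    before = check(load_baseline(baseline_file))

    # Simulate a first-generation rootkit swapping in a modified tool: the
    # content (and therefore hash and size) changes, the mode does not.
    with open(tool, "wb") as f:
        f.write(b"#!/bin/sh\n# modified stand-in\nexec /bin/ls \"$@\"\n")
    after = check(load_baseline(baseline_file))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before replacement:", before)
    print("after replacement:", after)
```

Running the block prints an empty result for the clean baseline and, after the swap, the path of the stand-in tool with "sha256" and "size" listed as changed. A real deployment would feed check() the paths of the tools an intruder would most want to replace (login, ps, ls, netstat and the like) and run it from trusted media on a schedule.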

The first documented computer virus to target the personal computer, discovered in 1986, used Helix Cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.

Over time, DOS-virus cloaking methods became more sophisticated. Advanced techniques included hooking low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files. The Stuxnet worm was the first to target programmable logic controllers (PLCs).

Lenovo BIOS Rootkit (Lenovo Service Engine) Incident (2015)

In mid-2015, it was discovered that Lenovo had been shipping certain consumer PCs with firmware that behaved like a built-in rootkit. The feature, called Lenovo Service Engine (LSE), was embedded in the system BIOS and would execute on startup, even before Windows booted. LSE was designed to ensure that Lenovo’s system update utility and related pre-installed programs remained installed by automatically reinstalling them if they were removed. Because it resided in firmware, the code was difficult for users to detect or remove; even a clean Windows installation would not eliminate LSE, as it would be reinstalled on the next reboot.

Researchers later discovered that LSE introduced a serious security issue – a vulnerability allowing a privilege escalation attack (via a buffer overflow) to gain administrator-level control. In response, Lenovo released BIOS updates and a removal utility in 2015 to disable and delete the LSE feature. Microsoft also updated its Windows security guidelines to bar such firmware behavior, effectively forcing Lenovo to cease using LSE in new systems. The LSE functionality was removed from subsequent models, and Lenovo urged customers to install the updated firmware to eliminate the risk.

Stuxnet (2010)

Stuxnet, uncovered in 2010, was a highly sophisticated worm widely believed to have been developed in a joint U.S.–Israeli intelligence operation targeting Iran’s nuclear facilities. It notably included a Windows kernel-mode rootkit that concealed the malware’s files and processes, enabling the worm to silently sabotage industrial control systems. Stuxnet is often cited as the first known cyberweapon; it destroyed a significant part of Iran’s uranium centrifuges, while remaining difficult to detect.

Sony BMG copy protection rootkit scandal (2005)

[Figure: Screenshot of RootkitRevealer, showing the files hidden by the Extended Copy Protection rootkit]

In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet. The software included a music player but silently installed a rootkit which limited the user's ability to access the CD. Software engineer Mark Russinovich, who created the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers. To cloak itself, the rootkit hid any file starting with "$sys$" from the user. Soon after Russinovich's report, malware appeared which took advantage of the existing rootkit on affected systems. Sony BMG released patches to uninstall the rootkit, but the uninstaller exposed users to an even more serious vulnerability. The company eventually recalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG.
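The "difference scanning" method listed in the introduction is what exposed the Extended Copy Protection rootkit: RootkitRevealer enumerated the file system through the normal Windows API and again by reading the on-disk structures directly, then reported every name present in one view but not the other. The following is an added example written for this article, not RootkitRevealer's code. The low-level view is played by os.listdir, and hooked_api_view() is a constructed stand-in for an API whose results a rootkit filters by dropping every name beginning with "$sys$"; no real hook is installed. The file names in demo() are constructed. The example also handles the main source of false positives in this method, files created or removed between the two enumerations, by repeating the scan and keeping only names hidden in every round.

```python
"""Cross-view ("difference scanning") detection of hidden files.

Added example for this article; not RootkitRevealer's code. The hooked
high-level API is simulated by a filtering function.
"""
import os
import tempfile

HIDDEN_PREFIX = "$sys$"  # the name pattern the Extended Copy Protection rootkit hid


def raw_view(directory):
    """Low-level view. Here os.listdir stands in for parsing the on-disk
    file system structures directly, which a user-mode API hook cannot filter."""
    return set(os.listdir(directory))


def hooked_api_view(directory):
    """Constructed stand-in for a high-level directory API whose results a
    rootkit filters: every name starting with HIDDEN_PREFIX is dropped."""
    return {n for n in os.listdir(directory) if not n.startswith(HIDDEN_PREFIX)}


def cross_view_diff(high_level, low_level):
    """Return (hidden, phantom).

    hidden:  names on disk but absent from the API view, the rootkit signature.
    phantom: names in the API view but not on disk, usually a file created or
             deleted between the two enumerations rather than anything hostile.
    """
    return low_level - high_level, high_level - low_level


def stable_hidden_entries(directory, rounds=2):
    """Re-scan and keep only names hidden in every round, so a file that
    happened to appear or vanish mid-scan does not produce a finding."""
    result = None
    for _ in range(rounds):
        hidden, _phantom = cross_view_diff(hooked_api_view(directory), raw_view(directory))
        result = hidden if result is None else result & hidden
    return result


def demo():
    """Constructed directory: two ordinary files and two with the hidden prefix."""
    workdir = tempfile.mkdtemp()
    for name in ("readme.txt", "player.exe", "$sys$example_a.sys", "$sys$example_b.sys"):
        open(os.path.join(workdir, name), "w").close()
    return stable_hidden_entries(workdir)


if __name__ == "__main__":
    for name in sorted(demo()):
        print("hidden from API view:", name)
```

The defining property of the method is that the two views must be produced by independent code paths: if both enumerations go through the same hooked API, the sets agree and nothing is reported. That is also why a kernel-mode rootkit that filters the low-level path as well defeats user-mode cross-view tools, and why the introduction lists booting an alternative trusted operating system as a separate method.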

Greek wiretapping case (2004–05)

The Greek wiretapping case 2004–05, also referred to as Greek Watergate, involved the illegal telephone tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators. The intruders installed a rootkit targeting Ericsson's AXE telephone exchange. According to IEEE Spectrum, this was "the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch." The rootkit was designed to patch the memory of the exchange while it was running, enable wiretapping while disabling audit logs, patch the commands that list active processes and active data blocks, and modify the data block checksum verification command. A "backdoor" allowed an operator with sysadmin status to deactivate the exchange's transaction log, alarms and access commands related to the surveillance capability.

Uses

Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased.

Rootkits and their payloads have many uses:

  • Provide an attacker with full access via a backdoor, permitting unauthorized access in order, for example, to steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.
  • Conceal other malware, notably password-stealing key loggers and computer viruses.
  • Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large botnets that can, amongst other things, launch denial-of-service attacks, distribute email spam, and conduct click fraud.

In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user:

  • Detect attacks, for example, in a honeypot.
  • Enhance emulation software and security software. Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and SecuROM. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods.
  • Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.
  • Bypassing Microsoft Product Activation

Types

There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.