A rootkit (roughly “administrator kit”; root is the user with administrator privileges on Unix-like operating systems) is a collection of software tools that is installed on a compromised system after the break-in, in order to hide the intruder’s future logins and to hide processes and files.
Today the term is no longer limited to Unix-based operating systems, since rootkits for other systems have existed for a long time. Antivirus programs try to discover the cause of a compromise; the purpose of a rootkit is to camouflage malware so that it stays hidden from antivirus programs and from the user. A related collection of software tools that hooks into the boot loader is the “bootkit”.
The first collections of Unix tools for these purposes consisted of modified versions of programs such as ps and passwd, which suppressed the traces the attacker would normally leave behind, allowing the attacker to operate with the privileges of the system administrator root without the legitimate administrator noticing.
A rootkit typically hides logins, processes, and log files, and often contains software to capture data from terminals, network connections, keystrokes and mouse clicks, as well as passwords from the compromised system. In addition, it may contain backdoors that make it easier for the attacker to access the compromised system again later, for example by launching a shell when a connection request arrives on a specific network port. The line between rootkits and Trojan horses is blurred; a Trojan takes a different approach to infecting a computer system.
The characteristic of a rootkit is that it installs itself without the administrator’s knowledge, allowing the attacker to use the computer for his own purposes without being detected. These purposes include:
- Eavesdropping or, more generally, the theft of data (e.g. access codes, technical documents, trade secrets).
- Installing viruses, for example, in order to attack other systems.
- Launching distributed denial-of-service attacks.
- Opening new backdoors. In addition, rootkits try to disguise the path by which they got in, so that they are not removed by others.
Application rootkits consist only of modified system programs. Because such rootkits are trivial to detect, they are rarely used today. Kernel rootkits replace parts of the kernel with their own code in order to conceal themselves and to provide the attacker with additional functions (“remote access”) that can only be executed in the context of the kernel (“ring 0”). This is most often done by loading kernel modules, which is why this class of rootkits is also called LKM rootkits (LKM stands for “loadable kernel module”). Some kernel rootkits do not need an LKM because they manipulate kernel memory directly. On Windows, kernel rootkits are often implemented by installing new .sys drivers.
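The reason application rootkits are trivial to detect is that a replaced ps or passwd is simply a different file: its hash no longer matches a baseline taken from known-good media. The following is an added example, not code from the original article or from any particular integrity tool; the function names (`build_baseline`, `verify_baseline`, `demo`) are hypothetical, and `demo` works on constructed files in a temporary directory rather than on real system binaries.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits of each trusted binary.
    Take the baseline from known-good media (fresh install or rescue system)
    and keep the result off the host, e.g. on read-only storage."""
    baseline = {}
    for path in paths:
        info = os.stat(path)
        baseline[path] = {
            "sha256": sha256_file(path),
            "size": info.st_size,
            "mode": info.st_mode & 0o7777,
        }
    return baseline


def verify_baseline(baseline):
    """Compare the live file system against the baseline.
    Returns {path: "ok" | "modified" | "mode-changed" | "missing"}."""
    results = {}
    for path, record in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        if sha256_file(path) != record["sha256"]:
            results[path] = "modified"       # contents swapped: the classic trojaned ps/passwd
        elif (os.stat(path).st_mode & 0o7777) != record["mode"]:
            results[path] = "mode-changed"   # e.g. an unexpected setuid bit
        else:
            results[path] = "ok"
    return results


def demo():
    """Constructed scenario in a temporary directory (not real system binaries):
    'ps' is replaced after the baseline was taken, 'ls' is left alone,
    'passwd' is deleted."""
    with tempfile.TemporaryDirectory() as root:
        names = ["ps", "ls", "passwd"]
        paths = {name: os.path.join(root, name) for name in names}
        for name, path in paths.items():
            with open(path, "wb") as handle:
                handle.write(b"original contents of " + name.encode())
        baseline = build_baseline(list(paths.values()))

        # Simulated tampering after the baseline exists.
        with open(paths["ps"], "wb") as handle:
            handle.write(b"replaced contents")
        os.remove(paths["passwd"])

        results = verify_baseline(baseline)
        return {os.path.basename(p): status for p, status in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check is only as trustworthy as the environment it runs in: the hashing tool, the Python interpreter and the stored baseline must all come from trusted media, and the comparison should be run from a rescue system rather than from the suspect installation. A kernel rootkit can feed the hashing tool the original bytes while executing the modified ones, which is exactly why the kernel-level variants described next are harder to catch.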
Such a driver can intercept function calls from programs that, for example, list files or display running processes. In this way the rootkit hides its own presence on the computer.
“Userland rootkits” are especially popular on Windows because they do not require access at the kernel level. Each provides a DLL that injects itself into all processes by various API methods. Once this DLL is loaded, it modifies selected API functions and redirects their execution to itself. This lets the rootkit obtain the information it is interested in and filter or manipulate it before the caller sees it.
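Whether the hook sits in a kernel driver or in an injected DLL, it can only lie on the code path it intercepts. The standard defensive answer is cross-view detection: collect the same information through two independent paths and treat any disagreement as a hidden object. The following is an added example, not code from the original article or from any existing tool such as rkhunter or unhide, and the function names (`hidden_pids`, `probe_view`, `live_check`, `demo`) are hypothetical. `demo` compares two constructed process listings; `live_check` runs the real comparison on a Linux host, using a readdir() of /proc as the view that ps and top rely on and a brute-force kill(pid, 0) probe as the independent view.

```python
import os


def parse_pid_list(text):
    """Parse one-PID-per-line output (e.g. from `ps -e -o pid=`) into a set of ints."""
    return {int(line) for line in text.splitlines() if line.strip().isdigit()}


def hidden_pids(independent_view, reported_view):
    """PIDs the independent view knows about that the reported view omits."""
    return sorted(independent_view - reported_view)


def proc_listing_view():
    """View 1: what a readdir() of /proc shows, which is what ps and top use. Linux only."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid):
    """View 2: kill(pid, 0) delivers no signal but reports whether the PID exists.
    A hook that only filters directory listings does not affect this path."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # the PID exists, it just belongs to another user
        alive.add(pid)
    return alive


def is_thread_id(pid):
    """On Linux kill() also accepts thread IDs, and /proc/<tid>/status is readable
    even though <tid> is not listed by readdir(). Such entries are threads, not
    hidden processes, and must not be reported."""
    try:
        with open(f"/proc/{pid}/status") as handle:
            for line in handle:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def live_check():
    """Run both views on a Linux host and return candidate hidden PIDs.
    Re-run before raising an alarm: a process that exited between the two
    views shows up once as a false positive."""
    with open("/proc/sys/kernel/pid_max") as handle:
        pid_max = int(handle.read())
    candidates = hidden_pids(probe_view(pid_max), proc_listing_view())
    return [pid for pid in candidates if not is_thread_id(pid)]


def demo():
    """Constructed sample: `reported` is what a hooked ps printed, `independent`
    is what probing found. PID 4242 is the discrepancy."""
    reported = parse_pid_list("   1\n  42\n  77\n 100\n")
    independent = {1, 42, 77, 100, 4242}
    return hidden_pids(independent, reported)


if __name__ == "__main__":
    print("constructed sample:", demo())
    if os.path.isdir("/proc"):
        print("live candidates:", live_check())
```

The probe loop walks the whole PID range (up to the value in /proc/sys/kernel/pid_max), which takes a few seconds in Python but needs no privileges. The same idea generalizes to other objects a rootkit hides: files (directory listing versus direct open by name), network sockets (netstat output versus /proc/net/tcp), and loaded modules (lsmod versus /sys/module). A rootkit that hooks every one of those paths consistently defeats cross-view detection, which is why an offline check from a rescue system remains the stronger measure.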
Memory rootkits exist only in the memory of the running system. After rebooting the system, these rootkits are no longer present.
Today almost all common server, PC and laptop processors have hardware virtualization functions that let software run as if it had a processor of its own. This is often used to run several operating systems, even different ones, in parallel on a single physical computer. Virtual Machine Based Rootkits (VMBR) are rootkits that move an existing operating system into a virtual environment, so that the operating system is trapped inside it. The virtual environment thus forms a software layer beneath the operating system, which makes a VMBR very difficult to detect.
Since one hundred percent detection of rootkits is impossible, the best method of removal is to completely reinstall the operating system. Since some rootkits hide in the BIOS, even this does not give 100% certainty that the rootkit has been removed. To prevent infection of the BIOS in the first place, the BIOS should be write-protected in hardware, e.g. by means of a jumper on the motherboard. For many rootkits (e.g. the Sony rootkit), however, detection and removal programs are available from official vendors.