Rootkit

A rootkit is malicious software that allows an unauthorized user to take control of a computer remotely without being detected.

Rootkit: definition

Originally, in the context of UNIX-type systems, a rootkit was a set of tools belonging to the operating system itself, such as netstat, passwd and ps, which an intruder modified in order to gain unlimited access to the target computer without the intrusion being detected by the system administrator.

In UNIX terminology the system administrator account is called "root", hence the generic name for these tools, which remained hidden in the system once root privileges had been obtained.

Windows systems are today the most widespread operating systems, yet the concept still remains the same.


What is a rootkit?

A Windows rootkit is a program that hides certain elements (files, processes, Windows Registry keys, memory addresses, network connections, etc.) from other programs or the operating system.

As can be seen, this definition does not in itself imply any damaging effect on the system: it is a technology that can be used for constructive as well as destructive ends.


What danger is presented by rootkits?

Contrary to popular belief, a rootkit is not in itself a tool that exposes a computer to risk.

Rootkits in UNIX

In UNIX systems, rootkits are used to guarantee continued access to a remote computer that has previously been compromised, in order to, for example:

  • Install backdoor Trojans through which the computer can be accessed.
  • Hide the modifications made to the computer's configuration.
  • Hide the logs left behind as a record of the intrusion.

Rootkits in Windows

For Windows systems the objective is similar: to hide the existence of other elements within the computer, so that their presence and execution remain undetected by the user and even by the security software itself. If those hidden elements are viruses, the computer's owner faces a truly serious problem.

This fits the current malware dynamics perfectly. Since the aim of malware is to commit information crimes for economic gain, it is of the utmost importance to it that it attracts little or no detection: the longer it stays undetected, the longer it remains active on the computer.


Rootkits for good causes

Although the implications must be carefully weighed, rootkits also have potential benefits and can be legitimately applied in the following areas:

  • Monitoring employees.
  • Protection of intellectual property.
  • Protecting programs from malware activity or user errors (accidental deletion, for example).


What are the different types of rootkits?

Rootkits can be classified in accordance with the following characteristics:


Persistence:

A persistent rootkit is one that is activated every time the system starts up. To do so, it must store its code in some way within the computer, and must also have some way to automatically start itself up.

On the other hand, a non-persistent rootkit is not capable of automatically running again after the system has been restarted.


The way in which they are executed:

User mode: this kind of rootkit hooks system calls and filters the information returned by APIs (Application Programming Interfaces).

Kernel mode (the nucleus of the operating system): these rootkits modify kernel data structures and hook the kernel's own APIs.


How can I protect myself from rootkits?

The following techniques can be used to detect the existence of rootkits within a system:


Signature-based detection:

A mature technology that antivirus companies have used successfully for many years. It is based on scanning files and comparing them with a collection of signatures of known malware.


Heuristic or behavior-based detection:

Identifies rootkits by recognizing deviations from the computer's normal activity.


Detection by comparison:

Compares the results returned by the operating system with those obtained through low-level calls; if any differences are detected, a rootkit is present on the system.


Integrity-based detection:

Reveals the existence of a rootkit by comparing files and memory against a known state that is trusted to be clean.
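As an added illustration of the two techniques just described (not part of the original article), the following Python sketch implements detection by comparison as a set difference between two views of the process list, and integrity-based detection as a SHA-256 baseline of a directory tree. The PIDs and the file contents are constructed sample data; on a real host the two process views would come from the OS API and from a low-level enumeration respectively.

```python
import hashlib
import os
import tempfile

def find_hidden(api_view, raw_view):
    """Detection by comparison: items the low-level view has but the OS API omits."""
    return sorted(set(raw_view) - set(api_view))

def hash_file(path):
    """SHA-256 digest of one file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Record a digest for every file under root: the trusted reference state."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = hash_file(path)
    return baseline

def integrity_check(baseline, root):
    """Integrity-based detection: report files modified, added or missing since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def write(root, rel, data):
    """Helper for the constructed sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed process views: PID 4242 shows up at the low level but not via the API.
    hidden = find_hidden([1, 420, 1337], [1, 420, 1337, 4242])
    # Constructed file tree: baseline it, then replace one tool and add a file.
    with tempfile.TemporaryDirectory() as root:
        write(root, os.path.join("bin", "ps"), b"ps v1")
        write(root, os.path.join("bin", "netstat"), b"netstat v1")
        baseline = build_baseline(root)
        write(root, os.path.join("bin", "ps"), b"ps v1, modified")
        write(root, os.path.join("bin", "extra"), b"new file")
        report = integrity_check(baseline, root)
    return hidden, report
```

The baseline must be taken on a system that is known to be clean and stored where the monitored system cannot alter it, otherwise the comparison has nothing trustworthy to measure against.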

Each of these techniques has its limitations, so it is highly recommended to combine several different technologies. Bear in mind, too, that some rootkits are expressly designed to evade detection by the market-leading antivirus products.

The first line of defense against rootkits consists of preventing them from entering your computer. To do this, bear in mind the following basic advice on how to protect yourself against malware:

  • Install a good anti-malware solution on your computer, and always keep it activated and updated.
  • Install a firewall that will protect against unauthorized access to your computer.
  • Always ensure that the applications installed on your computer are kept up-to-date, and make sure to install any security patches supplied by manufacturers.

However, the task of protecting yourself against rootkits is not to be taken lightly, and cannot be limited to a series of generic protection measures.