5 Star Support Security Specialist
Many computer users have heard of rootkits; many more have not. Rootkits have
been around for a long time and are best known to people familiar with the Unix
and Linux operating systems. The name comes from Unix, where "root" is the
all-powerful administrative account: the original rootkits were kits of
replacement system programs (login, ps, ls, netstat and the like) that an
intruder installed after breaking in, so that he could keep root access and
stay hidden from the administrator. Windows rootkits existed before, but
beginning around December 2004 they started to appear in large numbers, and
that is when rootkits moved into the spotlight: they were finally being written
in volume against Windows, the system that runs some 90% of the world's
computers. In this article I hope to increase your knowledge in this area: what
a rootkit is, how it works, and why it can be so dangerous. This is not a paper
designed to make you fearful. Quite the contrary – remember that with knowledge
comes ability and power, power to accomplish
A rootkit is a program or set of programs used by an intruder both to hide his
presence on a computer system and to keep a way back into that same system. To
do this a rootkit will usually either manipulate the data the operating system
relies on (its lists of processes, files, registry keys and so on) or alter the
execution flow of the operating system itself.
It is important to realize that rootkits are designed to be stealthy, meaning
they are difficult to find or detect by normal means. Many rootkits have been
so well written that their presence has gone undetected for years. They are
written by experienced individuals with a level of programming knowledge well
above that of the average virus or malware writer. A rootkit is not an exploit.
It is what an attacker installs after an initial exploit has already gained
control, to keep future access to the compromised computer without being
noticed.
It is also important not to confuse a rootkit with a virus or a worm. The main
differences are in propagation and stealth. Like a rootkit, a virus alters
software components of a system. A virus, however, is designed to spread by
infecting other programs, to do damage, and possibly to provide additional
services to the attacker; this usually changes the computer's behavior enough
that the user notices something is wrong. A worm is usually designed to scan
for vulnerable machines on the network, exploit them, and spread to them, doing
the same damage there. Again, this alters computer behavior significantly
enough to alert the user. A rootkit, on the other hand, does not spread by
itself. It is designed to protect itself and remain hidden from the user so
that the attacker can use the compromised computer for a long period of time
for his or her own nefarious ends. The categories overlap in practice: a worm
or Trojan may carry a rootkit as its payload, using it to hide the rest of the
infection.
A well written and executed rootkit can easily remain hidden and operate
literally for years without giving away its presence to the user, or even a
systems administrator or other IT professional. This has already happened many
times, especially in companies that maintain large networked systems, and
continues today even while you are reading this paper.
A rootkit is designed to hide logins, processes, files, registry keys, network
connections and log entries, and may include software to intercept data from
terminals, network connections and the keyboard. Rootkits are often classed as
Trojan horses, and indeed a rootkit package often contains Trojans and
backdoors as components.
There are three basic types of rootkits - library, application and kernel. There
are also two subtypes - memory based, and persistent, but more on that later.
Library level rootkits most commonly patch, hook or replace the shared library
functions (on Windows, the API functions exported by system DLLs) that
applications call in order to reach the operating system, substituting versions
that filter out the rootkit's own files, processes, registry keys and
connections before the results are returned. Because every program that lists
files or processes goes through those same library calls, you won't find the
rootkit's files with a normal file search, or see its processes by going to
Task Manager.
Before discussing the next two, it is important to understand how Windows
separates applications from the kernel. Windows supports two modes of
execution: user mode and kernel mode. Applications run in user mode, which is
unprivileged: a user mode program cannot read or write kernel memory or execute
privileged processor instructions, so a buggy or malicious application cannot
casually corrupt the kernel. Some readers may scoff at the idea that Windows
was designed with security and stability in mind, given the vulnerabilities
reported in it, but this boundary is real. What it does not do is protect the
kernel from code that has already been allowed to run in kernel mode, and no
mainstream operating system is designed from the ground up to resist a
malicious intruder who has reached that point.
Application level rootkits usually operate by replacing normal application
binaries with Trojan style fakes, or by modifying program behavior through
hooks, patches, or other code injected into the running application. Your first
alert to the possible existence of a rootkit hiding in an application is
abnormal or different behavior of one of your application programs. The key
here is to know your software and pay attention to how it normally runs.
Kernel level rootkits usually add code to the kernel (typically by loading a
device driver) or replace a section of kernel code with modified code in order
to hide the existence of the rootkit, as well as any backdoor(s) that have been
added as a way in for the attacker. Remember that kernel mode is a processor
mode that grants access to all system memory and all of the processor's
instructions. Windows marks which pages of memory require kernel mode to
access, but it does not protect kernel memory from other code that is also
running in kernel mode: one driver can read and modify the data and code of any
other driver, or of the kernel itself. This is what makes kernel level rootkits
particularly dangerous. Kernel level rootkits usually do not alter the
operation of the computer enough to alert the user to their existence, and
because they sit underneath the operating system's own APIs, this level of
rootkit is virtually impossible to detect without specialized software.
There are two basic categories that modern rootkits in the wild can be divided
into: those that are designed to hook, and those that are designed to use DKOM.
Both are explained below. Hacker Defender is one of the more popular rootkits
that works by hooking. It hides processes, services, files, registry keys and
ports. FU is a popular rootkit that is designed to use DKOM. FU can hide
processes and device drivers and elevate privileges and groups of any
Hooks (or hooking) –
In the above section, we mentioned a hook. A hook, or hooking, is a method used
by a rootkit to alter the normal execution path of the operating system. Modern
operating systems are designed to be flexible, extendable and backward
compatible; if they weren't, you would have to replace all your application
software with newer versions every time you got a newer computer or a newer
operating system. This is why if you upgraded to, let's say, Windows XP, your
other software still runs with Windows XP as it did with your older operating
Much of that flexibility is implemented with tables of addresses: when a
program calls an operating system function, the call goes through a table entry
rather than to a fixed location. A rootkit that overwrites such an entry with
the address of its own code gets to run instead of the original function. It
can then call the original afterwards and alter the information the original
function would have returned, using it for the rootkit's own designs as
programmed by the attacker.
Some of the more common places a rootkit will hook are: execution paths in
general, import address tables (the per-program table of addresses of the DLL
functions it uses), the system service descriptor table (the kernel's table of
system call handlers), and layered filter drivers (extra drivers inserted into
the file system or network stack that see every request passing through).
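To make the import-table case concrete, here is an added example in C. It is not code from this article or from any real rootkit; it models an Import Address Table as a table of function pointers. The "rootkit" swaps the process-enumeration slot for a filter that drops every entry whose name starts with a chosen prefix, and a VICE-style check flags a slot that no longer points at the genuine function. The process names, the hidden prefix and the table layout are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example: a user-mode "import table" hook, modelled in plain C.
 * The table of function pointers stands in for a Windows Import Address
 * Table. The process names, the hidden prefix and the detection rule are
 * constructed for this example and are not any real API. */

#define MAX_ENTRIES 8

/* Constructed sample data: what the genuine enumeration API would return. */
static const char *sample_processes[] = {
    "explorer.exe", "svchost.exe", "hxdef100.exe", "notepad.exe"
};
#define SAMPLE_COUNT (sizeof sample_processes / sizeof sample_processes[0])

/* The genuine (unhooked) API: copies every process name into out[]. */
static int real_enum_processes(const char **out, int max)
{
    int n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT && n < max; i++)
        out[n++] = sample_processes[i];
    return n;
}

typedef int (*enum_fn)(const char **, int);

/* Stand-in for an import table slot: the application calls through it. */
static enum_fn iat_enum_processes = real_enum_processes;

/* The hook: calls the original, then filters the result so that anything
 * whose name starts with hidden_prefix vanishes from the list. */
static const char *hidden_prefix = "hxdef";
static enum_fn saved_original = NULL;

static int hooked_enum_processes(const char **out, int max)
{
    int n = saved_original(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(out[i], hidden_prefix, strlen(hidden_prefix)) == 0)
            continue;                       /* drop the rootkit's own entry */
        out[kept++] = out[i];
    }
    return kept;
}

void install_hook(void)
{
    if (saved_original == NULL) {
        saved_original = iat_enum_processes; /* keep original to call through */
        iat_enum_processes = hooked_enum_processes;
    }
}

void remove_hook(void)
{
    if (saved_original != NULL) {
        iat_enum_processes = saved_original;
        saved_original = NULL;
    }
}

/* What Task Manager-style code sees: it always calls through the table. */
int app_count_processes(void)
{
    const char *buf[MAX_ENTRIES];
    return iat_enum_processes(buf, MAX_ENTRIES);
}

/* VICE-style heuristic: an import slot that no longer points at the
 * function the exporting module provides is suspicious. Here "the module"
 * is just the known address of real_enum_processes; a real detector
 * compares the slot against the exporting DLL's address range.
 * Returns 1 if the slot is hooked, 0 if clean. */
int detect_iat_hook(void)
{
    return iat_enum_processes != real_enum_processes;
}

int main(void)
{
    printf("clean:  %d processes, hooked=%d\n", app_count_processes(), detect_iat_hook());
    install_hook();
    printf("hooked: %d processes, hooked=%d\n", app_count_processes(), detect_iat_hook());
    remove_hook();
    return 0;
}
```

The point of the example is that the application code never changes and never notices: it asks the same question through the same slot and simply gets a shorter answer. The detector never looks at the answer at all; it looks at where the slot points.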
DKOM stands for Direct Kernel Object Manipulation. Rootkits designed to use
DKOM do not change any code at all. Instead they go straight to the kernel's
own bookkeeping data: the objects the kernel creates for every running process,
thread and loaded driver, and the lists that link those objects together. The
operating system's APIs that enumerate processes and drivers walk those lists,
so a rootkit that modifies them changes what every tool built on those APIs
reports. The classic example is hiding a process. The kernel keeps all process
objects in a doubly linked list; the rootkit patches the neighbouring objects
to point past its own process, so that walking the list no longer finds it,
while the process object itself is left intact and its threads keep being
scheduled and running. Because no code was hooked, detectors that look for
modified code or redirected function tables see nothing wrong. Similar edits to
a process's access token can add privileges or group memberships to it.
Rootkit Subtypes –
As we hinted at earlier in the section on rootkit types, there are two subtype
categories: memory-based and persistent. The main difference is that a
memory-based rootkit only resides in memory and it will not survive a computer
An attacker that wants to perform a quick, one-time, in-and-out procedure of
some sort, remain undetected, and then leave unnoticed without intending to
return, usually uses a memory-based rootkit. These attacks are usually
information gathering missions by an attacker who has already learned when a
machine is normally turned on or running. These kinds of rootkits are extremely
stealthy and very hard to detect because of their short life span: nothing is
written to disk, so there is nothing left to find afterwards, and only a scan
of the live system while the rootkit is resident has any chance of catching it.
These rootkits can also be reserved for use against server machines that are
left running for long periods of time, by an attacker that wants to remain
completely undiscovered and untraceable. A computer scan catching one of these
rootkits would result more from sheer luck than by design.
Persistent rootkits, on the other hand, are designed to survive a system
re-boot. In order to do so, this kind of rootkit must have some means of
permanently storing its code on the victim's machine, usually on the hard
drive. It must also hook some point in the system boot sequence (a driver
entry, a service, a run key, or the boot sector itself) so that it is loaded
from disk into memory each time the machine starts and can begin execution
again.
Hiding a rootkits existence:
As we discussed above, a memory-based rootkit is very hard to detect. But what
about the persistent form of rootkit, and how does it hide? These kinds of
rootkits survive a system re-boot and remain on the machine for very long time
periods, perhaps even years.
In order to remain undetected, a rootkit must conceal several things at once:
its own executable code, the memory-based modifications it has made to the
operating system (hooks or DKOM), its code on long-term storage, and the
permanent hook in the system boot sequence it uses to load itself when the
system starts. Some do this better than others. The hardest of these to hide
is the boot-time hook, because it must be in place before the rootkit is
running and able to filter what other programs see. For this reason some of
the more successful rootkits reside at least partially in the boot sector of
the hard drive, so that they are loaded before the operating system and before
any anti-virus software. Most anti-virus programs are not fully functional
until the system has booted, and by then a rootkit that loaded first can sit
between the scanner and the disk and hand it clean-looking copies of the boot
sector and of its own files. There are a few products that include a boot
sector scan before the operating system starts, and I recommend you check for
this functionality before purchasing an anti-virus product. They do not slow
the boot process very much, and the added protection is well worth the extra
time it takes for the machine to be ready to go.
Let me say at the beginning of this section that rootkit detection is still a
work in progress. There are currently a number of methods in use, some of which
we will discuss here. As of this writing, all of them have their particular
strengths and weaknesses, and none of them have been proven to be completely
effective or foolproof.
Rootkits have become very sophisticated over the past two years, and we continue
to see new ones appear almost every month. As the skills of rootkit programmers
improve, detection becomes more difficult all the time.
Signature based detection –
Signature based detection is currently the most common detection method, and it
works reasonably well against rootkits built from publicly available code found
on the Internet. Programs with this scanning capability are usually from
anti-virus vendors who have added it to their products only recently. They work
the same way they scan for viruses, worms and Trojans: they look for a
specific, known fingerprint, a sequence of bytes unique to the threat, in files
or in memory. This form of detection is helpful against publicly available
rootkit code, but is useless against a rootkit for which no signature exists,
including a private build or a variant that has been repacked or recompiled so
that the fingerprinted bytes change. It is also at the mercy of the rootkit it
is looking for: a rootkit that is already resident can filter the file and
memory reads the scanner makes. These include rootkits that hook virtual
memory that are capable of controlling the memory threads of the scanning
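As an added example, not from the article and not any vendor's real detection data, the following C code shows the kind of masked byte-pattern match a signature scanner performs, and why a recompiled variant defeats it. The signature, its wildcard mask and the two sample "files" are constructed for the example: the first is the build the signature was written for, the second is the same logic compiled into slightly different instructions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Added example: a masked byte-signature scan like the one an anti-virus
 * engine runs over files or memory. The signature and both sample buffers
 * are constructed for this example and are not real detection data. */

struct signature {
    const char *name;
    const uint8_t *bytes;   /* expected byte values */
    const uint8_t *mask;    /* 0xFF: byte must match; 0x00: wildcard */
    size_t len;
};

/* Scans buf for sig. Returns the offset of the first match, or -1. */
long scan_buffer(const uint8_t *buf, size_t n, const struct signature *sig)
{
    if (n < sig->len)
        return -1;
    for (size_t off = 0; off + sig->len <= n; off++) {
        size_t i = 0;
        while (i < sig->len &&
               (buf[off + i] & sig->mask[i]) == (sig->bytes[i] & sig->mask[i]))
            i++;
        if (i == sig->len)
            return (long)off;
    }
    return -1;
}

/* Constructed signature: "mov eax,[ebp+8]; cmp eax,imm32; je" with the
 * 4-byte immediate wildcarded, since an author may change that constant
 * between builds without changing the surrounding code. */
static const uint8_t sig_bytes[] = { 0x8B, 0x45, 0x08, 0x3D, 0x00, 0x00, 0x00, 0x00, 0x74 };
static const uint8_t sig_mask[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF };
const struct signature rootkit_sig = { "constructed-rootkit-v1", sig_bytes, sig_mask,
                                       sizeof sig_bytes };

/* Sample "file" 1: the known build. The immediate (10 27 00 00) differs
 * from the signature's zeros but is wildcarded, so it still matches. */
static const uint8_t known_build[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,
    0x8B, 0x45, 0x08, 0x3D, 0x10, 0x27, 0x00, 0x00, 0x74, 0x05,
    0xC3
};

/* Sample "file" 2: a recompiled variant. The compiler emitted
 * "mov eax,[ebp+8]; mov ecx,eax; cmp ecx,imm32; je" instead, so a byte the
 * signature insists on (0x3D) is gone and the scan misses it. */
static const uint8_t variant_build[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,
    0x8B, 0x45, 0x08, 0x8B, 0xC8, 0x81, 0xF9, 0x10, 0x27, 0x00, 0x00, 0x74, 0x05,
    0xC3
};

long scan_known_build(void)
{
    return scan_buffer(known_build, sizeof known_build, &rootkit_sig);
}

long scan_variant_build(void)
{
    return scan_buffer(variant_build, sizeof variant_build, &rootkit_sig);
}

int main(void)
{
    printf("known build:   match at offset %ld\n", scan_known_build());
    printf("variant build: match at offset %ld\n", scan_variant_build());
    return 0;
}
```

Wildcards buy some tolerance for constants that change, but not for a different instruction selection, a packer, or a rootkit author who simply rebuilds from modified source; that is the gap the heuristic and cross view methods below try to close.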
Heuristic detection –
Heuristic detection is the next step up. Instead of looking for a particular
fingerprint, heuristic detection looks for deviations from normal system
patterns and behavior, which gives it the ability to find new and previously
unidentified rootkits. This technology is still emerging and not widely
available yet. The current tools identify a rootkit by the execution path hooks
it uses, for example an import table or system service table entry that points
outside the module that should own it. Current examples of this form of
technology are VICE and Patchfinder. At this time they only work with the
Microsoft .NET Framework installed on the computer, and they are not foolproof
either: they can be subverted by some rootkits, and still others will remain
undetected. One of the problems is determining which hooks are malicious and
which are legitimate and part of normal operation, since anti-virus products,
firewalls and other security software install hooks of their own (false
positives can be
Another method of detection currently being developed is profiling, or more
specifically, profiling the runtime execution path. The only tool currently
known to this writer with this technology is a very promising proof of concept
called Patchfinder. It is discussed and made available on a Website called
invisiblethings.org run by rootkit expert Joanna Rutkowska. It is built on the
observation that a hook adds code to a given execution path, so a hooked system
call executes more instructions than a clean one; the tool single-steps a set
of system calls, counts the instructions executed, and compares the counts with
a baseline taken on a clean system. The technique can still result in false
positives, and it is vulnerable to rootkits that can detect that they are being
traced and behave normally while under observation. Nonetheless, I believe the
technology has excellent merit, and I hope development continues and is able to
eliminate the problems encountered so far.
Cross View –
Cross view based detection techniques are both very new and very promising. The
detection software enumerates data within the system, such as files, processes
and Registry keys, through the normal APIs, and then enumerates the same data a
second time by a lower-level route that does not rely on the system's common
APIs (Application Programming Interfaces), for example by reading the raw disk
or walking kernel data structures directly. A difference between the two
results, an item present in one view but missing from the other, indicates that
something is being hidden. This technology is still being developed and
improved to eliminate false positives, which arise when the two views are taken
at slightly different times and a legitimate process or temporary file appears
in only one of them. Current examples of this developing technology are
RootkitRevealer from Sysinternals, Klister by Joanna Rutkowska, BlackLight by
F-Secure, and Strider GhostBuster from Microsoft.
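The list unlinking described in the DKOM section and the two-view comparison described here are easiest to see together. The following C code is an added example; it is not code from this article, from FU, or from any of the tools named above. It keeps a small constructed process list and a constructed PID table, standing in for the Windows ActiveProcessLinks list and PspCidTable, unlinks one process the way a DKOM rootkit would, and then diffs the two views. The structure layout, process names and PIDs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the article's own code): hiding a process by unlinking
 * it from a doubly linked list, as DKOM rootkits such as FU do with an
 * EPROCESS on ActiveProcessLinks, and a cross view check that catches it.
 * The structures, the PID table and the sample processes are constructed
 * for this example; they are not Windows' real definitions. */

#define MAX_PID 16

struct proc {
    int pid;
    char name[16];
    struct proc *flink, *blink;   /* stand-in for ActiveProcessLinks */
};

/* List head, as the kernel's "all processes" list; circular, head is a sentinel. */
static struct proc head = { 0, "<head>", &head, &head };

/* A second, independent view: a PID-indexed table (like PspCidTable) that
 * handle lookups and the scheduler use. Unlinking from the list does not
 * touch it, which is why the hidden process keeps running. */
static struct proc *pid_table[MAX_PID];

static struct proc *create_process(int pid, const char *name)
{
    static struct proc pool[MAX_PID];
    struct proc *p = &pool[pid];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
    p->flink = &head;                 /* insert at tail */
    p->blink = head.blink;
    head.blink->flink = p;
    head.blink = p;
    pid_table[pid] = p;
    return p;
}

/* What a list-walking API (the source behind Task Manager) reports. */
int count_via_list(void)
{
    int n = 0;
    for (struct proc *p = head.flink; p != &head; p = p->flink)
        n++;
    return n;
}

/* DKOM: patch the neighbours to skip p. p itself is left intact so its
 * threads still run. Pointing p's own links at itself keeps a later exit
 * from corrupting the list. No code was changed anywhere. */
void dkom_hide(struct proc *p)
{
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;
}

/* Cross view: enumerate the low-level PID table and compare with the
 * high-level list. Anything present in the table but absent from the list
 * is reported. Returns the number of hidden PIDs, written to out[]. */
int cross_view_hidden(int *out, int max)
{
    int n = 0;
    for (int pid = 1; pid < MAX_PID; pid++) {
        if (pid_table[pid] == NULL)
            continue;
        int seen = 0;
        for (struct proc *p = head.flink; p != &head; p = p->flink)
            if (p->pid == pid) { seen = 1; break; }
        if (!seen && n < max)
            out[n++] = pid;
    }
    return n;
}

/* Builds the constructed sample system and returns the process to hide. */
struct proc *build_sample_system(void)
{
    head.flink = head.blink = &head;
    memset(pid_table, 0, sizeof pid_table);
    create_process(4, "System");
    create_process(5, "explorer.exe");
    struct proc *rk = create_process(6, "fu_backdoor.exe");
    create_process(7, "notepad.exe");
    return rk;
}

int main(void)
{
    struct proc *rk = build_sample_system();
    printf("before: list sees %d processes\n", count_via_list());
    dkom_hide(rk);
    int hidden[MAX_PID];
    int n = cross_view_hidden(hidden, MAX_PID);
    printf("after:  list sees %d, cross view flags %d hidden (pid %d)\n",
           count_via_list(), n, n ? hidden[0] : -1);
    return 0;
}
```

On a real system the "low-level" view has to be obtained by some route the rootkit has not already subverted, which is the whole difficulty: a rootkit that edits both the list and the table, or that hooks the detector's raw reads, leaves the two views agreeing.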
Integrity based detection is an alternative to either signature based detection
or heuristic detection, and works by comparing a snapshot of the filesystem or
memory with a known trusted baseline. Differences between the two are taken as
an indicator of malicious activity. Examples of this are Tripwire from
SourceForge, and System Virginity Verifier by Joanna Rutkowska. Tripwire was
effective against early rootkit designs that replaced binaries on disk, but is
of little use against the modern rootkit, which leaves the files alone and
modifies the running system in memory. System Virginity Verifier, on the other
hand, is, to me, very promising: it compares the code sections of the kernel
and drivers in memory against the corresponding files on disk, also checks the
integrity of data structures, and uses advanced heuristics to help deal with
false positives stemming from normal system hooks.
Join me in keeping high hopes for this one. It could be absolutely great!
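To show what an in-memory integrity check actually compares, here is an added example in C. It is not code from this article or from System Virginity Verifier. It plants an inline hook, a 5-byte x86 "JMP rel32" written over a function's first instructions, into a constructed in-memory copy of a code section, then finds it by diffing that copy against the pristine on-disk image and decoding where the jump goes. The section contents, the function offset and the addresses are assumptions made for the example; nothing here is executed as code.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the article: an inline hook (JMP rel32 over a
 * function prologue) and an integrity check that finds it by comparing
 * in-memory code with the on-disk copy, the idea behind System Virginity
 * Verifier. The "module" is a constructed byte array, not loaded code. */

#define CODE_SIZE   64
#define FUNC_OFFSET 16      /* where the guarded function starts in the module */

/* Constructed pristine image: stand-in for the section as read from disk. */
static uint8_t disk_image[CODE_SIZE];
/* In-memory copy of the same section, which a rootkit may patch. */
static uint8_t memory_image[CODE_SIZE];

void load_module(void)
{
    /* Filler bytes, with a normal prologue at FUNC_OFFSET:
     * push ebp; mov ebp,esp; sub esp,0x10. */
    static const uint8_t prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    memset(disk_image, 0x90, CODE_SIZE);
    memcpy(disk_image + FUNC_OFFSET, prologue, sizeof prologue);
    memcpy(memory_image, disk_image, CODE_SIZE); /* loader maps it unchanged */
}

/* Inline hook: overwrite the first 5 bytes of the function with
 * JMP rel32 to the rootkit's handler. rel32 is relative to the address
 * just after the 5-byte instruction. The overwritten bytes are returned
 * in saved[] so a trampoline could replay them before jumping back. */
void inline_hook(uint32_t func_addr, uint32_t handler_addr, uint8_t saved[5])
{
    memcpy(saved, memory_image + FUNC_OFFSET, 5);
    int32_t rel = (int32_t)(handler_addr - (func_addr + 5));
    memory_image[FUNC_OFFSET] = 0xE9;
    memcpy(memory_image + FUNC_OFFSET + 1, &rel, sizeof rel); /* host byte order */
}

/* Integrity check: byte-diff memory against the disk image. Returns the
 * number of differing bytes. If the first difference is a JMP rel32, the
 * jump target is decoded into *target; otherwise *target is set to 0. */
int verify_code_section(uint32_t module_base, uint32_t *target)
{
    int diffs = 0, first = -1;
    *target = 0;
    for (int i = 0; i < CODE_SIZE; i++) {
        if (memory_image[i] != disk_image[i]) {
            if (first < 0)
                first = i;
            diffs++;
        }
    }
    if (first >= 0 && memory_image[first] == 0xE9 && first + 5 <= CODE_SIZE) {
        int32_t rel;
        memcpy(&rel, memory_image + first + 1, sizeof rel);
        *target = module_base + (uint32_t)first + 5 + (uint32_t)rel;
    }
    return diffs;
}

int main(void)
{
    uint32_t base = 0x10000000u, handler = 0x7fff1000u, target;
    uint8_t saved[5];
    load_module();
    printf("clean:  %d differing bytes\n", verify_code_section(base, &target));
    inline_hook(base + FUNC_OFFSET, handler, saved);
    int d = verify_code_section(base, &target);
    printf("hooked: %d differing bytes, JMP to 0x%08x\n", d, target);
    return 0;
}
```

The decoded target is what makes the check useful in practice: an address inside another loaded driver or DLL points the analyst straight at the hooking module, while a target inside the same module often turns out to be a legitimate hot patch, which is the kind of false positive the heuristics mentioned above have to filter.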
This technology is very new and was born as a project at the University of
Maryland. A new company, Komoku of College Park, Md. is currently the owner of
this technology. With funding (at around $2.5million) coming from government
contracts, specifically DARPA (Defense Advanced Research Projects Agency), the
Department of Homeland Security, and the U.S. Navy, they have developed a
proprietary, high-assurance PCI card based detection system called Copilot. The
PCI card has its own processor and memory allowing it to remain independent of
the system it is installed into. It also has its own network interface allowing
communications to an outside administrative department or team. The prototype
PCI card solution is currently not publicly available and is more than likely
pretty pricey at this time, but represents a formidable foe to rootkits.
Personally, I have high hopes that the governmental agencies involved will allow
mass production after the prototype is finalized so the benefits of this new
technology will become both available and affordable to the general computer
user like you and me.
Because it has its own processor and memory, independent of the computer it is
installed in, this PCI card can read the host's memory directly over the PCI
bus and check the kernel, its drivers and its key data structures without
going through the operating system, which may already be lying. A rootkit
running on the host cannot easily filter what the card sees, which makes
kernel modifications much harder to conceal. According to the project
designers, instead of looking directly for the rootkit, it looks for the side
effects of the rootkit's activity. Coupled with a software monitoring and
cleanup component that is also being developed with a partner (guess who:
Symantec), it could go a long way toward putting an end to the rootkit threat
on any machine it is installed in.
Komoku also plans to release a low-assurance software-only clone of this
technology called Gamma sometime this summer – I can hardly wait to see it.
Komoku is currently partnered with Symantec to handle disinfection, cleanup and
restoration after a rootkit or other sophisticated malware is found. Symantec’s
Live State product combined with Copilot and Gamma can restore the system to its
original operating state as if nothing had ever happened.
I see some really exciting, commercial software offerings becoming available for
us in the hopefully not too distant future, and I really hope the Copilot PCI
card becomes a reality for us as well.
For the time being, rootkit removal is rather subjective. A large body of
opinion holds that it is impractical. The majority seems to recommend copying
and saving your data files, wiping the hard drive clean, and re-installing
everything from scratch. The feeling is that this takes less time than trying
to remove the rootkit and restore the system, and, more to the point, that once
the kernel has been subverted you cannot trust anything it tells you about what
has been cleaned. If it was a truly severe case, and sensitive data and
material were at stake, I would tend to
For the average user, however, I would recommend running the Malicious Software
Removal Tool from Microsoft, scanning with Windows Defender, and trying a scan
with the latest version of SpySweeper from WebRoot. All have some degree of
rootkit detection and removal capability built in that I have had good success
with in the past. I have also cleaned up and removed some boot sector rootkits
with AVG Pro from Grisoft, another product I like a lot. A number of other
constituents I am in contact with also have reported good success with
BlackLight from F-Secure. BlackLight will be rolled into another F-Secure
product this summer as part of a security software suite, but it is still free
until June 1, 2006, after which it stops working. One thing to keep in mind –
BlackLight is currently a Beta program, and you assume all responsibility for
its use. If using it breaks your system, it’s your problem. Final release of the
integrated product from F-Secure this summer will come with support.
One final thing to remember: a rootkit alters the operating system, and thus
needs administrator privilege to install (not that you can expect a warning
that it is about to install, and you certainly will not see a Windows Installer
screen). A user mode rootkit run without administrator rights can only affect
that user's own programs; a kernel level rootkit must load a driver, and only
an administrator can do that. You can greatly reduce your exposure to this
threat in the first place if you remember not to go on-line with an account on
your computer that has administrator privilege. Use a limited account when
connecting to the Internet. If you absolutely must be on-line as an
administrator for certain programs to work, you might want to look into a
protection program like Process Guard (shareware, $29.95) that can prevent
programs from installing global hooks and injecting code into other processes.
If you are a high-risk user, such as a P2P user, and must be on-line as an
administrator, then you should definitely consider such a program mandatory.
Another possible program to look into is called AntiHook. Of the two, I can only
honestly recommend Process Guard for the high-risk user. AntiHook is freeware
and is a less powerful program, but it offers good, solid protection for the
average home user. Please note that AntiHook is only for home use, and currently
(AntiHook v 2.5) does not work properly with Windows XP Home edition. New
versions AntiHook 2.6 and AntiHook 3.0 are due out in a few weeks and promise to
fix this issue. Both programs (Process Guard and AntiHook) feature real-time
kernel mode protection. If you are a home user that downloads a lot and installs
downloaded programs, I really would recommend you use one of the two programs.
Either of these programs will be noisy at first as they go through a learning
curve of the software on your system, much like what you see with pop-up
warnings after installing a new firewall. Don’t despair though as things will
settle down soon when the program learns your particular system. You can also
minimize this if you use AntiHook by initially running it in fingerprint mode
for the first few days while it learns. Before doing this, however, you might
want to first scan your system if it has been on-line for a while to be sure it
is clean in the first place.
One final point. If you install either of these programs, please do not fool
yourself into thinking that you are now totally safe from all rootkits. Although
the vast majority of rootkits use hooking, remember that we also discussed
advanced rootkits that use DKOM. Although there are few of them in existence so
far, they are still out there, and I’m sure more will be coming.
I hope I have increased your knowledge of rootkits and how they work, as well as
why they are so dangerous. I also hope I have not made you afraid. You now know
about them, how they work, how to begin trying removal, and what to do for
prevention. There are also a lot of experienced techs available for help on the
5 Star Forums. I would sure try those avenues before contemplating saving all
my files somewhere and starting over from scratch by re-imaging my machine.
Try to remember that computer security is a never-ending game of wits between
opposing groups. We, the computer users, are in the vast majority, and I see no
reason for us to become afraid or intimidated. If we allow this to happen, we
forfeit the game without even trying, and that’s sad. If you are willing to poke
around a little here on the 5 Star Support Security Center, and at Microsoft’s
Website, you will find everything you need to keep yourself safe, and have an
enjoyable computing experience at least 99% of the time in a Windows world. Mac,
Unix and Linux have their share of problems too, in fact, they are becoming an
ever-increasing sized target for the bad guys as well.
I only request you keep three things in mind for your computing success:
- Know your computer (the basics – you don’t need to know everything)
- Know your software
These are actually pretty easy to learn, and we here at 5 Star Support are
always available and here to help you. Don’t forget about Microsoft’s Website
either. It may not be the easiest to navigate, but there is a wealth of free
information always available if you are just willing to look for it.
For a quick explanation of rootkits and how to deal with them, click the link below:
What is a rootkit?
Until next time here at 5 Star Support, happy computing!
10/29/06 Update -
AntiHook v 2.6 from InfoProcess is now available, and runs well on Windows 2000,
Windows XP and 2003 and all related service packs. AntiHook v 3.0 is still in
beta version only, and will be aimed more at the enterprise market for network
Users of Dr Web anti-virus should note that when trying to download and install
AntiHook v 2.6, Dr Web Anti-Virus displays a false positive and says that the
program contains a muldrop trojan in one of the .dll files. This is definitely a
false positive, as AntiHook contains no malware of any kind. This is the only
anti-virus program known to display this warning as of this writing. Dr Web has
been contacted by InfoProcess and has been requested to resolve this issue.