Rootkit

from Wikipedia, the free encyclopedia

A rootkit (roughly "administrator's kit"; root is the user with administrative rights on Unix-like operating systems) is a collection of software tools that is installed on a compromised system after the break-in in order to hide the intruder's future logins and to conceal processes and files from the legitimate administrator.

Today the term is no longer limited to Unix-based operating systems, since rootkits have long existed for other systems as well. Antivirus programs try to discover the traces of a compromise; the purpose of a rootkit is to camouflage malicious programs ("malware") so that neither the antivirus software nor the user notices them.

A related collection of software tools, built around a manipulated boot loader, is the "bootkit".

History

The first collections of Unix tools for the purposes described above consisted of modified versions of programs such as ps and passwd, which hid the traces an attacker would normally leave behind. This allowed the attacker to act with system administrator (root) rights without the legitimate administrator being able to notice.

Backdoor functionalities

A rootkit usually hides logins, processes and log files and often contains software to capture data from terminals and network connections as well as keystrokes, mouse clicks and passwords on the compromised system. It may also contain backdoors that make it easier for the attacker to regain access to the compromised system later, for example by starting a shell when a connection request arrives on a certain network port. The line between rootkits and Trojan horses is fluid; a Trojan differs mainly in how it infects a computer system.

Technical implementation

The defining characteristic of a rootkit is that it installs itself without the administrator's knowledge and thus enables the attacker to use the computer system undetected for their own purposes. These include, among others:

  • Eavesdropping or, more generally, the theft of data (e.g. access credentials, technical documents, trade secrets).
  • The installation of, for example, viruses in order to attack other systems.
  • The use of the system in distributed denial-of-service (DDoS) attacks.

Rootkits can open new backdoors. In addition, rootkits try to disguise the way they were introduced so that they are not removed by others.

Application rootkits

Application rootkits consist only of modified system programs. Because this type of rootkit is trivially detectable, for example by comparing the installed binaries against known-good checksums, it is rarely used today.
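The "trivial" check mentioned above, as an added example that is not part of the original article: a cryptographic baseline of system binaries is taken on a known-good system and later compared against the files on disk. The two stand-in "binaries" that demo() creates in a temporary directory, and the grep filter the trojaned copy applies, are constructed for illustration.

```python
"""Integrity baseline for system binaries.

Added example, not code from the article. An application rootkit replaces
programs such as ps, ls or netstat with trojaned copies, so the file on disk
no longer matches the original. A cryptographic baseline catches that: hash
every binary while the system is known-good, keep the digests off the host,
and compare later. The stand-in "binaries" used by demo() are constructed
for illustration; a real baseline would cover /bin, /sbin, /usr/bin,
/usr/sbin and the dynamic loader.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing regular file to its digest (taken on a trusted system)."""
    return {str(p): sha256_of(p) for p in paths if os.path.isfile(p)}


def verify_baseline(baseline):
    """Return {path: 'missing' | 'modified'} for every entry that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Simulate the attack: baseline two stand-in binaries, then swap in a
    trojaned 'ps' that filters its own output. Returns {(name, status)}."""
    with tempfile.TemporaryDirectory() as d:
        ps, ls = Path(d, "ps"), Path(d, "ls")
        ps.write_bytes(b'#!/bin/sh\nexec /bin/ps "$@"\n')   # constructed stand-in
        ls.write_bytes(b'#!/bin/sh\nexec /bin/ls "$@"\n')   # constructed stand-in
        baseline = build_baseline([ps, ls])
        # The "rootkit" replaces ps with a copy that hides a process name.
        ps.write_bytes(b'#!/bin/sh\nexec /bin/ps "$@" | grep -v backdoor\n')
        findings = verify_baseline(baseline)
        return {(Path(p).name, status) for p, status in findings.items()}


if __name__ == "__main__":
    print(demo())   # {('ps', 'modified')}
```

Package managers ship the same check (rpm -V, debsums), and tools such as AIDE maintain a full-system baseline. Two caveats matter in practice: the digest store must live off the host, or the attacker simply rewrites it, and the comparison must run on a trusted kernel, since a kernel rootkit can feed the hashing tool the original file contents while executing the trojaned ones. Booting from clean media before verifying avoids the second problem.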

Nowadays rootkits are found almost exclusively in the following types:

Kernel rootkits

Kernel rootkits replace parts of the operating system kernel with their own code in order to camouflage themselves ("stealth") and to give the attacker additional functions ("remote access") that can only be executed in the context of the kernel ("ring 0"). This is most often done by loading kernel modules, which is why this class of rootkit is also called LKM rootkits (LKM stands for "loadable kernel module"). Some kernel rootkits manage without an LKM by manipulating kernel memory directly. Under Windows, kernel rootkits are usually implemented as new .sys drivers.

Such a driver or module can intercept the function calls that programs use to list files or to display running processes and remove the rootkit's own entries from the result. In this way the rootkit hides its own presence on the computer.
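A practical consequence of such hooking is that the kernel is rarely hooked everywhere, so two independent views of the same object tend to disagree. The following cross-view check is an added example, not code from the article: it compares the process list obtained by reading /proc (the path ps and top use) with the set of PIDs that answer a kill(pid, 0) probe. Thread IDs are collected from /proc/<pid>/task because kill() also succeeds for them. The same principle underlies tools such as unhide.

```python
"""Cross-view check for hidden processes on Linux.

Added example, not code from the article. A kernel rootkit that hooks the
directory-listing path behind /proc often leaves kill(2) untouched, so a PID
that answers a probe but is absent from the listing is suspicious.
"""
import os

OWN_PID = os.getpid()


def listed_pids():
    """PIDs and thread IDs visible through procfs, the view `ps` relies on.
    Thread IDs must be included: kill(tid, 0) succeeds for any thread, but
    threads appear under /proc/<pid>/task rather than at the top level."""
    ids = set()
    try:
        top = [n for n in os.listdir("/proc") if n.isdigit()]
    except FileNotFoundError:        # no procfs (not Linux)
        return ids
    for name in top:
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:              # process exited mid-scan, or unreadable
            pass
    return ids


def pid_exists(pid):
    """Probe one PID with signal 0: nothing is delivered, but the kernel
    still reports whether the target exists. EPERM means it exists but
    belongs to another user, so that also counts as present."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:       # ESRCH
        return False
    except PermissionError:          # EPERM
        return True
    return True


def probed_pids(max_pid):
    """Every PID in 1..max_pid that answers the probe (PID 0 is skipped:
    kill(0, 0) addresses the caller's own process group)."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(listed_before, listed_after, probed):
    """PIDs that answered the probe but appear in neither procfs listing.
    Listing before and after the probe suppresses false positives from
    processes that start or exit while the scan is running."""
    return probed - (listed_before | listed_after)


def scan(max_pid=None):
    """Run the full cross-view comparison; returns the set of suspect PIDs."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768          # conservative fallback
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return hidden_pids(before, after, probed)


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", sorted(suspects) if suspects else "none")
```

On a clean system scan() returns an empty set; a non-empty result should be confirmed by repeating the scan, since a short-lived thread can slip between the two listings. The check is only meaningful when /proc shows all processes: with procfs mounted hidepid=2 an unprivileged user sees almost nothing in the listing and every other user's process looks "hidden". It also says nothing about a rootkit that hooks both paths consistently, which is why anti-rootkit tools compare several views (procfs, kill, /proc/<pid>/status of known PIDs, the scheduler's task list from kernel memory) rather than one pair.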

Userland rootkits

"Userland rootkits" are particularly popular under Windows because they do not require kernel-level access. They provide a DLL that hooks itself into running processes using various API methods (SetWindowsHookEx, ForceLibrary). Once this DLL is loaded into a process, it modifies selected API functions and redirects their execution to itself ("redirect"). The rootkit thereby sees the information the program requested and can filter or manipulate it before it reaches the caller.
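The mechanics described above, modelled in one Python process as an added example that is not code from the article: the directory-listing API is replaced by a wrapper that forwards to the real function and filters its result, exactly as a hooked Win32 export would. Because only the hooked entry point is affected, a second, unhooked view of the same directory (os.scandir here) exposes the hidden names. The marker prefix ".rk_" and the files demo() creates are constructed for illustration; this is a model of the technique, not Windows DLL injection.

```python
"""Model of a userland API hook and its cross-view detection.

Added example, not code from the article. A Windows userland rootkit injects
a DLL and patches selected API functions so that calls are redirected into
the rootkit, which calls the real function and filters what the caller sees.
The same mechanics are shown here inside a single Python process by
replacing os.listdir.
"""
import os
import tempfile

HIDE_PREFIX = ".rk_"           # assumed marker for files the "rootkit" hides
_real_listdir = os.listdir     # keep the original so the hook can forward to it


def _hooked_listdir(path="."):
    """Redirect target: call the real API, then filter the caller's view."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDE_PREFIX)]


def install_hook():
    """Patch the API entry point every caller in this process goes through."""
    os.listdir = _hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def cross_view_hidden(path):
    """Names visible through the unhooked os.scandir but missing from
    os.listdir. A non-empty result means something is filtering the API."""
    low_level = {entry.name for entry in os.scandir(path)}
    api_view = set(os.listdir(path))
    return low_level - api_view


def demo():
    """Create one visible and one 'hidden' file, install the hook and compare
    the two views. Returns (what the hooked API shows, what cross-view finds)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("visible.txt", HIDE_PREFIX + "secret"):   # constructed
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            seen = sorted(os.listdir(d))
            hidden = cross_view_hidden(d)
        finally:
            remove_hook()
        return seen, hidden


if __name__ == "__main__":
    print(demo())   # (['visible.txt'], {'.rk_secret'})
```

Real userland rootkits hook at a lower level (the import address table or the first bytes of ntdll exports such as NtQueryDirectoryFile), so all higher-level listing functions in the process share the same filtered view; the detection then compares the process's view with one obtained from outside the process, for example by a kernel driver or by reading the raw volume.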

Memory rootkits

Memory rootkits exist only in the working memory (RAM) of the running system. After the system is restarted ("rebooted"), they are gone.

Virtualization rootkits

Almost all common server, PC and laptop processors today have hardware support for presenting programs with a virtual processor. This is normally used to run several, possibly different, operating systems in parallel on one physical computer. Virtual machine based rootkits (VMBRs) are rootkits that move an existing operating system into such a virtual environment, so that the operating system is trapped inside it. The virtual environment is thus a software layer underneath the operating system, which makes a VMBR very difficult to detect from within.

Proof of feasibility was provided by Joanna Rutkowska with the Blue Pill program and by Microsoft Research with SubVirt. Unlike SubVirt, Blue Pill can be installed without restarting the infected computer. The name Blue Pill is an allusion to the film The Matrix.

Prominent rootkits in recent years

  • The company Sony BMG hit the headlines and had to recall several music CDs after it became known that the XCP ("Extended Copy Protection") copy protection Sony used on music CDs employed rootkit methods on Windows systems. Although not itself a virus or Trojan horse, its very existence opens the door to further malware.
  • Sony also sold a USB stick with a fingerprint scanner whose software hid a rootkit in the Windows directory in order to provide its full functionality. According to a Sony press release, production and sale of this USB stick were discontinued at the end of August 2007.
  • In 2006 the company Kinowelt sold and rented DVDs in German-speaking countries with a copy protection developed by Settec that also installs a userland rootkit under Windows to hide processes.
  • Researchers at the University of Michigan developed a variant that uses virtual machines as rootkits ("Virtual Machine Based Rootkits"). The work on this project, called SubVirt, was supported by Microsoft and Intel, among others. The rootkit, developed by university researchers together with Microsoft employees, was presented at the IEEE Symposium on Security and Privacy in May 2006.
  • At the Black Hat conference in January 2006 a possible rootkit type was presented that survives even reinstalling the operating system or reformatting the hard disk, because it manipulates the ACPI ("Advanced Configuration and Power Interface") tables or lodges itself in the PC BIOS.
  • In September 2008 the company EA released the game Spore with DRM that used rootkit methods to hide its online-authentication copy protection from the user. This gave rise to a controversy that has continued since.

Removal of rootkits

Since rootkits cannot be detected with 100% certainty, the safest method of removal is a complete reinstallation of the operating system. Because certain rootkits hide in the BIOS, even this does not guarantee that the rootkit is gone. To prevent infection of the BIOS in advance, the BIOS should be write-protected in hardware, e.g. by a jumper on the motherboard.

For many rootkits from commercial manufacturers, however, detection and removal programs already exist, e.g. for the Sony rootkit.

References

  1. Heise Verlag: Sony BMGs Kopierschutz mit Rootkit-Funktionen, www.heise.de/newsticker/Sony-BMGs-Kopierschutz-mit-Rootkit-Fätze--/meldung/65602
  2. Golem.de: "Sony's USB sticks with rootkit function"
  3. GameStar.de: "Sony: Production of USB sticks with rootkit discontinued" (archived from the original on September 3, 2007 in the Internet Archive)
  4. heise.de: DVD copy lock Alpha-DVD: Update or Uninstaller
  5. heise.de: Once again: Rootkit in the PC BIOS
  6. heise.de: Spore: Trouble about copy protection
  7. technet.microsoft.com: Sysinternals on removing rootkits
  8. Jürgen Schmidt: Hacking Team uses UEFI rootkit. heise.de, July 14, 2015, accessed on August 6, 2015.