what are rootkits?
First of all you need to know that rootkit is NOT a virus…
A rootkit is a combination of two words, root and kit, root is the super user in the *nix operation system, can be equivalent to the administrator user in the windows operation system, the kit stand for kit of tools, so in its basic concept a root kit are a set of tools that will give you the option to be as root, the supper user, by that you will be able to do anything on the desire machine.
The term rootkit is known for long time, more than 10 years, it become more familiar in 2005 when computer virus coders started to use the power of rootkit to create more powerful malicious code.
Some of the “powers” that rootkits add to viruses was a way to hide itself on the operation system, and by that archive the power to bypass anti- malicious tools, like firewalls and anti-viruses.
Rootkits uses some method to take advantage of the operation system and manipulate it in a way that it was bale to hide all kind of object on the computer, include running process, file, registry keys, network connections and so on.
As I mention above rootkit can run on kernel environment and in order to write code that can run on the kernel you have to develop drivers, or filter drivers.
Since then there are all kind of rootkit technologies, some work in user mode, some on kernel mode and some can work on hardware, they take advantage of hardware memory, like BIOS, Network Card, Video Card etc. and write some of the code on its memory, in this case even replacing your computer hard drive will not clean the rootkit from your computer.
Before windows vista, there was an option to load a driver in your computer even if the driver was not sign and without the known of the user or the driver manager, once you load the driver into kernel mode the driver was able to run and change the behavior of the operation system, not only that on kernel mode there was no privilege checking, ones you’re in kernel you can do whatever you want and no one check what you do.
In vista and today operation system Microsoft change the default behavior of the operation system so it will be harder to load a driver to the system, there were some bugs that malicious code use to bypass the operation system checks in order to load the driver, the known bugs might be closed, but from time to time another methods are discovered and use to load rootkit drivers to the system.
How does a rootkit work?
An easy example of flow that hide process on the operation system will be the following, if we look on the operation system process, by opening the task manager and press on the Process tab, by the way there is a hot-keys to open Task Manager – Control + Shift + Escape, we can see the list of current running process on the system, please note that you might only see your running process and in order to see all the running process on the system you need to check the show process from all users check box, or press on the show all process button.
In order to understand what is a process we need to read information about it as a developer, and by that we will be able to understand that there is a structure that hold information about each process in the system, and if we dig a bit more we will find that each structure contains link to a previous and the next process, in a programming language its call a link list or double link list, which mean that each structure can point on the next structure and or the previous structure. In order to get this list I just need to get a pointer to the current structure from my program and start to run on the link list to both sides till I get to an empty structure also call null, this way I know I got to the last process in the list, this is more or less what every basic process viewer will do, actually there are function that can do it for us.
So let’s say we want to hide a process, if we can get the current process structure and by that we can get all the process that currently running on the system, if we say that the current process next structure will point to the previous and the previous to the next one and our process will point to nothing aka null, we just take our process out of the process list, so programs that use the function to list process on the system will not see that process.
This is just one method to hide process on the system, there are much more sophisticated method to do it, but you got the idea of what it is to hide a process in the system.
[Example movie of hidding a running process]
Now let’s talk about files for example, when you open the explorer it list the file that in the current directory, and that is trivial to all the users, if we look behind the scene this is what happens, in short, there is a call to a set of user mode functions that deal with files like FindFirstFile and FindNextFile those function go into the kernel mode version of the functions which go deeper till they reach the hard disk driver itself and returning the data about the files in the current folder, again there is a structure that hold search for file information, the explorer manipulate the return data as we expect to see it, re: order by the ABC, Date, Size etc. and show us the list of files in the folder, keep in mind for example that today you are not seeing two folders that still there, the . (dot) and the .. (double dot), during the parsing of the returning date the two folders ware removed from the returning data that the user will see ( if you open command line (start->run->cmd ) and type dir you will be able to see the two folders).
Now that you see what it take to show you the list of files we can go on, if I want to hide files on the system we need to create something that manipulate or change the above function, there are several method to do it, an example for user more will be to create a hook and add it to the explorer and if there will be a call to one of the File function we will check the data and update it as necessary to hide the files we want to hide. In kernel mode we will add a filter driver and add it to the driver chain and manipulate the data to hide the files that we do not want the user to see.
There are more methods to use in order to hide all kind of objects in the operation system, but this is out of the scope of this article.
how to remove a rootkit?
Well that depend on the rootkit technology that the malware you have is using, most of the operation system, user/kernel rootkit technology can be remove by most of the anti-malware tools some of them have a dedicated tool that was written to deal on a special malware, in most cases if it is a known malware and rootkit technology the anti-malware tool might remove the malware and the rootkit itself or recommended you a dedicated tool to get in order to remove it or at least it will give you the name of the malware and using that name you can search the web for tools to deal with this malware and its rootkit technology.
There are some malware that use hardware base rootkit and to remove them will be almost impossible due to the fact that there might be left over from it on the hardware and to remove it completely you might need to replace the hardware itself, this is also true to some BIOS viruses that use rootkit technology to patch the mainboard BIOS, and by that all the BIOS code was change to infect the system all the time, it might also be so strong that you might need to buy a new computer, we are not there yet but there are some proof of concept about this type of attack.
I want to learn more about rootkits, where?
There are some books that can show you how rootkit works and how to develop them. The books are design mostly for developer with knowledge in the C++ language, due to the nature of rootkit as driver object. I can recommend on the following books that have a lot of information, examples and types of rootkit development: Rootkit subverting the windows kernel (by Greg Hoglund and James Butler) and The Rootkit Arsenal (by Bill Blunden).