Quick Links

Rootkits compromise a network in a way that lets the threat actors get back in whenever they like. They may exfiltrate information, delete files, or plant other malware. Here's how to stay safe.

Rootkits

Rootkits are a particularly pernicious form of malware. They are very difficult to detect and even harder to get rid of. On top of that, they give the threat actor tremendous power over your system including the ability to come and go as they please. This puts long-term observation and reconnoitering fully within the threat actors' grasp.

Rootkits are not new. They have been around since the early 1990's when the first rootkit was developed for Sun Microsystems' SunOS Unix operating system. This is reflected in the name. The "root" part refers to the system administrator on Unix-like operating systems, and the "kit" part describes the collection of software tools required to perfrom the exploit.

The first rootkit designed specifically for the Windows operating system was a piece of malware called NTRootkit. It was created by a security researcher called Greg Hoglund to promote interest in developing defenses against such attacks.

A recent innovation has been the development of rootkits for Internet of Things (IoT) devices. Partly this is because of the astonishing proliferation of IoT devices. The more targets the threat actors have, the happier they are. But the real reason the cybercriminal finds them such an attractive target is the lack of robust security---sometimes any security at all---in the majority of IoT things devices.

Any point of ingress is useful to a threat actor. IoT devices often have the weakest security capabilities of any device connected to a network. They are internet-facing, connected to the organization's Wi-Fi, and almost certainly not segmented away from the main corporate network. If the compromised IoT device doesn't suit their needs as a base in your network they can easily find and move to another location that better fits their purpose.

How Rootkits are Installed

Rootkits cannot self-replicate like viruses and worms. They must be distributed by some other mechanism such as social engineering-based attacks like phishing email campaigns, infected websites, or USB drops.

Phishing campaigns send out fraudulent emails that masquerade as emails from genuine, trusted sources. The emails are carefully worded. They try to coerce the recipient into clicking on a link or opening an infected attachment. The attachment contains a piece of software called a dropper. Once this is installed it downloads a further payload---the rootkit itself---from the threat actor's servers. Phishing emails without attachments have links in them that take the victim to infected websites. These websites exploit unpatched browsers to infect the victim's computer.

A USB drop is a more targeted attack. Infected USB memory keys are left in places where they will be found by staff members of the targeted organization. The USB memory key is usually attached to a set of keys. This starts a series of events aimed at identifying the owner of the keys. Of course, no one comes forward to claim them. Sooner or later, someone will insert the USB memory key into a computer to look for information that identifies the owner. What appear to be PDFs or other document files on the USB memory key are actually masked programs. Trying to open one of them will infect the computer.

Trojan techniques can be used too. This is where an innocent software application is repackaged by the threat actors in a different installation routine. The installation of the software appears to proceed as expected but the rootkit has been installed along with the application. Cracked and pirated software from torrent sites are often Trojans.

What a Rootkit Does

Rootkits dig in deep. The dropper can hide in the BIOS or UEFI so even if the hard drive is wiped the dropper simply downloads the rootkit again. This is how rootkits can seem to magically survive completely reformatting the hard drive, or even swapping out the hardware and installing a brand new hard drive.

A rootkit installs itself in such a way that it appears to be an integrated and legitimate part of the operating system itself. They can prevent their detection by endpoint protection suites, may remove end-point protection software, and may include techniques to prevent their removal even if they are detected by endpoint protection software. Because it has administrator-level privileges a rootkit---and therefore, the threat actors---can do whatever it likes.

Threat actors particularly like rootkits because of the private backdoor it gives them. It's like an intruder in a building. If they have to pick the lock every time they try to gain access they are going to be spotted sooner or later. But if they have their own key or they know the code for the door entry keypad they can come and go at will. In 2020 the average time from infection to detection and containment was over 200 days. This is why rootkits are classed as advanced persistent threats.

A rootkit may do any of the following:

  • Install a Backdoor: This allows the threat actors to have easy repeat access to the network.
  • Install Other Malicious Software: The rootkit might install further malware such as keylogging software. The aim is to catch authentication credentials to online banking, other payment platforms, or other services the cybercriminals are interested in. Once the threat actors have decided that they have milked as much out of your network as they can, they may install ransomware as their parting shot. It is becoming more and more common that a network is compromised and sensitive or company confidential material is exfiltrated before the ransomware attack is triggered. If the victim has a robust disaster recovery scheme in place and refuses to pay the ransom the cybercriminals threaten to publicly release the private documents.
  • Read, copy, exfiltrate, or delete files: Once they are in your network nothing is private or immutable.
  • Change System configurations: Rootkits will modify system settings to hide from endpoint protection software and appear legitimate to other components of the operating system. It will modify settings to give itself the highest level of administration rights and permission to interact with the lowest level of operating system functionality.
  • Access and modify log files: Rootkits will amend system logs to make their discovery or Investigation impossible.
  • Log and monitor keystrokes: Logging keystrokes is a simple and effective way to capture usernames and passwords, both for local systems and online systems. After all, everything you type goes through the same keyboard.

Who is Behind Rootkits?

Rootkits are extremely sophisticated pieces of code. The creation of an effective rootkit is beyond the capabilities of the average cybercriminal. However, rootkit toolsets are available on the Dark Web. These put the power of rootkits into the hands of any reasonably competent programmer. Proof of concept code demonstrating rootkit techniques is even available on GitHub.

To write a rootkit from scratch requires a lot of resources and top-tier development expertise. State-sponsored offensive cybergroups---APT groups---working on behalf of their military or other agencies are a known source of rootkits. A recent example is the Drovorub rootkit. National Security Agency (NSA) and Federal Bureau of Investigation (FBI) attribution for this has identified the Russian 85th Main Special Service Center (GTsSS)---also known as APT28 and Fancy Bear---as the group behind the threat.

Types of Rootkits

Rootkits can be classified according to some of their behaviors. The more common variants are:

  • Kernel rootkits: These operate at the kernel level. The rootkit obtains all of the privileges granted to the operating system.
  • Application rootkits: These function at the application level. Typically, they replace or modify applications modules, files, or code. This enables the rootkit and cybercriminals to pose as normal, permitted software.
  • Memory rootkits: These operate in Random-Access Memory (RAM). Because they run in RAM they do not leave any digital footprints or file signatures on the hard drive.
  • Bootkit: A bootkit---or bootloader kit---is a rootkit that affects the operating system boot loaders such as the Master Boot Record (MBR). These are initialized while the computer powers up and before the operating system is fully loaded. This makes their removal extremely difficult.
  • Library rootkits: These rootkits behave like a kernel patch or hook. They either block, or intercept and modify, system calls. They may also replace Dynamic Link Libraries (DLLS) in Windows-based systems or libraries in Unix-like operating systems.
  • Firmware rootkits: These affect firmware on network devices. This gives the threat actors' control of the device. From this foothold, the threat actors can move onto other networked devices and computers.

Detection and Removal

Sudden inexplicable crashes or very poor performance may be indicators that you have a rootkit. Poorly engineered rootkits built on the "self-assembly" tool kits available on the Dark Web may introduce instability into your system. because rootkits interwork with the kernel and other modules of the operating system at the lowest level, bugs in the rootkit can easily lead to system instability.

Rootkits are notoriously difficult to detect because they can hide so successfully from end-point security suites. Some of the top-tier big-name end-point protection suites claim to be able to detect some rootkit variants, which is a help.

Security software that includes behavioral analysis techniques can build a picture of the correct operation of your computer and the network habits of the different types of roles your users have. Deviation from expected behavior can be an indication of a rootkit on your system. It should be noted that without high-end detection systems it usually requires specialist intervention to positively identify a rootkit compromise and to you remove them.

  • Security auditing software takes reference fingerprints of system-critical files. The software is configured to scan your computer regularly. Any differences between the on-disk files and their reference signatures mean the files have been altered or replaced. These anomalies are flagged up for investigation. This technique can find modified or substituted files, kernel patches, DLLs, and drivers. An example of this type of security auditing tool is the open-source Lynis package with a suitable file integrity plug-in.
  • API monitoring software can track the calls and data returned from API calls. Any variance from the expected norms is flagged as suspicious.

removal can be a long-winded affair. Booting into safe mode doesn't do any good with a rootkit. You need to boot from a CD or DVD containing an operating system. This means your hard drive isn't involved in the boot process and the rootkit dropper software cannot modify the image on the CD or DVD.

Often the operating system booted into isn't the same as the one your machine normally runs. On a Windows PC, you might boot from a Linux Live CD, for example. You can then use specialist rootkit hunting software to identify where the dropper resides so that it can be removed. The hard drive should be replaced or completely erased and re-installed.

Prevention is the Best Cure

The vast majority of rootkit infections depend on human interaction. Perhaps someone has been duped by a phishing email or decided to download software from an illegal torrent site. This means the best way to improve your defenses against compromise by rootkits is to provide cybersecurity awareness training to your staff and to have policies and procedures for them to follow.

An Acceptable Use Policy details what is and what is not considered acceptable use of your organization's computing resources. Can your employees browse to any type of website during their lunch break, or are some categories of website banned? What are the rules about allowing them to view their personal webmail? if they use their office desktop to read their personal mail and fall for a phishing attack, it is your organization that is compromised not the user's domestic computer.

A Password Policy must contain clear guidance for the construction of robust passwords, as well as the pitfalls to avoid. Don't base passwords on anything that can be socially engineered such as children's names or anniversary dates. Don't re-use passwords on different systems. You should advocate password managers, and provide a list of which ones are approved for use. Implement two-factor authentication where you can.

Conduct short, sharp training sessions describing the threat from malware and phishing attacks. A ransomware attack might threaten the financial viability of the organization, so paying attention to cybersecurity doesn't just protect the business it protects your employees' livelihoods. Give guidance on how to spot a phishing email, and what to do if they receive one. Foster a security-minded culture in which security-based queries and double-checks are valued, not frowned upon.

You may wish to engage with a cybersecurity company and perform staff susceptibility exercises such as benign phishing campaigns and USB drops to identify staff who require top-up training.

With most types of malware, your personnel are your troops on the front-line. You should empower them to be the most effective they can be at protecting your network.