
Thursday, April 21, 2005

Rootkits: What They Are and Their Impact

This article is from a good friend of mine named Aaron Hulett and is sent out from his website ManageYourPC.com

Who is Aaron you ask?

Well he is not only a very good friend, he is also extremely intelligent and always willing to help. Here is some info for you:

Aaron is a senior at Oakland University studying for a Bachelor of Science in Engineering with a major in Computer Engineering. His past experience includes working as Chief Research Officer for Lavasoft's Ad-Aware program, and he currently works as a Trojan Analyst for Mischel Internet Security's TrojanHunter program.

Greetings.

Several on the forums have requested that I explain what rootkits are and how they impact today's malware. Here goes.

For those familiar with Unix systems, the account with the most power is root; on Windows systems, the equivalent is commonly Administrator. The name comes from that account: a rootkit is a kit of tools for working at that most privileged, most intimate level of the operating system and, in the malicious case, for staying there unnoticed. To understand how rootkits are used maliciously, some understanding of operating system structure is needed.

The kernel is the core of the operating system. It handles all the low-level work, such as managing memory, loading files, and communicating with devices. On top of it on Windows runs the Win32 subsystem (there are other layers, but for simplicity, let's just go with this one). This layer presents the user interface to you and gives programmers easy API calls for things like drawing a file-Open dialog or an error message box.

Rootkits themselves are just a technique; what makes them bad is their use by malware. With rootkit techniques, malware writers can intercept calls to the Win32 APIs or even to the kernel itself, by substituting their own code for the function an application thinks it is calling. A user-mode rootkit does this inside each process (for example, by patching the table through which the process looks up API functions); a kernel-mode rootkit does it with a driver, beneath every application at once. This is how they hide file listings from Explorer or the command window. When you open an Explorer window to, say, System32, a chain of API calls asks the kernel to read the disk, pull the list of files in that directory, and return it so it can be drawn as a nice set of icons for you. The rootkit lets the malware sit in that chain and strip its own files out of the list before it gets back to Explorer. You see what looks like a complete listing, when in fact a couple of entries are missing because the rootkit removed them on the way back.

The same trick works for running processes (the hooked call is the one that enumerates processes instead of files), and it can go further than that: registry keys, open network ports, and other objects can be filtered out of their listings the same way. This is what makes rootkits used for malicious purposes so dangerous. By working very near the kernel, the malware can manipulate several everyday tasks at once, which makes removal extremely difficult (try removing a file you can't even get listed).

In some cases, the rootkit is a separate component that comes along for the ride during the infection process. More commonly, though, the hiding functionality is built into the malware's own program files, and only two or three files (typically a driver or a DLL plus the main program) are needed to complete the infection and start altering system calls such as the ones that pull directory listings. The one thing in the defender's favor is that all code MUST be loaded into memory (RAM) to execute; there's no way around that. So memory scans can find these components, but, as you're probably guessing, it's not that easy: a rootkit that hooks the file listing can hook the calls a scanner uses to read memory or the disk just as well. To remove these things, an antivirus/antitrojan/antimalware program has to get at least as deep into the OS as the rootkit, so that it reads files, processes, and memory by a path the rootkit does not control (or the disk has to be scanned from a clean boot, where the rootkit's code never loads at all). In some cases it can be done, and in others not; it depends on the capabilities of the scanning and cleaning components of the removal program.
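To make the interception described above and the scanner's counter-move concrete, here is a self-contained simulation added for this page (it is not code from Aaron's article and not taken from any real rootkit, and it runs on any system, not just Windows). The `api_table` of function pointers stands in for a process's import table, `install_rootkit_hook` overwrites the directory-listing entry with a filtering wrapper, and `find_hidden_entries` does what a scanner that gets beneath the hook does: it compares the listing returned through the API layer with the one the "kernel" returns directly and reports the difference. The disk contents and the `$rk_` naming convention are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN 64

typedef struct {
    char names[MAX_ENTRIES][NAME_LEN];
    int count;
} dir_listing;

/* Constructed "disk": what is really stored in the directory. The two "$rk_" files
   stand in for the rootkit's own components (names made up for this example). */
static const char *disk_contents[] = {
    "kernel32.dll", "ntdll.dll", "notepad.exe", "$rk_driver.sys", "$rk_config.ini"
};
#define DISK_COUNT ((int)(sizeof disk_contents / sizeof disk_contents[0]))

/* The kernel: the only code that actually enumerates the directory. */
static int kernel_read_directory(dir_listing *out)
{
    out->count = 0;
    for (int i = 0; i < DISK_COUNT && out->count < MAX_ENTRIES; i++) {
        strncpy(out->names[out->count], disk_contents[i], NAME_LEN - 1);
        out->names[out->count][NAME_LEN - 1] = '\0';
        out->count++;
    }
    return out->count;
}

/* The API layer: applications reach the kernel through a table of function pointers,
   much like a process's import address table. */
typedef int (*list_dir_fn)(dir_listing *);

static int api_list_directory(dir_listing *out) { return kernel_read_directory(out); }

static struct { list_dir_fn list_directory; } api_table = { api_list_directory };

/* What Explorer or "dir" does: call through the table and draw whatever comes back. */
static int explorer_list(dir_listing *out) { return api_table.list_directory(out); }

/* ---- the rootkit: overwrite the table entry with a filtering wrapper ---- */
#define HIDDEN_PREFIX "$rk_"
static list_dir_fn original_list_directory = NULL;

static int hooked_list_directory(dir_listing *out)
{
    dir_listing real;
    original_list_directory(&real);          /* get the true answer first... */
    out->count = 0;
    for (int i = 0; i < real.count; i++) {
        if (strncmp(real.names[i], HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) == 0)
            continue;                         /* ...then drop our own files from it */
        strcpy(out->names[out->count++], real.names[i]);
    }
    return out->count;
}

static void install_rootkit_hook(void)
{
    if (original_list_directory != NULL)
        return;                               /* already installed; don't hook the hook */
    original_list_directory = api_table.list_directory;
    api_table.list_directory = hooked_list_directory;
}

/* ---- the scanner: cross-view comparison ----
   Ask the (possibly hooked) API layer and the kernel directly, and report every entry
   the kernel knows about that the API layer no longer returns. */
static int find_hidden_entries(dir_listing *hidden)
{
    dir_listing high, low;
    explorer_list(&high);
    kernel_read_directory(&low);
    hidden->count = 0;
    for (int i = 0; i < low.count; i++) {
        int seen = 0;
        for (int j = 0; j < high.count; j++)
            if (strcmp(low.names[i], high.names[j]) == 0) { seen = 1; break; }
        if (!seen)
            strcpy(hidden->names[hidden->count++], low.names[i]);
    }
    return hidden->count;
}

int main(void)
{
    dir_listing l, h;
    int visible = explorer_list(&l);
    int hidden = find_hidden_entries(&h);
    printf("before hook: %d entries visible, %d hidden\n", visible, hidden);
    install_rootkit_hook();
    visible = explorer_list(&l);
    hidden = find_hidden_entries(&h);
    printf("after hook:  %d entries visible, %d hidden\n", visible, hidden);
    for (int i = 0; i < h.count; i++)
        printf("  hidden: %s\n", h.names[i]);
    return 0;
}
```

The scanner only wins here because `kernel_read_directory` is a path the hook does not touch. A real kernel-mode rootkit can hook that lower path too, which is the point of the paragraph above: the scanner has to read by a route at least as deep as the rootkit's hooks, or run when the rootkit is not loaded at all.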

What do I personally think this is going to lead to? Well right now, anyone that runs a Unix-based system knows that running as root all the time is a very very bad idea, so they don't. But when it comes to Windows, being told to not run as Administrator doesn't seem to faze anyone. The big reason in my opinion is that while running on, say, Linux with an account other than root means that things like web browsers, word processors, etc. all work just fine, when it comes to limited user accounts on Windows, it causes a severe reduction in usability. Program writers of Windows software need to make their programs function in these limited states before a transition away from running as Administrator all the time can become a feasible option.

Until then, the standard security practices apply: run an antivirus, run a firewall, don't open attachments that look risky, stay away from malicious websites, and so on. If you have any questions, feel free to ask at the forums.

Until next time, take care.
Consider subscribing to Aaron's newsletter HERE
