Local Tech Repair: Rootkits Understood

Sunday, April 17, 2011

Rootkits Understood

There is some confusion in parts of the tech industry about what a rootkit is, so I want to talk to our users about what rootkits really are and the different types of rootkits out there. I will try not to rewrite my research paper in this post, but rather give you an overview of the research I have done over the years.

I was reading some tech blogs like I normally do and I ran across a post on rootkits, and realized I have not posted any of the research I did in college on here to talk about it. In college, my university had a directed research class in which we got to choose a topic of our choice, research it for the next 6 months, write a 25-page paper on that research, and present it to the school. I was able to do my research on a specific type of rootkit called VM rootkits, or virtual machine rootkits. I will talk more about these later.

So for those that do not know, rootkits are small pieces of code, or a program, whose sole purpose is to hide itself from the operating system and the user. Kind of like the stealth technology the US has in its stealth fighters: the rootkit is that technology, not the fighter itself.

A rootkit is different from a virus or malware. A worm, virus, and malware all use methods of self-preservation, either by copying code to other computers or by making the software hard to delete. A rootkit, on the other hand, will try to hide itself from antivirus software so that it can preserve itself. It is common for viruses and malware alike to use rootkits in their programs to help keep their programs installed longer. For instance, a Black Hat (unethical hacker) will use a rootkit to hide their code that logs keystrokes or opens a back door into the operating system.

There are 3 main types of rootkits, as I like to categorize them. A level 1 rootkit is one that does not compromise the kernel of the operating system but will try to compromise other files to hide itself. A level 1 rootkit is one of the easiest rootkits to detect on a system. A level 2 rootkit is one that compromises the kernel of the operating system. This means the rootkit is using system calls to hide itself. For instance, when an antivirus program checks the list of programs in memory, it must ask the kernel for that list. In turn the rootkit may wipe any reference to itself while handing the virus scanner the information, and in doing so make the virus scanner think there is no problem. These forms of rootkits are very hard to detect because the methods they choose to hide themselves are more complex than most of the basic virus scanners out there can handle.

Now for the most dangerous type of rootkits: those that fall into level 3. These rootkits sit completely outside of the operating system. There are various types of these too, everything from boot loader rootkits to VM rootkits. The reason these are so dangerous is that they are undetectable to any software you install on your computer. For instance, a rootkit in the SMM (System Management Mode) of a CPU will be able to control all information going through there, and a simple key logger there will be able to send everything you press on your keyboard out to whoever they want. This is a dangerous thing found in some Intel processing chips.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.153.9106&rep=rep1&type=pdf 

Another type is those that hide in the hypervisor world of the computer. The most prominent rootkit is the one from Invisible Things Labs by Joanna Rutkowska. She developed a VM rootkit that would create a VM under any VM that existed or did not exist, and then run on the hardware. This means the rootkit could monitor anything the operating system was doing and in turn be able to do whatever it wanted. Since it was running at the hardware level, it was able to hide itself from any calls and keep itself in restricted space. But not only that, she built it to be able to layer itself, in a way: if the computer was already compromised it could be compromised again, with one rootkit after another stacked on top of each other. This rootkit is called the Blue Pill.

So how do you protect your computer from these rootkits? The best way is to take a proactive approach to it, which is really the only way, because if your computer is already infected you can't trust anything the computer is telling you. Some of the most trusted detectors, and some of the longest around, are chkrootkit and rkhunter, both for Windows and Linux. But they are not the only ones out there. Since rootkits have become so prevalent in viruses, worms, and malware, most of the main security virus scanners out there come with their own rootkit detectors. Even Windows has one called RootkitRevealer.
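As an added example (not from the original post, and not from any of the tools named above), here is a small cross-view check in the spirit of the level 2 discussion and of the point that a possibly hooked system should not be trusted to answer only once: it compares the /proc directory listing on Linux with an independent enumeration of PIDs obtained by probing each PID with signal 0, and reports PIDs that only the probe sees. The function names are my own, and the live scan at the bottom only runs on Linux.

```python
"""Cross-view process check: a level 2 rootkit that hooks the directory
listing of /proc cannot as easily hide from a second, independent way of
enumerating processes (probing each PID with signal 0). PIDs that answer
the probe but are missing from the listing deserve a closer look.
Added example; function names are my own, and the live scan is Linux-only."""
import os

def listed_pids():
    """High-level view: numeric entries of /proc, the view a hooked readdir can filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probed_pids(max_pid):
    """Low-level view: every PID that answers a signal-0 probe, whoever owns it."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            pass            # no such process
        except PermissionError:
            found.add(pid)  # exists, but belongs to another user
    return found

def is_thread(pid):
    """kill() also accepts thread IDs, which /proc never lists; those are not hidden."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass                # no status file: keep it as a suspect, not a thread
    return False

def cross_view(listed, probed, thread_check=lambda pid: False):
    """Return, sorted, the PIDs present in the probe view but absent from the listing."""
    return sorted(pid for pid in probed - listed if not thread_check(pid))

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    # processes that start or exit mid-scan appear in only one view; taking the
    # union of two listings around the probe removes most of those false alarms
    suspects = cross_view(before | after, probed, is_thread)
    print("PIDs hidden from the /proc listing:", suspects or "none")
```

A kernel-level rootkit that hooks both the listing and the kill() path will still evade this, which is the author's level 3 point: the further down the stack the hiding happens, the less any single in-OS view can be trusted.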

I would suggest trying out some of the rootkit detectors out there and seeing which ones you like. If you find one that you really like, or one that you don't know is a real rootkit detector or not, then post back here and I will check it out for you.

Thanks for reading,
- Local Tech Repair Admin