Rootkit

Now that we are familiar with computer viruses and how their code works internally, we will look in a little more depth at what botnets and rootkits are, how they work, their types, and where these terms are used. First, we will deal with rootkits.

What is a Rootkit?

Rootkits are a collection of tools, or a set of applications, that provide administrator-level access to a computer or a network. They are placed on the host computer by a cracker (malicious hacker), either by exploiting a known vulnerability in the system or by cracking a password. Rootkits hide their presence using some of the operating system's lowest layers, which makes them almost undetectable by standard anti-malware software. The name itself explains this: 'rootkit' is a compound of 'root', the most privileged user on the computer, and 'kit', the set of tools used to implement it. The term is often used as a synonym for malware, specifically malware with root capabilities.

Root Modes of Windows Operating System

The kernel is the primary component of an operating system. It serves as the intermediary between applications and the hardware. The Windows kernel has been designed with flexibility in mind. The Windows kernel code runs in the most privileged mode in the system, kernel mode. Because not all software needs direct access to system resources and hardware, a lower-privileged mode also exists, known as user mode, in which applications run.

Types of Rootkit

In the Windows operating system there are two modes in which code can execute: the unrestricted kernel mode and the restricted user mode. Rootkits can exist in both. Rootkits can be either legitimate or malicious; i.e., they may be installed as part of a legitimate application or through a Trojan delivered via a suspicious email attachment. Accordingly, there are two types of Windows rootkits, aptly called:

  1. User-mode Rootkits: These rootkits run in user mode, the low-privilege level of the processor ring model. Their effect is limited to the user level, through the affected application. If the rootkit wants to infect other applications, it must repeat the same work in every application's memory space. They operate mostly by hijacking or hooking function calls.
  2. Kernel-mode Rootkits: These run in kernel mode, the highest privilege level, i.e., in kernel space. This makes them powerful: they reside at the lowest level of the operating system, which gives them strong control over both the hardware and the operating system. Most kernel-level rootkits hook execution paths that transition into kernel mode and use a loadable kernel module (LKM) to extend the kernel with rootkit code. A subtype is the 'bootkit', which infects startup code such as the MBR (Master Boot Record) and VBR (Volume Boot Record) and, like a boot sector virus, causes malfunction at boot time.

Techniques Used by Rootkits

Rootkits rely on three main techniques. These are:

  1. Hooking: the most common function of all rootkits, which involves hooking the application's execution flow. They redirect the normal flow of execution to their own code, which is done internally by intercepting API calls and system function calls.
  2. DLL Injection: the mechanism of loading a dynamic link library (DLL) into the address space of a running process. In malware and rootkits, the injected DLL is malicious: it exports malicious functions and patches code or modifies registry keys. Because such a DLL can be loaded easily, it can be injected into processes that load USER32.DLL.
  3. Kernel Object Manipulation: considered the most advanced technique used by malware writers. This type of attack modifies kernel structures and bypasses the kernel object manager to avoid access checks. Much of the kernel's data structure is modified, since the kernel itself is under siege in this attack. Although this is the most advanced technique, it is also far from easy: manipulating a kernel object requires a detailed understanding of that object.
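As an added illustration of how the hooking described in item 1 can be detected (example code written for this page, not from any vendor's product), the following compares an exported function's first bytes as they appear on disk with the same bytes read from a live process, and decodes the common x64 jump stubs that an inline hook leaves in place of the original prologue. The export names, addresses and byte strings are constructed samples, not values captured from a real system.

```python
import struct

MASK64 = (1 << 64) - 1

def decode_trampoline(func_addr, mem):
    """Recognise the x64 jump stubs commonly written over an API prologue.
    Returns (kind, target) or None when the bytes are not a known trampoline."""
    if len(mem) >= 5 and mem[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & MASK64
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":               # jmp qword [rip+disp32]
        disp = struct.unpack_from("<i", mem, 2)[0]
        return "jmp [rip+disp32]", (func_addr + 6 + disp) & MASK64   # address of pointer slot
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return "mov rax,imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0]
    return None

def check_export(name, func_addr, disk_prologue, mem_prologue):
    """Compare an export's first bytes on disk with the bytes seen in a live process."""
    if disk_prologue == mem_prologue:
        return {"export": name, "hooked": False}
    tramp = decode_trampoline(func_addr, mem_prologue)
    if tramp is None:       # modified, but not a trampoline we know how to decode
        return {"export": name, "hooked": True, "kind": "unknown patch", "target": None}
    kind, target = tramp
    return {"export": name, "hooked": True, "kind": kind, "target": target}

def scan_exports(exports):
    """exports: iterable of (name, address, on_disk_prologue, in_memory_prologue)."""
    return [check_export(n, a, d, m) for n, a, d, m in exports]

# Constructed sample data: hypothetical addresses and bytes, not captured from a real system.
CLEAN = bytes.fromhex("4C8BD1B826000000F6042508")     # 12 bytes resembling a syscall-stub prologue
ADDR_A, ADDR_B, ADDR_C, ADDR_D = 0x7FFE12340000, 0x7FFE12345000, 0x7FFE1234A000, 0x7FFE1234F000
HOOK_A = b"\xE9" + struct.pack("<i", 0x7FFE20000000 - (ADDR_A + 5)) + CLEAN[5:]
HOOK_B = b"\x48\xB8" + struct.pack("<Q", 0x7FFE30001000) + b"\xFF\xE0" + CLEAN[12:]
PATCH_D = b"\x90\x90" + CLEAN[2:]                     # two NOPs: changed, but no recognised stub

SAMPLE_EXPORTS = [
    ("NtOpenProcess", ADDR_A, CLEAN, HOOK_A),
    ("NtQuerySystemInformation", ADDR_B, CLEAN, HOOK_B),
    ("NtClose", ADDR_C, CLEAN, CLEAN),
    ("NtReadFile", ADDR_D, CLEAN, PATCH_D),
]

if __name__ == "__main__":
    for result in scan_exports(SAMPLE_EXPORTS):
        print(result)
```

A flagged export is a lead, not a verdict: security products and compatibility shims also install hooks, so the decoded target should be checked against the modules legitimately loaded in the process.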

Countermeasures Against Rootkits

Several vendors, such as Microsoft, Sysinternals, Symantec and F-Secure, sell software that can detect the presence of a rootkit. However, if a rootkit is detected, the only sure way to get rid of it is to completely erase the computer's hard drive, or format the system, and reinstall the operating system.
