What are Rootkits?

Rootkits are Internet-based threats that have recently been discussed at great length, basically in the light of the fact that a large company distributed a rootkit with some of its products.

But, what exactly is a rootkit? Why are rootkits so dangerous? Is it true that they cannot be removed from systems? We are going to try to give answers to these questions and lay various myths to rest.

The word “rootkit” comes from the two words “root” and “kit”. Root refers to the user with maximum rights in UNIX systems (this can be UNIX, AIX, Linux, etc.). This person is called the “super-user”, the “administrator”, or one of a host of other names. Specifically, it represents the highest level of authority present within a given IT system. On the other hand, the “kit” is a group of tools, so a rootkit is therefore a group of tools with a root category.

In practice, rootkits are programs which, once installed on a system, carry out the necessary modifications to be able to carry out the tasks programmed into them without being detected.

In essence, rootkits try to help hide the presence of other processes which are carrying out malicious activity in the system. For example, if there are backdoors in the system, which allow spying tasks to be carried out, the rootkit will hide the open ports which could warn of this communication, or if there is a system for sending spam, the rootkit will hide all email activity. The only real limitation is the creator’s imagination.

Due to their specific design, rootkits cannot be detected. If a user (even a root user) tries to analyze the system to see what processes are being executed, a rootkit will show false information, meaning that all processes will be visible to the user except the rootkit itself and the processes it is hiding. Furthermore, if the user tries to view a list of files on the system, the rootkit will ensure that this information is shown, but will hide its own file and the files of the processes it is hiding.

The previously mentioned rootkit can hide files and processes with names beginning with $sys$. This feature is now used by a malicious code, naming the file with the code “$sys$drv.exe”. So, this file never exists to anybody who wants to look for it, not even the antivirus.

The same will apply when an antivirus scan is carried out. When the antivirus system requests a list of files from the operating system, or when it tries to discover which processes are being executed, the rootkit will falsify data and the antivirus will not receive the correct information it needs in order to disinfect the system.

In addition, rootkits have yet another problem: they are not code which can propagate itself. If a rootkit is in a system it is because it has been directly introduced into the system, not because it has propagated via Internet, as is the case with traditional worms. In this way, it is highly likely that a rootkit has been created and designed for a specific system, and not for a general group of computers. The functions and characteristics of the rootkit depend on the system, as it is basically a “hand-made” solution for causing havoc in one system in particular.

Rootkits and antivirus

With this characteristic, antivirus designers are faced with the enormous difficulty of detecting a code that is difficult to spot. There is no propagation, so they cannot obtain samples of the rootkit. In addition, scanning is practically impossible, as information on the rootkit cannot be obtained within the affected system as it remains undetected.

A multitude of warnings and alerts on the huge danger posed by these programs has appeared in the media, and not without justification. The risk is extremely high, and the consequences of infection by a rootkit can be very serious. However, it is time to dispel the myth that these programs cannot be detected.

Firstly, in order for a rootkit to be able to infect a system, it must first be installed. Currently, in order for a program (whether a rootkit or an email reader) to be installed on a computer, a series of files must first be copied onto the host device. In other words, the system’s hard drive must be used in order to introduce the rootkit’s files.

1 | 2