Rootkits
Rootkit
- Type of software designed to gain administrative-level control over a given computer system without being detected
- Its primary objective is to embed itself seamlessly into the operating system
Admin account
- Account with the highest level of permissions is called the Administrator account
- Allows the person to install programs, delete programs, open ports, shut ports, and do whatever it is they want to do on that system
- On a UNIX, Linux, or macOS computer, this type of administrator account is called the root account
Rings of permission
- A computer system has several different rings of permissions throughout the system
- Ring 3 (Outermost Ring)
- Where user level permissions are used
- Ring 0 (Innermost Ring or Highest Permission Level)
- Operating in Ring 0 is called “kernel mode”
- Kernel Mode
- Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things
- If you log in as the administrator or root user on a system, you have root permission and you will be operating at Ring 1 of the operating system
- Remember, the closer the malicious code is to the kernel, the more permissions it will have and the more damage it can cause on your system
- When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 so that it can hide from other functions of the operating system and avoid detection
- Rootkits are designed to dig deeply into the operating system so that your anti-malware solution has a really hard time detecting them
Techniques used by rootkits
- One technique used by rootkits to gain this deeper level of access is DLL injection
- DLL Injection
- Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library
- Dynamic Link Library (DLL)
- Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development
- Often provided by default inside the Windows OS
- Shim
- Piece of software code that is placed between two components, intercepts the calls between those components, and can be used to redirect them
- A rootkit's shim intercepts the communications between the Windows OS and the DLL, so callers receive whatever the rootkit chooses to return
Detect rootkits
- Rootkits are extremely powerful, and they are very difficult to detect because the operating system itself is essentially blind to them
- Conduct an external system scan!
- The best way to detect them is to boot from an external device (for example, a live-boot Linux distribution) and scan the internal hard drive with a good anti-malware scanning solution; because the installed operating system is not running, the rootkit's hooks are not active and cannot hide its files from the scan
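As an added example (not part of these notes), the following Python models the shim described under "Techniques used by rootkits" and the cross-view idea behind the external scan: a filter placed in front of os.listdir hides entries from anything that calls it, while an independent read of the same directory (standing in for scanning the disk from a live boot) still sees them. The hidden-name prefix, the sample files and the function names are constructed for this illustration.

```python
import os
import tempfile

# Constructed marker: entries whose names start with this are hidden by the shim.
HIDDEN_PREFIX = "rk_"


def install_shim(hidden_prefix=HIDDEN_PREFIX):
    """Place a shim between callers and os.listdir.

    Callers still believe they are talking to the real function, but every
    result is filtered before it is returned (intercept and redirect).
    Returns the original function so the shim can be removed again.
    """
    real_listdir = os.listdir

    def shimmed_listdir(path="."):
        return [n for n in real_listdir(path) if not n.startswith(hidden_prefix)]

    os.listdir = shimmed_listdir
    return real_listdir


def shim_active():
    """True while the shim is installed in place of the real os.listdir."""
    return os.listdir.__name__ == "shimmed_listdir"


def in_band_view(path):
    """What a scanner running inside the shimmed environment sees."""
    return sorted(os.listdir(path))


def out_of_band_view(path):
    """Independent read of the same directory; os.scandir does not pass
    through the shimmed os.listdir, like reading the disk from a live boot."""
    with os.scandir(path) as it:
        return sorted(entry.name for entry in it)


def cross_view_diff(path):
    """Entries present on disk but missing from the in-band listing."""
    return sorted(set(out_of_band_view(path)) - set(in_band_view(path)))


def demo():
    """Constructed scenario: one normal file, one hidden file; returns the
    names the in-band view failed to report."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", HIDDEN_PREFIX + "payload.dll"):
            open(os.path.join(d, name), "w").close()
        real = install_shim()
        try:
            return cross_view_diff(d)
        finally:
            os.listdir = real  # remove the shim so later code sees the truth
```

Any discrepancy between the two views is the signal: an honest system returns an empty list, while a shimmed one reports exactly the names it was hiding.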