A Guide to Rootkit Detection: History, Methods and More
In mid-April 2019, a new and sophisticated malware threat began to appear on the computers of home users and businesses. The threat, named Scranos, boasts an impressive list of capabilities, including stealing login credentials, payment account information, browsing history and tracking cookies. It can also subscribe victims to YouTube channels, display ads, and download and run additional payloads. Attacks were originally concentrated in China but have since spread worldwide. A key feature of the attack is its rootkit driver, which gives it boot persistence: the driver is loaded at startup with kernel privileges, so Scranos survives reboots and can conceal its other components from the operating system's own tools.
(To learn more about how Cynet can automatically detect and respond to rootkit attacks, click here.)
What Is a Rootkit?
Scranos is a prime example of a rootkit attack. But what exactly is a rootkit?
Rootkits are a sophisticated class of malware that give their operator (usually an attacker, but not always) a hidden, privileged foothold on a system. In practice this means administrator- or kernel-level remote access to a computer or network, combined with code that hides that access from the operating system's own tools. Malicious rootkits commonly tamper with the user-mode applications that would otherwise reveal them, and will often disable antivirus and anti-malware software.
Rootkit detection is difficult because these threats hide traces of themselves by design. Attackers use rootkits to conceal their presence and to stay dormant for as long as they choose, until they execute their payload or change the configuration. Rootkits can also be used to spy on a legitimate user's activity, enlist the machine in a botnet to launch DDoS attacks, escalate privileges, maintain persistence, and "phone home" sensitive data. Rootkits that load before the operating system are particularly dangerous, since they are already in place when the security tools that would look for them start.
How Rootkits Spread
Rootkits often spread as part of blended threats, attacks that combine more than one technique or vulnerability. In the case of rootkits, the combination is typically a dropper and a loader. The dropper is the component that gets the rootkit onto the system, for example as an email attachment or an infected download; the loader is the code the dropper runs to install the rootkit and load it into memory.
A Short History of Rootkits
First appearing in the early 1990s, rootkits initially targeted Unix systems. The word "root" refers to the superuser account, which by default has access to every file and command on a Unix/Linux system; the "kit" is the set of tools that grants and conceals that access.
As the name implies, rootkits were mainly a Unix/Linux phenomenon until the late 1990s. In 1999 the first known Windows rootkit, NTRootkit, appeared. NTRootkit was a proof of concept, developed by famed security researcher Greg Hoglund, to see what rootkits could do on Windows systems. It was closely followed by He4Hook, a kernel rootkit that hides files; Hacker Defender, which hides files and registry keys; and Vanquish, which hides registry keys, directories, and files. Since then, rootkits have been a relatively common but incredibly challenging threat.
Infamous Rootkit Attacks
Today, malware creators can buy rootkits on the dark web, often bundled with exploit kits, for use in a myriad of attacks. Here's a look at some well-known attacks that used rootkits to do their dirty work, either as commoditized components or in advanced, targeted operations.
Since 2012, the Necurs spam botnet has infected over 6 million endpoints and has been linked to some of the most infamous malware families of all time, including Dridex, Gameover Zeus, CryptoWall, and CryptoLocker. It consists of an infector and a rootkit component and became the distribution tool of choice for many top cyber criminals, making it one of the most costly malware families ever.
Discovered in 2011, the ZeroAccess rootkit was used to spread a bitcoin-mining and click-fraud botnet. ZeroAccess propagated in a number of ways, including via social engineering, and at its height was raking in over $100k per day. Ultimately it reached 9 million systems. In 2013, Microsoft and its partners attempted to disrupt the botnet's command-and-control infrastructure, but the botnet survived the takedown.
The Zacinlo malicious adware rootkit first appeared in 2012. In 2017 it gained a new rootkit component that allowed it to bypass Windows 10 security features. Zacinlo mainly targets victims in the U.S. The rootkit functionality was apparently added to keep the malware on infected systems undetected for as long as possible. It also prevents specific security tools, including Malwarebytes, Panda, and Symantec products, from starting.
Usage in Advanced Attacks
The Greek Wiretapping Scandal
Referred to as the Greek Watergate, a phone-tapping scandal of epic proportions began to unfold in 2005. It was discovered that the mobile phones of Greek government officials and high-ranking civil servants on the Vodafone Greece network were being monitored and recorded. Unknown attackers had installed rootkit software on the network's Ericsson telephone exchanges that silently activated the exchanges' lawful-intercept capability, and planted backdoors that would let them conduct further wiretapping unnoticed.
Stuxnet
Stuxnet was the first known rootkit for programmable logic controllers (PLCs), the industrial computers used on production lines and in manufacturing equipment. Stuxnet is famous for damaging centrifuges at Iran's Natanz uranium enrichment facility, where it was discovered in 2010. Its rootkit components hid the malware's files on the infected Windows machines and, on the PLC side, hid the malicious code injected into the controller from the engineering software that would otherwise have displayed it, which kept the unfolding attack from being detected.
Sony BMG Rootkit Scandal
Although not malicious in intent, in the mid-2000s Sony BMG shipped copy-protection software on about 22 million CDs. When a user inserted one of the CDs into a Windows computer, it installed a rootkit that modified the operating system to prevent the CD from being copied, hiding any file, process or registry key whose name began with "$sys$". The rootkit was invisible to typical antivirus products and was finally exposed by security expert Mark Russinovich using his RootkitRevealer tool. Not only did the software block copying, it also slowed users' computers and, because anything with a "$sys$" name became invisible, gave other malware a ready-made hiding place.
What Makes Malware a Rootkit?
Rootkits are unique among malware variants in that they are created and distributed with the intention of hiding something, whether a malicious program or other activity. But not all rootkits function the same way. Below we explore the three kinds this article focuses on: kernel, hardware/firmware, and bootloader rootkits. Other categories exist as well, such as hypervisor (virtualized), user-mode, and memory-resident variants.
Kernel Rootkits
The most common, and among the most complex, type of rootkit, these variants run inside the operating system kernel and can change the way it works. Kernel rootkits may load their own code into the kernel (typically as a driver or module) and can patch or replace existing kernel code and data structures, such as system-call tables or process lists. They are incredibly challenging to detect because they run at the same privilege level as the operating system itself, so every API a detection tool relies on can be made to lie.
Hardware/Firmware Rootkits
These rootkits hide in hardware or in system firmware (for example the BIOS/UEFI firmware or a device's own firmware), where they survive reinstalling the operating system and even replacing the disk. Firmware-level code can also have legitimate uses, such as anti-theft agents that help locate stolen devices.
Bootloader Rootkits
These rootkits, also called bootkits, target the boot process, classically the hard drive's master boot record (MBR) or a volume boot record. They replace or modify the legitimate bootloader with their own, which runs before the operating system starts and so can load the rest of the rootkit into the kernel with full control over what the OS sees afterwards.
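Because a bootkit lives in the MBR's boot code, the practical check is to read sector 0 of the disk from a known-clean environment and compare the boot code against a baseline hash taken when the machine was known good. The following Python is an added example, not code from the article or from Cynet. It parses a 512-byte MBR, hashes only the first 440 bytes (the 4-byte Windows disk signature that follows is unique per disk and would otherwise break the baseline comparison), and reports structural oddities a bootkit may leave behind. The sample MBR, its baseline hash, and the `read_sector0` device path are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # 0x000-0x1B7: executable boot code (hash only this)
DISK_SIG_OFF = 440    # 0x1B8: 4-byte disk signature, then 2 bytes usually zero
PART_TABLE_OFF = 446  # 0x1BE: four 16-byte partition entries
BOOT_SIG_OFF = 510    # 0x1FE: 0x55 0xAA


def parse_mbr(sector):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError('an MBR is exactly one 512-byte sector')
    if sector[BOOT_SIG_OFF:] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature')
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from('<II', sector, off + 8)
        if ptype != 0:
            partitions.append({'index': i, 'active': status == 0x80,
                               'type': ptype, 'lba_start': lba_start,
                               'sectors': sectors})
    return {
        'boot_code_sha256': hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        'disk_signature': struct.unpack_from('<I', sector, DISK_SIG_OFF)[0],
        'partitions': partitions,
    }


def check_mbr(sector, baseline_sha256):
    """Compare an MBR against a known-good boot-code hash; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if info['boot_code_sha256'] != baseline_sha256:
        findings.append('boot code differs from baseline')
    if sum(1 for p in info['partitions'] if p['active']) > 1:
        findings.append('more than one partition flagged active')
    ordered = sorted(info['partitions'], key=lambda p: p['lba_start'])
    for a, b in zip(ordered, ordered[1:]):
        if a['lba_start'] + a['sectors'] > b['lba_start']:
            findings.append('overlapping partition entries')
            break
    if any(p['type'] == 0xEE for p in info['partitions']):
        # GPT disks carry only a protective MBR; a bootkit there targets the
        # EFI system partition or the firmware, which this check does not cover.
        findings.append('protective MBR (type 0xEE): GPT disk, inspect the EFI system partition instead')
    return findings


def read_sector0(device_path):
    """Read the first sector of a block device or raw disk image taken while
    booted from clean media. Path is an assumption; needs root/administrator."""
    with open(device_path, 'rb') as fh:
        return fh.read(SECTOR)


def build_sample_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Construct a synthetic MBR for demonstration; not from any real disk."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError('boot code must fit in 440 bytes')
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into('<I', sector, DISK_SIG_OFF, disk_signature)
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if active else 0x00
        sector[off + 4] = ptype
        struct.pack_into('<II', sector, off + 8, lba_start, sectors)
    sector[BOOT_SIG_OFF:] = b'\x55\xaa'
    return bytes(sector)


def flip_byte(sector, index):
    """Return a copy of the sector with one byte inverted (simulates tampering)."""
    patched = bytearray(sector)
    patched[index] ^= 0xFF
    return bytes(patched)


# Constructed sample: a stub boot sector with two NTFS partitions.
SAMPLE_BOOT_CODE = b'\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c' + b'\x90' * 40
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 500_000)]
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
BASELINE_SHA256 = parse_mbr(SAMPLE_MBR)['boot_code_sha256']

if __name__ == '__main__':
    print('clean:   ', check_mbr(SAMPLE_MBR, BASELINE_SHA256))
    print('tampered:', check_mbr(flip_byte(SAMPLE_MBR, 0), BASELINE_SHA256))
```

The baseline must be captured and stored off the machine; a hash kept on the suspect disk can be rewritten by the same bootkit. On UEFI systems with GPT disks the MBR holds no real boot code, so the equivalent check is a hash of the bootloader files on the EFI system partition plus Secure Boot and firmware integrity.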
It is notoriously difficult to detect and remove rootkits because, as mentioned, they hide themselves from view. Moreover, once an operating system has been compromised, its own tools can no longer be trusted to report unauthorized modifications, since the rootkit controls what those tools see. In practice rootkits are usually found through inconsistencies: a defect in the rootkit's hiding, or a difference between what one view of the system reports and what another, independent view shows. And just to complicate matters, malware authors test their rootkits against the detection tools that actually work and adapt them accordingly.
This said, there are some helpful rootkit detection methods, such as:
- Using a logging solution that alerts on unusual network traffic, for example a host that "phones home" to an unknown address.
- Using a behavioral analysis tool that looks for anomalous behavior and for behaviors rootkits commonly exhibit, such as tampering with security software or hiding processes.
- Booting the system in question from a known-clean environment, or mounting its disk on a known-clean machine. Because the suspect operating system is not running, its rootkit cannot filter what the examination tools see, so scanners and runtime tools can look for rootkit components directly.
- Running a rootkit scan. Many major anti-malware vendors now offer rootkit scanners, some of them free. Most rely on signatures of known rootkits, and only a few can detect unknown variants.
- Using machine-learning static analysis on binaries before they run, to detect rootkit components and prevent them from executing.
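The cross-view technique that underlies several of these methods, as an added example that is not code from the article or from Cynet: the same set of objects is enumerated through two independent paths, and anything that only the lower-level path reports is a candidate for something hidden. The pure comparison works on any two views. The Linux collectors below (readdir on /proc versus probing every PID with kill(pid, 0), and a manifest of expected file names versus a directory listing, which is the pattern that caught the Sony "$sys$" files) are one concrete way to obtain the views and assume a Linux host with /proc mounted; the status text in the comments is constructed.

```python
"""Cross-view rootkit detection: compare a high-level enumeration with an
independent low-level probe and flag what only the probe reports."""
import os


def hidden_items(high_level_view, low_level_view):
    """Items present in the low-level view but absent from the high-level one.
    Items only the high-level view reports are not flagged: they are usually
    processes that exited between the two snapshots, not hiding."""
    return sorted(set(low_level_view) - set(high_level_view))


def tgid_from_status(status_text):
    """Parse the Tgid field of a /proc/<id>/status file, e.g. 'Tgid:\\t4242'.
    Returns None if the field is absent."""
    for line in status_text.splitlines():
        if line.startswith('Tgid:'):
            return int(line.split(':', 1)[1].strip())
    return None


def proc_listing_view():
    """High-level view: PIDs that readdir('/proc') reports (Linux only)."""
    return {int(name) for name in os.listdir('/proc') if name.isdigit()}


def pid_probe_view(max_pid=None):
    """Low-level view: probe every PID with kill(pid, 0), which never goes
    through readdir. ESRCH (ProcessLookupError) means no such task; EPERM
    (PermissionError) means it exists but belongs to another user."""
    if max_pid is None:
        try:
            with open('/proc/sys/kernel/pid_max') as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread(task_id):
    """kill(tid, 0) also succeeds for thread IDs, which readdir('/proc') never
    lists even though /proc/<tid> can be opened. A task whose Tgid differs
    from its own ID is a thread, not a hidden process. Returns None when the
    status file cannot be read (itself suspicious for a live task)."""
    try:
        with open(f'/proc/{task_id}/status') as fh:
            tgid = tgid_from_status(fh.read())
    except OSError:
        return None
    return tgid is not None and tgid != task_id


def hidden_processes():
    """Linux: PIDs that answer kill(pid, 0) but do not appear in /proc."""
    candidates = hidden_items(proc_listing_view(), pid_probe_view())
    # A second listing removes short-lived PIDs that started between the views.
    listed_again = proc_listing_view()
    return [pid for pid in candidates
            if pid not in listed_again and is_thread(pid) is not True]


def hidden_files(directory, expected_names):
    """Cross-view for files: names from a known-good manifest that exist
    according to stat() but that the directory listing omits."""
    listed = set(os.listdir(directory))
    present = [name for name in expected_names
               if os.path.lexists(os.path.join(directory, name))]
    return hidden_items(listed, present)


if __name__ == '__main__':
    print('suspicious PIDs:', hidden_processes())
```

Run `hidden_processes()` as root so that EPERM and ESRCH are reliably distinguished, and treat an empty result as evidence rather than proof: a kernel rootkit can hook the probe path as well as the listing, and inside a container only the PIDs of that namespace are visible. The file comparison has the advantage that it also works offline, against a disk mounted on a known-clean machine, where the rootkit cannot filter either view.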
Cynet 360 Rootkit Protection
Rootkits are a sophisticated, high-level threat that should be taken very seriously. Though they can be daunting even for the best IT and security pros to detect, the right rootkit protection tools can make the job easier.
Cynet 360 rootkit protection involves the following mechanisms:
1) Execution prevention: Cynet applies ML-based static analysis to every binary before execution, flagging files with malicious attributes and preventing them from running.
2) Rootkit prevention at runtime: Cynet 360 monitors the critical OS components a rootkit must modify to place itself where it will survive a reboot. Cynet 360 detects malicious attempts by processes to access these locations and denies them the required permissions, effectively disarming their "rootkiting" ability.
3) Post-infection detection: in the rare cases where a rootkit does establish itself, Cynet detects its presence through multilayered behavioral monitoring of running processes, attributing the resulting anomalies to the rootkit.