What actually is a rootkit?

G DATA Guidebook

They move in and out of other people’s computers without being noticed. They creep in through backdoors and smuggle valuable data out so it can be sold on the black market; they steal money, credit card data and confidential documents – without the victim noticing a thing. Something that sounds like a Sunday evening crime story, but has long been a digital problem as well, is hackers using complex software to access other people’s systems and single-handedly managing to gain control of their victims’ computers. The rootkit is the accomplice in such activities, keeping watch and disguising the actual miscreants’ nefarious deeds as far as possible.

How dangerous are rootkits?

The danger itself does not come from the rootkit, but from the malware whose traces it is covering up. A rootkit is not malware in the usual sense. Its specific capability lies in hiding files and processes from other applications and from the operating system, and in hiding malware from virus scanners and security solutions. The ‘danger level’ of an infection with a rootkit is therefore dependent on what the intruders are planning to do and what malware they decide to place on the system through the backdoor they have broken open.

What do “root” and “kit” mean here?

This accomplice in code form penetrates deep into the operating system and becomes active there. The word “root” therefore refers to the root rights that also bear the name of the superuser account. Originating from the UNIX world, this account is set up during installation of the operating system and grants the user general access rights. Hence it is not intended for everyday use but for all administrative tasks that need to be carried out deep in the system – at “root” level. The “kit”, on the other hand, means that it is a collection of software tools. Literally, therefore, a rootkit is something like a toolkit for administrators.

How does a rootkit work?

This toolkit enables cyber criminals to log into the computer without being noticed and execute administration functions. The rootkit prevents the user from noticing any sign of the illegal access on the computer. Messages to the criminals are disguised on the computer, as are the associated files and processes. The rootkit also enables dangerous programs to be hidden that spy on things such as passwords, trade secrets, keyboard and mouse input, credit card information and the like.

How can I prevent an infection?

  • Account: Always use a user account when using your Windows computer. The administrator account should never be your everyday way of accessing the system. This account has fewer barriers and protection mechanisms against threats from the Internet than a user account, which has restricted permissions.
  • System updates: Ensure that your operating system (e.g. Windows) is always fully up to date, and install any updates.
  • Software updates: The same applies to installed programs. As rootkits can also access the system through security holes in programs, you should close them promptly using the updates regularly provided by the software providers.
  • Security software: Robust security software is a must. It should include security mechanisms such as behaviour monitoring and other proactive technologies.
  • Boot CD: A boot CD scans the system while the installed operating system is not running. Such a boot medium analyses the computer for a whole range of malware, including rootkits. A boot CD cannot be certain of preventing infection with a rootkit. However, it can prevent malware stealing its way onto the computer without being noticed.
  • Rootkit check: For a rootkit check, the system is put into a specific state and then checked for rootkit infection. A rootkit is easier to find in this state, as it disguises itself when the system is operating. This check can also be carried out using a boot CD.
  • Alertness: As with the plethora of malware, rootkits distribute themselves via storage media, the Internet or emails. Sharpen your awareness of this by being critical of third-party USB sticks and of attachments or links from unknown senders. Never click on a link without thinking, and open even harmless-looking files, such as PDFs, only if you are sure that you are not being deceived.
  • Caution: Never leave your computer or mobile devices unlocked when unattended, especially when switched on, whether you get up for a moment in the café or fetch another book in the library. Setting up strong passwords offers additional security so that unauthorised individuals cannot log into your computer, tablet or smartphone, even if they get their hands on it.

How do rootkits differ?

As it can conceal so many different files and processes, a rootkit is by no means just a rootkit: each variant proceeds in a different way and draws on different parts of the system. The two most widely distributed types of rootkit are the user mode rootkit and the kernel mode rootkit. The kernel mode is the innermost core of an operating system. The lowest level settings are specified there and only the administrator has access to this part of the system. When a rootkit embeds itself here, attackers can remotely manipulate the computer as they want. The user mode, on the other hand, carries significantly fewer rights and has correspondingly less influence on the operating system. The operating system can be penetrated on various levels, the depth of which depends on where the rootkit is located. It is true that complex kernel rootkits are rarer, but at the same time they are harder to discover and remove than user mode rootkits.

What is a backdoor function?

When criminals succeed in smuggling such a rootkit onto a computer, they already have one foot in the door. If they also manage to spy on the passwords for the computer, and they have the right malware, they hold the key to your system and can let themselves in at any time. If all the coming and going happens with the protection of a rootkit, experts often refer to a “backdoor” to the system having been opened. Backdoors enable hackers to install or launch more software, access data and change settings.

Where are rootkits used?

What intruders can do with the help of a rootkit differs greatly. A well-known example of such an unwanted guest on third-party computers is the Sony scandal. It came to light in 2005 that Sony was using copy protection on various music CDs in which a rootkit was supposedly hidden. This rootkit manipulated users’ operating systems to prevent CDs from being copied. Antivirus and anti-spyware software were blind to this program. Furthermore, the software secretly sent the users’ private listening habits to Sony – all under the rootkit’s protection. Consequently, Sony not only acquired enormous knowledge about the users, but also caused a major scandal. Instead of protecting its copyright, Sony significantly infringed data protection – and potentially made it easier for hackers to get in through security holes opened in this way.

How do I detect rootkits and what is a rootkit scan?

Whether or not the doors to your computer are still tightly shut cannot be seen with the naked eye. Moreover, rootkits are rarely detected through suspicious behaviour by the computer. Security software can only offer technical support here – for example a special rootkit check. Such protection against rootkits is included in most security software suites. The rootkit check, sometimes also called a rootkit scan, is carried out in a particular way: because rootkits actively protect themselves from detection on a running system, in practice they can only be detected if the system is put into a specific state. It is the only way that the hard disk on which the system is running can be successfully scrutinised for rootkits.
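One technique a rootkit check uses on a running system is a cross-view comparison: the same objects (here, process IDs) are enumerated through two independent paths, and anything one path reports but the other leaves out is flagged. A rootkit that filters the directory listing that tools like `ps` rely on does not usually also intercept a direct existence probe for each PID, so the two views disagree. The block below is an added example written for this guide, not G DATA code and not the check built into any product; the constructed sample data and the Linux-only helper functions (`linux_listing_view`, `linux_probe_view`, `linux_hidden_pids`) are this example's own assumptions.

```python
"""Cross-view comparison of running processes (added example, not G DATA code)."""
import os
from typing import Dict, Iterable, Optional, Set, Tuple


def cross_view_diff(listing_view: Iterable[int], probe_view: Iterable[int]) -> Dict[str, Set[int]]:
    """Compare a listing-based view with a direct-probe view of the same PIDs.

    'hidden'    : PIDs the probe reaches but the listing omits (the signature of
                  something filtering the listing)
    'transient' : PIDs in the listing that the probe no longer finds (normally a
                  process that exited between the two snapshots, not a rootkit)
    """
    listing, probed = set(listing_view), set(probe_view)
    return {"hidden": probed - listing, "transient": listing - probed}


def constructed_views() -> Tuple[Set[int], Set[int]]:
    """Constructed sample snapshot: PID 1337 is reachable but filtered out of
    the listing, and PID 4000 exited between the two snapshots."""
    listing = {1, 2, 100, 250, 4000}
    probed = {1, 2, 100, 250, 1337}
    return listing, probed


def linux_listing_view() -> Set[int]:
    """High-level view: the PIDs that a directory listing of /proc exposes."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _pid_exists(pid: int) -> bool:
    """Ask the kernel directly. Signal 0 delivers nothing; it only reports whether
    the PID exists (ProcessLookupError = no, PermissionError = yes, not ours)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def _is_thread_group_leader(pid: int) -> Optional[bool]:
    """Thread IDs answer to kill() but are never listed in /proc, so they must be
    filtered out to avoid false positives. Returns None if status is unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return None
    return None


def linux_probe_view(max_pid: Optional[int] = None) -> Set[int]:
    """Low-level view: probe every candidate PID up to the kernel's pid_max."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        if _pid_exists(pid) and _is_thread_group_leader(pid) is not False:
            found.add(pid)
    return found


def linux_hidden_pids(max_pid: Optional[int] = None) -> Set[int]:
    """Run the check on a live Linux host. A hidden candidate is only reported if
    it is still alive and still absent from a fresh listing, which removes most
    race-condition false positives from short-lived processes."""
    candidates = cross_view_diff(linux_listing_view(), linux_probe_view(max_pid))["hidden"]
    fresh = linux_listing_view()
    return {pid for pid in candidates if _pid_exists(pid) and pid not in fresh}


if __name__ == "__main__":
    listing, probed = constructed_views()
    print("constructed sample:", cross_view_diff(listing, probed))
    if os.path.isdir("/proc"):
        print("live check on this host:", linux_hidden_pids())
```

The live check walks every PID up to `pid_max`, so it takes a few seconds in Python; an empty result means the two views agree, not that the machine is clean, since a kernel mode rootkit can filter both paths. That limitation is exactly why the guide recommends scanning from a boot CD as well.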

How can I delete a rootkit?

Special boot CDs help with detecting rootkits. G DATA security solutions provide the option of creating a Linux-based boot CD that can be used for booting the computer independently of the installed operating system. The system can be scanned by the virus scanner contained on the CD in a condition where the rootkit that may be present on the hard disk is not active and so can be discovered more easily. In this state, the disguising function is ineffective and the rootkit’s cover is blown – along with that of its criminal accomplices.
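Why scanning from a boot medium works can be shown with a simple integrity comparison: with the installed system not running, every file on the mounted disk can be hashed and compared against a baseline taken when the machine was known to be clean, and nothing on that disk is executing to hide a replaced or dropped file. This is an added example for this guide, not G DATA's scanner or the check its boot CD performs; it assumes the volume is mounted read-only under `root` from rescue media, and the files it creates in a temporary directory are constructed sample data.

```python
"""Offline integrity comparison of a mounted volume (added example, not G DATA code)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Hash every regular file below root; keys are paths relative to root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are hashed where they really live
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline of a tiny fake volume, then replace
    one system binary, drop a new library and delete a tool, and return what an
    offline comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "ls"), b"original ls binary (constructed)")
        _write(os.path.join(root, "bin", "ps"), b"original ps binary (constructed)")
        _write(os.path.join(root, "etc", "hosts"), b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)

        _write(os.path.join(root, "bin", "ls"), b"replaced ls binary (constructed)")
        _write(os.path.join(root, "lib", "dropped.so"), b"dropped library (constructed)")
        os.remove(os.path.join(root, "bin", "ps"))
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In real use the baseline manifest must be stored off the scanned disk (on the rescue medium or a server), otherwise whatever tampered with the files could tamper with the manifest too; the comparison only tells you that something changed, so package manager checksums or a clean installation image are what let you decide whether a change is legitimate.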