What is a rootkit and why should I be concerned?
“Rootkits… they are PURE EVIL… NO ONE IS SAFE… LOCK UP YOUR DATA!!!” OK, I admit that’s a little over the top, but hopefully I have your attention, because this is a very serious issue for anyone connected to the Internet who cares about their personal and financial data. What are rootkits? I’m SO GLAD you asked!
In the constant online warfare being waged over your personal identity and information, rootkits represent the next wave of attack. Before we get too far into this, let me present a few definitions of a rootkit.
What is a Rootkit?
Rootkits have been defined by Microsoft Technical Fellow Mark Russinovich as “anything in the software realm that hides objects from standard security administration or management.” Now, latch on to the word “HIDES” in that definition, for it’s the very core of why you should be concerned. Another definition found in Wikipedia reads, “A rootkit is a software system that consists of a program or combination of several programs designed to hide or obscure the fact that a system has been compromised.” Again, the word “HIDE” is brought forth. The final definition is for the word “Insidious”, which means “Working or spreading harmfully in a subtle or stealthy manner”. That also could be used to describe a rootkit. Are you starting to get the picture?
So rootkits are software programs that use various techniques to install themselves on a computer in such a way that they can hide themselves and their activity from the Operating System. Please realize that when the Operating System itself is unaware of the existence or activity of a program, many programs designed to protect your computer may also be unaware of that activity, because they rely on the Operating System to tell them what is running.
Sneak Attack
The primary focus of this “next wave” is stealth, but to varying degrees. For instance, there are rootkits whose purpose is mainly to secretly download other malware onto your computer and install it. The malware itself may alert you to its presence, as in the case of a browser helper object (BHO) which redirects your browser to other sites; an obvious tip-off that something’s amiss. So you run something like the Malwarebytes Anti-Malware program to get rid of the offender and all is good, until a few days later when you notice your browser is again redirecting you to a site you never intended to visit. That fact could be a clue that you either never fully removed the malware, or that a rootkit, which went undetected and continued to operate unseen, has downloaded more malware onto your PC and re-started it.
In the case of an attacker who wants to steal your personal or financial data, you may never see any outward signs that your system has been compromised. Think about it – if you were going to steal something from someone, would you advertise it? Would you pull out a bullhorn and stand in front of your victim’s house and shout out what you’re about to do? Not likely, unless you were a genuine loony! No, you’d sneak in through an unlocked back door when no one’s looking. You’d make every attempt to cover your tracks and not raise suspicions. You’d make sure you weren’t noticed. And that’s why you should be concerned! If a rootkit program has made its way onto your computer for the purpose of stealing personal or financial information, you likely won’t be aware it’s happening to you!!! Very insidious!
Who uses Rootkits?
We won’t attempt to explain the many techniques that rootkits use to disguise themselves, but you should know it’s an ever-evolving field of research, both by good guys and bad guys. Learning how to create new ways to circumvent the Operating System has moved into the big leagues. It’s no longer just some bored teenager with mad programming skills seeking attention. More and more, this research has big money behind it, funded by various nefarious (I had to say that) groups, because THERE IS A LOT OF MONEY TO BE MADE!!! That statement alone should wake you up. If the payback wasn’t worthwhile, they wouldn’t pump money into it!
Who – besides the usual bad guys – uses rootkits? Governments use them to spy on other governments or “groups of concern”. An example would be the Chinese government’s use of rootkits to spy on the Dalai Lama and steal documents from his office computers. The Sony Corporation has used rootkit technology to implement their Digital Rights Management scheme. Sony’s use of this technology wound up in court; the case has since been settled, and Sony no longer uses that technology. The technology of rootkits, by itself, isn’t illegal. How you use it is another matter. The source code for various rootkits can be downloaded freely from the Internet. Anyone, from the kid down the street to government security agencies, can use this technology.
I want to point out that, more often than not, the rootkit itself isn’t doing the actual spying or gathering of your personal information. The rootkit is usually just an enabler. It is typically used to hide the activity of other programs that the rootkit, once it is installed, secretly downloads to your computer. These downloaded programs can include programs which record your keystrokes or take screen-shots of your display and send them to someone for analysis. Rootkits can install “backdoor” or RAT (Remote Access Tool) programs which enable a remote user to gain further access to your operating system, altering security permissions as needed, and gain access to potentially interesting data files residing on your hard drive. Anything that an attacker wants to install, and do so in a manner that is undetected by the operating system, can be done through the functionality of a rootkit program.
What can you do?
Look for anti-rootkit functionality when you purchase protective software. Rootkit detection technology is becoming more common in commercial anti-malware programs. There are also standalone anti-rootkit programs that you can freely download. Be aware that rootkits are based on various techniques and not every anti-rootkit program will detect every type of rootkit. And some anti-rootkit tools are for detection only. Of course, the detection methods vary. Some require you to be in Safe Mode, and some require that the rootkit be operational in order for it to be detected. Try several from different vendors. Most of the standalone variety, it seems, require a fair amount of technical skill to use correctly, while others are as easy as clicking a few buttons. Here are a few which do not require technical knowledge.
Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
F-Secure Blacklight Rootkit Eliminator
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/
As with any security program, try to get the most recent versions.
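The detection approach behind tools like the ones listed above is usually “cross-view”: ask the operating system’s normal API what exists, obtain the same list from a lower-level source (raw kernel tables or raw disk structures), and flag anything that appears in one view but not the other. The simulation below is an added example written for this article, not code from the article’s author or from any of the tools named; the process table, the hidden program name “kbdlog.exe” and the hooked-API filter are all constructed. It also shows why some detectors need the rootkit to be operational: when the simulated rootkit is dormant, nothing is being filtered and the two views agree.

```python
"""Cross-view rootkit detection, simulated (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Proc:
    pid: int
    name: str


# Constructed "raw" process table, as a low-level scan might read it directly
# from kernel memory, bypassing the normal enumeration API.
RAW_TABLE = [
    Proc(4, "System"),
    Proc(612, "csrss.exe"),
    Proc(1337, "svchost.exe"),
    Proc(2048, "explorer.exe"),
    Proc(3110, "kbdlog.exe"),   # constructed name for the hidden program
]

# What the simulated rootkit removes from API results when it is active.
HIDDEN_NAMES = {"kbdlog.exe"}


def hooked_api_view(raw, rootkit_active):
    """Simulated process-listing API.

    When the rootkit is active, its hook filters its own entries out of the
    answer; when it is dormant (not loaded, e.g. in Safe Mode), the API
    reports everything, and a cross-view comparison has nothing to find.
    """
    if not rootkit_active:
        return list(raw)
    return [p for p in raw if p.name not in HIDDEN_NAMES]


def cross_view_diff(high_level, low_level):
    """Compare the two views.

    Returns objects present in the low-level view but missing from the
    high-level one ("hidden", the rootkit signature) and objects the API
    reports that the raw scan cannot see ("phantom", worth a look too,
    since a tampered API may also fabricate entries).
    """
    hi, lo = set(high_level), set(low_level)
    return {
        "hidden": sorted(lo - hi),
        "phantom": sorted(hi - lo),
    }


def scan(rootkit_active):
    """Run one cross-view scan against the constructed table."""
    return cross_view_diff(hooked_api_view(RAW_TABLE, rootkit_active), RAW_TABLE)


if __name__ == "__main__":
    for active in (True, False):
        result = scan(active)
        state = "active" if active else "dormant"
        print(f"rootkit {state}: hidden={[p.name for p in result['hidden']]}")
```

A real detector has to obtain the low-level view without going through the code the rootkit may have hooked, which is the hard part and the reason results differ between tools; the comparison step itself is as simple as shown here. A discrepancy is evidence, not proof: legitimate software (some anti-cheat and security products) also hides objects and will show up the same way.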
Isolate Yourself
Consider doing ALL of your Internet browsing within the confines of a virtual machine (VM), especially online banking or any online financial transaction. Virtual machines are really cool technology. Essentially a VM is a software implementation of a machine (a computer) that executes programs like a physical machine. A virtual machine is software that creates an environment that emulates real hardware. You can actually install other operating systems into this “environment”. The installation program thinks it’s communicating with real hardware and completes its installation as though it were installing to a real standalone computer. You can obtain free virtual machine software from either Microsoft or VMWare. You can also purchase commercial products which have more features than the free versions, but that’s another topic.
You can download Microsoft’s free Virtual PC program
You can download VMWare’s free VMWare Player
So how exactly does this benefit you? Glad you asked! Once you’ve created a virtual machine and installed a copy of Windows and updated it with whatever programs you need, you can save this configuration or the current “state” and call it up as needed. Each time you run it, it will be exactly as it was when you first created it – free of any rootkits or spyware – presumably. A totally pristine system each time you start it. Now if you add something later or visit a web site and save the changes, then that’s another matter. It’s now an altered state and may or may not be pristine. We are suggesting that you create a clean virtual machine environment for general surfing and another strictly for online banking or financial transactions. When you’re done surfing the net, you just close your virtual machine without saving any changes; anything malicious that was picked up while surfing essentially disappears. Use these VMs only for their designated purpose and nothing else. Use the one designated for financial transactions to visit your bank’s web site, and when you are through, close the browser and close the VM. Don’t save any changes to the VM. If you want to purchase something online with a credit card, make sure you know what you want ahead of time and that the site you are going to purchase through is legit, open a virtual machine and go directly to the site and finish the transaction. When it’s finished, again, close the browser and close the VM. Don’t save any changes. You want to keep it pristine. That is currently about as safe as can be expected when doing anything financial online.
Hire a Professional
Removing rootkits can be a dicey proposition. Rootkits insert themselves into an operating system at a very low level and can manipulate the system from there. Depending on the variety of rootkit, they can be EXTREMELY difficult to remove without crashing or rendering your system inoperable. If in doubt, seek out professional help. They have advanced knowledge and tools and are more likely to be able to extract the rootkit. Before taking your machine to a pro, please make a backup of your data if at all possible, or have them do it. Even if your machine is infected, an infected backup can be better than no backup sometimes. Make sure to mark the backup as being possibly infected.
Also be aware that it’s entirely possible that the machine may need to be wiped out using special programs and techniques, so that the operating system can be re-installed from scratch. Why the special software? Some rootkits have found a way to install themselves in areas of your hard drive which your hard drive’s own firmware has marked as unusable. The operating system never uses these areas and most detection programs don’t look there either. Special drive erasure programs are needed to bypass this and erase or format these previously marked-as-bad sectors.
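One concrete reserved region of the kind described above is the Host Protected Area (HPA): the drive’s firmware reports fewer sectors to the operating system than it actually has, so neither the OS nor a normal format touches the rest. On Linux (for example from a live USB), `hdparm -N /dev/sdX` prints the visible and native sector counts. The helper below, an added example that is not from the article, parses that output and reports how much of the drive is hidden; the sample output strings are constructed in the format hdparm prints, and a 512-byte sector size is assumed (4K-native drives differ).

```python
"""Check a drive's hdparm -N output for a Host Protected Area (added example)."""
import re
import subprocess

# Constructed samples in the format `hdparm -N /dev/sdX` prints on Linux.
SAMPLE_NO_HPA = """/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
"""
SAMPLE_HPA = """/dev/sdb:
 max sectors   = 976000000/976773168, HPA is enabled
"""

# "max sectors = <visible>/<native>"; the native figure is the drive's real size.
LINE_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hpa(output, sector_bytes=512):
    """Parse hdparm -N output and describe any hidden area.

    sector_bytes is an assumption (512 for most drives of the article's era).
    Raises ValueError when the expected line is absent, e.g. for drives whose
    firmware answers the query inconsistently.
    """
    m = LINE_RE.search(output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm output")
    visible, native = int(m.group(1)), int(m.group(2))
    hidden = native - visible
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_bytes,
        "hpa_present": hidden > 0,
    }


def check_device(device):
    """Run hdparm -N on a real device (needs root and hdparm installed)."""
    out = subprocess.run(["hdparm", "-N", device], capture_output=True,
                         text=True, check=True).stdout
    return parse_hpa(out)


if __name__ == "__main__":
    for sample in (SAMPLE_NO_HPA, SAMPLE_HPA):
        info = parse_hpa(sample)
        print(f"{sample.splitlines()[0]} hidden={info['hidden_sectors']} sectors "
              f"({info['hidden_bytes'] / 2**20:.1f} MiB)")
```

A non-zero hidden area is a reason to investigate, not a diagnosis on its own: some manufacturers ship drives with an HPA holding a recovery image, so compare against the vendor’s documentation before concluding the region was created by malware. Erasing an HPA means changing the drive’s visible size with hdparm (or a dedicated erasure tool) before wiping, which is exactly the step a normal OS-level format skips.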
Closing thought
It’s been said that the creation of rootkits and anti-rootkit programs is a game of “cat and mouse” that no one can win. The reality is, if the bad guys are always a step ahead, then they are winning.