EngEd Community

Section’s Engineering Education (EngEd) Program fosters a community of university students in Computer Science related fields of study to research and share topics that are relevant to engineers in the modern technology landscape. You can find more information and program guidelines in the GitHub repository. If you're currently enrolled in a Computer Science related field of study and are interested in participating in the program, please complete this form .

Overview of Rootkits

January 27, 2022

In this modern digitized world, it has become almost impossible to achieve privacy and security. As much as data has become crucial, its protection has become even more valuable.

Today, securing our data and information is our top priority. There are numerous ways in which someone can get unauthorized access to systems and steal data. Rootkits are one such method.

What are Rootkits?

Rootkits are malicious software that targets the operating system, firmware, or various system applications to gain root privileges.

They can go undetected by the system and deploy various malware that allows them to steal data.

Rootkits typically target the kernel or core of the operating system because they can use their significant power to attack the entire system, which implies they acquire access to the low-level machine code.

Rootkits are exceptionally good at disguising themselves from system security mechanisms and evading all subsequent system scans for abnormal behavior. This allows them to influence the operating system by convincing it that there are no threats and that the system is safe.

The malware helps the hackers to steal personal data and financial information once they have gained illegal access to computers.

Although this may sound concerning, rootkits can sometimes be put to good use. For example, they are purposefully deployed during the research and development phase.

In this stage, the rootkits are installed to see how the system reacts to them. Then a report can be formulated, analyzed, and used to improve computer systems to avoid any future threats.

How it affects our systems

Once the rootkit is on the system, it makes the operating system vague about its presence.

It achieves this by avoiding standard operating system services such as detecting and tracking unusual activity and other third-party applications such as anti-virus software and anti-malware components.

Capturing keystrokes is one of the destructive acts rootkits may accomplish. This may assist fraudsters in obtaining your online account credentials, which they can use to disable the online security features.

This causes performance slowdown, bootloader anomalies, data loss, and a variety of other problems.

Types of rootkits

Rootkits are classified into several types based on the part of the system they affect and how they operate. Here are some of the most concerning rootkits:

Kernel-mode rootkits

Rootkits that target the kernel of the operating system are called kernel-mode rootkits.

The kernel is the core of the operating system, therefore a rootkit on that section equals a serious threat. The rootkit can simply add or remove a significant chunk of the operating system and its associated modules.

Kernel rootkits are more difficult to detect and remove since they operate on the kernel. They are immediately regarded as vital as the operating system.

In this condition, no aspect of the system can be trusted because they can now change how the operating system works as a whole.

Bootkits

Bootkits are a type of kernel-mode rootkit that affects the system’s booting mechanism. Rootkits of this type replace the original bootloader with the infected one.

This allows hackers to access the system’s startup code. This launches the rootkit even before your computer’s operating system is fully loaded. As a result, the rootkit is executed when the machine ultimately boots up.

Firmware rootkit

A firmware rootkit is a type of rootkit that exploits essential hardware such as routers, drives, and so on. It takes advantage of the firmware because it is unaffected by unit testing and security software.

Before deploying a software update, the system is reviewed for quality and tested to maximize code coverage.

During this stage, the majority of harmful files and codes are eliminated from the system. As a result, this type of rootkit latches onto the firmware and uses it as leverage.

Preventive measures

As previously stated, the rootkit hides among other system modules in the operating system, making it not vulnerable to detection.

Detection software can only identify those rootkits if there is a flaw in the rootkits’ ability to hide. It becomes impossible to find them if they are flawless in hiding or if they latch themselves onto the kernel.

1. Memory dumping

In this case, the memory dump analysis method would be useful. A memory dump is a process of dumping all information contained in RAM onto a storage drive.

These dumps can be helpful to recover relevant data and information about the rootkits regarding their issues, flaws, and whereabouts in the system.

2. Behavioral analysis

Rootkits can also be discovered through behavioral analysis. Instead of looking for rootkits, we search for rootkit-like behavior.

Since rootkits hide and can be difficult to detect, learning about their behavior can be beneficial. The root cause can be discovered using the acquired data, patterns, and algorithms. Although this procedure may not always produce viable results, it is still worth trying.

3. Kernel shut-down

Taking down the kernel will help in the identification of a kernel-mode rootkit. Since the rootkit gets decommissioned when the kernel is turned off, it becomes harder for it to hide. This helps in eliminating the rootkit from the memory dump.

4. Principle of least privilege

The principle of least privilege is another strategy that can benefit in tackling the problem of rootkits.

It simply involves giving the user access to only those parts of the system that they need to execute any computing operation.

This prohibits the user from modifying any key files or modules on the operating system that could compromise the device’s core functionality. This also prevents the installation of any unwanted software into the kernel.

Conclusion

Rootkits are not harmful when our systems are secure and files are protected and backed up regularly. Our initial goal should be to enhance our system’s infrastructure.

Proper actions should be taken to prevent rootkits from being installed. Using antivirus software, installing security updates regularly, downloading software from official websites and trusted sources, as well as inspecting the operating system’s behavior or performance are some of the basic and effective security procedures.

Further reading


Peer Review Contributions by: Geoffrey Mungai