They move in and out of other people’s computers without being noticed. They creep in through backdoors and smuggle valuable data out so it can be sold on the black market; they steal money, credit card data and confidential documents without the victim noticing a thing. What sounds like a Sunday evening crime drama has long been a digital problem as well: hackers using complex software to access other people’s systems and gain control of their victims’ computers. The rootkit is the accomplice in such activities, keeping watch and disguising the actual miscreants’ nefarious deeds as far as possible.
The danger itself does not come from the rootkit, but from the malware whose traces it is covering up. A rootkit is not malware in the usual sense. Its specific capability lies in hiding files and processes from other applications and from the operating system, and thereby concealing malware from virus scanners and security solutions. The ‘danger level’ of an infection with a rootkit therefore depends on what the intruders are planning to do and what malware they decide to place on the system through the backdoor they have broken open.
This accomplice in code form penetrates deep into the operating system and becomes active there. The word “root” refers to root privileges, the rights of the superuser account of the same name. Originating from the UNIX world, this account is set up during installation of the operating system and grants the user comprehensive access rights. Hence it is not intended for everyday use but for all administrative tasks that need to be carried out deep in the system, at “root” level. The “kit”, on the other hand, means that it is a collection of software tools. Literally, therefore, a rootkit is something like a toolkit for administrators.
This toolkit enables cyber criminals to log into the computer without being noticed and execute administrative functions. The rootkit prevents the user from noticing any sign of the illegal access on the computer. Messages to the criminals are disguised on the computer, as are the associated files and processes. The rootkit also enables dangerous programs to be hidden that spy on things such as passwords, trade secrets, keyboard and mouse input, credit card information and the like.
As it can conceal so many different files and processes, there has long been more than one kind of rootkit. Each variant proceeds in a different way and draws on different parts of the system. The two most widely distributed types of rootkit are the user mode rootkit and the kernel mode rootkit. The kernel mode is the innermost core of an operating system. The lowest level settings are specified there and only the administrator has access to this part of the system. When a rootkit embeds itself here, attackers can remotely manipulate the computer as they want. The user mode, on the other hand, comes with significantly fewer rights and has correspondingly less influence on the operating system. The operating system can be penetrated on various levels, and the depth of the penetration depends on where the rootkit is located. It is true that complex kernel rootkits are rarer, but at the same time they are harder to discover and remove than user mode rootkits.
When criminals succeed in smuggling such a rootkit onto a computer, they already have one foot in the door. If they also manage to spy on the passwords for the computer, and they have the right malware, they hold the key to your system and can let themselves in at any time. If all the coming and going happens with the protection of a rootkit, experts often refer to a “backdoor” to the system having been opened. Backdoors enable hackers to install or launch more software, access data and change settings.
What intruders can do with the help of a rootkit differs greatly. A well-known example of such an unwanted guest on third-party computers is the Sony scandal. It came to light in 2005 that Sony was using copy protection on various music CDs in which a rootkit was supposedly hidden. This rootkit manipulated users’ operating systems to prevent CDs from being copied. Antivirus and anti-spyware software were blind to this program. Furthermore, the software secretly sent the users’ private listening habits to Sony – all under the rootkit’s protection. Consequently, Sony not only acquired enormous knowledge about the users, but also caused a major scandal. Instead of protecting its copyright, Sony significantly infringed data protection – and potentially made it easier for hackers to get in through security holes opened in this way.
Special boot CDs help with detecting rootkits. G DATA security solutions provide the option of creating a Linux-based boot CD that can be used for booting up the computer independently of the installed operating system. The system can then be scanned by the virus scanner contained on the CD in a condition where any rootkit present on the hard disk is not active and so can be discovered more easily. In this state, the disguising function is ineffective and the rootkit’s cover is blown open, along with that of its criminal accomplices.
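The detection idea behind the boot CD is a comparison of two views of the same data: the “live” view that a hiding component has filtered, and a view taken while the rootkit is not running. The following added example (not G DATA’s code, and not a real rootkit) simulates a user-mode hook that filters a directory listing, and shows how a cross-view comparison exposes what is hidden; the `HIDDEN_PREFIX` value and the hook are assumptions made for the demonstration only.

```python
"""Cross-view detection of hidden directory entries (simulation).

A user mode rootkit hides files by hooking the directory-listing call that
applications use and filtering its results. A scan from clean boot media
reads the same directory without the hook, so the two views disagree.
Constructed example: the 'hook' is a plain filter, not real API hooking.
"""
import os
import tempfile

# Assumption for the demo: the simulated rootkit hides names with this prefix.
HIDDEN_PREFIX = "_rk_"


def hooked_listdir(path):
    """Simulated 'live' view: what an application sees once the listing
    call has been filtered by the hiding component."""
    return [n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def offline_listdir(path):
    """Simulated 'offline' view: the listing taken while the rootkit is not
    running (for example from a boot CD), so nothing is filtered."""
    return os.listdir(path)


def cross_view_diff(path, live_view=hooked_listdir, offline_view=offline_listdir):
    """Return entries present in the offline view but absent from the live
    view, i.e. the names some component is concealing from the running OS."""
    live = set(live_view(path))
    offline = set(offline_view(path))
    return sorted(offline - live)


def build_sample_dir():
    """Create a constructed sample directory: two visible files, one hidden."""
    root = tempfile.mkdtemp(prefix="rootkit_demo_")
    for name in ("notes.txt", "report.pdf", HIDDEN_PREFIX + "loader.bin"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    print("live view   :", sorted(hooked_listdir(sample)))
    print("offline view:", sorted(offline_listdir(sample)))
    print("hidden      :", cross_view_diff(sample))  # ['_rk_loader.bin']
```

Running the offline view on both sides yields an empty difference, which is exactly the condition the boot CD creates: with the hiding component inactive, there is nothing left to conceal.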