By: Gabriel Schram
June 29, 2021
What Is A Rootkit And How Does It Work?
By: Gabriel Schram
June 29, 2021
Operating systems provide different access levels to users based on their privileges, and certain mechanisms remain in place to protect their permissions. There are varying levels of user privilege which determine their level of access to an operating system. Higher levels of access are equivalent to more capabilities on the given machine. The highest level of permissions on a Windows operating system is administrator or admin. For Unix and Linux systems, the highest level of access is root. Root or Administrator level privileges allow access to all commands, files, configuration settings, and other user accounts on the operating system.
A rootkit refers to potentially malicious software that enables access to the kernel of an operating system and conceals itself along with other software. Rootkits allow for bad actors to deliver malware that often goes undetected by antivirus. They allow users to change security settings, steal personal information, and easily obtain passwords. The tactics, techniques, and procedures for rootkit infections vary and have shifted in recent years with advancing technology. However, social engineering and critical system updates remain top risks for compromise. Once inside a system, they are extremely difficult to detect and remove. While options for removal exist, they are limited. The best way to prevent a rootkit infection is to reduce the potential for malicious compromise through system hardening and proactive cybersecurity.
How Do Rootkits Work?
Rootkits work well for threat actors because they function stealthily and hide actions taken within the compromised system. They remain intact and keep persistent control using DLL injections. On Windows machines, Dynamic-Link Libraries (DLLs) are a major component of certain software functionality. DLLs aid in the efficiency of program usage, memory allocation, and load times. DLL injection is the insertion of malicious code in a running process on a Windows machine. Alternatively, rootkits maintain persistent access through driver manipulation. Driver manipulation is the malicious compromise of kernel-mode device drivers on the operating system; these drivers typically require admin or root privileges. While rootkits are not inherently malicious, they provide their users with defense-evading techniques. This includes altering system settings and configurations, maintaining persistent access, and concealing other variants of malware. Specifically, rootkits can evade antivirus, application controls, signature-based detection, and system access controls (MITRE ATT&CK, 2020). More accurately, they intercept and modify system API calls. These are critical in supplying the operating system with information about running processes such as requests to external programs. Rootkits can be unique in some features, but many tend to be used for stealthy intelligence gathering; many wait for remote commands from a command and control server.
Threat actors tend to use phishing campaigns, malicious links, and drive-by downloads as a means to compromise a system initially. For rootkits to be successful, the attacker needs to obtain root or administrator-level privileges. This is done through the process of privilege escalation.
Examples of Rootkits
- LoJax - Identified as a Unified Extensible Firmware Interface (UEFI) variant of rootkit malware. It infects system firmware before the operating system loads. It was used by APT 28 to maintain remote access to targeted enterprise systems and government agencies (ESET, 2018).
- Ramsay - Malware designed for espionage. Later versions feature a rootkit meant to steal sensitive data from networks and air-gapped systems (Sanmillan, 2020).
- Uroburos - Rootkit variant that Turla, a Russian-based organization, used. Uroburos features an encrypted virtual file system. It excelled at stealing files and was capable of capturing network traffic(G-Data, 2014).
- HiKit - A rootkit used by a Chinese-based espionage group called Axiom. HiKit was meant for intelligence gathering and functioned similarly to a remote access trojan (RAT) (Novetta, 2014).
- Stuxnet - worm developed to target the Supervisory Control and Data Acquisition (SCADA) systems of Iran's nuclear facility. It featured many modules, including a rootkit meant to conceal its payload and propagation (Zetter, 2014).
What Can Be Done About Rootkits?
Rootkits exploit system-level features, which can make mitigation and removal difficult. However, certain measures can improve capabilities for detection, such as monitoring for unrecognized DLLs and services. Moreover, any changes made to the Master Boot Record (MBR) of the operating system should be examined closely.
Initial infection and privilege escalation are prerequisites to a rootkit infection. Social engineering is an effective tactic used by bad actors and typically comes in phishing, spear-phishing, and malicious links. Users must remain aware and vigilant of these types of campaigns. Users must be cautious of emails from outside their organization and should never click on untrusted links. They should also closely monitor for suspicious access requests, which could be indicative of a compromise. Drive-by downloading is another popular method of compromise that refers to the unauthorized installation of programs or software. These typically occur when users visit untrusted malicious websites or click on malicious links. Drive-by downloads typically take advantage of unpatched and vulnerable operating systems. In addition to keeping systems up to date, users must be extremely cautious of download sources.
Reducing the attack surface for initial compromise is important, but privilege escalation should be difficult for bad actors through internal network segmentation. Additionally, user accounts should have only the necessary amount of access needed for their job; this adheres to the principle of least privilege. Re-installation of an operating system infected with a rootkit is often the best option if it is deep in the machine; this can also be done by booting from an external drive. Some companies offer rootkit detection and removal tools, particularly for Windows systems.
Rootkit variants are still being used in conjunction with other malware. Combining them greatly increases the potential for stealthier cyber attacks. Rootkits can go undetected for an extended period. Their core uses are to gather intelligence on infected systems; this makes them a major threat to government agencies, critical infrastructure, and enterprise environments. Older versions of known rootkits can be improved, and advancing technology can potentially automate gaining admin or root privileges. Their potential to conceal dangerous malware variants makes rootkits a cause for concern in the foreseeable future.
ESET. (2018). Lojax. ESET Research White Papers, Retrieved from https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
G-Data. (2014). Uroburos - highly complex espionage software with Russian roots. Retrieved from https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots
MITRE ATT&CK. (2020). Rootkit. Retrieved from https://attack.mitre.org/techniques/T1014/
Novetta. (2014). Hikit analysis. Retrieved from https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf
Sanmillan, I. (2020). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved from https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
Zetter, K. (2014, An unprecedented look at stuxnet, the world's first digital weapon. Wired, Retrieved from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/