The term rootkit combines two words. The first is “root”: root is the default username for the administrator account on the traditional Unix operating system. The second is “kit”, short for toolkit, referring to the modules used to deliver the tool. A rootkit is a hidden program that enables root or administrative access to your system. Rootkits were originally administrative tools for Unix-based operating systems that intruders used to achieve root access to a system. Intruders would replace the standard administrator tools of a Unix system with a rootkit they created. This custom rootkit would give a trespasser root access to the system while hiding their activities. Today rootkits are also created by criminals for Windows operating systems. Rootkits are very stealthy and difficult to detect.
Rootkits are also very difficult to install, as you must already have root or administrative access to the computer. Typically a criminal will get access to a system by stealing the password. They will then log into the computer and install the rootkit. Once the rootkit is on the system the criminal can hide their break-in while maintaining administrative access. With administrative access a criminal has total control over a system: they can change the system, hijack it, conduct crimes from it, steal information from it or do just about anything else without being detected. What makes a rootkit so difficult to detect is that the software used to detect it can itself be sabotaged by the rootkit. Rootkits are most often detected with antivirus software that detects malicious behavior. This is known as heuristic scanning, which we cover in the section on antivirus software.
There are at least five types of rootkits.
User-mode rootkits run with the privileges of an ordinary user, alongside other programs, rather than as system programs. These rootkits mask themselves inside legitimate programs by adding code to them. One method is to appear as a program add-on. Windows Explorer, Firefox, Safari and other browsers have small programs you can download to add functionality to the standard browser. They make this possible by exposing an application programming interface (API). The API specifies how the browser’s components will interact with other software, allowing vendors to create small programs that add functionality to the browser. A criminal can replace part of the code for a browser add-on with a rootkit. Browsers are not the only programs with APIs; all programs have them.
Kernel-mode rootkits add or replace portions of the operating system such as the kernel or device drivers. Operating systems allow kernel-mode device drivers, and these drivers run with the same access rights as the operating system itself. Many kernel-mode rootkits are therefore written as device drivers, which gives a kernel-mode rootkit unrestricted access to a system. This type of rootkit is difficult to create because the code involved is very complex, and that complexity often results in bugs. Any bug in a program operating at the kernel level has a grave effect on system stability, and the bugs in these rootkits are what often lead to their discovery. Well-written kernel-mode rootkits are extremely difficult to detect and remove because they operate as part of the operating system.
A bootkit compromises the startup portion of an operating system such as the Master Boot Record (MBR), Volume Boot Record (VBR), disk partition table or boot sector. A bootkit can even compromise a system using an encrypted disk. A criminal can install a bootkit on a computer by replacing the real boot loader with a bootkit he controls.
A firmware rootkit is malicious software that injects itself into the hardware. This is done by using the device's firmware to give the rootkit a persistent presence in the hardware. The most commonly infected hardware devices are network cards, hard drives and the system BIOS.