A rootkit represents a significant threat because it can give an attacker ongoing, privileged access to a system without detection. A rootkit is designed to hide the fact that an operating system has been compromised by concealing malicious software, which makes detection and removal particularly difficult. Rootkits can intercept and modify system calls, alter system files and processes, and hide their presence by manipulating the operating system’s functions.
Rootkits often enable the attacker to execute files, access logs, monitor user activity, and open backdoors to the system. They can be installed through phishing attacks, by exploiting system vulnerabilities, or by an attacker who has already gained access to the system by some other means. Once installed, a rootkit can intercept hardware “calls” to the disk, and it can alter the return values of system calls so that the system appears to be operating normally when it is, in fact, under attack.
Because rootkits are stealthy, standard antivirus software often cannot detect them. More sophisticated methods, such as behavioral-based detection, integrity scanning, signature scanning, and difference scanning (comparing against known good system files), are required to detect and remove them. In some severe cases, the only reliable way to remove a rootkit is to reformat the system’s drives and reinstall the operating system.
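Difference scanning of the kind just described, as an added example (not code from the original page): it hashes every file under a directory into a known-good baseline, then rescans and reports files that were modified, removed, or newly added. The directory tree, file contents and tampering are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a known-good hash for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_scan(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the baseline and classify each change."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir: take a baseline, tamper, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/ls": b"clean ls", "bin/ps": b"clean ps",
                          "var/log/auth.log": b"login records"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)  # in practice, stored off-host
        # Constructed tampering: ps replaced, a log removed, an unknown file dropped
        (root / "bin/ps").write_bytes(b"ps that hides processes")
        (root / "var/log/auth.log").unlink()
        (root / "lib/hidden.so").parent.mkdir(parents=True, exist_ok=True)
        (root / "lib/hidden.so").write_bytes(b"dropped module")
        return diff_scan(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A kernel-level rootkit that hooks file reads can hand the scanner clean bytes, so the comparison is most trustworthy when the baseline is kept off-host and the scan runs from a trusted boot medium against the offline disk.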
The term “rootkit” originates from combining the word “root,” which is the traditional name for the privileged account on Unix and Unix-like operating systems, with the word “kit,” which refers to the software components that implement the tool.
Key Characteristics:
- Grants unauthorised root-level access to the attacker
- Hides its existence and malicious activities from users and system administrators
- Difficult to detect and remove
- Can modify system functions and intercept system calls
Examples:
- Real-World Example: The Sony BMG copy protection rootkit scandal of 2005, where Sony BMG music CDs surreptitiously installed rootkit software on users’ computers to prevent illegal copying but also exposed users to serious security risks.
- Hypothetical Scenario: An attacker employs a rootkit that infects a company’s server, hiding itself from system monitoring tools while allowing the attacker to exfiltrate sensitive data over a period of months without being detected.
Related Terms:
- Backdoor: A covert means of access that a rootkit uses to gain and retain control over a computer system or network.
- Antivirus Software: Security applications that typically fail to detect rootkits due to the latter’s stealthy behaviour.
- Privileged Access: The level of access that rootkits seek in order to carry out their malicious intent.
- System Call: The programmatic way in which a program requests a service from the operating system’s kernel; rootkits commonly intercept these calls.