Rootkit Evolution
by Alisa Shevchenko - Virus analyst, Kaspersky Lab - Monday, 1 September 2008.
Rootkits – mass production

As rootkits evolved, they were also being embedded in malicious programs. In those days it was difficult to create stealth technologies independently, because little had been written about the field; as a result, the small number of malicious rootkits could be divided into three categories:
  • Trojans which used ready-made tools and libraries to hide themselves. The overwhelming majority of these Trojans used Hacker Defender and FU.
  • Ready-made malicious rootkits which could be downloaded or purchased and which could be modified by the user. Haxdoor is one example. Like HacDef, Haxdoor was very popular in the fall of 2005; Kaspersky Lab was adding around ten new signatures daily to protect against new variants of Haxdoor.
  • Custom rootkits developed for targeted attacks. AV vendors usually learned about these rootkits directly from customers, mostly large enterprises. Typically, virus analysts conducted on-site manual forensic investigations after network administrators couldn't identify the cause of the problem. This group of rootkits was extremely small, but the samples showed a high level of technical sophistication.
By 2005, almost 80% of extant rootkits were variants of HacDef and Haxdoor. Rbot and SdBot were the first multi-functional backdoor Trojans to include built-in rootkit technologies. The motive was clear: any technology that improved the overall functionality of a commercial Trojan translated directly into additional financial gain for the author and/or controller. Thus bot masters were the first to latch on to stealth/rootkit technologies.

By 2006 we saw rootkit technologies being built into common email worms such as Bagle; Trojan-Spy programs such as Goldun; and Mailbot programs, such as Rustock. This development proved to be a serious challenge for AV vendors. However, by the time using rootkit technologies in Trojans became standard there were a number of anti-rootkit tools, both standalone and in products. The balance of power was restored.

Rootkits and scandal

By 2005 the use of rootkit technologies in malware was so widespread that it fell under the gaze of the mass media and, naturally, security vendors. Microsoft representatives brought up the topic at RSA. The numerous scandals related to rootkit-like technologies found in various software and hardware products in 2006 clearly demonstrate how rootkits had become a public issue.

1. The Sony DRM copy protection on some CDs hid its files from users. Moreover, the technology was implemented in such a way as to create a serious vulnerability: the driver cloaked any object whose name began with the prefix "$sys$", so anyone could name their own files in that way and have them hidden by the Sony DRM technology.
2. Symantec included a similar feature in their products: the Norton Protected Recycle Bin used a directory that was hidden from users. This incident is rather amusing; Symantec's 'protected basket' was documented by the company and was easy to disable. In fact, the concept of hiding files in this hidden folder is really not much more interesting than the concept of hiding files in the depths of the system directory tree, where no user ever looks.
3. The next to fall victim to rootkit-related scandals was Kaspersky Anti-Virus itself; the product turned out to store certain data (cached scan results) in NTFS alternate data streams, i.e. in parts of the file system that are hidden from users. Although it's not clear exactly what threat this posed, the use of the term 'rootkit' scared a lot of people.

Anti-rootkit hysteria

Another important aspect of the evolution of rootkits was the parallel anti-rootkit hysteria. By mid-2006 all major AV vendors had acknowledged that it was necessary to react to the threat posed by rootkits. And every company reacted in its own way. Some vendors modified their products to access hidden objects during regular anti-virus scanning. Others released standalone anti-rootkit tools. Still others compromised by including anti-rootkit scanning in their products and making this function accessible via the product interface.

Truth be told, no one was particularly successful; it was simply a matter of locking the stable door after the horse had bolted. In the context of the escalating situation, F-Secure, whose BlackLight anti-rootkit tool was released soon after RootkitRevealer by Sysinternals, was one of the first major vendors to take action of note. The F-Secure tool only detected hidden processes, but it was based on proof-of-concept technologies.

Vendor independent anti-rootkits

Vendor independent anti-rootkit tools appeared even earlier, around 2005. Unlike the solutions from AV vendors, who needed to make it obvious that they were protecting their users, the writers of free tools simply wanted to uncover as much hidden data as possible. Therefore, vendor independent tools were more professional, more powerful, and better able to react appropriately to the changing environment.

The first anti-rootkit tools were designed to reveal a single type of object, e.g. hidden files. As time went on, they became increasingly multi-functional and adopted a systematic approach. Today, the most useful general anti-rootkit tools are GMER and Rootkit Unhooker, the latter of which is no longer supported. Both tools make it possible to conduct a rapid, superficial analysis of the condition of a system from a number of angles. They can also be used, if necessary, for deeper, more specialized analysis.
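The hidden-process detection mentioned above for F-Secure's tool, and the "analysis from a number of angles" that RootkitRevealer, GMER and Rootkit Unhooker perform, rest on the same idea: take the same inventory through two independent paths and treat any disagreement as a candidate for hidden state. The following is an added example, not code from the original article nor from any of the tools it names (which target Windows); it applies the cross-view technique to processes on Linux, assuming a standard /proc. The high-level view is the /proc directory listing that ps and top read; the low-level view is a brute-force probe of every PID with kill(pid, 0), which asks the kernel directly whether the PID exists. A rootkit that filters /proc entries usually does not also filter kill().

```python
"""Cross-view detection of hidden processes on Linux (added example).

Assumes a Linux system with /proc mounted normally. Not the code of any
tool named in the article.
"""
import os
import time


def list_proc_pids() -> set[int]:
    """High-level view: PIDs that appear as numeric directories in /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Low-level view: kill(pid, 0) sends no signal but checks existence.

    ESRCH (ProcessLookupError) means no such process. EPERM
    (PermissionError) means the process exists but belongs to another
    user, which for this purpose still counts as "exists".
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def brute_force_pids(max_pid: int) -> set[int]:
    """Enumerate every PID in [1, max_pid] with the kill(pid, 0) probe."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def read_pid_max() -> int:
    """Upper bound of the PID space on this kernel."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def is_thread_of_visible_process(pid: int, visible: set[int]) -> bool:
    """Thread IDs answer to kill() but are not listed by readdir(/proc).

    /proc/<tid>/status is still readable and names the thread group
    leader (Tgid); if that leader is in the visible set, the candidate is
    an ordinary thread, not a hidden process. If the status file cannot
    be read at all, the candidate stays unexplained and is reported.
    """
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) in visible
    except OSError:
        pass
    return False


def find_hidden_pids(max_pid: int = 0, settle: float = 0.05) -> set[int]:
    """Return PIDs that the kernel says exist but /proc does not list.

    max_pid=0 means "use the kernel's pid_max". Processes are born and
    die during the scan, so a single difference is noisy: a candidate is
    reported only if it is still alive and still missing from /proc on a
    second look after a short pause, and is not a thread of a listed
    process.
    """
    if max_pid <= 0:
        max_pid = read_pid_max()
    low_level = brute_force_pids(max_pid)   # probe first ...
    high_level = list_proc_pids()           # ... then list, so newborns are not flagged
    candidates = low_level - high_level
    if not candidates:
        return set()
    time.sleep(settle)
    visible_again = list_proc_pids()
    return {
        pid for pid in candidates
        if pid_exists(pid)
        and pid not in visible_again
        and not is_thread_of_visible_process(pid, visible_again)
    }


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

On a clean system the result is empty; on a system where a kernel module filters readdir() on /proc, the filtered PIDs show up in the difference because kill() resolves them through the kernel's task table rather than the directory listing. The same two-view pattern carries over to files (directory listing versus raw file-system metadata) and registry keys, which is what the Windows tools discussed above do.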

