Rootkits are a particularly insidious form of malware because they load before an operating system boots and can hide from ordinary antimalware scans and protection. Their ability to elude detection also makes them extraordinarily difficult to remove and clean up after.
By design, rootkits are difficult to find. For your humble authors, even the slightest hint of possible rootkit infection is reason enough to reinstall from a verified clean and current backup. If we can't pinpoint when the infection occurred, in fact, we treat all available backup images as infected and discard them. This provides added impetus to separate data from OS files and to make regular but separate backups of each as well. Thus, loss of the OS/runtime environment won’t also force disposal of data files.
In this story, we’ll take a look at how rootkits work, some common symptoms of rootkit infection, and tools and resources for detecting and removing rootkits.
Wikipedia defines a rootkit as “a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a concatenation of ‘root’ (the traditional name of the privileged account on Unix-like operating systems) and the word ‘kit’ (which refers to the software components that implement the tool).” Please note that the term “tool” in the previous sentence refers to the rootkit itself and reflects the increasing tendency for malware creators to make use of code libraries and various other kinds of programming building blocks to construct such things, including rootkits.
Generally, rootkits can be divided in two categories: user mode and kernel mode. (The most renowned rootkit, Hacker Defender, is an example of a user mode rootkit.) In the Windows operating system, ordinary programs run in user mode, which can only make mediated calls on operating system services and resources. Privileged programs and the operating system run in kernel mode, which can make direct access to operating system resources and can interact directly with other operating system services. Thus, kernel mode rootkits essentially operate as if they were part of Windows itself.
That’s what makes any kernel mode rootkit so dangerous and so difficult to detect and remove. Such a rootkit modifies the Windows kernel. It makes itself “persistent,” which means it activates every time a user boots the PC. This means a rootkit can run everything from keyloggers to backdoors. And because it can access the OS kernel and its APIs, a rootkit can hide itself by intercepting any system call that includes a filename or any other data that might reveal its existence. If a call involves any data that might reveal the rootkit to a user, it will be hidden or supressed, so the user sees nothing alarming or out of the ordinary.
Like any other program, a rootkit requires user interaction or system compromise to take up residence on a PC. The most common infection mechanism is to trick an unsuspecting user to download and install a file or program of some kind (e.g., an image, an executable file, a PDF file, a macro, and so forth), often from a website or an email attachment. Thus, the first rule of security all employees should learn when they’re granted access to corporate computers is never to open attachments in emails from unknown senders and only to download or install software approved by the IT department (preferably from an IT-provided download or shared file). Endless heartache and cleanup effort could be spared if users followed these simple rules.
Once a rootkit is installed on a PC, it can take steps to mask its presence (such as inserting itself into otherwise benign programs normally present on PCs, or even as part of the Windows operating system itself). Generally, rootkits operate at the highest levels of privilege they can acquire, which usually means Administrator, Trusted Installer, or System levels. This means that, once installed, rootkits can do just about anything they want to an infected Windows system, including installing programs of their own choosing, stealing account and identity information, and “phoning home” to upload illicitly obtained and perhaps sensitive or valuable information to third parties across the internet.
The original rootkits took their name from various maliciously modified administrative tools in the Unix environment designed to grant unauthorized parties root level access to such systems. According to Wikipedia, the earliest known rootkit dates back to 1990, written for SunOS by Lane Davis and Steven Dake. It subverts attempts to compile the Unix login command and adds a backdoor password known to attackers in addition to whatever password the user assigns.
The first Windows NT rootkit dates back to 1999, in the form of a Trojan horse called NTRootKit created by Greg Hoglund (he is also the co-author, with James Butler, of an excellent book on this subject: Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2006, ISBN: 0321294319). You can consult the Rootkit List at Bleeping Computer for the most current and complete list of rootkits identified from the wild. Of these items, the Rustock rootkit (identified as Backdoor.Rustock in the preceding resource) is probably the best known and most feared in the current rootkit arsenal.
A typical symptom of rootkit infection is that antimalware protection stops working. You will get alerts about various causes that prevent antimalware from protecting your PC. If an antimalware application simply refuses to run, you have reason for concern, because this is often an unequivocal indicator that a rootkit infection is active.
Another clear symptom is when Windows settings change independently, without any user interaction. If you notice unexpected behavior, such as pinned items changing on the Taskbar or background images changing or disappearing (such as on the lock screen or in the screen saver), that might also indicate a rootkit infection.
Frozen input devices can also signal infection. If you suddenly get no response from your mouse or keyboard, lasting from a few seconds to few minutes, check to see if USB devices and other I/O devices keep disconnecting and reconnecting. If such behaviour occurs in tandem with inoperative antimalware programs and/or mysterious changes to Windows settings, rootkit infection becomes a distinct possibility.
Finally, monitor your network usage. When a system is idle, there should be only minimal network traffic. If, however, your machine sends and receives a lot of data when apparently idle, this might indicate an infection. Use Resource Monitor to check which processes or services are involved with the traffic. Do not trust the process or service names shown. Instead, you must try to determine whether those processes or services have valid, understandable reasons to access the network. If not, such behavior may signal a rootkit masking itself as a normal Windows process (or processes).
Because a rootkit runs at such high levels of privilege and often hides itself from notice and can even actively subvert antimalware tools, detecting rootkits can be tricky. In fact, rootkit detection usually requires special tools or specific add-ons to antimalware packages. Rootkit detection methods are often based on detection by inference as well as outright detection of specific files or signatures.
In most cases, running rootkit detection software requires booting a suspect system to an alternate operating system that is trusted to be clean and uninfected, then using runtime tools in the alternate boot environment to seek out rootkit components and elements using disk forensic examination tools.
Other detection methods include behavioral observation (looking for access to highly secure system files, unusual patterns of program or API usage, illegal or out-of-bounds control transfers, and other signs of subversion). In the same vein, some rootkit detection tools also perform difference scanning (comparing known, good, clean versions of files from a trusted reference source to what appears as “the same files” on a suspect system), or performing memory dump analyses (to look at the calls that programs make at runtime and to inspect the values or variables they pass while doing so).
The best way to determine if a PC is infected with a rootkit is to run a rootkit scanner. There are numerous such tools suitable for IT admins or power users. In fact, all major antimalware vendors, from Avast (Malwarebytes) to Symantec (Norton Power Eraser) to Kaspersky offer rootkit scanning facilities to subscribers or users. There are also many third-party rootkit scanners available, some free, some not.
Our personal choice is GMER, a freeware application from well-known antimalware company Avast. It is a relatively lightweight and robust rootkit detection tool. At just 372KB in size, it does not require system restart or an alternative, trusted OS boot to run.
GMER requires users to have a decent working knowledge of Windows and its kernel. Otherwise, its results may be somewhat difficult to interpret. That said, although the application itself includes no help file, its online documentation lists trace outputs for most common (already known) rootkits that can infect Windows (See Rootkits for that comprehensive list, and the FAQ for details on handling the Rustock rootkit).
It bears repeating that, while it might be overly cautious, we most often don't attempt detection and repair of a PC we suspect of being infected and instead deploy a new clean image. This takes about the same amount of time as a thorough rootkit scan and produces a guaranteed clean system. Deploying a clean image is, as far as we are concerned, the best rootkit removal method of all. But of course, if you don’t maintain a current set of replacement images as we do, you will have no choice but to attempt repair and recovery.
Bleeping Computer maintains a set of links (11 in all) to a variety of rootkit removal tools, which it refers to as “anti-rootkits.” MajorGeeks offers an even more comprehensive list that includes entries from most major antimalware vendors as well as more special-purpose tools (22 in all, but some show release dates as far back as 2006). Some of these tools aim at specific rootkit varieties or types, others are more general purpose.
Sometimes detection will automatically prompt users to initiate rootkit removal and cleanup; sometimes a detection tool will recommend a specific but different tool for removal and clean-up. If a clean replacement image is not available as a safer alternative, one has no choice but to work through the steps required to use a specific tool and hope for the best.
Rootkits are not only hard to detect, they can also be difficult to remove. If your efforts to handle removal prove unsuccessful or incomplete, you can turn to others for expert help. If your employer has an antimalware subscription of some kind, you can try the tech support staff from the antimalware provider to obtain assistance, additional tools and further troubleshooting or removal instructions to help move the process along.
For those who may not have access to such tech support, numerous online forums are available where help may be requested. You can email the makers of your chosen rootkit removal tool to ask for further help and support. Or you can turn to one of these online forums where the help is free and reasonably expert, if not always blazing fast (you get what you pay for applies here as elsewhere, and you must often exercise patience to save money in situations like these):
- Bleeping Computer operates an active and vibrant set of support forums, organized by Windows versions. They also offer a wide range of virus and malware removal guides, where you can search on rootkit for specific, related instructions and information. You can also follow their recipe for reporting possible infections, file the necessary digital reports, and request assistance from forum members.
- TenForums.com is our favorite Windows 10 self-help site (EightForums.com and SevenForums.com ditto for those other versions). Each such site has a silo on AntiVirus, Firewalls, and Security (Win10), and you can search on rootkit there as well.
- MalwareTips.com operates forums and offers tutorials across the whole spectrum of malware, including rootkit removal tutorials and instructions. Their Malware Analysis forum offers structured help in dealing with malware infections of all kinds.
Life after rootkits
Indeed, though the process can be time-consuming and arduous, rootkits can be overcome. Careful practice of safe computing is the best way to avoid such trouble, but if and when a rootkit crops up, you can work your way through the removal and recovery process.
Once again, we urge those attempting such clean-up efforts to ponder carefully wiping their drives and starting over rather than taking the removal route. This will often take less time and produce a known clean system, whereas rootkit removal always leaves at least a slim possibility that remission will give way to reinfection. But when key data or otherwise unrecoverable applications may be at stake, you’ll have to take your chances. In that case, good luck in achieving an entirely positive outcome!