Security Matters: Rootkit Attacks and How to Prevent Them

October is National Cyber Security Awareness Month.


Hacker using all-hack button

"You've been infected with a rootkit." The chilling verdict is often delivered by cybersecurity experts on TV drama series, but what does it actually mean? Each year, systems around the world fall victim to this particularly insidious form of malicious software and fall under the control of attackers intent on jeopardizing the confidentiality, integrity and/or availability of sensitive information and systems. What steps can security professionals take to deploy preventive and corrective tools designed to avoid and eradicate rootkit infections?


Rootkits vary in implementation but share a common characteristic: They all reach deep into the operating system and manipulate low-level functions to perform insidious actions. The earliest rootkits sought to gain elevated system privileges while more recent rootkits focus on manipulating monitoring capabilities to avoid detection. Whatever their intent, rootkits are extremely dangerous because of the low-level access they gain.


Rootkits embed themselves so deeply into the operating system that detecting them becomes a very serious technical challenge. They're often able to deploy anti-detection countermeasures that make everything appear normal to antivirus software.


Rootkits are the electronic equivalent of the old cartoon trick of hanging a picture of an empty corridor in front of a security camera in an attempt to deceptively say "Nothing to see here!" Fortunately, security administrators have a variety of tools at their disposal that can protect against this dangerous threat.


What is a Rootkit?


The very first rootkits appeared on the scene a quarter-century ago and had a very specific purpose. They were designed to take a normal Unix user-level account and exploit operating system vulnerabilities to transform that account into one with privileged administrative access.


The superuser account on Unix systems is known as "root" and the kits designed to carry out these exploits gained the moniker "rootkit." While the purpose of rootkits evolved over the years, the name stuck and continues in use today for any set of tools that manipulate low-level functions as they wage warfare on enterprise information systems.


Modern rootkits often use their privileged access to hide evidence of malware infections. They might work at the user level or reach deep down into the operating system kernel. Some rootkits go even deeper, plunging down into the hypervisor of virtualization platforms and gaining such deep access that even the operating system is unable to identify the presence of malicious software.


These rootkits may capture hardware calls issued by the guest operating system and manipulate them in a way that is virtually undetectable from the operating system's perspective. When antivirus software or other security tools run on the infected system, the rootkit intercepts its requests for information and feeds back false data that simulates normal system activity.


Security concept lock with circling words

In 2012, security researchers discovered one of the most insidious rootkits in history. The Stuxnet worm, a piece of malicious code allegedly developed in a joint US-Israeli military operation, spread from system to system around the Middle East, seeking out Siemens programmable logic controllers (PLCs) used in industrial applications. Stuxnet had a specific target: the Siemens PLC controlling uranium enrichment centrifuges at an Iranian nuclear facility.


Once Stuxnet infected the target system, it overrode normal monitoring controls, tricking system operators into believing that everything was functioning normally. After injecting this false sense of security into the monitoring systems, Stuxnet spun the centrifuges at dangerous speeds until they destroyed themselves. This rootkit is particularly unique because it not only avoided detection until the last minute, but also caused physical destruction of equipment.


Defending Against Rootkits


While the Stuxnet rootkit targeted sensitive military computer systems, other rootkits have more mundane purposes, targeting systems run by businesses and individuals around the world. A small proportion of rootkits have sophisticated intelligence-gathering missions while many others simply seek to steal credit card numbers and passwords or even cheat at online games.


No matter what the purpose of this malicious code, rootkits pose a serious threat to system security and warrant the use of strong security controls designed to prevent them from gaining a foothold on enterprise networks.


System hardening is the best defense against rootkits and other types of malicious code. Malware needs a gap to gain an initial foothold on a system and rootkits often find this starting point when system administrators misconfigure a security setting or fail to apply patches in a timely manner.


The use of configuration management and vulnerability scanning tools help enterprises determine whether updates are effectively deployed throughout the organization. Administrators who pay careful attention to security controls and apply updates promptly after release find themselves in a well-defended position where they are unlikely to fall victim to a rootkit-based attack.


Some rootkits gain a foothold through more conventional methods, such as sending infected files as e-mail attachments or posting them on commonly visited websites. In those cases, traditional antivirus software still serves as an important front line of defense.


When vendors first detect a new strain of malicious code, they analyze samples for common patterns and create updated signatures that allow antivirus software to detect potential infections and quarantine suspect files before protected systems execute them. Prompt security patching and updated antivirus software pack a powerful one-two punch against rootkit infections.


New Development


Business discussion around table with laptop

Windows 10 introduces a powerful new feature designed to protect systems against rootkit infection. Device Guard takes advantage of virtualization to ensure that only code digitally signed by Microsoft may run on hardware supporting the technology.


Each time a user attempts to execute a program, Device Guard verifies its authenticity using a security engine that is isolated from the operating system and allegedly uncompromisable. The use of virtualization to isolate the Device Guard decision-making mechanism protects this security engine even if an attacker manages to compromise the rest of the operating system.


Rootkits are powerful weapons in the hands of attackers and require careful attention from information security professionals. Organizations that promptly apply security patches, deploy antivirus software and take advantage of emerging technologies such as Windows 10 Device Guard will find themselves well-positioned to defend against this threat and preserve the confidentiality, integrity and availability of sensitive information and systems.


Would you like more insight into the history of hacking? Check out Calvin's other articles about historical hackery:
About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.