Rootkits are by definition a collection of tools used by hackers and attackers to gain access to and “maintain command / control over any computer system” on which they are installed (Dunham, 2006, 2007; Zimerman, 2010). In other words, rootkits are stealthy malware that modify core system files in a manner the user may not easily notice (see Liu & Cheng, 2009; Zimerman, 2010; Van Oorschot & Wurster, 2012). Rootkits are not merely a hidden systems problem; they are a nightmare both now and for the foreseeable future.
In the modern world, computer security is marred by a series of threats including hacking, Trojan horses, keyloggers, sniffers, password crackers, phishing, botnets, malware and spyware, to mention but a few (Zimerman, 2010). Rootkits are an addition to this menace. The problem with rootkits is that they are designed to malevolently tamper with the existing file system without making tangible changes that conventional antivirus software can detect (Van Oorschot & Wurster, 2012). Take GinWui for example: it can install itself at kernel level, create executable files, and modify WINGUIS.DLL to suit its intended functionality (Dunham, 2006, 2007; Zimerman, 2010). In addition, the rootkit is capable of using its DoHook functionality to delete the original files and replace them with malicious files that perform the same functionality plus added functions that open backdoors (Dunham, 2006, 2007; Zimerman, 2010).
Once in the system, a rootkit can “create, write, read, delete as well as manage all directories and files” on the system (Dunham, 2006, p. 3, 2007; Zimerman, 2010). It can also make as many changes to the Windows registry as it wishes (Dunham, 2006, p. 3, 2007; Zimerman, 2010). Further, rootkits can manipulate the views of files, services and processes presented on the infected computer, including starting and stopping processes (Dunham, 2006, p. 3, 2007; Zimerman, 2010). Occasionally, rootkits “take snapshots of the infected system” and store them in a hidden file system from which they can be retrieved later (Dunham, 2006, p. 3, 2007; Zimerman, 2010).
In some instances, rootkits can enumerate open windows and create their own replica application windows (Dunham, 2006, p. 3, 2007; Zimerman, 2010). Rootkits may also lock, shut down or restart Windows of their own volition (Dunham, 2006, p. 3, 2007; Zimerman, 2010). Since rootkits create backdoors, they can then create pipes with the ability to read files on the infected computer (Dunham, 2006, p. 3, 2007; Zimerman, 2010). This means they can easily initiate a remote command shell that, incidentally, enumerates network resources (Dunham, 2006, p. 3, 2007; Zimerman, 2010).
In Linux, Symbian-based OS and Mac OS, the rootkit affects the sys_call function by way of /dev/kmem, the device that offers access to the memory region of the running kernel (Liu & Cheng, 2009; Van Oorschot & Wurster, 2012).
Where can you find rootkits?
Rootkits are classified into two categories. The first category consists of rootkits fashioned for user-level modifications, for example replacing /usr/bin/ls, /usr/bin/ps or /usr/bin/login (Liu & Cheng, 2009). The other category is the kernel-level rootkits, which can be installed in kernel space through modifications to the sys_call function and the IDT, to process lists and to kernel code (Liu & Cheng, 2009), or even below the OS kernel, as with hypervisor-based rootkits such as SubVirt or Blue Pill (Van Oorschot & Wurster, 2012). Currently, further developments are underway in which rootkits are specifically designed for the layer below the hypervisor, directed towards firmware and devices; Stuxnet is an example (Van Oorschot & Wurster, 2012).
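As an added example that is not part of the essay or of the works it cites, the following Python script shows the defender-side check implied by the user-level category above: a hash, size and mode baseline of the binaries named in the text, verified later to detect a replaced /usr/bin/ls. The directory layout, the stand-in file contents and the temp-dir root are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
WATCHED = ["usr/bin/ls", "usr/bin/ps", "usr/bin/login"]  # user-level targets named in the text

def sha256_file(path):
    """Content hash of one file; a replaced binary changes this even if its size is preserved."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root, relpaths):
    """Record content hash, size and mode of each watched file while the system is still trusted."""
    baseline = {}
    for rel in relpaths:
        p = os.path.join(root, rel)
        st = os.stat(p)
        baseline[rel] = {"sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode}
    return baseline

def verify(root, baseline):
    """Compare live files with the baseline; return {relpath: [changed attributes]} (empty = clean)."""
    findings = {}
    for rel, exp in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            findings[rel] = ["missing"]
            continue
        st = os.stat(p)
        changed = [name for name, same in (
            ("content", sha256_file(p) == exp["sha256"]),
            ("size", st.st_size == exp["size"]),
            ("mode", st.st_mode == exp["mode"])) if not same]
        if changed:
            findings[rel] = changed
    return findings

def demo():
    """Constructed scenario: stand-in 'binaries' under a temp root, then ls is swapped for a same-size file."""
    root = tempfile.mkdtemp()
    for rel in WATCHED:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"#!/bin/sh\necho genuine " + rel.encode() + b"\n")
    baseline = build_baseline(root, WATCHED)
    clean = verify(root, baseline)  # nothing has changed yet, so this is {}
    with open(os.path.join(root, "usr/bin/ls"), "wb") as f:  # same byte count as the original
        f.write(b"#!/bin/sh\necho TROJAN  usr/bin/ls\n")
    return clean, verify(root, baseline)  # size and mode match; only the content hash differs
```

This check only holds against the user-level category: a kernel-level rootkit that manipulates the view of files can present the original content to the checker, so the baseline and the checker itself belong on read-only or offline media.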
History of rootkits
According to Liu and Cheng (2009), the term rootkit was originally associated with Linux/Unix operating systems, where UNIX executables such as ps, passwd, ls and netstat were first compromised by malicious hackers and then planted on insecure computers. Over the years, rootkits have gained momentum, with ever more refined stealth techniques in use.
Future of rootkits
The future of rootkits is worrying. According to Kaspersky Lab reports, as of the end of 2009 there were over 106 types of malware with more than 514 variants (Van Oorschot & Wurster, 2012). This malware was specifically targeted at mobile phones and is now called mobile malware (Van Oorschot & Wurster, 2012). In the current state of the art, it has become possible to install rootkits on mobile phone platforms and initiate processes such as snooping on private calls, emailing sensitive information and documents to attackers and draining the battery (Van Oorschot & Wurster, 2012). In addition, by using the GPS on mobile phones, rootkits are able to track and locate a user, and in some cases they have been found to stealthily enable the phone's microphone and cameras (Van Oorschot & Wurster, 2012). Rootkits are evidently not only here to stay, but their activities are bound to grow more complex by the day.
In conclusion, rootkits are a serious problem in computing because they can embed themselves in core operating system files, make modifications and delete vital files, yet remain undetected even by sophisticated antivirus software. The evolution of rootkits has been, and will remain, a nightmare unless system designers rethink their core designs in light of these imminent threats.
Dunham, K. (2006). Year of the rootkit. Information Systems Security, 15(6), 2-6. Retrieved from http://search.proquest.com/docview/229563212?accountid=45049
Dunham, K. (2007). OrderGun.A: A sophisticated rootkit. Information Systems Security, 16(2), 123-126.
Liu, S., & Cheng, B. (2009). Cyber-attacks: Why, what, who, and how. IT Professional Magazine, 11(3), 14-21. doi: 10.1109/MITP.2009.46
Van Oorschot, P. C., & Wurster, G. (2012). Reducing unauthorized modification of digital objects. IEEE Transactions on Software Engineering, 38(1), 191-204. doi: 10.1109/TSE.2011.7
Zimerman, M. (2010). Protect your library's computers. New Library World, 111(5), 203-212. doi: 10.1108/03074801011044070