Root Kits - An Overview
What these things actually are seems an appropriate place to kick off our discussion, so let's start with some definitions. From the 2005 book "Rootkits: Subverting the Windows Kernel" by root kit authorities Greg Hoglund and James Butler we have:
A root kit is a "kit" consisting of small and useful programs that allow an attacker to maintain access to "root," the most powerful user on a computer. In other words, a root kit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
Tapping Wikipedia for a second definition yields:
A root kit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Root kits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.
The common threads running through these two definitions are that root kits are:
- A kit or collection of software tools.
- The tools are used by a third party, who is typically an attacker, to maintain access to the administrative (root) account of the operating system.
- These tools also conceal the third party's access to and presence on the compromised computer system.
Early Root Kits and How They Work
The first root kits appeared in the early 1990s. They targeted the numerous variants of the UNIX operating system and took a rather simplistic but reasonably effective approach: replacing key system utilities with modified versions.
The target utilities were, naturally enough, the tools a UNIX system administrator would use to search for a root kit, or that would reveal its presence in the course of normal administration, for example ls, ps, netstat and login. The modified versions appeared to function exactly like the originals they replaced, except that every component of the root kit package stayed hidden. Because the trojaned files differ byte for byte from the genuine ones, this generation of root kit is caught by comparing the system binaries against a baseline of known-good hashes recorded before the compromise and kept on trusted, read-only media; a root kit that can replace the binaries can also replace a baseline stored beside them. Root kits for the Windows operating system appeared in the late 1990s and will be the focus of the balance of this article wherever operating system specifics come up.
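The baseline comparison just described, as an added example that is not part of the original article: it hashes a constructed set of fake UNIX utilities, trojans one of them with a replacement padded to the original size (as period root kits did, to defeat size-only checks), deletes another, and reports what changed. The directory, file names and contents are all constructed for the demonstration.

```python
"""File-integrity baseline check against trojaned system utilities.

Added example, not code from the original article.  Early UNIX root
kits replaced ls, ps, netstat and friends with hiding copies.  The
countermeasure is to hash the binaries while the system is known-good
and re-check them later from trusted media.  All paths and contents
below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Utilities a 1990s UNIX root kit typically trojaned (illustrative list).
WATCHED = ("ls", "ps", "netstat", "login", "ifconfig")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bin_dir: Path, names=WATCHED) -> dict:
    """Record name -> {size, sha256} for each watched utility present.

    In real use this dictionary would be written to read-only media
    off the host; a baseline the root kit can rewrite proves nothing.
    """
    baseline = {}
    for name in names:
        p = bin_dir / name
        if p.is_file():
            baseline[name] = {"size": p.stat().st_size,
                              "sha256": sha256_file(p)}
    return baseline


def check_against_baseline(bin_dir: Path, baseline: dict) -> dict:
    """Classify every baselined utility as unchanged, modified or missing.

    The decision is made on the hash alone.  A matching size with a
    differing hash is still 'modified': replacements were deliberately
    padded to the original length to slip past size-only checks.
    """
    report = {"unchanged": [], "modified": [], "missing": []}
    for name, rec in sorted(baseline.items()):
        p = bin_dir / name
        if not p.is_file():
            report["missing"].append(name)
        elif sha256_file(p) != rec["sha256"]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake bin dir, trojan ps, drop login."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        for name in WATCHED:
            (bin_dir / name).write_bytes(
                f"#!/bin/sh\necho genuine {name}\n".encode())
        baseline = build_baseline(bin_dir)

        # Simulate the root kit: a replacement for ps padded to the exact
        # size of the original, so stat()-based checks see nothing.
        original = (bin_dir / "ps").read_bytes()
        trojan = b"#!/bin/sh\necho trojaned ps".ljust(len(original), b"\n")
        assert len(trojan) == len(original)  # size check would pass
        (bin_dir / "ps").write_bytes(trojan)

        # And a utility removed outright.
        (bin_dir / "login").unlink()

        return check_against_baseline(bin_dir, baseline)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:>9}: {', '.join(names) or '-'}")
```

The hash is the only thing compared; size is recorded for the operator's benefit but never trusted as evidence of integrity, for the reason given in the comment.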
Since then the growing capabilities of security tools such as anti-virus, anti-spyware and other anti-malware software have required root kit programmers targeting Windows to adopt more sophisticated techniques, which we'll cover a bit later after some preliminary explanations.
Windows Operating System Overview
To better understand the issues surrounding root kits it's first necessary to have a general understanding of the design of the Windows operating system. The most fundamental division of the Windows OS is into two parts: what's referred to as "user mode" and "kernel mode."
To keep this introduction as non-technical as possible we'll bypass the details of the actual architectural components of each area and offer the following simplistic definitions.
User mode: The area where user applications such as word processing programs and similar are run.
Kernel mode: The core components of the Windows operating system (the executive, the kernel proper, device drivers and the hardware abstraction layer), which run with unrestricted access to memory and hardware.
To help with visualizing this we include this graphic representation from "Microsoft Windows Internals" by Mark Russinovich and David Solomon.
Since this is meant to be a non-technical introduction, suffice it to say that while root kits exist for both modes, those that run in user mode are more easily detected by defensive software, while those that operate in kernel mode can be made very difficult to detect and so pose the greater threat. The reason is that a kernel-mode root kit runs with the same privileges as the anti-malware driver looking for it, so it can lie to that software about which files, processes and registry keys exist. The practical counter is to stop trusting the running system's answers: cross-view tools such as Russinovich's RootkitRevealer compare what the Windows API reports against a raw read of the disk and registry hives and flag the discrepancies, and scanning the disk from clean boot media takes the root kit out of the picture entirely.
Prevention
The best steps to prevent root kits from being installed on your computer are the basics of good computing security practice:
- Install quality antivirus software with a proven detection track record. Note that many of the "big-name" products have rather poor records in a number of areas; it's worth a bit of reading and comparison.
- Run a solid anti-spyware product such as Webroot Spy Sweeper or PC Tools Spyware Doctor. With all respect to the programming skills of the developers of some of the better-known free anti-spyware products, in our opinion this is an area where "free" doesn't cut it given the risks. You want the maximum protection you can get, which requires a commercial-grade product such as Spy Sweeper or Spyware Doctor.
- Have proper firewall protection in place. At a minimum run a software firewall such as ZoneAlarm or similar; the more preferred option is a basic hardware unit such as those made by NetGear or Linksys, which can be had in the $45-85 (USD) range and give reasonable protection to your network. The ideal setup is both, if you don't mind taking a bit of time to fine-tune the software firewall's configuration. Keep in mind what a firewall does and doesn't do: it stops unsolicited inbound connections, but it does nothing about a root kit that arrives inside a download you ran or through a browser exploit.
- Use a standard (non-administrator) account for daily computer use such as surfing the web. Unfortunately Microsoft has encouraged a bad habit by making the account created during installation an Administrator automatically. Yes, running as an administrator is easier, as it avoids permission inconveniences when you need to do something that requires Administrator privileges. It likewise doesn't inconvenience malicious software: a kernel-mode root kit has to load a driver, which requires administrator rights, so code running under a standard account cannot install one without first finding a way to elevate its privileges.