Rootkits

When attackers have successfully gained access to a system, they do not want to give it up easily. An observant system administrator is likely to notice the intrusion and take measures such as taking the system offline for further investigation. To prevent this, attackers often use so-called rootkits. A rootkit hides the attackers' processes, files, and network connections. In the simplest case this is done by replacing system utilities (such as ps, ls or netstat) with manipulated copies that omit the attackers' entries. Today mostly kernel rootkits are used, which manipulate the operating system itself, so that every tool on the system, manipulated or not, reports false information.

For which operating systems are there rootkits?

By the end of the 1980s, early rootkits were already being used by attackers to hide their presence on UNIX systems. In the following years, rootkits were developed for many UNIX flavours. By the mid-1990s, rootkits had been ported to Linux, and by the end of the 1990s the first kernel rootkits were published for Microsoft Windows. By now, a wide selection of rootkits can be found for both Linux and Microsoft Windows.

How do I recognise and remove a rootkit?

A rootkit never simulates an unmodified system perfectly, and there are always tell-tale signs of its presence. Some of these signs are specific to a particular rootkit, others are generic. A general method for finding rootkits is the so-called cross-view method: the same information about the system is obtained in two different ways and the results are compared. If the rootkit manipulates only one of the two ways of retrieving the information, the difference reveals it. The method fails only if the rootkit hooks both ways, which is why the most reliable second view is one the rootkit cannot influence at all, such as a view of the disk taken after booting from trusted media or a view of the network traffic taken from another host. Once a kernel rootkit has been confirmed, the running system can no longer be trusted to report anything about itself; the reliable way to remove it is to reinstall from known-good media and restore data from backups taken before the compromise, rather than to delete the rootkit's files in place. Examples of rootkits and how to find them can be found in [1], [2], [3], [4] and [5].
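The following script is an added example of the cross-view method for hidden processes on Linux; it is not code from the original page or from the referenced papers. View 1 enumerates `/proc` the way `ps` does (the `readdir`/`getdents` path that most process-hiding rootkits filter); view 2 probes every PID individually with `kill(pid, 0)`, a separate code path. A PID the probe sees but the listing does not is reported. The `/proc` layout and the `Tgid:` line in `/proc/<pid>/status` are standard Linux; the function names and the constructed sample views in the test are my own.

```python
"""Cross-view check for hidden processes on Linux (added example, not the page's code).

View 1: enumerate /proc (what ps, top and friends do).
View 2: probe each PID with kill(pid, 0).
A rootkit that only filters the /proc listing leaves a visible difference.
"""
import os
from typing import Callable, Optional, Set

PROC = "/proc"


def listed_pids(proc_dir: str = PROC) -> Set[int]:
    """View 1: PIDs that appear when /proc is enumerated (readdir/getdents)."""
    try:
        return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}
    except OSError:  # not Linux, or /proc not mounted: no listing view available
        return set()


def probed_pids(max_pid: int) -> Set[int]:
    """View 2: PIDs that exist according to kill(pid, 0).

    EPERM (PermissionError) still means the PID exists and merely belongs to
    another user; only ESRCH (ProcessLookupError) means there is no such PID.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def tgid_from_proc(pid: int, proc_dir: str = PROC) -> Optional[int]:
    """Thread-group id of pid from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"{proc_dir}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def cross_view(listed: Set[int], probed: Set[int],
               tgid_of: Callable[[int], Optional[int]]) -> Set[int]:
    """Return PIDs present in the probe view but absent from the listing view.

    kill(pid, 0) also succeeds for thread ids, which never appear as top-level
    /proc entries. A candidate whose thread-group leader *is* listed is therefore
    an ordinary thread of a visible process and is discarded; everything else
    (unknown Tgid, or a Tgid that is itself unlisted) is reported as hidden.
    """
    hidden = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        if tgid is not None and tgid in listed:
            continue
        hidden.add(pid)
    return hidden


def scan(max_pid: Optional[int] = None) -> Set[int]:
    """Run both views twice and report only PIDs hidden in both passes, which
    filters out processes that started or exited between the two views."""
    if max_pid is None:
        try:
            with open(f"{PROC}/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768
    listed = listed_pids()
    if not listed:
        return set()  # no /proc listing to compare against (non-Linux system)
    first = cross_view(listed, probed_pids(max_pid), tgid_from_proc)
    if not first:
        return set()
    second = cross_view(listed_pids(), probed_pids(max_pid), tgid_from_proc)
    return first & second


if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"hidden PID {pid}: found by kill(pid, 0) but missing from the /proc listing")
```

A full sweep up to `pid_max` takes a few seconds in Python; root is not required because EPERM is treated as "exists". The check is only as good as the independence of its two views: a rootkit that hooks both `getdents` and `kill` (or hides the process from the task list itself) produces no difference here, and an empty result therefore means "nothing found", not "nothing there".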


[1] Andreas Bunten: Rootkits: Techniken und Abwehr. Proceedings of the 10th Workshop "Sicherheit in vernetzten Systemen" of the DFN-CERT, Hamburg, February 2003 (slides and paper).

[2] Andreas Bunten: UNIX und Linux basierte Kernel Rootkits. Talk at the 1st DIMVA conference, Dortmund, July 2004.

[3] Andreas Bunten: UNIX and Linux based Rootkits - Techniques and Countermeasures. Proceedings of the 16th FIRST Conference, Budapest, June 2004.

[4] Andreas Bunten: Rootkits - Die Tarnkappen der Angreifer. DFN-Mitteilungen, issue 70, June 2006.

[5] Andreas Bunten: Rootkits. Linux Magazin Technical Review, issue 10, August 2008.