
Rootkit 🔴 Attack

A rootkit is a collection of malicious software (malware) designed to infiltrate a computer system and maintain privileged access (often at root level) while remaining stealthy.

Its main mission is to mask its own presence and that of other malicious activity (such as the installation of viruses or Trojan horses, or unauthorised remote access) by manipulating or hijacking the normal functions of the operating system and applications.


Quick classification

  • CATEGORY : 🔴 Malware
  • FREQUENCY : 🔥🔥🔥
  • DANGER : 💀💀💀💀💀
  • DIFFICULTY OF ERADICATION : 🧹🧹🧹🧹🧹

📌 Features


Stealth :

  • Advanced concealment : it dynamically hides processes, files, registry keys and network connections to avoid detection by anti-virus software and firewalls. For example, it can hide malicious processes from the task manager by intercepting system calls (the hooking technique).
  • Interception and diversion : it intercepts or alters system calls ("hooks") and deletes or falsifies activity logs in order to cover its tracks.

Persistence :

  • Deep installation : it can infect the kernel, drivers or firmware, or even run at the hypervisor level, surviving reboots and updates.
  • Self-reinstallation techniques : some rootkits automatically reinstall their components if an attempt is made to remove them, which makes eradication considerably more difficult.

Privileged access and remote control :

  • Remote control : the attacker can control the system, exfiltrate data, and modify or introduce other forms of malicious behaviour (e.g., deploying ransomware).



👉 Types of rootkits

Rootkits fall into several categories, depending on how deeply they are installed and how they operate:

User-Mode Rootkits

  • How they work: they run at application level. Although they are generally easier to detect, they can mask certain malicious activities by intercepting API calls.
  • Example: rootkits used in phishing which inject malicious libraries into common processes.

Kernel-Mode Rootkits

  • How they work: they infect the operating system kernel, profoundly altering its behaviour. Detecting them is very complex because they operate with the same privilege level as the system itself.
  • Example: the ZeroAccess rootkit, which operated in kernel mode to hide a botnet, is still particularly feared for its ability to intercept system calls.

Bootkits

  • How they work: they target the boot process, such as the Master Boot Record (MBR), so as to load themselves before the OS, ensuring persistence even after a reboot.
  • Example: the Stoned Bootkit, which replaces the bootloader to intercept encryption and persists despite a system restart.

Firmware Rootkits

  • How they work: they are installed in the firmware of devices (BIOS/UEFI, routers, hard disks), making them particularly difficult to detect and remove.
  • Example: BIOS-targeted rootkits that survive a full reinstallation of the operating system.

Hypervisor Rootkits

  • How they work: they exploit virtualisation to place themselves beneath the main operating system, intercepting hardware calls from there. Their level of stealth is extremely high.
  • Example: the Blue Pill concept, which installs a malicious hypervisor without the host system being able to detect the overlay.



🚿 Propagation methods


Attackers exploit unpatched vulnerabilities in applications or operating systems to install the rootkit.

  • Malicious downloads (drive-by downloads) :

When a user visits a compromised site or clicks on a malicious link, the rootkit can be automatically downloaded and executed.

  • Fraudulent attachments and links (phishing) :

Social engineering is used to trick the user into launching an infected program or divulging information that facilitates installation of the rootkit.


Detection and protection


  • Specialised tools :

Use of modern anti-rootkit tools (such as Rootkit Unhooker, or chkrootkit and rkhunter on Linux), which thoroughly analyse memory, system calls and critical files to detect anomalies.

Installation of intrusion detection systems (IDS/IPS) and behavioural analysis to monitor unusual activity (for example, repeated access to hidden ports or abnormal network activity).

  • Regular updates :

Applying security patches and continually updating systems and software helps to reduce the attack surface.

  • Integrity check :

Tools regularly check the digital fingerprints of critical system files to identify any unauthorised modifications.

  • Booting from secure media :

Use LiveCD/LiveUSB or Secure Boot solutions to boot a known-clean system, so that analysis and clean-up do not rely on an operating system the rootkit may already control.
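An added example (not the page's own code) of the integrity check described above: it records SHA-256 fingerprints of critical files in a baseline and then reports any file that was modified or removed. The file paths are constructed stand-ins in a temporary directory rather than real system binaries.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-ins for critical binaries (relative to a temp root, so the
# example runs offline without root); in practice these would be /bin, /sbin...
CRITICAL_FILES = ["bin/ls", "bin/ps", "sbin/init"]


def sha256_of(path: Path) -> str:
    """Hash the file in 64 KiB chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, files) -> dict:
    """Record the fingerprint and size of every critical file that exists."""
    return {rel: {"sha256": sha256_of(root / rel), "size": (root / rel).stat().st_size}
            for rel in files if (root / rel).is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree to the baseline; a size mismatch skips the hash."""
    report = {"modified": [], "missing": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != expected["size"] or sha256_of(p) != expected["sha256"]:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Build a baseline, tamper with the constructed tree, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in CRITICAL_FILES:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"original binary: " + rel.encode())
        # Round-trip through JSON: the baseline belongs on offline/read-only media
        baseline = json.loads(json.dumps(build_baseline(root, CRITICAL_FILES)))
        # Constructed tampering to exercise the check: replaced ps, deleted init
        (root / "bin/ps").write_bytes(b"replaced ps")
        (root / "sbin/init").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['bin/ps'], 'missing': ['sbin/init']}
```

Run such a check from a clean boot medium with the baseline stored off-host: a rootkit that hooks file reads on the infected system can hand the checker the original bytes, which is why the page pairs integrity checks with booting from secure media.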


👉 Examples

  • Sony BMG DRM (2005) :
    Sony BMG had integrated a rootkit into some of its CDs, designed to limit unauthorised copying. This rootkit, hidden within a DRM system, masked its processes and modified logs, allowing subsequent malware to infiltrate. The case was widely publicised in the media and led to numerous lawsuits.
  • Stuxnet (2010) :
    Stuxnet is one of the most famous examples of a rootkit. Designed to infiltrate and disrupt industrial control systems in Iran, it used kernel-mode rootkit techniques to hide its actions, making it extremely difficult to detect and causing critical malfunctions in nuclear centrifuges.
  • ZeroAccess :
    This rootkit infected millions of computers by masking a botnet in the system kernel. It enabled attackers to launch DDoS attacks and perform cryptocurrency mining tasks, while remaining hidden thanks to sophisticated hooking techniques.

Recent developments


Rootkit techniques continue to evolve to circumvent modern security measures:

  • Hypervisor-based rootkits : such as Blue Pill, which can intercept all hardware calls from below the operating system.
  • Rootkits in firmware : exploiting vulnerabilities in BIOS/UEFI or peripherals to ensure virtually undetectable persistence.
  • Hybrid approaches : combining several techniques (kernel, firmware and application) to bypass detection by traditional security solutions.