Rootkits are a class of malicious software (malware) that obscures the presence of an attacker on a compromised system. Rootkits often use the lowest levels of an operating system to hide spyware, viruses or Trojans and, through the interplay of several programs, give the attacker some degree of control over the system. Attackers enter the system through bugs and security gaps and can hide their presence with a rootkit without the system's user noticing. The rootkit itself, however, is only the part of the attack that serves as camouflage. It is not intended to prevent the actions of the legitimate user, but rather to ensure that the attacker's activity is not detected, whether the attacker logs in, changes processes, or copies files. Rootkits are also called camouflage viruses or Trojan horses.
The term rootkit refers to a collection of tools and applications that allow access to a computer or network at the level of an administrator. Root refers to the administrator account of Unix- and Linux-based operating systems, while kit denotes the components that implement this access on the system. Since Unix and Linux operating systems are based on a modular concept, individual components and commands were used for attacks in the 1990s. Once modified accordingly, Unix commands such as ps (process status) and passwd (password change) give the attacker, for example, an overview of all running processes and allow a password change. These classic rootkits are also referred to as application rootkits because they are based on the Unix and Linux program libraries and always target individual applications or system components.
In this way, an attacker selectively intervenes in the system and uses these elements of the system architecture for an exploit. Because the attack takes place on the lower layers of a system and the attacker impersonates the admin, rootkits mostly remain undetected unless they are tracked by specialized software. There are now rootkits for many different desktop and mobile operating systems, including Android and iOS. But not all rootkits are characterized by the intention of compromising a system and obscuring this infiltration. Within the scope of digital rights management, for example, there were cases where manufacturers used rootkits to hide copy protection and copyright mechanisms from the user and to implement DRM mechanisms in the system. Official stress and security tests of computers, software, and networks can likewise be carried out with rootkits. However, the goal there is to find security gaps, not to exploit them maliciously.
Rootkits usually consist of several components, which carry out specific tasks and are adapted to the respective operating system. The following is a possible sequence:
Rootkits are generally distinguished by which areas of a system they affect and how well they can hide.
In most cases, rootkits are difficult to identify. Antivirus software, firewalls, and various detection tools can detect harmful software, but rootkits hide in the system and try to pass themselves off to the user as part of it. For this reason, detection tools (intrusion detection systems, IDS) have to be specially designed to track rootkits. This also means that the system can only be cleaned after a rootkit has been uninstalled. Rootkit detection tools are provided by many manufacturers. An incomplete selection:
These scanners and analysis solutions can identify rootkits, but they do not always clean the infected system. The most effective remedy against rootkits is therefore a reinstallation of the operating system in safe mode. Under certain circumstances even the BIOS has to be cleaned.
In addition, security experts recommend a degree of skepticism on the part of users, as well as up-to-date software. Email attachments, phishing attempts, and websites should not be clicked without a critical look at the authenticity of the offer, and any protection and operating programs should be kept up to date. This is the only way to avoid the bugs and security gaps that rootkits use to get into the system.
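As an added illustration (not code from the original article or from any particular scanner), the following Python script shows the two checks a rootkit scanner typically performs against the application rootkits described above: a hash baseline of system binaries such as ps and passwd, which catches replaced commands, and a cross-view comparison of process listings, which catches a modified ps that filters processes out of its output. The file paths in WATCHED_BINARIES and the process sets in the demonstration are constructed for illustration; a real baseline would be built from a known-clean installation and stored offline.

```python
"""Two classic application-rootkit detection checks: a hash baseline of
system binaries and a cross-view comparison of process listings.
Added example for illustration; it is not the article's own code."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set

# Binaries commonly replaced by application rootkits. The paths are
# illustrative assumptions; a real baseline covers far more files.
WATCHED_BINARIES = ["/bin/ps", "/usr/bin/passwd", "/bin/ls"]


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record path -> hash for every file that exists.
    In practice this is taken from a clean system and kept read-only."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare current hashes with the baseline.
    Returns path -> 'modified' | 'missing' for every deviation."""
    findings: Dict[str, str] = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings


def list_pids_from_proc() -> Set[int]:
    """Enumerate PIDs directly from /proc (the kernel's view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def cross_view_diff(kernel_view: Set[int], tool_view: Set[int]) -> Set[int]:
    """PIDs present in the kernel's view but absent from a tool's output.
    A modified ps that hides processes produces exactly this gap."""
    return kernel_view - tool_view


def demo() -> Dict[str, str]:
    """Self-contained run on constructed files: one binary is overwritten
    after the baseline is taken, one is deleted. Returns findings by name."""
    with tempfile.TemporaryDirectory() as d:
        fake_ps = os.path.join(d, "ps")
        fake_passwd = os.path.join(d, "passwd")
        for p in (fake_ps, fake_passwd):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\nexec /bin/true\n")  # constructed stand-in
        baseline = build_baseline([fake_ps, fake_passwd])
        # Simulate a replaced binary and a removed one.
        with open(fake_ps, "wb") as f:
            f.write(b"#!/bin/sh\n# altered content\n")
        os.remove(fake_passwd)
        findings = check_integrity(baseline)
    return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    print("integrity findings:", demo())
    # On a live system, compare list_pids_from_proc() with the PIDs that
    # `ps -e` reports; here constructed sets stand in for both views.
    hidden = cross_view_diff({1, 2, 3, 4242}, {1, 2, 3})
    print("PIDs hidden from the tool view:", sorted(hidden))
```

The integrity check only works if the baseline was recorded before the compromise and is stored where the attacker cannot rewrite it, which is why such scanners ship signed hash databases or are run from read-only media; the cross-view check depends on the kernel's /proc view still being honest, which holds for application rootkits but not for kernel-level ones.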