Rootkit Definition

A rootkit, also sometimes written as root kit, is a set of software tools inserted by an intruder into a computer in order to allow that intruder to enter the computer again at a later date and use it for malicious purposes without being detected. These purposes include (1) collecting data about computers (including other computers on a network) and their users (such as passwords and financial information), (2) causing such computers to malfunction and (3) creating or relaying spam.

There are several ways in which computers can become infected with rootkits, as is the case with other types of malware (i.e., malicious software), including via downloaded programs, via e-mail attachments and even by visiting certain web sites. Rootkits can also be inserted by a skilled intruder who obtains physical access to a computer for even just a few minutes, such as by loading from a special disk or USB key drive.

Rootkits facilitate reentry for the intruder by installing a backdoor (i.e., a hidden method for obtaining access to a computer). This can be a remote access daemon, such as a modified version of telnetd or sshd, that is configured to run on a different port than the one that these daemons listen on by default. A daemon is a type of program that runs unobtrusively in the background, rather than under the direct control of a user, waiting to be activated by the occurrence of a specific event or condition.

Fundamental to the operation of any well-designed rootkit is the ability to hide or remove any traces of its insertion, existence and activities. For example, it can modify system logs so as to not record or to delete all references to its insertion, to subsequent logging in by the intruder and to processes (instances of programs in execution) run by the rootkit. Merely erasing or deleting log files, which is sometimes done by unskilled intruders, can be a clue that something is wrong.

A basic way in which rootkits make themselves extremely difficult to detect is by replacing several standard system utilities, such as find, ls, netstat, passwd, ps, w and who, with modified versions. For example, a modified version of ls, which is used to list the files and directories contained in any designated directory, might not display certain files that the developer of the rootkit wants to keep hidden, and a modified version of ps, which is used to list the processes currently on the system, might be designed to not display those processes that are launched by the rootkit.

Numerous rootkits and variations of them have been developed, and they are available for a wide variety of operating systems. They can be classified into application level, kernel level and BIOS level kits. At present, almost all rootkits fall into the first two categories. In the case of application level kits, some genuine application program executable files (i.e., the files that contain the ready-to-run version of the program) are replaced with fake ones. In the case of kernel level rootkits, a portion of the kernel (i.e., the core of the operating system) code is replaced with modified code. On Linux systems this is often accomplished through the use of loadable kernel modules (i.e., object code files that can be used to extend the kernel). Genuine system calls (i.e., requests made via a software interrupt by an active process for a service performed by the kernel) are often replaced by modified ones.

Considerable skill, and often a great deal of persistence as well, is required to break into computers for which good security practices are being followed and successfully install rootkits. However, such installation can be highly rewarding for intruders, who often devote substantial time and effort to this task.

Although rootkits, by their very nature, can be very difficult to detect, there are several programs that can be useful in this regard. Among the more commonly used such programs on Linux and other Unix-like operating systems are chkrootkit and rkhunter.

However, even with such tools, it is still very difficult to be fully certain that any rootkits have been detected and that any suspected rootkits have been completely eliminated. Thus, if there is suspicion that a computer has become infected, the most prudent solution generally is to reinstall the operating system, application programs and data from reliable backup sources and take steps to minimize the possibility of reinstallation of rootkits. But even these steps are are not sufficient in the case of BIOS rootkits.

A BIOS (basic input output system) is a small program that controls a personal computer's hardware from the time the computer is started until the main operating system takes over. BIOS rootkits are considered next generation rootkits, in that they are still not widely deployed but may become much more common in the future as BIOSs become more complex and designed for ease of updating. Not only are BIOS rootkits considerably more difficult to install, but they are also much more difficult to detect and remove. Because the BIOS is stored in a memory chip rather than on the hard disk drive (HDD), such rootkits can survive even a complete reformatting of the HDD and a reinstallation of the operating system.

Among the most important steps that can be taken to prevent the planting of rootkits are selecting a relatively secure operating system and restricting physical access to the computer and network. It is much easier for operating systems with inherently weak security, such as the Microsoft Windows systems, to become seriously infected with rootkits than it is for operating systems with fundamentally strong security, most notably Linux and other Unix-like operating systems. This is mainly because the latter have an integral system of file access permissions which restricts access to the root account, which rootkits need to do their most severe damage. It is also because most rootkits have been developed for use with the Microsoft Windows systems, due to their much more widespread use and greater ease of infection.

Created May 14, 2007. Updated September 12, 2007.
Copyright © 2007 The Linux Information Project. All Rights Reserved.