Does Your Server Have a Rootkit? [Server Security Resource]
Any system, which is not well protected, will always have a high probability of getting compromised. Once compromised, the attacker will invariably leave a payload or install software to gain control over the system to ensure that s/he can come back later to ‘check on things’. One of the common yet sophisticated techniques is to use something called a rootkit. Rootkits exist for both of the most commonly used operating systems – windows as well as linux. An old myth, that linux is free of malware, needs revision.
What exactly is a rootkit?
Etymology: Rootkit is a concatenation of the words root (referring to the highest privileged access account in *nix) and kit (tools). It is a stealth malware which is difficult to detect. A rootkit can help hide malicious programs – which can do almost anything on the target system – install backdoors, escalate privilges, record keystrokes, send data back to the attacker or execute programs.
While the early rootkits existed in the user space, had restricted memory access and instruction set availability and were relatively easy to detect, the new generation rootkits are extremely sophisticated. Kernel rootkits can reside at ring 0 – where they have full access to all memory and the entire instruction set. They hide by way of intercepting communication between different components of the operating system and altering that communication. So a simple
will not help in identifying any unwanted processes on a linux box. Once infected, the rootkit could affect or attack the I/O manager, device/system drivers, object manager, security reference monitor or process/thread manager. Then there are also hardware rootkits; they can be very dangerous and can have a huge impact as use of hardware devices like video cards – which may have access to the DMA – could be exploited. One of the more talked about rootkits of yesteryears – Blue Pill – used chip level virtualization technology! Remember the ‘blue pill’ in The Matrix? Well, rootkits are all about alternative reality for the system and the user.
How can a rootkit infect my system?
One of the ways that some one can infect a system is by gaining access to it – by an authorized or unauthorized manner. This could be either by way of a system compromise or by intended/unintended human error! It only takes a few minutes, if not seconds, for an attacker to infect the system, in either case. The possibility of pre-infected software and hardware exists as well, especially with widely known precedents.
How can a rootkit be detected?
Rootkits are extremely difficult to detect. At times, a good system administrator may be able to analyze that the system has rootkits but still not be able to detect where it/they reside/s. Some of the methods used to detect include
- Signature based detection method
- Heuristic/behavioral detection method
- Difference based detection method
- Integrity detection method
- Alternative trusted medium method
- Memory dump method.
There are open source tools available for you to get started right away. If you are using linux, you could use free tools like zeppoo, ossec, rkhunter or chkrootkit to detect the presence of any such ‘beautiful pieces of software’. They are not perfect but they are a start. I hope that your system is not infected. Would you not like to verify it, though?
How can a rootkit be removed?
Removal of a rootkit can be a painfully difficult process and mostly practically impossible.
The best approach is to do a reinstall of the operating system!
It is a good practice to regularly check your system – desktop or server – for all kinds of malware and especially for rootkits. The best would be to automate this so that the system does a daily scan and sends you a report.
Here is a parting shot. Security practices are like contraceptives. The risk of not employing them is similar to the risk of unprotected sex with a stranger who may be carrying some thing deadly. The internet is full of strangers! Be safe.