Rootkit in a Nutshell



A rootkit is backdoor software designed to give an illicit user privileged access while concealing that user's presence and actions from legitimate users and from other system processes.
The term rootkit has two components, root and kit. Root is the Unix/Linux term equivalent to admin: a user with root has every permission to read, write and execute files. The term kit denotes the set of programs that let somebody obtain root-level access by executing the programs in the kit, all of this without the end user's permission or knowledge. Rootkits have two primary functions: remote command and control (the back door) and software eavesdropping.


Different types of rootkit:-

  • Application Level Rootkits:

Application level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or by changing the behavior of existing applications with patches, injected code, etc.

  • Kernel-Level Rootkits:

The kernel is the core of the operating system, and kernel-level rootkits are created by adding code to, or replacing portions of, the core operating system with modified code, via device drivers (on Windows) or Loadable Kernel Modules (on Linux). Kernel-level rootkits can seriously affect the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect because they run with the same privileges as the operating system itself, and can therefore intercept or subvert operating system operations.


  • Hardware/Firmware Rootkits:

Hardware/Firmware rootkits hide in hardware such as a network card or the system BIOS.

  • Hypervisor (Virtualized) Level Rootkits:

Hypervisor (Virtualized) Level Rootkits are created by exploiting hardware features such as Intel VT or AMD-V (hardware-assisted virtualization technologies). A hypervisor-level rootkit hosts the target operating system as a virtual machine and can therefore intercept all hardware calls made by that operating system.

  • Bootloader Level (Bootkit) Rootkits: 

Bootloader Level (Bootkit) Rootkits replace or modify the legitimate boot loader with another one, so that the bootkit is activated even before the operating system is started. Bootkits are a serious threat to security because they can be used to capture encryption keys and passwords.



Rootkit Stealth:-

In order to be stealthy, a rootkit can and should hide many things, some of which are processes and files. Three main hiding techniques are hooking, patching, and data structure manipulation. In general, hooking is changing the execution path of a call, patching is overwriting information in an application, and data structure manipulation is changing a data structure.

Rootkit implementation techniques:-

Hooking:-

Hooking works by changing the original execution path of some application so that the information it receives has first passed through the rootkit. This lets the rootkit scrub the data, effectively hiding itself, and anything else it chooses, from view.

Patching:-

Patching is overwriting a binary so that it behaves differently than it originally did. An example of malicious patching would be to analyze a program to find where its conditionals are located. One such conditional could be a Jump if Not Zero (JNZ) instruction used to deny access to a program if the key entered is not correct or valid; overwriting that single instruction changes which branch is taken, so the check no longer protects the program even though the rest of the binary is untouched.

Data Structure Manipulation:-

Data Structure Manipulation (DSM) is modifying a data structure such that it no longer works in the same way. An example of DSM is Direct Kernel Object Manipulation (DKOM). DSM changes the structure so that the data still exists but is no longer seen or used in the same fashion.
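All three hiding techniques above share a property a defender can use: a hook or a manipulated structure filters one view of the system, but rarely every view. The following Python script is an added example (not part of the original article) of cross-view detection for hidden processes on Linux: it compares the PIDs returned by listing /proc, the path ps and top use, against the PIDs the kernel answers for directly via kill(pid, 0). The /proc layout and the Tgid check are standard Linux behaviour; the PID sets in the demo are constructed.

```python
import os
PROC = "/proc"

def cross_view_diff(listed_pids, probed_pids):
    """Hidden-process check: PIDs the kernel answers for directly but that the
    directory listing did not return. A clean system yields an empty set."""
    return set(probed_pids) - set(listed_pids)

def pids_from_listing():
    """View 1: enumerate /proc with readdir(), the same path ps and top use.
    A hooked getdents()/readdir() that drops entries filters exactly this view."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}

def is_thread_group_leader(pid):
    """kill() also answers for thread IDs, which never appear in the /proc
    listing, so keep only PIDs whose Tgid equals the PID to avoid false hits."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # exited between probe and read, or not readable
        return False
    return False

def pids_from_probe(max_pid=None):
    """View 2: ask the kernel about every PID with kill(pid, 0), a direct lookup.
    ESRCH (ProcessLookupError) means no such process; EPERM means it exists."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if is_thread_group_leader(pid):
            found.add(pid)
    return found

if __name__ == "__main__":
    # Constructed illustration: a listing from which one PID was filtered.
    print("constructed:", cross_view_diff({1, 2, 3}, {1, 2, 3, 4242}))  # {4242}
    # Live scan of this host (Linux only; walks every PID up to pid_max).
    live = cross_view_diff(pids_from_listing(), pids_from_probe())
    print("live:", sorted(live))
```

Processes that start or exit between the two views appear as noise, so re-run and keep only PIDs reported twice. A rootkit that filters both views evades this check, which is why rootkit scanners combine several independent views rather than one.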

Rootkit Example:-


  • SucKIT:

SucKIT is a Linux rootkit designed by Silvio Cesare that includes mechanisms to survive reboots and a backdoor. It is listed under the patching technique because the majority of its techniques rely on patching; however, as you will see, many ideas from the other techniques are used as well. The rootkit installs itself by searching system memory for the location of kmalloc() (the function used to allocate memory in the kernel) and the SSDT (System Service Descriptor Table).