
Malware 101: File system evasion — rootkits and bootkits
While endpoint anti-malware solutions can be a powerful tool for detecting and stopping malware, they are still bound by the rules and limitations that apply to all software that runs on a system. Malware, too, is usually bound by these rules and limitations, but malware authors don't like to play by the rules, and the most effective way to overcome them (aside from exploiting bugs in the software) is to rewrite them. More effective still is to live deep in the system, in the same place the rules are enforced.
How rootkits and bootkits are used in malware
Rootkits operate at the highest privilege level on a system — root or admin. This level of access can allow the malware to control the system, including any anti-malware software on it and even the signals that anti-malware software relies on to detect malware. It also allows a successful rootkit infection to remove traces of itself by altering the system alerts or logs that might have indicated its presence. In addition, this level of access allows the malware to modify any file on the system, including the files that make up the core of the operating system — the kernel. Rootkits also sometimes embed themselves in firmware — the software built into hardware components that allows them to function and interface with the systems they are attached to.
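The paragraph above describes how a rootkit alters the signals the operating system gives out. One defender-side check that exploits this is cross-view enumeration: build the process list two different ways and look for disagreement. The following is an added example, not code from the original post, and assumes a Linux host where a process-hiding rootkit filters the /proc listing but leaves the PID known to the kernel (so a null signal, kill(pid, 0), does not fail with ESRCH). The sample views at the bottom are constructed, not captured from a real host.

```python
"""Cross-view process enumeration on Linux (added example).

Assumption: a rootkit that hides a process by filtering /proc still leaves
the PID known to the kernel, so os.kill(pid, 0) either succeeds or fails
with EPERM rather than ESRCH. Listing /proc and probing PIDs with signal 0
gives two views of the process table; PIDs present in the second view but
absent from the first deserve a closer look.
"""
import os
from typing import Set


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """View 1: what a listing built from /proc (ps, top) would show."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Ask the kernel directly: signal 0 checks existence without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH: no such process
        return False
    except PermissionError:         # EPERM: exists, but owned by another user
        return True
    return True


def pids_from_signal_probe(max_pid: int) -> Set[int]:
    """View 2: every PID the kernel accepts a null signal for.
    PID 0 is skipped because it would address our own process group."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def diff_views(proc_view: Set[int], probe_view: Set[int]) -> Set[int]:
    """PIDs the kernel knows about that the /proc listing does not show."""
    return probe_view - proc_view


def hidden_pids_live(proc_root: str = "/proc") -> Set[int]:
    """Run both views against the live system, then re-check each candidate so a
    process that merely exited between the two snapshots is not reported."""
    with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
        max_pid = int(fh.read().strip())
    probe_view = pids_from_signal_probe(max_pid)   # probe first, list second
    proc_view = pids_from_proc(proc_root)
    return {
        pid for pid in diff_views(proc_view, probe_view)
        if pid_exists(pid) and not os.path.isdir(os.path.join(proc_root, str(pid)))
    }


# Constructed sample views (not from a real host): PID 4242 answers to signal 0
# but has no /proc entry, the pattern a process-hiding rootkit leaves behind.
SAMPLE_PROC_VIEW = {1, 2, 812, 1234}
SAMPLE_PROBE_VIEW = {1, 2, 812, 1234, 4242}

if __name__ == "__main__":
    print("sample discrepancy:", sorted(diff_views(SAMPLE_PROC_VIEW, SAMPLE_PROBE_VIEW)))
    if os.path.isdir("/proc"):
        print("live discrepancy:", sorted(hidden_pids_live()))
```

The check only catches rootkits that tamper with one view and not the other; a kernel-level rootkit that hooks both the /proc file operations and the kill system call will pass it, which is why the article's next section favours scanning from outside the running system altogether.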
One particular type of rootkit is both common and specific enough to warrant its own classification — the bootkit. Bootkits infect the boot sector — the code used to boot the system and load the operating system, such as the master boot record (MBR). Not only does this ensure the malicious code runs before the operating system, it also makes the bootkit undetectable by standard operating system processes. The Elk Cloner and Michelangelo viruses mentioned in a previous article were also bootkits since they hid in the boot sector. Not every bootkit is a boot sector virus, however, because a virus propagates itself to other files, whereas a bootkit simply resides in the boot sector to evade detection and make remediation more difficult.
How security has adapted to try to stop rootkits and bootkits
Bootkits have become less common over the years as new security measures such as secure boot, offered by newer firmware specifications like UEFI, have made it more difficult to infect the boot sector. These protections enforce code signing for any updates made to the boot sector. This security can be disabled in the firmware (BIOS) settings, however, so it isn't always effective on all systems. Some endpoint protection and anti-malware offerings have also adapted over the years to rootkits and bootkits to better protect users. Heuristics, memory dumps, and in some cases running the protection software at the same privileged, kernel-level position a rootkit would occupy have improved the ability to detect rootkits.
Of course, rootkits can simply disable the protection software if programmed to do so, and thus in some cases it is more effective to scan for rootkits using an external tool or operating system that is live booted — booted from external media such as a CD-ROM or USB without booting the installed operating system, which allows the disk to be analyzed without any interference from it.
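The live-boot approach above works because the installed operating system, and any rootkit inside it, is not running while the disk is examined. A simple offline check of the kind that fits this workflow is an MBR integrity comparison against a baseline recorded at provisioning time. The code below is an added example, not code from the original post; it assumes the classic MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, a 0x55AA signature), that a SHA-256 of the bootstrap area was saved when the machine was built, and that the sector is read from live media via a path such as /dev/sda. All sample images are constructed.

```python
"""Offline MBR integrity check (added example).

Assumptions: the first sector of the disk is read from a live-booted
environment (the installed OS is not running, so a rootkit on it cannot
interfere), a SHA-256 of the 446-byte bootstrap area was recorded at
provisioning time, and the disk uses the classic MBR layout. All sample
data below is constructed, not taken from a real disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"
# status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sectors(4), little-endian
PARTITION_ENTRY_FMT = "<B3xB3xII"


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a block device or disk image (e.g. /dev/sda from live media)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries, skipping empty slots (type 0x00)."""
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFF + slot * PARTITION_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> dict:
    """Compare the bootstrap code with the provisioning baseline and sanity-check the
    rest of the sector. A bootkit typically rewrites the bootstrap code and leaves the
    partition table intact so the system still boots normally."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []
    bootstrap_sha = hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()
    if bootstrap_sha != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from provisioning baseline")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("0x55AA boot signature missing")
    partitions = parse_partition_table(mbr)
    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return {"bootstrap_sha256": bootstrap_sha, "partitions": partitions,
            "findings": findings, "clean": not findings}


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed 512-byte MBR with one bootable NTFS (0x07) partition at LBA 2048."""
    bootstrap = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = struct.pack(PARTITION_ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    table += b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return bootstrap + table + BOOT_SIGNATURE


# Known-good image recorded at provisioning time (constructed) and its baseline hash.
KNOWN_GOOD = build_sample_mbr(b"\xEB\x63\x90" + b"constructed-good-bootstrap")
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD[:BOOTSTRAP_LEN]).hexdigest()

# Same disk after a simulated bootkit: only the bootstrap area changed; partition
# table and signature are untouched, so the OS still boots as usual.
TAMPERED = build_sample_mbr(b"\xEB\x63\x90" + b"constructed-replaced-bootstrap")

if __name__ == "__main__":
    for label, image in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        result = inspect_mbr(image, BASELINE_SHA256)
        print(label, "clean" if result["clean"] else result["findings"])
```

The baseline hash must be stored somewhere the infected system cannot reach (the live media itself, or a central inventory); a hash read back from the suspect disk is worthless. On UEFI systems with GPT disks the first sector is only a protective MBR, so the same comparison should be applied to the boot loader files on the EFI system partition instead.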
To hide effectively and alter the signals generated by a system requires a large amount of knowledge of how the system itself works, making writing an effective rootkit a difficult task that not all malware authors are capable of. However, for those with this level of knowledge and skill, the results can be highly effective. Firmware rootkits especially can be particularly difficult not only to detect, but also to remediate. In some cases, remediation requires replacing the hardware component entirely. In other cases and with kernel rootkits, reinstalling the entire system software from scratch is often required.
How successful attacks are repurposed and reused
While malware is generally most effective when created from scratch so as to not include code fragments that might already be detected by signature scanning, with complex malware such as rootkits it is not uncommon for malware authors to utilize widespread and effective malware samples as a basis for their own malware. The Stuxnet Worm, which was also a rootkit, was not only one of the most notorious rootkits in history, but given its level of sophistication, it was widely reused in the development of other malware — most notably Duqu and Flame. The zero-day exploits it utilized and introduced into the wild were even more widely reused.
Given malware has no copyright restrictions — and malware authors wouldn’t honor such restrictions in the first place if they did exist — it is not uncommon for malware to be repurposed into new variants or for components of it to be reused. Occasionally the source code for a particular variant is even leaked or released, leading to new variants based on it.
Evasion is a particularly valuable category of malware to those writing malware. Using evasion techniques aids in eluding security software, which in turn increases the chances of success for the malware as a whole. Even the most well-crafted objectives are of no use if the malware gets blocked before it can achieve them. While many campaigns rely on volume rather than sophistication to achieve the attackers' goals, more advanced attackers with more specific goals such as advanced persistent threats (APTs) will often invest the time and effort to evade detection, especially when the malware targets only a few or even just one entity.
You can read the rest of the Malware 101 series here.