Data Leaks: What you Should Know about Rootkits

This week the Data Leaks series explores another troubling piece of hackery, the rootkit. Today we are going to investigate what they are, what they do, and why you should care about them.

Unfortunately, there will be neither be a “how to detect them” or a “what to do about them” segment. Why? Despite the existence of rootkits on traditional computing platforms for years, i.e. desktops and laptops, the ability to detect and/or prevent their installation is a hard problem. Personally, I’d rather tackle world peace than the rootkit problem–it is that hard to solve.

Targeting the Masses

Hackers, in their eternal quest for personally identifiable information, target the masses. For years the sole focus was on desktops and laptops. Nobody knows exactly how many traditional computing devices are in use today. Some research firms like Gartner and IDC track the number of units sold, but that isn’t a realistic way to measure given the short lifespan of most computers.

The same measurement problem exists for cellular phones. Last year a UN study concluded that at start of 2009 there were approximately 4.1 billion mobile subscriptions. The study fell short since it didn’t categorize the mobile subscriptions. Assuredly, a measurable percentage is still operating in the analog realm, but the advent of the iPhone and Google’s Android operating system has propelled smart phones to the forefront. This is just the type of target that makes a hacker salivate profusely.

What is a Rootkit?

In computing, a user with root access is a super-user with the opportunity to exert god-like powers over the operating system. Modern operating system kernels are fat, meaning they require thousands upon thousands of files just to reach the point where custom user software can be installed, like the word processor I’m using to write this article with. Not even the most savvy root user can name and recite the purpose of every file that comprises the operating system’s kernel.

A rootkit is a set of software libraries that hide among the masses, carefully crafted to blend into its environment. The primary purpose of these files is to give a hacker root access to either a subset of or the entire kernel. Obtaining root access on a system is a hackers wet dream.

Detecting Rootkits

Why are rootkits so hard to detect? Shouldn’t it be as simple as comparing the list of expected files against unexpected files? Think about trying to find someone you’ve never met before in a train station, during rush hour, and all you know is that they might show up for the meeting. Rootkits are that hard to detect; you may be staring right at it and yet have no idea it is malicious in nature

Succinctly, rootkits represent software that can execute with administrator privileges and do so without the user noticing the background activity.

The rootkit first hit mainstream media and garnered much attention when Sony BMG introduced a new form of CD copy protection in 2005.   Merely inserting the CD into your computer to play the music resulted in the secret installation of a rootkit into the Windows OS. Sony broke so many rules. The software was installed before the EULA was displayed to the user, the EULA made no mention of the rootkit, and there was no way to uninstall the software after the fact.

How Rootkits Work

This brings us to the second part of the article, a discussion about what rootkits do once installed. A better way to frame the question is what can’t a rootkit do once it is installed. Many rootkits, like the one from Sony BMG, are written for a specific purpose. Sony was at war with Napster at the time, and they felt compelled to aggressively protect their music. Sony had hoped to take the fight to Napster through a proxy, the customer. Sony had altruistic goals; their rootkit wasn’t intended to steal data, but to protect data. This doesn’t change the fact that they installed kernel-level software, without the user’s knowledge or noticing, that took effectively root-level actions.

At DefCon18 in Las Vegas last month, an Android rootkit was demonstrated and released to attendees on a DVD. What can this rootkit do? It can take full control of your mobile phone. A ComputerWorld article describes the powerful rootkit in great detail. Literally, the hacker can dial an offshore sex hotline that charges $19.95 per minute, and the user has no idea that their phone is in the middle of a call.   The rootkit suppresses the user interface changes that one normally expects to see when their phone is actively being used on call.   The Android OS isn’t the only smart phone platform under attack.   The iPhone and iPad from Apple have also been targeted.

There is far greater concern about a rootkit on a mobile device than on a desktop computer. Our phones go with us everywhere–to work, on a date, to the restroom, everywhere. Unlike our stationary desktops and portable laptops, our mobile phones have built-in GPS, cameras, and microphones. It means that a rootkit on the right mobile phone could help a hacker steal proprietary information from your employer. Unbeknownst to you, that meeting discussing the next generation of kit was secretly recorded and sold to a competitor for a price. It means that a hacker can deduce that your home is empty because the GPS of your cell phone says you’re at the movies, and your calendar reads “Date night with hot lips!”

What can be done?

Nervous? I am, but sadly there isn’t much that can be done. The reality is that these hacker exploits are real and tangible. They have been openly demonstrated in front of thousands. Worse, the manufacturers, and not just Apple and Google, don’t have any silver bullet solutions. In the case of the Android OS, security firms like Symantec have been hard at work designing Smartphone Security, a beta application available at the Android Market. However, Apple’s clenched grip around its OS to date has prevented security companies from launching equivalent applications on the iPhone/iPad. Only two Symantec applications exist in iTunes today, neither of which actually scan or defend.

Even the US government is overtly concerned about the problems of relying on the provenance of software as the only metric of determining if it is safe. Just because my software came from Apple does not mean it is secure, nor does it mean that a hacker can’t easily subvert it. Apple like every other company relies on employees and contractors that span the globe. The Intelligence Advanced Research Projects Agency (IARPA), the sister agency to the more well known DARPA, routinely posts open solicitations for how to vet and establish the trustworthiness of both software and people.

Staying informed is key, and this is the central theme in the Data Leaks series. Understanding the threat is always the first step in being able to counter the threat.

Next week we wrap up the Data Leak series with a look at Location Based Services, the Minority Report like technology that would allow companies to target advertisements and services to you as an individual, wherever you go.