Data Leaks: What you Should Know about Rootkits - ITS Tactical
 

Data Leaks: What you Should Know about Rootkits

By Jason Robert

3 of 4 in the series Data Leaks

This week the Data Leaks series explores another troubling piece of hackery, the rootkit. Today we are going to investigate what they are, what they do, and why you should care about them.

Unfortunately, there will be neither be a “how to detect them” or a “what to do about them” segment. Why? Despite the existence of rootkits on traditional computing platforms for years, i.e. desktops and laptops, the ability to detect and/or prevent their installation is a hard problem. Personally, I’d rather tackle world peace than the rootkit problem–it is that hard to solve.

Targeting the Masses

Hackers, in their eternal quest for personally identifiable information, target the masses. For years the sole focus was on desktops and laptops. Nobody knows exactly how many traditional computing devices are in use today. Some research firms like Gartner and IDC track the number of units sold, but that isn’t a realistic way to measure given the short lifespan of most computers.

The same measurement problem exists for cellular phones. Last year a UN study concluded that at start of 2009 there were approximately 4.1 billion mobile subscriptions. The study fell short since it didn’t categorize the mobile subscriptions. Assuredly, a measurable percentage is still operating in the analog realm, but the advent of the iPhone and Google’s Android operating system has propelled smart phones to the forefront. This is just the type of target that makes a hacker salivate profusely.

What is a Rootkit?

In computing, a user with root access is a super-user with the opportunity to exert god-like powers over the operating system. Modern operating system kernels are fat, meaning they require thousands upon thousands of files just to reach the point where custom user software can be installed, like the word processor I’m using to write this article with. Not even the most savvy root user can name and recite the purpose of every file that comprises the operating system’s kernel.

A rootkit is a set of software libraries that hide among the masses, carefully crafted to blend into its environment. The primary purpose of these files is to give a hacker root access to either a subset of or the entire kernel. Obtaining root access on a system is a hackers wet dream.

Detecting Rootkits

Why are rootkits so hard to detect? Shouldn’t it be as simple as comparing the list of expected files against unexpected files? Think about trying to find someone you’ve never met before in a train station, during rush hour, and all you know is that they might show up for the meeting. Rootkits are that hard to detect; you may be staring right at it and yet have no idea it is malicious in nature

Succinctly, rootkits represent software that can execute with administrator privileges and do so without the user noticing the background activity.

The rootkit first hit mainstream media and garnered much attention when Sony BMG introduced a new form of CD copy protection in 2005.   Merely inserting the CD into your computer to play the music resulted in the secret installation of a rootkit into the Windows OS. Sony broke so many rules. The software was installed before the EULA was displayed to the user, the EULA made no mention of the rootkit, and there was no way to uninstall the software after the fact.

How Rootkits Work

This brings us to the second part of the article, a discussion about what rootkits do once installed. A better way to frame the question is what can’t a rootkit do once it is installed. Many rootkits, like the one from Sony BMG, are written for a specific purpose. Sony was at war with Napster at the time, and they felt compelled to aggressively protect their music. Sony had hoped to take the fight to Napster through a proxy, the customer. Sony had altruistic goals; their rootkit wasn’t intended to steal data, but to protect data. This doesn’t change the fact that they installed kernel-level software, without the user’s knowledge or noticing, that took effectively root-level actions.

At DefCon18 in Las Vegas last month, an Android rootkit was demonstrated and released to attendees on a DVD. What can this rootkit do? It can take full control of your mobile phone. A ComputerWorld article describes the powerful rootkit in great detail. Literally, the hacker can dial an offshore sex hotline that charges $19.95 per minute, and the user has no idea that their phone is in the middle of a call.   The rootkit suppresses the user interface changes that one normally expects to see when their phone is actively being used on call.   The Android OS isn’t the only smart phone platform under attack.   The iPhone and iPad from Apple have also been targeted.

There is far greater concern about a rootkit on a mobile device than on a desktop computer. Our phones go with us everywhere–to work, on a date, to the restroom, everywhere. Unlike our stationary desktops and portable laptops, our mobile phones have built-in GPS, cameras, and microphones. It means that a rootkit on the right mobile phone could help a hacker steal proprietary information from your employer. Unbeknownst to you, that meeting discussing the next generation of kit was secretly recorded and sold to a competitor for a price. It means that a hacker can deduce that your home is empty because the GPS of your cell phone says you’re at the movies, and your calendar reads “Date night with hot lips!”

What can be done?

Nervous? I am, but sadly there isn’t much that can be done. The reality is that these hacker exploits are real and tangible. They have been openly demonstrated in front of thousands. Worse, the manufacturers, and not just Apple and Google, don’t have any silver bullet solutions. In the case of the Android OS, security firms like Symantec have been hard at work designing Smartphone Security, a beta application available at the Android Market. However, Apple’s clenched grip around its OS to date has prevented security companies from launching equivalent applications on the iPhone/iPad. Only two Symantec applications exist in iTunes today, neither of which actually scan or defend.

Even the US government is overtly concerned about the problems of relying on the provenance of software as the only metric of determining if it is safe. Just because my software came from Apple does not mean it is secure, nor does it mean that a hacker can’t easily subvert it. Apple like every other company relies on employees and contractors that span the globe. The Intelligence Advanced Research Projects Agency (IARPA), the sister agency to the more well known DARPA, routinely posts open solicitations for how to vet and establish the trustworthiness of both software and people.

Staying informed is key, and this is the central theme in the Data Leaks series. Understanding the threat is always the first step in being able to counter the threat.

Next week we wrap up the Data Leak series with a look at Location Based Services, the Minority Report like technology that would allow companies to target advertisements and services to you as an individual, wherever you go.

Are you getting more than 14¢ of value per day from ITS?

Thanks to the generosity of our supporting members, we’ve eliminated annoying ads and obtrusive content. We want your experience here at ITS to be beneficial and enjoyable.

At ITS, our goal is to provide different methods, ideas and knowledge that could one day save your life. If you’re interested in supporting our mission and joining our growing community of supporters, click below to learn more.

Discussion

  • chris paterson

    That’s scary shit. Thanks for the heads up, Jason. I’m about to pull the trigger on a Droid x but I want to have as much info as possible.

    How does a rootkit get installed in the first place? Does it just invisibly piggy-back on an App?

    • Jason Robert

      Bergman is spot on about the delivery. It could be a viral (pun intended) holiday app, or in some cases (historic) merely clicking on a web page URL could trigger the download. Often a rootkit will be idle until activated by the hacker. For example, a text message or phone call could activate it after the fact- and yet neither would show up in your log files. I’m an iPhone guy myself, but at this stage I wouldn’t base my buying decision on rootkit risks.

    • chris paterson

      Thanks Fellas. I’m glad I finally found a group I can gleen some decent info from.

  • Bergman

    Typically a rootkit will come in much like a Trojan Horse type virus. It either claims to be something else, or something else installs it while doing something innocuous or desirable that is unrelated to the rootkit. A good example of the latter is the animated Christmas tree programs that circulate around Christmas. There’s quite a few that are safe and harmless, but the most popular ones tend to either contain viruses, or exist solely to do so while distracting an end user.

  • Graham Monteith

    I love how the guy is on the computer but he is wearing a mask haha. This is a good read though. Thanks ITS Tactical!

  • Michael Hyde

    What about Black Berry’s? Is RIM on top the game here?

    • Jason Robert

      Michael,

      I haven’t seen or heard much on RIM. I guess it is like Mac a couple years ago- not popular enough for targeting. iPhone and Android are the main focus in my opinion.

  • Nate

    So I take it an ipod touch would be targeted too? This world is getting nastier by the day!

    • Jason Robert

      Nate,

      Rootkits are viable on any computing platform. The Touch lacks a GSM capability so the value there would be much less than say an iPhone. In other words, a phone can be accessed at 2am while you sleep, while the touch only when you and the hacker were on the same subnet- unless you’ve dedicated a static IP address to your touch ~LOL~.

Do you have what you need to prevail?

Shop the ITS Store for exclusive merchandise, equipment and hard to find tactical gear.

Do you have what you need to prevail? Tap the button below to see what you’re missing.