Although it was long believed that viruses were written exclusively for Windows, attackers who specialize in free systems have disproved this claim. A rootkit running on a Linux kernel-based system exposes it to manual or automated attacks, and sophisticated methods of diagnosing the system and cleaning it of malware are needed to neutralize it. Linux kernel-based systems have become the de facto standard in data centers, so their administrators should deepen their knowledge of rootkits and of how to deal with them in order to protect the infrastructure. The main purpose of this article is to inform system administrators and members of IT management teams about this potential threat, and it is written with them in mind.

In today’s world, IT technologies are used almost everywhere to automate repetitive tasks, from buying goods on the Internet to withdrawing funds from an account, and so simplify our lives. Along with their advantages, these systems are also subject to various problems. Almost every personal computer user knows about the danger of viruses. Even people unfamiliar with how computers work know that their data is at risk of damage, deletion or theft, and that backup copies are therefore necessary.

Although there are a large number of antivirus programs, there is another, inherently more dangerous category of malware: rootkits. This software is created by highly talented programmers, unfortunately with malicious intent, and causes users a great deal of trouble.

Malicious software can run as an application in user space or as part of the operating system. Rootkits most often fall into the second category, which gives them more capabilities, makes them more dangerous, and makes finding and neutralizing them as hard as possible. An unknown person who gains control of your system, most often working on it at the same time as you, can cause damage and gain access to your personal information. Keystroke-logging programs can steal passwords, credit card numbers, personal data, financial transaction records, confidential data about a company’s activities, and so on.

Rootkits are small sets of tools, utilities and scripts. The main purpose of introducing them into a target system is to obtain administrator rights, so that the system can be used remotely to collect secret data, or as a staging point for attacks on other vulnerable systems, where the rootkit is installed in turn to gain access to them.

A rootkit usually contains a set of network sniffers, tools for examining the system log, scripts for clearing the system log, system utilities for determining IP addresses, a replacement for the netstat utility, utilities for killing running processes, scripts for hiding code, and a compressed copy of itself for replication.

How do rootkits differ from viruses?

Let’s take a quick look at the distinctive signs of both.

| Viruses / Trojans | Rootkits |
| --- | --- |
| Most often executed as a user process | Most often executed as part of the OS / kernel |
| Usually gain access to the system with user rights | Give access to the system with administrator / root rights |
| Do not open paths for remote administration | Open paths for remote administration (a port, an IP address, etc.) |
| Do not provide remote access | Provide remote access for the attacker |
| Fairly easy to detect and remove from the system | Very difficult to detect and remove from the system |
| Designed to disrupt the system and corrupt data | Designed to steal confidential data |

As the table shows, although some features of viruses / trojans and rootkits are similar (in general, both can cause data loss, or capture and collect confidential data such as user names, passwords, email addresses, etc.), there are fundamental differences between them. Although a virus usually works in “stealth mode”, hiding its presence by infecting executables and system files, it still runs as an application, so anti-virus programs are able to detect and delete it. A Trojan, which is a more advanced form of virus, hides itself in the system in a more elaborate way.

A rootkit, on the other hand, replaces part of the operating system in order to hide itself and gain the greatest possible control over the system. It can therefore monitor the processes running on the system and perform any action it likes. It can also be used to inject other rootkits and viruses into the system. Rootkits allow a computer to be controlled remotely, and the machine is usually also used to distribute commercial spam.

Infection / Installation

Rootkits enter a system by methods similar to those viruses use; however, since a rootkit needs OS-level privileges, the methods differ slightly. Attackers typically use the following routes into a system:

  • If the intruder has physical access to the system, he can try to guess a weak password. If the system can be booted from removable media belonging to the attacker (CD, USB), he can try various techniques to recover the root password of the system installed on the hard disk.
  • An attacker can remotely identify vulnerabilities in an OS and network applications that have not been updated in time, and then attack them.
  • An attacker can use a web page with an embedded script to enter the system through the browser.
  • Many applications that spy on users (spyware) can serve as a reliable means of delivering rootkits to the system.

Often the rootkit is packaged as a self-extracting archive whose contents are unpacked as soon as it lands on the system. A small set of installer programs that oversee the rootkit’s operation, obtain administrator rights and hide its presence in the system is often compressed along with it.

Some particularly complex rootkits can detect anti-virus and anti-spyware software and alter the way it operates, as well as modifying its output to hide their presence in the system. For example, some rootkits copy their toolkit to the root of the file system, yet it cannot be found by listing files, because the rootkit changes the behavior of the corresponding system commands.

Since attackers constantly try to minimize the size of rootkit code, installing and activating a rootkit takes very little time. Rootkits are designed to spread as widely as possible, so almost all of them carry a copy of themselves. Once running, they use every available mechanism to survey the local network and search for other vulnerable systems.

If security was not given enough attention when a local network was designed, a rootkit gaining administrative privileges on one node is enough for it to spread to the other systems on the network. Modern rootkits can detect an Internet connection, fetch the latest version of themselves and copy it to all infected machines, and then look for other vulnerable or poorly configured systems on the Internet.

As mentioned earlier, rootkit detection is a real challenge that demands more of administrators than the equivalent task for viruses and trojans. Although some rootkits are blocked by the latest anti-virus tools, most are immune to them. Because the rootkit becomes part of the operating system, the seemingly elementary approach of booting from a rescue disk or USB medium is very useful: it starts a fresh, uninfected copy of the operating system, from which rootkit-detection tools can be run without the rootkit interfering. In addition, many rootkit-detection tools only establish that a rootkit is present but cannot remove it, so manual intervention is needed to clean the system.

Rootkit-detection tools should use new methods rather than simple checks of files or processes, since a running rootkit can subvert these older methods and algorithms. The best option is to take a snapshot of various aspects of the system and compare it with a snapshot the program took immediately after the system was installed.

Newer tools use intelligent algorithms to detect changes in the state of the system and therefore do not require an examination of the system in its initial state. There are various rootkit-detection algorithms, such as the signature-based method also used to detect viruses, or integrity-based methods in which files, processes and kernel modules are checked for binary immutability. Another effective method is to take a memory dump with a dedicated program and then examine it for anomalies, signatures or changes directly or indirectly related to the operation of rootkits.
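The snapshot-and-compare approach described above, as an added example written for this article (not code from the article or from any of the tools it names): a baseline of digests, sizes, permission bits and owners is recorded right after installation and later compared against a fresh snapshot. SHA-256 is used rather than MD5; the baseline file must be kept off the host or on read-only media, and the comparison should be run from a clean boot medium against the mounted disk, so that a resident rootkit cannot falsify what the tool reads.

```python
import hashlib
import json
import os
import stat
from typing import Dict, List

Snapshot = Dict[str, dict]

def _sha256(path: str) -> str:
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> Snapshot:
    """Record digest, size, permission bits and owner of every regular file under root.
    lstat() is used so symlinks are not followed; only regular files are recorded."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, FIFOs
                continue
            snap[os.path.relpath(path, root)] = {
                "sha256": _sha256(path),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
            }
    return snap

def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify paths; any change in digest, size, mode or owner counts as modified."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }

def save_snapshot(snap: Snapshot, path: str) -> None:
    """Write the baseline as JSON; keep this file off the host or on read-only media."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)

def load_snapshot(path: str) -> Snapshot:
    with open(path) as f:
        return json.load(f)
```

A replaced binary such as a trojaned netstat shows up under "modified", a dropped sniffer under "added", and a deleted log-cleaning victim under "removed".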

There are many commercial and free programs for rootkit detection; let’s look at a few popular tools.

McAfee and Symantec offer products that protect against rootkit injection and detect some rootkits. Even so, separate specialized tools are needed to detect rootkits.

In the free software world, the well-known tool superior to most others is chkrootkit. It performs detailed binary checks, file-modification checks and kernel-module inspections. The program works well on a wide range of Linux distributions and is an essential part of the administrator’s toolkit.

Similarly, Tripwire is an important open-source tool that allows thorough MD5 hash checks and detects anomalies such as open connections for remote management and local exploits.

Rootkit Hunter is another well-known tool; it is a well-thought-out script that can detect many rootkits. It can also detect incorrect permissions on files and kernel modules, and it can be scheduled to run daily checks. When a new rootkit appears, an experienced system administrator can study it and write a script to detect it.
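The hidden-process check that tools like chkrootkit and Rootkit Hunter perform can be expressed as a cross-view comparison: the same fact (which PIDs exist) is obtained through several interfaces of differing depth, and any disagreement is a hiding candidate, which directly addresses the point made earlier that a rootkit alters the output of the usual system commands. This is an added example written for this article, not code from either tool; it assumes a Linux host with procfs and a `ps` that accepts `-eo pid=`.

```python
import os
import subprocess
from typing import Dict, Iterable, Set

def pids_from_proc_listing(entries: Iterable[str]) -> Set[int]:
    """View 1: PIDs that appear as numeric directory names in a /proc listing."""
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps_output(ps_text: str) -> Set[int]:
    """View 2: PIDs parsed from `ps -eo pid=` output (one PID per line, no header)."""
    return {int(tok) for tok in ps_text.split() if tok.isdigit()}

def _is_thread_group_leader(pid: int) -> bool:
    """kill(2) also answers for thread IDs, which never appear in the /proc listing, so keep
    a PID only if it is its own Tgid. An existing PID whose status cannot be read is kept."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True

def pids_by_probe(pid_max: int) -> Set[int]:
    """View 3: ask the kernel about every possible PID with kill(pid, 0); this bypasses
    directory listing, so a hook on getdents()/readdir() alone cannot hide a process."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)              # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                         # exists but belongs to another user
        if _is_thread_group_leader(pid):
            found.add(pid)
    return found

def cross_view_diff(view_a: Set[int], view_b: Set[int]) -> Dict[str, Set[int]]:
    """PIDs one view reports and the other does not; processes that exited between the
    two readings also appear here, so re-check a candidate before treating it as hidden."""
    return {"only_in_a": view_a - view_b, "only_in_b": view_b - view_a}

if __name__ == "__main__":               # live run on a Linux host
    with open("/proc/sys/kernel/pid_max") as f:
        live_probe = pids_by_probe(int(f.read()))
    live_proc = pids_from_proc_listing(os.listdir("/proc"))
    live_ps = pids_from_ps_output(subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout)
    print("in /proc but not in ps:", sorted(cross_view_diff(live_proc, live_ps)["only_in_a"]))
    print("found by probe but absent from /proc listing:", sorted(cross_view_diff(live_probe, live_proc)["only_in_a"]))
```

A process that the probe finds but that neither `ps` nor the `/proc` listing shows is exactly the pattern a kernel-resident rootkit produces; run the check from a clean boot medium when possible, because a rootkit that hooks kill(2) as well can defeat the third view.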

It is important to know that malware authors also study these mechanisms and modify new versions of their rootkits so that specialized tools no longer detect them.

Examples of rootkits and the harm they cause

As with viruses, unfortunately, there are many rootkits both for Windows and for the commercial Red Hat Enterprise Linux distributions, as well as for other free Linux distributions. Since the kernel has not undergone fundamental changes for a long time, it is usually not difficult for attackers to develop rootkits that will spread.

Although there are hundreds of rootkits dangerous to free systems, we will consider only some of the most common ones.

Let’s start with the LRK rootkit, since it is one of the oldest and still active rootkits (it was first discovered in 1997 but is still found on vulnerable systems). It has many versions and is known for replacing well-known executables such as netstat, linsniffer, inetd, ifconfig, etc.

Knark is a rootkit that is very difficult to detect, since it resides entirely in the kernel. This is very dangerous, because while running it hides open ports, files and processes from the administrator.

Beastkit is a relatively new rootkit designed for Red Hat distributions, and its dangerous variant called Illogic is known for a process listening on port 901 that gives an attacker telnet access to the system and lets him do practically anything with it.

Also worth mentioning are rootkits that have caused significant damage to Linux systems: Sneakin, Kitko, Ajakit and Devil. All of them use sophisticated techniques, such as identifying the OS and modifying kernel structures at run time, port forwarding to decode data, logging keystrokes to steal passwords and sending them to the attacker’s email address, tuning their activity to reduce the system resources they consume, etc. These rootkits are also known for their high propagation rate and for turning infected machines into zombies that continue the propagation.

As noted earlier, rootkits also give access to the system by opening ports and creating kernel-level processes, which lets an attacker fully control the system remotely, even over the Internet.

There are several “friendly” rootkits that cooperate with one another: if a rootkit detects another rootkit already present on the system, it updates it to improve performance. There are also rootkits that act as gateways for delivering viruses and Trojans to the local network: first the rootkit is injected into the system, reserves a place for itself, sets up user privileges, gains control over the file system, disables running anti-virus programs, opens the way for viruses to be sent, and then goes into stealth mode.

The new generation of rootkits is known for installing fake SSL certificates and attempting to decrypt HTTP traffic, normally carried over an encrypted channel, in order to obtain credit card details. There are rootkits that compromise systems in order to carry out human-assisted attacks on other systems, which makes it hard for investigators to find the real attacker.

Developing a continuously improving infrastructure security system is necessary to stop the spread of rootkits and prevent the damage they cause. Modern intrusion detection systems (IDS) can effectively stop rootkits from spreading into networks. Senior IT management should be informed about this serious danger and take decisive steps to protect the networks under their control.