Rise of the Rootkits

8 August 2014

Rootkit malware has not been viewed as a formidable security threat for quite some time; it reached its peak levels in early 2011 and has been on the decline since. During the fourth quarter of 2013, McAfee Labs researchers found the rate of rootkits had fallen below the level seen in 2008. McAfee Labs has long credited 64-bit processors with preventing rootkit attacks by making the operating system kernel more difficult to attack. However, the first quarter of 2014 saw a spike in rootkit malware.

The stealthy nature of rootkit malware is what makes its resurgence dangerous. Once a rootkit gains access to a system, it can remain undetected for an extended period while it steals information. The longer it goes unnoticed, the greater the chance for attackers to steal and destroy data on both corporate and individual scales.

The main culprit in early 2014 was a single 32-bit rootkit family, so the spike may be an anomaly. Newer and smarter forms of this malware have learned how to circumvent the protections of 64-bit systems, hijack digital certificates, exploit kernel vulnerabilities, digitally sign malware, and attack built-in security systems. McAfee Labs believes these methods will result in a resurgence of rootkit-based attacks.

Rootkit Roadblocks
The drastic decline in rootkit samples is depicted in the chart below. As Windows adopted the 64-bit platform, the microprocessor and OS design brought heightened security thanks to digital signature checking and kernel patch protection.

[Chart: New Rootkit Malware]

Sample counts declined along with the rootkit techniques used to gain kernel access. Efforts to access the kernel or install malicious device drivers were blocked by the increased protection of 64-bit systems. The heightened security in turn raised the cost of building and deploying rootkits on the protected platforms.

From Roadblocks to Speed Bumps
Security measures and increased rootkit costs aside, attackers seem to have finally found ways to gain kernel-level access to 64-bit systems. The most recent malicious rootkit to penetrate the kernel, Uroburos, remained undetected for three years. By exploiting a known vulnerability in an old VirtualBox kernel driver, Uroburos was able to load its unsigned malware and override PatchGuard, a protection within 64-bit Windows meant to thwart attackers.

Stolen private keys also offer attackers access to 64-bit systems, because a valid digital signature lets malware pass the signature checks meant to keep it out. McAfee Labs has seen a rise in all types of digitally signed malicious binaries. The McAfee Labs team examined the past two years of data to find out how many 64-bit rootkits have used stolen digital certificates and discovered:

  • Since January 2012 at least 21 unique 64-bit rootkit samples have used stolen certificates.
  • The malware W64/Winnti stole at least five private keys of legitimate vendors to install its rootkit on 64-bit systems since 2012. Of these five, at least two have not been revoked and may still be in use for both legitimate and malicious purposes.
  • At least one rootkit, W64/Korablin, was used in the zero-day exploit CVE-2013-0633, possibly by state-sponsored actors.
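
Because a stolen certificate that has not been revoked still yields a valid signature, an audit of kernel drivers has to look at who signed each one, not only whether it is signed. The PowerShell below is an added example, not McAfee Labs code; the function names and the `$CompromisedThumbprints` watchlist (a constructed placeholder value) are assumptions to be replaced with thumbprints from your own threat-intelligence source.

```powershell
# Added example: audit installed kernel drivers by signer thumbprint.
# Placeholder watchlist (constructed value, not a real certificate).
$CompromisedThumbprints = @('0000000000000000000000000000000000000000')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver paths may be quoted or use NT-style prefixes.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerFinding {
    param([string]$Name, [string]$Path, [string[]]$Watchlist)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Driver = $Name; Path = $Path
            Finding = 'FileMissing'; Signer = $null; Thumbprint = $null }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    # A Valid status is not enough: a stolen, unrevoked key also yields Valid,
    # so the signer is compared against the watchlist as a separate step.
    # Note: older PowerShell versions can report NotSigned for catalog-signed
    # drivers; confirm such findings before acting on them.
    $finding = if ($sig.Status -ne 'Valid') { "Signature$($sig.Status)" }
               elseif ($Watchlist -contains $cert.Thumbprint) { 'SignedByWatchlistedCert' }
               else { 'OK' }
    [pscustomobject]@{
        Driver     = $Name
        Path       = $Path
        Finding    = $finding
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
    }
}

# Check every registered kernel driver and list only the ones needing review.
$findings = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        Get-DriverSignerFinding -Name $_.Name `
            -Path (Resolve-DriverPath $_.PathName) `
            -Watchlist $CompromisedThumbprints
    }
$findings | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

A rootkit that already controls the kernel can hide its driver from this query, so the result is most useful as a baseline compared against an offline or out-of-band scan.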

While 64-bit processors and 64-bit Windows have implemented new security measures to safeguard against rootkits, it’s important to realize that no security is completely bulletproof. A more comprehensive security system that integrates hardware, software, network, and endpoint protection is the best rootkit defense.