ROOTKIT: WHAT IS A ROOTKIT?
Rootkit: What Is a Rootkit, Scanners, Detection and Removal Software
What Is a Rootkit?
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a connection of the two words "root" and "kit." Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the Admin account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today Rootkits are generally associated with malware – such as Trojans, worms, viruses – that conceal their existence and actions from users and other system processes.
A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. While there have been legitimate uses for this type of software, such as to provide remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software, such as viruses, ransomware, keylogger programs or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by endpoint antivirus software.
Once installed, a rootkit gives the remote actor access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits, but most antimalware programs today have the ability to scan for and remove rootkits hiding within a system.
What Can a Rootkit Do?
A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.
How rootkits work
Since rootkits can't spread by themselves, they depend on clandestine methods to infect computers. Typically, they spread by hiding in software that may appear to be legitimate and could actually provide legitimate functions.When users give a rootkit installer program permission to be installed on their system, the rootkit surreptitiously installs itself as well and conceals itself until a hacker activates it. A rootkit will contain malicious tools, including banking credential stealers, password stealers, keyloggers, antivirus disablers and bots for distributed denial-of-service attacks.
Rootkits are typically installed through the same common vectors as any malicious software, including by email phishing campaigns, executable malicious files, crafted malicious PDF files or Word documents, connecting to shared drives that have been compromised or downloading software infected with the rootkit from risky websites.
Symptoms of rootkit infection
One of the primary objectives of a rootkit is to avoid detection in order to remain installed and accessible on the victim system, so rootkit developers aim to keep their malware undetectable, which means there may not be many detectable symptoms that flag a rootkit infection.
One common symptom of a rootkit infection is that antimalware protection stops working. An antimalware application that just stops running indicates that there is an active rootkit infection.Another symptom of a rootkit infection can be observed when Windows settings change independently, without any apparent action by the user. Other unusual behavior, such as background images changing or disappearing in the lock screen or pinned items changing on the taskbar, could also indicate a rootkit infection.
Finally, unusually slow performance or high CPU usage and browser redirects may also indicate the presence of a rootkit infection.
Types of rootkits
There are several different types of rootkits characterized by the way the rootkit infects, operates or persists on the target system.A kernel mode rootkit is designed to change the functionality of an OS. This type of rootkit typically adds its own code -- and, sometimes, its own data structures -- to parts of the OS core, known as the kernel. Many kernel mode rootkits exploit the fact that OSes allow device drivers or loadable modules to execute with the same level of system privileges as the OS kernel, so the rootkits are packaged as device drivers or modules to avoid detection by antivirus software.
A user mode rootkit, also sometimes called an application rootkit, executes in the same way as an ordinary user program. User mode rootkits may be initialized like other ordinary programs during system startup, or they may be injected into the system by a dropper. The method depends on the OS. For example, a Windows rootkit typically focuses on manipulating the basic functionality of Windows dynamic link library files, but in a Unix system, an entire application may be completely replaced by the rootkit.
A bootkit, or bootloader rootkit, infects the master boot record of a hard drive or other storage device connected to the target system. Bootkits are able to subvert the boot process and maintain control over the system after booting and, as a result, have been used successfully to attack systems that use full disk encryption.
Firmware rootkits take advantage of software embedded in system firmware and install themselves in firmware images used by network cards, BIOSes, routers or other peripherals or devices.
Most types of rootkit infections can persist in systems for long periods of time, because they install themselves on permanent system storage devices, but memory rootkits load themselves into computer memory (RAM). Memory rootkits persist only until the system RAM is cleared, usually after the computer is restarted.
Rootkit detection and removal
it is difficult to detect rootkits. There are no commercial products available that can find and remove all known and unknown rootkits. There are various ways to look for a rootkit on an infected machine. Detection methods include behavioral-based methods (e.g., looking for strange behavior on a computer system), signature scanning and memory dump analysis. Often, the only option to remove a rootkit is to completely rebuild the compromised system.
Rootkits are designed to be difficult to detect and remove; rootkit developers attempt to hide their malware from users and administrators, as well as from many types of security products. Once a rootkit compromises a system, the potential for malicious activity is very high.
Typically, rootkit detection requires specific add-ons to antimalware packages or special-purpose antirootkit scanner software.
There are many rootkit detection tools suitable for power users or for IT professionals provided by antimalware vendors, which usually offer rootkit scanners or other rootkit detection tools to their customers. While free and paid third-party rootkit scanners are also available, care should be taken that any security scanning software is provided by a reputable publisher because threat actors have been known to package and distribute malware as security software.
Rootkit removal can be difficult, especially for rootkits that have been incorporated into OS kernels, into firmware or on storage device boot sectors. While some antirootkit software is able to detect, as well as remove, some rootkits, this type of malware can be difficult to remove entirely.
One approach to rootkit removal is to reinstall the OS, which, in many cases, will eliminate the infection. Removing bootloader rootkits may require using a clean system running a secure OS to access the infected storage device.
Rebooting a system infected with a memory rootkit will remove the infection, but further work may be required to eliminate the source of the infection, which may be linked to command and control networks with presence in the local network or on the public internet.
Rootkit Protection
Static analysis can detect backdoors and other malicious insertions such as rootkits. Enterprise developers as well as IT departments buying ready-made software can scan their applications to detect threats including "special" and "hidden-credential" backdoors.
Rootkit Protection
Many rootkits penetrate computer systems by piggybacking with software you trust or with a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities. This includes patches of your OS, applications and up-to-date virus definitions. Don't accept files or open email file attachments from unknown sources. Be careful when installing software and carefully read the end-user license agreements.Static analysis can detect backdoors and other malicious insertions such as rootkits. Enterprise developers as well as IT departments buying ready-made software can scan their applications to detect threats including "special" and "hidden-credential" backdoors.
Well-Known Rootkit Examples
- Lane Davis and Steven Dake - wrote the earliest known rootkit in the early 1990s.
- NTRootkit – one of the first malicious rootkits targeted at Windows OS.
- HackerDefender – this early Trojan altered/augmented the OS at a very low level of functions calls.
- Machiavelli - the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads.
- Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson's AXE PBX.
- Zeus, first identified in July 2007, is a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing.
- Stuxnet - the first known rootkit for industrial control systems
- Flame - a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic.
