In the ever-evolving world of malware, rootkits are some of the most dangerous threats out there. A fusion of the words \u201croot\u201d and \u201ckit,\u201d rootkits are essentially software toolboxes. Though not initially developed for malicious purposes, these toolboxes have become potent pieces of malware in the hands of technically-savvy cybercriminals.<\/p>\n
Common types of rootkits include bootkits, firmware rootkits, and memory rootkits. Once installed, a rootkit provides a hacker with an incredible number of weapons with which to wreak havoc on a system and network, often while remaining undetected until it\u2019s too late to stop them. Depending on the rootkit and the hacker, victims can find their messages intercepted, their data stolen, or even their hardware rendered unusable.<\/p>\n
When trying to protect yourself and your business from rootkits, it can be important to understand not only the variety of types of rootkits out there but also steps you can take to keep them away from your devices as much as possible and what to do when you find yourself infected. Here then are the most common rootkit threats, followed by some basic rootkit defenses.<\/p>\n
Looking for More About Malware? Check Out What is Malware? Definition, Purpose & Common Protections<\/a><\/strong><\/p>\n A bootkit is a type of kernel-mode rootkit that infects the master boot record, volume boot record or boot section during computer startup. Bootloaders are usually launched by a disc, USB drive, or hard drive, which tells the computer where its bootloader program is. A bootkit will then replace the legitimate bootloader with an infected version. The malware loader persists through the transition to protected mode when the kernel has loaded and is thus able to subvert the kernel.<\/p>\n Bootkits can be difficult to detect and drive out, since they won\u2019t typically be found in a user\u2019s file system. Additionally, removal might cause more damage to the computer if the bootkit has already altered the computer\u2019s boot records.<\/p>\n Examples include Olmasco, Rovnix and Stoned Bootkit.<\/p>\n A kernel-mode rootkit alters components within the computer operating system\u2019s core, known as the kernel. Some of these rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. This also gives them the ability to deftly evade detection<\/a> by functioning at the same security level as the OS itself.<\/p>\n Because of how deeply embedded kernel-mode rootkits are within a computer\u2019s system, they can be one of the most damaging types of malware out there. Kernel-mode rootkits generally require a high degree of technical competency to utilize. Any bugs or glitches in its programming leaves noticeable trails for antivirus software to track.<\/p>\n Notable examples of kernel-mode rootkits include Knark, Zero Access, Adore, FudModule, Da IOS, and the deliciously-named Spicy Hot Pot.<\/p>\n Also known as an \u201capplication rootkit,\u201d the user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces (APIs). It alters the security subsystem and displays false information to administrators of the target computer. It can intercept system calls and filter output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services.<\/p>\n Examples of this type of rootkit include Vanquish, Aphex and Hacker Defender.<\/p>\n A virtual, or hypervisor, rootkit hosts the target OS as a virtual machine, enabling it to intercept hardware calls made by the original OS. The rootkit does not have to modify the kernel to subvert the operating system. This type of rootkit was developed as a proof of concept in 2006, but in 2017, researcher Joseph Connelly designed nested virtual machine rootkit CloudSkulk<\/a> as part of his Masters degree work at Boise State University. In 2021, Connelly and other researchers presented a new paper<\/a> outlining an approach to detecting rootkits similar to CloudSkulk.<\/p>\n Need an Edge to Stay Ahead of Hackers? Take a Look at Top Threat Intelligence Platforms for 2022<\/a><\/strong><\/p>\n A firmware rootkit uses device or platform firmware to create a persistent malware image in the router, network card, hard drive or the basic input\/output system (BIOS). The rootkit is able to remain hidden because firmware is not usually inspected for code integrity. These rootkits can be used for semi-legitimate purposes, such as anti-theft technology preinstalled in BIOS images by the vendor, but they can also be exploited by cybercriminals.<\/p>\n Examples include Cloaker and VGA rootkit.<\/p>\n Memory rootkits camouflage themselves within a computer\u2019s random-access memory (RAM). While there, it can severely hamper a device\u2019s performance by consuming massive amounts of RAM resources through its toolbox of malicious programs. This is on top of whatever damage they can deal with said toolbox. Thankfully, memory rootkits are one of the easier types of rootkits to manage, as they\u2019re usually deleted when the infected computer reboots.<\/p>\n Thanks to the amount of control they can exert over a system and the potential damage they can cause, rootkits are a popular choice for hackers from all walks of life. As such, there have been several incidents where rootkits have been used to inflict massive amounts of harm to devices and networks.<\/p>\n Stuxnet<\/a> is arguably the most prominent example of rootkits being used for malicious purposes. First discovered in 2010, Stuxnet was used to severely disrupt Iran\u2019s nuclear facilities, apparently in an effort to halt the nation\u2019s development of an atomic bomb. All told, Stuxnet managed to destroy 1,000 of the 6,000 centrifuges Iran was using to enrich its uranium.<\/p>\n Though never formally admitted by either nation, Stuxnet is generally agreed to have been a joint effort between the United States and Israel in an operation codenamed \u201cOlympic Games,\u201d as reported by both The New York Times<\/a> and The Washington Post<\/a>.<\/p>\n The ZeroAccess<\/a> botnet, discovered in 2011, hit systems hard with fraudulent advertising clicks and Bitcoin mining malware, infecting at least 9 million computers worldwide. The bot was spread through the ZeroAccess rootkit, an aggressive and difficult-to-detect kernel-mode rootkit. The rootkit itself was spread through a number of infection vectors, most notably social engineering<\/a> and exploit packs like Blackhole.<\/p>\n In 2012, cybersecurity experts with Kaspersky Labs announced they had discovered another malicious rootkit used in the Middle East, called Flame<\/a>. Also known as Flamer or Skywiper, Flame was both a worm and a rootkit, being able to duplicate itself across local networks as well as boasting a diverse software toolkit with which to manipulate infected systems.<\/p>\n Flame\u2019s toolkit allowed it to do things like record audio through system microphones, take screenshots without the user\u2019s knowledge, and transmit stolen data via a covert SSL channel. It could also scan infected computers for antivirus software and alter its behavior to better avoid detection by that software.<\/p>\n Much like with Stuxnet, experts generally agree Flame was developed by or with funding from a nation state, though the identity of that nation has not been determined. The countries most affected by the rootkit were Iran, Israel, Palestine, Sudan, and Syria<\/a>.<\/p>\n Want to Learn About More Malware Incidents? Take a Look at The History of Computer Viruses & Malware<\/a><\/strong><\/p>\n Rootkits are ultimately a form of malware, and like with other kinds of malware, hackers have a number of ways to inject a rootkit into your device. Thankfully, the most dangerous types of rootkits are also often the most difficult to properly install. Below are some examples of common rootkit infection vectors:<\/p>\n Want to Learn More About How Malware Can Infect Your Computer? Check Out 8 Ways Malware Creeps Onto Your Device<\/a><\/strong><\/p>\n To help you protect yourself from rootkits, we\u2019ll be looking to researchers Eugene E. Schultz and Edward Ray and their chapter of the Information Security Management Handbook, Sixth Edition, Volume 2<\/a> for some expert guidance.<\/p>\n For prevention, Schultz and Ray recommend that enterprises consider the following measures to prevent rootkit infections:<\/p>\n Once a device is infected, the situation gets more complicated. The researchers caution that detecting and removing a rootkit is difficult. However, a rootkit can be detected by trained investigators and analysis tools, such as rootkit scanners, which uncover clues to the presence of the rootkit. Major security firms, such as Symantec, Kaspersky Lab and Intel Security (McAfee), offer rootkit scanners<\/a> to enterprise customers.<\/p>\n Some of the telltale signs that a rootkit is present include unexplained changes in target systems, strange files in the home directory of root, or unusual network activity.<\/p>\n Cryptographer and computer programmer Thomas Pornin noted that the rootkit needs to maintain an entry path for the attacker, creating an opportunity for detection. In a post<\/a> on Information Security Stack Exchange<\/em>, Pornin recommends that IT administrators reboot the computer on a live CD or USB key and then inspect the hard disk. \u201cIf the same files do not look identical, when inspected from the outside (the OS booted on a live CD) and from the inside, then this is a rather definite sign of foul play,\u201d he wrote.<\/p>\n Another contributor to the Information Security Stack Exchange who goes by the moniker user2213 explained that another way to detect a rootkit is to use spurious device codes on devices that do not normally respond to the codes. \u201cIf you get anything other than the relevant \u2018Not implemented\u2019 error code on your system, something strange is going on.\u201d<\/p>\n User2213 also suggested mounting the system drive on a different PC to see if an incorrect filesystem size or unexpected files come up. This could be an indication of a rootkit. \u201cUnfortunately, there aren\u2019t generic red flags for rootkits in general \u2014 the battle is more cat-and-mouse,\u201d the writer noted.<\/p>\n Rootkits\u2019 access to full system privileges makes them incredibly difficult to remove. Schultz and Ray recommend making an image backup and then rebuilding the compromised system using the original installation media; otherwise, the malicious code or unauthorized changes could continue even after the rootkit is \u201cdeleted.\u201d Security patches then need to be installed and a vulnerability scan performed.<\/p>\n In sum, the best strategy to deal with rootkit threats is to stop the rootkit from infecting computers in your network through security best practices such as patch management<\/a> and regular maintenance, and specialized tools such as rootkit scanners and firewalls<\/a>. Should your computers become infected anyway, you need to rebuild the compromised computer from the ground up to ensure that the rootkit is eradicated.<\/p>\n Looking for More Ways to Keep Your Network Safe? Read Best Enterprise Network Security Tools & Solutions for 2022<\/a><\/strong><\/p>\n NOTE:<\/strong> This article was originally written by Fred Donovan in 2016. It was updated by Zephin Livingston in 2022.<\/em><\/p>\n\n\nBootkit<\/h2>\n
Kernel-mode Rootkit<\/h2>\n
User-mode Rootkit<\/h2>\n
Virtual Rootkit<\/h2>\n
Firmware Rootkit<\/h2>\n
Memory Rootkit<\/h2>\n
Notable Rootkit Incidents<\/h2>\n
Ways Rootkits Can Infect Your Device<\/h2>\n
\n
How to Defend Yourself Against Rootkits<\/h2>\n
Prevention<\/h3>\n
\n
\n
\n
Detection<\/h3>\n
Removal<\/h3>\n
Conclusion<\/h2>\n