In simple language, a “rootkit” is a software kit used to get to the “root” of a computer: a set of tools used to gain administrator access to the machine and thereby control it. Rootkits were developed as legitimate software to give software developers a “backdoor” for fixing their own software in case an issue arose. Today, unfortunately, they are used by the hacking community to take control of vulnerable computers and to steal vital data from them.
Rootkits can make it onto your computer in a number of ways, the most common being phishing and social engineering attacks. Once inside, they usually take control of the machine and allow hackers to access it remotely so that they can carry out their intended task, which may be stealing information from the computer or simply crashing it. Legacy antimalware programs had a tough time detecting rootkits, but this is not an issue with modern, more capable antivirus programs.
What Can a Rootkit Do?
A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.
How to Detect a Rootkit?
Rootkits are difficult to detect. There is no commercial product that can find and remove all known and unknown rootkits. There are, however, various ways to look for a rootkit on an infected machine. Detection methods include behavioral methods (for example, looking for strange behavior on the system), signature scanning and memory dump analysis. Often, the only reliable way to remove a rootkit is to completely rebuild the compromised system.
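One of the behavioral methods mentioned above is cross-view detection: a rootkit that hides a process usually filters one enumeration path but rarely all of them, so two independent views of the process table are taken and any disagreement is reported. The script below is an added example written for this page, not a tool from the original article; it assumes a Linux host with /proc mounted and reads the PID limit from /proc/sys/kernel/pid_max.

```python
import os


def pids_from_proc_listing():
    """View 1: every PID and thread ID reachable by listing /proc (the path ps and
    top use). Thread IDs are included because kill(tid, 0) in view 2 also succeeds
    for threads, which have no top-level /proc entry of their own."""
    seen = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        seen.add(int(entry))
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{entry}/task"))
        except OSError:
            pass  # the process exited between the two listdir calls
    return seen


def pids_from_probe(max_pid):
    """View 2: IDs that exist according to kill(pid, 0), which the kernel answers
    without consulting /proc. EPERM still means the ID exists; only ESRCH does not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def find_hidden(listing_view, probe_view):
    """Pure comparison: IDs the probe sees but the listing does not."""
    return sorted(probe_view - listing_view)


def scan():
    """Live Linux scan. Candidates are re-checked against a fresh listing so that
    processes merely created between the two views are not reported."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    candidates = find_hidden(pids_from_proc_listing(), pids_from_probe(max_pid))
    recheck = pids_from_proc_listing()
    return [pid for pid in candidates if pid not in recheck]


if __name__ == "__main__":
    print("IDs hidden from the /proc listing:", scan() or "none")
```

On a clean system it prints none; an ID that shows up on two consecutive runs is worth confirming with a second method (memory analysis or an offline boot), because the scan itself runs on the possibly compromised kernel.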
What Are the Different Types of Rootkits?
Just as malware comes in different types (adware, bots, bugs, spyware, ransomware, malvertising, viruses, rootkits, etc.), each type of malware, rootkits included, has its own subtypes. Here are five types of rootkits.
1. Hardware or Firmware Rootkit
The name of this type of rootkit comes from where it is installed on your computer. This type of malware could infect your computer’s hard drive or its system BIOS, the software that is installed on a small memory chip in your computer’s motherboard. It can even infect your router. Hackers can use these rootkits to intercept data written on the disk.
2. Bootloader Rootkit
Your computer’s bootloader is an important tool: it loads the operating system when you turn the machine on. A bootloader rootkit attacks this component, replacing your computer’s legitimate bootloader with a hacked one. This means the rootkit is activated even before your operating system starts.
3. Memory Rootkit
This type of rootkit hides in your computer’s RAM, or Random Access Memory. These rootkits will carry out harmful activities in the background. The good news? These rootkits have a short lifespan. They only live in your computer’s RAM and will disappear once you reboot your system — though sometimes further work is required to get rid of them.
4. Application Rootkit
Application rootkits replace standard files in your computer with rootkit files. They might also change the way standard applications work. These rootkits might infect programs such as Word, Paint, or Notepad. Every time you run these programs, you will give hackers access to your computer. The challenge here is that the infected programs will still run normally, making it difficult for users to detect the rootkit.
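Because application rootkits work by replacing or altering standard program files, a file-integrity baseline is the direct defensive check: record a cryptographic digest of each critical binary on a known-clean system and compare the live files against it later. The code below is an added example for this page, not from the original article; the file names and contents used in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and mode per path. Take it on a known-clean system and
    keep it offline: malware that can replace binaries can also rewrite a baseline."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": hash_file(p), "size": st.st_size, "mode": st.st_mode}
    return baseline


def verify(baseline):
    """Return {path: finding}: 'missing', 'modified' (content differs) or
    'metadata' (content intact but size/mode changed, e.g. permissions)."""
    findings = {}
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if hash_file(p) != expected["sha256"]:
            findings[p] = "modified"
        elif st.st_size != expected["size"] or st.st_mode != expected["mode"]:
            findings[p] = "metadata"
    return findings


def demo():
    """Constructed scenario: baseline three files, then overwrite, delete, chmod."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("notepad.bin", "paint.bin", "word.bin")]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"original bytes of " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    with open(paths[0], "wb") as fh:
        fh.write(b"replacement content under the same file name")
    os.remove(paths[1])
    os.chmod(paths[2], 0o700)
    return {os.path.basename(p): v for p, v in verify(baseline).items()}
```

A real deployment hashes the system's own critical binaries (not temp files) and keeps the baseline on read-only or offline media.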
5. Kernel Mode Rootkit
These rootkits target the core of your computer’s operating system. Cybercriminals can use these to change how your operating system functions. They just need to add their own code to it. This can give them easy access to your computer and make it easy for them to steal your personal information.
How to Defend against Rootkits?
Because rootkits are so dangerous, and so difficult to detect, it is important to exercise caution when surfing the internet or downloading programs. There is no way to magically protect yourself from all rootkits.
Fortunately, you can increase your odds of avoiding these attacks by following the same common-sense strategies you take to avoid all computer viruses.
A. Don’t Ignore Updates
Updates to your computer’s applications and operating system can be annoying, especially when it seems as if there is a new update for you to approve every time you turn on your machine. But don’t ignore these updates. Keeping your operating systems, antivirus software, and other applications updated is the best way to protect yourself from rootkits.
B. Watch Out for Phishing Emails
Phishing emails are sent by scammers who want to trick you into providing them your financial information or downloading malicious software, such as rootkits, onto your computer. Often, these emails will look like they come from a legitimate bank or credit card provider. These messages may state that your account is about to be frozen or that you need to verify your identity. The messages will also ask that you click on a link.
If you do, you will be taken to a fake website. Once there, you might accidentally download a rootkit to your computer.
So what is the takeaway? Never click on links supposedly sent by a financial services company. If the message claims to come from a company with which you have no account, delete it. If it comes from a company you do business with, log into your online account directly or call the company. If there is really a problem, it will show up in your online account or a customer-service representative will confirm it.
C. Be Careful of Drive-By Downloads
Drive-by downloads can be especially troublesome. These happen when you visit a website and it automatically installs malware on your computer without your knowing it. You don’t have to click on anything or download anything from the site for this to happen. And it is not just suspicious websites that can cause this: hackers can embed malicious code in legitimate sites to trigger these automatic downloads.
The best way to help protect yourself? Approve updates to your computer’s software quickly. Set your operating system, browsers, and all applications to install updates automatically so that your computer systems will always have the most up-to-date protections in place.
D. Don’t Download Files Sent by People You Don’t Know
Be careful, too, when opening attachments. Don’t open attachments sent to you by people you don’t know; doing so could cause a rootkit to be installed on your computer.
Therefore, when you receive a suspicious attachment you should delete the email message immediately.
Method of Infection
Rootkits are installed through a variety of methods, but the most common infection vector is through the use of a vulnerability in the operating system or an application running on the computer. Attackers target known and unknown vulnerabilities in the OS and applications and use exploit code to get a privileged position on the target machine. They then install the rootkit and set up components that allow remote access to the computer.
The exploit code for a specific vulnerability may be hosted on a legitimate website that has been compromised. Another infection vector is via infected USB drives. Attackers may leave USB drives with rootkits hidden on them in places where they are likely to be found and picked up by victims, such as office buildings, coffee shops and conference centers. In some cases, the rootkit installation may still rely on security vulnerabilities, but in others, the malware may install as part of a seemingly legitimate application or file on the USB drive.
Well-Known Rootkit Examples
- Lane Davis and Steven Dake – wrote the earliest known rootkit in the early 1990s.
- NTRootkit – one of the first malicious rootkits targeted at Windows OS.
- HackerDefender – this early Trojan altered/augmented the OS at a very low level of function calls.
- Machiavelli – the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads.
- Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson’s AXE PBX.
- Zeus – first identified in July 2007, is a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing.
- Stuxnet – the first known rootkit for industrial control systems.
- Flame – a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic.
Detecting the presence of a rootkit on a computer can be difficult, as this kind of malware is designed to stay hidden and do its business in the background. There are utilities designed to look for known and unknown types of rootkits through various methods, including using signatures or a behavioral approach that tries to detect a rootkit by looking for known behavior patterns.
Removing a rootkit is a complex process and typically requires specialized tools. In some cases, it may be necessary for the victim to reinstall the operating system if the computer is too damaged.