Among the many types of viruses and malware in existence, rootkits are among the most dangerous. This is due to the damage they can inflict on computers and the level of difficulty involved in identifying and removing them.
Rootkits are essentially software programs that enable cyber criminals to gain privileged access to computers, control them, and sustain this over a lengthy period of time, all without the victim knowing.
While rootkits are now mostly commonly associated with Trojans, worms, viruses, and other forms of malware, they weren’t always malicious. In fact, they were initially designed as legitimate tools for computer admins.
This is reflected in the word “rootkit”—root refers to Linux and Unix admin accounts, and “kit” describes software for executing these tools. But hackers have learned to abuse rootkits, using them to avert detection by users and antimalware programs. So, how do they work, and most importantly, how can you detect and mitigate them?
How do rootkits work?
Rootkits are sophisticated pieces of software that typically consist of a dropper, a loader, and a rootkit. Each has a different role in how rootkits get onto and remain hidden on infected devices.
The dropper is an executable program that allows cyber criminals to install malware on a device. Users can unknowingly spread a dropper by opening an attachment in a phishing email or clicking a malicious link on a hacked website.
The second component of rootkits, the loader, is used to install and execute malware on an infected machine. Its purpose is to activate the rootkit through a buffer overflow that adds it to the computer’s memory.
Once the dropper and loader have fulfilled their purposes, the rootkit can change a machine’s user permissions and deactivate antimalware or antivirus software. This not only makes it harder for the computer’s owner to detect the rootkit infection but also allows cybercriminals to download files, spy on users, and damage the machine.
What are the different types of rootkits?
Several types of rootkits exist, each with varying capabilities. Here are a few of the most common types.
Firmware rootkit
This type of rootkit buries itself in firmware code with the aim of infecting hardware such as hard drives, network cards, and microprocessors. Hackers can use firmware rootkits to track internet activity, access disk data, and use keyloggers.
Memory rootkits
This rootkit hides in the computer’s RAM, slowing down the infected computer and allowing hackers to perform malicious activities without being detected by users. Their code isn’t permanent and can be removed by restarting the computer.
Bootloader rootkits
Bootloaders are vital to computers, loading the operating system as soon as you click the power button. Cybercriminals use bootloader rootkits to run malicious bootloaders comprising rootkits. This type of rootkit will kick into action prior to the operating system fully booting up, attacking the infected machine. Modern operating systems come with Secure Boot technology to fight malicious bootloaders.
Kernel rootkits
Kernel rootkits inject malicious code into the kernel, the beating heart of a computer operating system. By successfully installing a kernel rootkit on an infected computer, a hacker can modify the operating system and gain all its user privileges. Kernel rootkits aren’t easy to deploy and, when done wrong, can render the computer useless.
Application-level rootkits
Cyber criminals use rootkits to replace genuine application files with malicious ones and inject code into applications and application programming interfaces (APIs) to alter their behavior. Operating in the device's application layer, these rootkits are primarily used for stealing personal information.
Hypervisor or virtualized rootkits
These rootkits infect hypervisors, which are software programs for generating and managing virtual machines (VMs). Hackers use them to spy on communication made between a virtual machine and the host operating system, modify this information, and access computer virtualization resources.
User-mode rootkits
These rootkits attack the user level of an infected operating system, allowing cybercriminals to replace genuine files with malicious ones and alter the behavior of APIs and applications. Because user-mode rootkits alter hard-drive files and load whenever the operating system reboots, they can stay permanently on infected devices.
What are some common examples of rootkits?
The last few years have seen many different rootkits emerge. Here are some common examples.
- NTRootKit: Hackers use this tool to get admin access to Windows NT/2K systems
- HackerDefender: This user mode rootkit has seen exponential deployment over the years. It enables hackers to modify a range of Windows and Native API function features and conceal information from other applications.
- ZeroAccess: This is a kernel-mode rootkit that has existed for over a decade, allowing cybercriminals to download and install malware on 32- and 64-bit Windows machines and use them as a botnet.
- Necurs: This is another kernel-mode rootkit that cybercriminals use to take over and perform unsupervised actions on infected machines. In 2014, hackers began using it as part of the Gameover Zeus botnet so that users of infected machines could not remove the malware.
The latest rootkits
From Lazarus to GhostEmperor, some of the world’s most infamous cybercrime gangs are leveraging novel rootkits in their hacking campaigns.
- FudModule: This is a kernel-mode rootkit that has been leveraged by the North Korean threat actors Lazarus Group in various campaigns. Madelein van der Hout, senior analyst at Forrester, explains that the crime organization spread the FudModule malware on infected AppLocker applications by exploiting a zero-day vulnerability. “This allowed them to cross the admin-to-kernel boundary and carry out a sophisticated rootkit attack,” van der Hout adds.
- Demodex: Chinese hackers at GhostEmperor used this kernel-mode rootkit to take over and hide business networks across South Easia explains Dor Nizar, Sygnia senior malware researcher. He adds: “It utilized the CheatEngine driver to manipulate its own functionality by hooking functions in CheatEngine, allowing it to inject the malicious Demodex code into the system kernel, thus installing the rootkit.”
- Glupteba: This bootkit allows threat actors to install a powerful rootkit on infected systems and persistently access them, explains Nizar. He says the rootkit is spread in an infected machine's Unified Extensible Firmware Interface, allowing cybercriminals to gain control over its boot process. By leveraging a custom version of EfiGuard for deactivating PatchGuard and Driver Signature Enforcement security tools on infected Windows devices, the hackers can deploy malware even before the operating system starts.
How do you detect and remove rootkits?
Detecting and removing rootkits isn’t easy. By design, they aim to achieve persistence on infected machines without being identified by antimalware software.
But there are some steps to take to aid in rootkit removal. Forester’s van der Hout recommends using behavior-based detection software to flag unusual behavior like “unexpected privilege escalations or hidden files.” She also says integrity monitoring tools like Tripwire will identify unauthorized changes to key system files and configurations. Third, she explains that signature-based detection services can detect the signatures of suspected rootkits. Finally, she says hardware and firmware scanners can “detect firmware anomalies.”
Preventing rootkits in the first place isn’t impossible. Katell Thielemann, distinguished VP analyst at Gartner, recommends that users perform “basic cyber hygiene” steps such as strict patch management, enabling secure boot technology on their operating systems, and being careful when opening files and attachments
Rootkits remain a dangerous form of malware that can affect operating systems in many different ways. With new variants always emerging, it’s crucial that computer users take steps to identify and mitigate them. That may not be easy, but it’s certainly possible with the latest antimalware tools and good cyber security hygiene.
Can you prevent a rootkit from infecting a system?
Prevention is always best, so if you believe your systems could be at risk from rootkit infections, regular scans with any of the above tools will help ease concerns.
Phishing emails are common delivery mediums for rootkits, so train staff to avoid opening emails from an unknown source.
Patching software is always a good strategy for preventing rootkit infection, as it closes off any vulnerabilities rootkits exploit to infect systems.
Lastly, monitor network traffic for unusual signs of data transfer. This can help in isolating network segments that could be under attack to prevent any attack from multiplying.
