In this article, we will discuss the functionality of a rootkit, go through classifications, detection methodologies, and, of course, rootkit prevention.
What is a Rootkit?
A rootkit is malicious software designed to conceal its own presence, and that of other malware, on a machine while keeping administrator (root) or kernel-level access. Despite the name, a rootkit does not usually gain those privileges by itself: it is installed once an attacker already has them, and its job is stealth and persistence. In practice it travels with a payload (a trojan, a downloader, a banking module) and hides that payload's files, processes, network connections and configuration or registry entries from the user and from security tools.
Because the rootkit arrives after the initial compromise, the privileges it needs come from somewhere else: an exploited vulnerability in the operating system or an installed application, stolen or weak credentials, a user tricked into running an installer with elevated rights, or a dropper bundled with outdated or unsupported software. Some families automate this step with a bundled exploit; in targeted intrusions the attacker exploits the vulnerability by hand before dropping the rootkit on the victim's machine.
Types of rootkits
In this section, we'll go through kernel rootkits, hardware and firmware rootkits, hypervisor (virtualized) rootkits, bootkits, memory rootkits and user-mode rootkits.
1. Kernel rootkit
This type of rootkit runs inside the operating system kernel itself, typically as a loadable kernel module or a device driver. With kernel privileges it can add new code to the OS, patch or replace existing kernel code and data (system call tables, driver dispatch routines, process and module lists), and so control what every other program, including security software, is allowed to see.
Kernel rootkits are advanced pieces of malware that require deep knowledge of kernel internals to write, and there is no safety net: a bug in kernel mode is not a crashed application but a kernel panic or blue screen, and a poorly written rootkit noticeably degrades the stability and performance of the machine.
On a more positive note, a buggy kernel rootkit is easier to detect, since crashes, hangs and inconsistent system state leave a trail of clues for an antivirus or anti-rootkit tool.
2. Hardware or firmware rootkit
Instead of targeting the OS, firmware or hardware rootkits go after the firmware that runs a hardware component: a disk controller, a network card, the system BIOS/UEFI or a payment terminal. In 2008, a European crime ring tampered with the firmware of card readers, which then intercepted the credit card data and sent it overseas.
A later proof-of-concept rootkit buried itself in the firmware of the hard drive itself, from where it could intercept any data written to the disk without the operating system noticing. Firmware rootkits survive an OS reinstallation and a disk wipe, because their code lives outside the operating system's reach.
3. Hypervisor (virtualized) rootkits
Virtualized rootkits are a newer development that turns hardware virtualization support against the host. Security researchers developed the first such rootkit as a proof of concept in 2006, and it is even more powerful than a kernel rootkit.
A kernel rootkit loads together with the operating system, but a virtualized rootkit loads first, installs itself as a thin hypervisor, creates a virtual machine and only then boots the original operating system as a guest inside it.
To give you a visual sense of this, imagine the rootkit and the boot-up process as if they were two boxes.
- In a kernel rootkit, the first box is the boot-up process. The rootkit is the second box, that goes inside the first box.
- In a virtualized rootkit, the first box is the rootkit itself. The boot-up process is the second box that goes within the first box.
As you can imagine, a virtualized rootkit has even more control over your system than a kernel one: the operating system, and every security tool running inside it, can no longer trust anything it reads from the hardware. And because they sit underneath the OS rather than inside it, removal from within the running system can be nearly impossible.
4. Bootloader rootkit or bootkit
This type of rootkit runs before your operating system does, by infecting the master boot record (MBR) or the volume boot record (VBR) on the disk. The firmware hands control to the rootkit's code, which then loads the legitimate bootloader and kernel with its hooks already in place. On UEFI systems the equivalent target is the boot manager or the firmware itself.
Since the boot records are raw disk sectors rather than files, the rootkit does not show up in the standard file-system view. As a result, antivirus and anti-rootkit software that scan files have a hard time detecting the malware.
To make matters worse, because the bootkit has overwritten the original boot record, removing its code without restoring a clean boot record can leave the machine unable to boot.
5. Memory rootkit
Memory rootkits live only in your computer's RAM and never write themselves to disk, so they disappear on reboot but also leave no file for a scanner to find. Like kernel rootkits, they can degrade performance by tying up memory and CPU with the malicious processes they run.
6. User-mode or application rootkit
User-mode rootkits are simpler and easier to detect than kernel or boot-record rootkits. Rather than modifying the kernel or system-critical files, they hook the application-level APIs (library functions and user-mode system APIs) that programs use to list files, processes and registry keys, and filter the hidden items out of the results.
In other words, they operate at the level of ordinary programs such as Paint, Word or PC games, with no more privilege than those programs have. This means a good antivirus or anti-rootkit program, which can compare the hooked view against what the kernel reports, will probably find the malware and remove it.
Rootkit Detection
Post-intrusion rootkit detection and removal is challenging, mostly because a rootkit with kernel privileges can disable or blind antivirus software. Worse, once the rootkit has established a bridgehead, it can be used to whitelist the processes and files of the malware it protects, so the security tool reports a clean system.
The detection and removal process depends heavily on the rootkit's type. Most user-mode rootkits can be detected and removed with behavioral analysis or memory dump analysis. Hardware and firmware rootkits, by contrast, can only be removed by reflashing or physically replacing the affected component. Kernel-level rootkits, although they run in software, usually cannot be cleaned reliably with the methods above either; in most cases the safe course is to wipe the disk and reinstall the OS.
Depending on the rootkit type and infiltration method, detection can be done in several ways: memory dump analysis, integrity checking, difference-based (cross-view) analysis, behavioral analysis, or booting from an alternative, trusted medium and examining the disk offline.
Memory Dumps Analysis
Effective to some degree, forcing a dump of physical memory and analyzing it offline can reveal most software-based rootkits, including hypervisor-based ones, because whatever the rootkit hides at run time must still exist somewhere in memory. The dump itself is analyzed offline, on another machine, but interpreting it requires the symbol information for the exact kernel build that was running.
Integrity checking
A PKI-based code-signing check can be used to detect boot- and kernel-level rootkits. The approach compares a baseline hash, taken when the file was known-good and covered by the publisher's signature, with a hash computed at any later moment, to establish whether the publisher-signed file, kernel module or boot record has been tampered with. The baseline itself must be stored and signed somewhere the rootkit cannot reach; otherwise the attacker simply updates it along with the file.
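The following is an added example, not code from the original article or from any Heimdal product. It applies the integrity check above to the object a bootkit targets: it parses a 512-byte MBR, hashes the boot code and the partition table separately, and compares them with an authenticated baseline. The baseline is authenticated with an HMAC from the standard library as a stand-in for a real publisher signature; the key name, the sample boot code bytes and the partition layout are all constructed for the example.

```python
"""Integrity check of an MBR boot sector against an authenticated baseline.

Added example (not from the original article). Stdlib only. The HMAC over
the baseline stands in for the PKI signature a real deployment would verify
with the publisher's public key; BASELINE_KEY is a constructed placeholder.
"""
import hashlib
import hmac
import json
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code the firmware jumps to
DISK_SIG_OFF = 440       # 4-byte disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a valid boot sector

BASELINE_KEY = b"constructed-example-key"   # stand-in for a signing key

# Constructed sample: a few plausible x86 real-mode bytes, not real boot code.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007cfb")
# Constructed sample of what a bootkit does: patch a jump over the first
# instructions so control goes to its own code before the real loader runs.
INFECTED_BOOT_CODE = bytes.fromhex("e9") + b"\x00\x10" + CLEAN_BOOT_CODE[3:]


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": lba_count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def _hashes(sector: bytes) -> dict:
    """Hash the two regions a bootkit would change, each on its own."""
    mbr = parse_mbr(sector)
    return {
        "boot_code": hashlib.sha256(mbr["boot_code"]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
    }


def _mac(entries: dict, key: bytes) -> str:
    payload = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


def make_baseline(sector: bytes, key: bytes = BASELINE_KEY) -> dict:
    """Record known-good hashes and authenticate the record."""
    entries = _hashes(sector)
    return {"entries": entries, "mac": _mac(entries, key)}


def verify_against_baseline(sector: bytes, baseline: dict, key: bytes = BASELINE_KEY) -> list:
    """Return the names of regions that differ from the baseline.

    An unauthenticated baseline is reported as its own finding: a rootkit that
    can rewrite the baseline would otherwise pass the check trivially.
    """
    if not hmac.compare_digest(_mac(baseline["entries"], key), baseline["mac"]):
        return ["baseline: authentication failed"]
    current = _hashes(sector)
    return [name for name, h in baseline["entries"].items() if current[name] != h]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: one bootable type-0x07 partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into("<BBBBBBBBII", sector, PART_TABLE_OFF,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = make_baseline(clean)
    print("clean:", verify_against_baseline(clean, baseline))
    print("bootkit:", verify_against_baseline(build_sample_mbr(INFECTED_BOOT_CODE), baseline))
```

On a real machine the sector would come from a raw read of the first 512 bytes of the boot disk, taken while booted from a trusted medium, since a running bootkit can hide its changes from reads made through the infected OS.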
Difference-based Analysis
Difference-based (cross-view) analysis compares two views of the same objects: the view returned by the high-level API that a rootkit typically hooks (directory listings, process enumeration, registry queries) against a view obtained independently from lower-level, trusted data (raw on-disk structures, a kernel-side walk of internal tables, or a clean system image). Anything present in the raw view but missing from the API view has been hidden, and is a strong indicator of a rootkit.
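The following is an added example, not code from the original article; it ties the user-mode rootkit section above to the cross-view method described here. A real user-mode rootkit hooks a library or system API (a directory-listing call, for instance) to drop its own files from the results. Here that hook is simulated by replacing `os.listdir` inside the process, and the detector builds the same listing through a second, unhooked code path (`os.scandir`) and diffs the two. The hidden-name prefix `rk_`, the file names and the temporary directory are constructed for the example; on a real system the second view would come from raw disk structures or from the kernel.

```python
"""Cross-view detection of a simulated user-mode hook.

Added example (not from the original article). The "rootkit" is a replacement
of os.listdir in this process that filters out names starting with HIDE_PREFIX,
standing in for a hooked FindNextFile/readdir. Detection diffs that view
against an independent one.
"""
import os
import tempfile

HIDE_PREFIX = "rk_"            # constructed: names the simulated rootkit hides
_real_listdir = os.listdir     # kept so the hook can be removed again


def install_hook(prefix: str = HIDE_PREFIX) -> None:
    """Simulated user-mode rootkit: every caller of os.listdir gets a filtered list."""
    def hooked_listdir(path="."):
        return [n for n in _real_listdir(path) if not n.startswith(prefix)]
    os.listdir = hooked_listdir


def remove_hook() -> None:
    os.listdir = _real_listdir


def api_view(path: str) -> set:
    """High-level view: what an ordinary program (or a naive scanner) sees."""
    return set(os.listdir(path))


def raw_view(path: str) -> set:
    """Independent view through a separate code path the hook does not touch.

    Assumption for the example: the rootkit hooked only os.listdir. On a real
    system this view would be a raw read of the directory on disk.
    """
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def cross_view_diff(high: set, low: set) -> dict:
    """Objects in the raw view but not the API view were hidden; the reverse
    (present in the API view only) would be phantom entries."""
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def run_demo() -> dict:
    """Create a constructed directory, diff views before and after the hook."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "rk_loader.so", "rk_config"):
            open(os.path.join(d, name), "w").close()
        clean = cross_view_diff(api_view(d), raw_view(d))
        install_hook()
        try:
            infected = cross_view_diff(api_view(d), raw_view(d))
        finally:
            remove_hook()
    return {"clean": clean, "infected": infected}


if __name__ == "__main__":
    for state, result in run_demo().items():
        print(f"{state}: hidden={result['hidden']} phantom={result['phantom']}")
```

The point the diff makes is that the detector never needs to know how the hook works, only that the two paths are independent; a rootkit that hooks both paths (or the kernel underneath them) defeats this particular pair of views, which is why scanners take the low-level view from as far below the suspected hook as they can.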
Well-Known Rootkit Examples
Most cybercriminals don't actually code their own malware. Instead, they use already existing malicious programs. Most of the time they only adjust the rootkit's settings, while the more technically skilled add their own code. This is called the malware economy and is worth its own read.
Just like in the real economy, some malware has bigger market shares than others. In this section, we want to cover some of the more widespread rootkit families out there.
If you are unfortunate enough to get infected with a rootkit, chances are it will be one of these.
ZeroAccess rootkit
This rootkit is responsible for the creation of the ZeroAccess botnet, which hogs your resources as it mines for bitcoins or commits click fraud by spamming you with ads.
At some point, security researchers estimated the ZeroAccess botnet contained 1-2 million PCs. A large part of it (but not all, unfortunately) was taken down by Microsoft as well as other security companies and agencies.
While not as strong a threat as before, variations of the ZeroAccess rootkit are still out there and actively used.
TDSS / Alureon / TDL
At one point, the botnet based on the TDSS rootkit was thought to be the second biggest in the world. Following some concerted law enforcement actions, several arrests were made and the botnet entered a period of decline.
The malware code, however, is still out there, and actively used. Unlike the ZeroAccess rootkit, TDSS is after your personal data such as credit card data, online bank accounts, passwords, Social Security numbers, and so on.
Necurs
The rootkit behind Necurs, one of the biggest botnets active at the time of writing, is responsible for spreading massive amounts of Locky ransomware spam as well as the Dridex financial malware.
The Necurs rootkit protects other types of malware that enslave a PC to the botnet, thus making sure the infection cannot be removed.
Unlike TDSS and ZeroAccess, Necurs was, at the time of writing, an active botnet whose operators were still trying to grow it. (Necurs was later disrupted by a Microsoft-led takedown in March 2020.)
How to prevent a rootkit infection
Rootkits may be troublesome and persistent, but in the end they are programs like any other malware. They get onto your computer only after a dropper carrying the rootkit runs with enough privileges, whether because you launched it or because an unpatched vulnerability let an attacker launch it for you.
Here are some basic steps you should follow to make sure you don't get infected with a rootkit, and thus avoid the painful and time-consuming work of removing one.
Be wary of phishing or spear-phishing attempts
Phishing is one of the most frequently used methods to infect people with malware. The malicious hackers simply spam a huge email list with messages designed to trick you into clicking a link or opening an attachment.
The fake message can be anything really, from a Nigerian prince asking for help to retrieve his gold, to really well-crafted ones such as fake messages from Google that request you update your login information.
The attachment can be anything: a Word or Excel document carrying macros, a plain .exe program, or an image file crafted to exploit a bug in the viewer that opens it.
Keep your software updated at all times
Outdated software is one of the biggest sources of malware infection. Like any human creation, software is imperfect, meaning it ships with bugs and vulnerabilities that a malicious hacker can exploit.
For this reason, keeping your software up-to-date at all times is one of the best things you can do to stay safe on the Internet and prevent a malicious hacker from infecting you with malware.
Since updating your software can be such a chore, we recommend you use an automated program to do that for you. To this end, we suggest you use our own Heimdal™ Patch & Asset Management, which we specifically designed to handle this sort of problem.
Traffic-filtering FTW
One major flaw of antivirus is that the malware has to actually reach your PC before the antivirus can do anything about it.
Traffic filtering software, on the other hand, scans your inbound and outbound traffic to make sure no malware program is about to come to land on your PC as well as prevent private and confidential information from leaking to any suspicious receivers.
One such program that we wholeheartedly recommend is our own Heimdal™ Threat Prevention, which specializes in detecting malicious traffic and blocking it from reaching your PC.
Conclusion
Rootkits are some of the most complex and persistent types of malware out there. In the worst case, if not even a firmware (BIOS/UEFI) reflash removes the rootkit, you may have to retire that PC and work out which hardware components, if any, can still be trusted and reused.
Like with anything in life, the best treatment to a rootkit infection is to prevent one from happening.
Heimdal® Network DNS Security
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPS protection, HIPS and HIDS;
Last edited by Vladimir Unterfingher.