
A rootkit is one of the most difficult types of malware to find and remove. Malicious hackers frequently use them to eavesdrop on your PC, for example by hiding keyloggers, or to remotely control your computer, as in botnets and similar threats.

As you can imagine, this is a nasty type of malware and can severely impact your PC’s performance, not to mention your personal data.

What exactly is a rootkit?

You can guess a rootkit’s definition from its two component words. “Root” and “kit” are Linux/UNIX terms: “root” is the equivalent of the Windows Administrator, while a “kit” is software designed to take root/administrator control of a PC without informing the user.

Once a rootkit installs itself on your computer, it will boot up at the same time as your PC. On top of that, by having administrator access, it can track everything you do on the device, scan your traffic, install programs without your consent, hijack your computer’s resources or enslave it in a botnet.

Unfortunately, rootkits are notoriously difficult to detect, since they can also hide processes from view. They hide their own processes as well as those of any accompanying malware. As such, in order to remove them, you’re going to need an excellent antivirus, as well as a specialized rootkit scanner and remover.

How rootkits spread

On a more positive note, rootkits are ultimately programs just like any other, and in order for them to be installed, they need to be run.

Rootkits are usually composed of three components: the dropper, loader and the rootkit itself.

The dropper is the executable program or file that installs the rootkit. Chances are you’ll meet this dropper program as an attachment to a suspicious phishing email or as a malicious download from a strange website.

But the dropper doesn’t have to be an executable program. Files such as PDFs and Word documents can be designed to trigger a rootkit installation the moment they are opened, and by then it’s too late.

Cybercriminals can be quite creative in how they hide their malware, as this article shows.

Taking this into consideration, it’s nearly impossible to infect yourself with a rootkit if you’re paranoid about the stuff you click on the Internet, and even more paranoid about the things you install.

Sometimes, you’ll get infected with a rootkit from legitimate sources. In 2005, Sony sold 22 million CD’s that would install a rootkit on the computer, all in an effort to improve copy protection and secure digital rights on the music located on the disk.

And in 2015, Lenovo used rootkits to reinstall deleted software on computers they sold, as well as “send non-personally identifiable system data to Lenovo servers”.

These commercial methods are not just invasive and unethical, but their mere presence is a cybersecurity threat, since they can be hijacked and used for other purposes than the ones they were intended for.

Types of rootkit viruses

The severity of a rootkit infection can be measured depending on how deep into the system it goes.


Infections at the Ring 3 levels are fairly superficial, since these only infect programs such as Microsoft Office, Photoshop or other similar software.

Ring 1 and 2 are deeper layers, such as the drivers for the video graphics card or your sound system.

Ring 0, meanwhile, targets the base operating system that controls everything else, such as the BIOS or CMOS. These are the deepest and hardest to remove, since an antivirus (which mostly operates at Ring 3) doesn’t have full access to Ring 1.

Kernel rootkit

This type of rootkit is designed to function at the level of the operating system itself. What this means is that the rootkit can effectively add new code to the OS, or even delete and replace OS code.

Kernel rootkits are advanced and complex pieces of malware, and creating one properly requires advanced technical knowledge. If the rootkit has numerous bugs and glitches, this heavily impacts a computer’s performance.

On a more positive note, a buggy kernel rootkit is easier to detect since it leaves behind a trail of clues and breadcrumbs for an antivirus or anti-rootkit.

Hardware or firmware rootkit

Instead of targeting the OS, firmware/hardware rootkits go after the software that runs certain hardware components. In 2008, a European crime ring managed to infect card-readers with a firmware rootkit. This then allowed them to intercept the credit card data and send it overseas.

This proof-of-concept rootkit for instance managed to bury itself in the hard drive itself, and then intercept any of the data written on the disk.

Hypervisor or virtualized rootkit

Virtualized rootkits are a newer development that takes advantage of new technologies. Security researchers developed the first such rootkit as a proof of concept in 2006, and it is even more powerful than a kernel rootkit.

A kernel rootkit will boot up at the same time as the operating system, but a virtualized rootkit will boot up first, create a virtual machine and only then boot up the operating system inside it.

To give you a visual sense of this, imagine the rootkit and the boot-up process as if they were two boxes.

  • In a kernel rootkit, the first box is the boot-up process. The rootkit is the second box, that goes inside the first box.
  • In a virtualized rootkit, the first box is the rootkit itself. The boot-up process is the second box that goes within the first box.

As you can imagine, virtualized rootkits have even more control over your system than a kernel one. And because they bury themselves so deep within the device, removal can be nearly impossible.

Bootloader rootkit or bootkit

This type of rootkit boots up at the same time as your operating system, by infecting the master boot record (MBR) or the volume boot record (VBR).

Since it attaches itself to those boot records, the rootkit won’t show up in the standard file system view. As a result, antivirus and anti-rootkit software will have a hard time detecting the malware.

To make matters even worse, the rootkit might modify the boot records, and, by removing it, you risk damaging your PC.
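Because a bootkit lives in the MBR rather than in the file system, one defender-side check that does not depend on the file system view is to read the first sector of the disk directly, hash its boot code, and compare that hash with a baseline taken when the machine was known to be clean. The following Python script is an added example, not code from the original article or from any of the tools it mentions; the 512-byte MBR it works on is constructed in `build_sample_mbr` for illustration, and the device paths in the comments are assumptions about where a real MBR would be read from.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code a bootkit would replace
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511, the MBR boot signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR with one active NTFS partition.
    Sample data for this example only, not read from a real disk."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)   # three empty slots
    return code + table + SIGNATURE


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device. Needs administrator/root rights.
    Typical paths (assumed, not from the article): \\.\PhysicalDrive0 on Windows,
    /dev/sda on Linux."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into its boot code hash, partition table and signature."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, data[off:off + PART_ENTRY_LEN])
        if ptype == 0 and count == 0:
            continue                       # empty slot
        partitions.append({"index": i, "active": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a baseline boot-code hash taken from a known-clean
    system. Returns a list of findings; an empty list means nothing changed."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed stub
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean:", check_mbr(clean, baseline))
    # simulate a bootkit overwriting the start of the boot code
    tampered = b"\xeb\xfe" + clean[2:]
    print("tampered:", check_mbr(tampered, baseline))
```

The baseline hash should be recorded while the system is known to be clean and stored off the machine. Since a kernel or boot-level rootkit can filter what the running OS returns for a raw disk read, the comparison is most trustworthy when the sector is read from a rescue boot or from another machine with the disk attached.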

Memory rootkit

Memory rootkits hide themselves in your computer’s RAM. Like kernel rootkits, these can reduce performance by occupying memory with all the malicious processes involved.

User-mode or application rootkit

User-mode rootkits are simpler and easier to detect than kernel or boot record rootkits. This is because they hide within an application itself, and not system critical files.

In other words, they operate at the level of standard programs such as Paint, Word, PC games and so on. This means a good antivirus or anti-rootkit program will probably find the malware and then remove it.

Rootkit families


Most cybercriminals don’t actually code their own malware. Instead, they use already existing malicious programs. Most of the time, they only adjust the rootkit’s settings, while some with the technical skill add their own code. This is called the malware economy, and is worth its own read.

Just like in the real economy, some malware have bigger market shares than others. In this section, we want to cover some of the more widespread rootkit families out there.

If you are unfortunate enough to get infected with a rootkit, chances are it will be one of these.

We’ve only added 3 of the most common/well known rootkit families, but you can find a bigger collection of known rootkits here.

ZeroAccess rootkit

This rootkit is responsible for the creation of the ZeroAccess botnet, which hogs your resources as it mines for bitcoins or commits click fraud by spamming you with ads.

At some point, security researchers estimated the ZeroAccess botnet contained 1-2 million PCs. A large part of it (but not all, unfortunately) was taken down by Microsoft as well as other security companies and agencies.

While not as strong a threat as before, variations of the ZeroAccess rootkit are still out there and actively used.

Here’s a more in-depth article covering the ZeroAccess rootkit.

TDSS / Alureon / TDL

At one point, the botnet based on the TDSS rootkit was thought to be the second biggest in the world. Following some concerted law enforcement actions, several arrests were made and the botnet entered a period of decline.

In an effort to fight back against the botnet, Kaspersky even named its rootkit remover, TDSSKiller, after it.

The malware code however is still out there, and actively used. Unlike the ZeroAccess rootkit, TDSS is after your personal data such as: credit card data, online bank accounts, passwords, Social Security number and so on.

Necurs

The rootkit behind Necurs, one of the biggest currently active botnets, is responsible for spreading massive amounts of Locky ransomware spam as well as the Dridex financial malware.

The Necurs rootkit protects other types of malware that enslave a PC to the botnet, thus making sure the infection cannot be removed.

Unlike TDSS and ZeroAccess, Necurs is an active botnet, and the cybercriminals behind it are still actively trying to grow it.

Here’s a list of 8 rootkit scanners you can use to find and remove an infection


Antivirus programs will have a hard time finding an advanced rootkit, so your best bet is to use a specialized rootkit revealer or scanner.

Here’s a breakdown of what these rootkit scanners and removers can do.

Use HitmanPro for a rootkit scan

HitmanPro is a popular second opinion malware scanner with wide-ranging capabilities. It can find and remove rootkits an antivirus might otherwise overlook.

Fortunately, it has a simple interface and a small installer file. It’s also free for 30 days, after which you’ll have to buy the full license.

Norton Power Eraser is a useful antirootkit program

Norton Power Eraser is a free security utility offered by Norton (duh). Its traffic scanning capabilities are above average; however, it does have a tendency to be too aggressive. As such, there is a high chance of false positives, so be extra cautious when using it.

Its interface is fairly simple. If you want to make sure you also scan for rootkits, go to “Settings” and check the option “Include Rootkit Scan”.

UnHackMe is self-explanatory

UnHackMe is a shareware program with monitoring capabilities, meaning it can alert you whenever it detects a rootkit trying to hack its way into your PC. Its full features are only available during the 30-day trial, after which you’ll have to buy the license for further use.

It has a fairly simple interface if you just want the standard scan, but if you’re a more experienced user then it offers quite a lot of extra functionality, such as deleting a registry key, exporting results as a .txt file or disabling program autorun.

GMER is the ultimate rootkit revealer

Chances are you’ve never heard of this program, but it was good enough to power Avast! Antirootkit.

Not only that, but cybercriminals launched DDoS attacks against the site hosting GMER, so that users couldn’t download it.

But malicious hackers haven’t stopped there. Some rootkits are designed to identify GMER and prevent it from starting up in the first place. If that happens to you, then rename the file to iexplorer.exe in order to trick the rootkit.

As effective as it is, GMER requires some very advanced computer knowledge to use effectively, since you have to properly identify malicious processes from legitimate ones.

An important note here is that GMER excels in identifying rootkits, and not so much in removing them, so you’ll most likely need a dedicated rootkit remover for that.

If you are just a regular user, we strongly recommend you only use the scanning feature and save the test results. Later, you can share these results to a dedicated cybersecurity forum for expert advice.

PCHunter – Rootkit 1.51

Another tool for the more technically skilled user, PCHunter can offer you a wealth of information on the inner workings of your computer, such as processes and registries.

Just like with GMER, however, you should be doubly cautious when using it, otherwise you risk breaking your OS and computer.

Kaspersky TDSSKiller is an old, but still capable rootkit hunter

Developed by Kaspersky to remove the TDSS and Alureon family of rootkits, its functionality was extended to clean up other rootkits as well. Unfortunately, it hasn’t been updated very frequently, but it still packs a punch in removing a rootkit infection.

Use a good antivirus to remove the rootkit from your PC

In the past, antivirus developers had their own separate tools to remove rootkits. Over time, however, these have been merged into their main antivirus products. Such was the fate of the rootkit detectors from Avast, AVG and other developers.

A good antivirus can make all the difference in removing a rootkit. As such, we’ve put together a guide on how you can find the best antivirus for the job.

The rootkit removal process

By now, we’ve covered all the basics and important information, but how exactly do you remove a rootkit?

First off, as we’ve said before, rootkits are the most difficult types of malware to remove and clean from a computer.

Because of this, none of the methods below are 100% guaranteed to completely repair your device.

First, back up all of your important data

There’s no telling how the rootkit might react once you start the removal process. Chances are high it has built-in defensive measures that might wipe your computer or make it completely unusable.

You might ask yourself “isn’t it likely that the rootkit will also infect the backup?”. The answer is yes, it is possible. However, the rootkit/malware won’t infect other files on your PC, meaning it won’t infect a previously clean Word file or image. So unless you also back up the rootkit/malware itself, you’re pretty much safe.

Boot up your PC in Safe Mode with Networking

Some rootkits might try to prevent you from installing a security product, or taking any measures to remove it. If this happens, you must restart your computer in Safe Mode with Networking in order to limit the access of the rootkit.

In order to start up your PC in Safe Mode with Networking, you need to press F8 at the Windows boot screen.

Here’s an alternative method if that proves to be a bit tricky.

Scan for rootkits with multiple tools

There are numerous rootkit families out there, such as TDSS, Alureon or ZeroAccess. Not every rootkit scanner is able to find all of them, but by using a combination of executable/on-demand scanners, you can cover the weakness of one scanner with the strength of another.

For this reason, we suggest you use all of these scanners:

  • Kaspersky TDSSKiller
  • UnHackMe
  • Norton Power Eraser, with the caveat that you should be more cautious about false positives.

Another program we suggest you install is Malwarebytes Antirootkit. Besides being able to scan and remove any rootkits, it also has a very useful feature that fixes the damage done by the rootkit to your Windows OS.

Use Rkill to freeze any remaining malware

Simply removing the rootkit won’t guarantee you have a clean PC. Chances are the rootkit came with other types of malware that are still active, and also designed to resist a normal malware removal process.

For this reason, we suggest you use Rkill to freeze any remaining malware processes, so your malware removal programs can come in and save the day.

Important: do not restart your computer after using Rkill, or else the malware might start up again upon bootup.

Use Malwarebytes Anti-Malware and HitmanPro to clean up the remaining malware

Normally these are paid programs, but they do come with a 30 day free trial during which they have their full functionality unlocked.

Malwarebytes Anti-Malware is the general purpose malware removal program, while HitmanPro is a popular and efficient second opinion malware scanner.

By now, your PC should finally be clean and malware free. But things get complicated if you have a particularly resistant type of rootkit that inhabits your BIOS or hardware.

What to do if you have a BIOS/Hardware level rootkit

If you are unlucky enough to go through a BIOS/hardware rootkit infection, then chances are the standard malware removal process won’t be able to clean it up.

In these situations, your best option is to start going nuclear on the rootkit. This means you should completely wipe your data and reinstall the OS.

How to do a clean Windows installation

Before you format your drive and do a clean wipe, be sure to back up any important files and documents you might have.

Next, you’ll need to make sure you do a complete wipe. This isn’t as easy as it sounds, since Windows doesn’t actually erase the data once you do the “Delete” + “Clear Recycle Bin” combo. We recommend you follow this guide to completely destroy any data on your hard drive and make sure it is clean.

Next comes the fresh Windows installation. Here are three install guides for Windows 7, 8 and 10.

What to do if you have a BIOS rootkit infection

A BIOS rootkit is probably the worst possible infection you can have (except maybe a virtualized rootkit, but that’s an entirely separate conversation).

Chances are that not even a complete wipe and reinstall of Windows will be able to remove a BIOS rootkit.

Your best chance in this case is to flash the BIOS. This means that you effectively wipe the BIOS software and install a new one. As you can imagine, this is some pretty last-resort stuff.

To help guide you through this, here is a comprehensive guide on how to flash your BIOS and reinstall the software.

IMPORTANT NOTE: You might want to do a manual reset before you start. It’s very possible the rootkit has a defensive measure that blocks you from flashing or reinstalling the BIOS. For this reason, we recommend you do a hard reset that completely wipes the BIOS settings. Who knows, this might even remove the rootkit altogether.

Here’s how you can do a manual reset of the BIOS settings.

How to prevent a rootkit infection

Rootkits may be troublesome and persistent, but in the end they are just programs like many other types of malware. This means that they only infect your computer after you’ve somehow launched the malicious program that carries the rootkit.

Here are some basic steps you should follow to make sure you don’t get infected with a rootkit, and thus avoid all of these painful and time consuming steps to remove one.

Be wary of phishing or spear phishing attempts

Phishing is one of the most frequently used methods to infect people with malware. The malicious hackers simply spam a huge email list with messages designed to trick you into clicking a link or opening an attachment.

The fake message can be anything really, from a Nigerian prince asking for help to retrieve his gold, to really well-crafted ones such as fake messages from Google that request you update your login information.

The attachment can be anything, such as a Word or Excel document, a regular .exe program or an infected JPEG.

Here’s a more in-depth look on how you can avoid a phishing attack.
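A simple check a mail gateway or a cautious user can apply to attachments is to compare what the file name claims with what the leading bytes of the file actually are, and to flag executable or double extensions. The Python below is an added example, not code from the original article or from Heimdal; the signature table is limited to the file types the text mentions, and the four sample attachments in `SAMPLES` are constructed for illustration (only their first bytes, not real files).

```python
from typing import Optional

# File signatures ("magic bytes") for the attachment types the text mentions.
MAGIC = {
    b"MZ": "pe",                                  # .exe/.dll/.scr (Windows PE)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",                         # also the .docx/.xlsx container
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls
    b"\xff\xd8\xff": "jpeg",
}
# What the content should look like for a given extension.
EXPECTED = {".exe": "pe", ".scr": "pe", ".pdf": "pdf", ".docx": "zip",
            ".xlsx": "zip", ".doc": "ole2", ".xls": "ole2",
            ".jpg": "jpeg", ".jpeg": "jpeg"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes; the longest signature wins."""
    for magic, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return kind
    return None


def assess_attachment(filename: str, data: bytes) -> list:
    """Return finding tags for one attachment; an empty list means nothing odd."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = {"." + p for p in parts[1:-1]}       # extensions hidden before the last one
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if ext in EXECUTABLE_EXTS and inner & DOCUMENT_EXTS:
        findings.append("double-extension")        # e.g. invoice.pdf.exe
    detected = sniff_type(data)
    expected = EXPECTED.get(ext)
    if expected and detected and detected != expected:
        findings.append("content-mismatch")        # name and bytes disagree
    if detected == "pe" and ext not in EXECUTABLE_EXTS:
        findings.append("disguised-executable")    # a program posing as a document/image
    return findings


# Constructed sample attachments (not real files): name -> leading bytes.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",      # PE header under a .jpg name
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
}


def triage(samples: dict) -> dict:
    """Run the check over every sample and keep only the flagged ones."""
    flagged = {}
    for name, data in samples.items():
        tags = assess_attachment(name, data)
        if tags:
            flagged[name] = tags
    return flagged


if __name__ == "__main__":
    for name, tags in triage(SAMPLES).items():
        print(f"{name}: {', '.join(tags)}")
```

This catches the two cheap tricks the text describes (a program named as an image, and a document-looking name with an executable suffix); it does not inspect the inside of a genuine PDF or Office file for malicious content, which is the job of a real scanner.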

Keep your software updated at all times

Outdated software is one of the biggest sources of malware infection. Like any human creation, software programs are imperfect by design, meaning they come with many bugs and vulnerabilities that allow a malicious hacker to exploit them.

For this reason, keeping your software up-to-date at all times is one of the best things you can do to stay safe on the Internet and prevent a malicious hacker from infecting you with malware.

Since updating your software can be such a chore, we recommend you use an automated program to do that for you. To this end, we suggest you use our own Heimdal FREE, which we specifically designed to handle this sort of problem.

Use a good antivirus

Antivirus software hasn’t had a good time lately. Many of the more recent so-called “second generation malware” come with defensive measures such as obfuscation that prevent detection or make it difficult.

Despite this, however, an antivirus still brings real value to the fight against malware, and no security-minded user should be without one on their PC.

Here’s a more in-depth guide on how to find the best antivirus that can suit your needs.

A traffic filtering solution can prevent the malware from even touching your PC

One major flaw of antivirus is that the malware has to effectively touch your PC before the antivirus becomes useful.

Traffic filtering software, on the other hand, scans your inbound and outbound traffic to make sure no malware program is about to land on your PC, and prevents private and confidential information from leaking to suspicious recipients.

One such program that we whole-heartedly recommend is our own Heimdal PRO, which specializes in detecting malicious traffic and blocking it from reaching your PC.

Conclusion

Rootkits are some of the most complex and persistent types of malware threats out there. We stopped short of saying this, but if not even a BIOS flash is able to remove the rootkit, then you just might have to throw away that PC and just see which hardware components, if any, you can reuse.

Like with anything in life, the best treatment to a rootkit infection is to prevent one from happening.


Comments

So how are you supposed to decrypt that Partition in order to remove it? Has anyone found one method that works better than another for removal especially when it is advanced?

Do rootkits need the internet to function

One of the most comprehensive reports I have read to date, … well done Paul.

Very good article. I’ve already posted on LinkedIn.

Very useful text. Thanks
