Security.com

rootkit

By Mary E. Shacklett

What is a rootkit?

A rootkit is a program or a collection of malicious software tools that give a threat actor remote access to and control over a computer or other system. Although this type of software has some legitimate uses, such as providing remote end-user support, most rootkits open a backdoor on victims' systems to introduce malicious software -- including viruses, ransomware, keylogger programs or other types of malware -- or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by deactivating endpoint antimalware and antivirus software.

Rootkits, which can be purchased on the dark web, can be installed during phishing attacks or employed as a social engineering tactic to trick users into giving the rootkits permission to be installed on their systems, often giving remote cybercriminals administrator access to the system. Once installed, a rootkit gives the remote actor access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits, but today, most antimalware programs can scan for and remove rootkits hiding within a system.

How rootkits work

Since rootkits cannot spread by themselves, they depend on clandestine methods to infect computers. When unsuspecting users give rootkit installer programs permission to be installed on their systems, the rootkits install and conceal themselves until hackers activate them. Rootkits contain malicious tools, including banking credential stealers, password stealers, keyloggers, antivirus disablers and bots for distributed denial-of-service attacks.

Rootkits are installed through the same common vectors as any malicious software, including by email phishing campaigns, executable malicious files, crafted malicious PDF files or Microsoft Word documents, connecting to shared drives that have been compromised or downloading software infected with the rootkit from risky websites.

What can be compromised during a rootkit attack?

The following are some of the potential results of a rootkit attack:

Symptoms of rootkit infection

A primary goal of a rootkit is to avoid detection to remain installed and accessible on the victim's system. Although rootkit developers aim to keep their malware undetectable and there are not many easily identifiable symptoms that flag a rootkit infection, here are four indicators that a system has been compromised:

  1. Antimalware stops running. An antimalware application that just stops running indicates an active rootkit infection.
  2. Windows settings change by themselves. If Windows settings change without any apparent action by the user, the cause may be a rootkit infection. Other unusual behavior, such as background images changing or disappearing in the lock screen or pinned items changing on the taskbar, could also indicate a rootkit infection.
  3. Performance issues. Unusually slow performance or high central processing unit usage and browser redirects may also point to the presence of a rootkit infection.
  4. Computer lockups. These occur when users cannot access their computer or the computer fails to respond to input from a mouse or keyboard.

Types of rootkits

Rootkits are classified based on how they infect, operate or persist on the target system:

Tips for preventing a rootkit attack

Although it is difficult to detect a rootkit attack, an organization can build its defense strategy in the following ways:

Rootkit detection and removal

Once a rootkit compromises a system, the potential for malicious activity is high, but organizations can take steps to remediate a compromised system.

Rootkit removal can be difficult, especially for rootkits that have been incorporated into OS kernels, into firmware or on storage device boot sectors. While some antirootkit software can detect and remove some rootkits, this type of malware can be difficult to remove entirely.

One approach to rootkit removal is to reinstall the OS, which, in many cases, eliminates the infection. Removing bootloader rootkits may require using a clean system running a secure OS to access the infected storage device.

Rebooting a system infected with a memory rootkit removes the infection, but further work may be required to eliminate the source of the infection, which may be linked to command-and-control networks with presence in the local network or on the public internet.

Examples of rootkit attacks

Phishing and social engineering attacks. Rootkits can enter computers when users open spam emails and inadvertently download malicious software. Rootkits also use keyloggers that capture user login information. Once installed, a rootkit can give hackers access to sensitive user information and take control of computer OSes.

Application rootkit attacks. Rootkits can install themselves on commonly used applications, such as spreadsheet and word processing software. The hackers use application rootkits to gain access to users' information whenever they open the infected applications.

Network and internet of things (IoT) attacks. Significant security threats come in with IoT devices and edge computing that lack the security measures other systems and centralized computers have. Hackers find and exploit these vulnerabilities by inserting rootkits through edge points of entry. This can enable a rootkit to spread throughout a network, taking over computers and workstations and rendering them as zombie computers under outside control.

OS attacks. After entering a system, a kernel mode rootkit can attack the system's OS. The attack can include modifying the functionality of the OS, slowing system performance, and even accessing and deleting files. Kernel mode rootkits usually enter systems when a user inadvertently opens a malicious email or executes a download from an unreliable source.

Credit card swipe and scan attacks. Criminals have used rootkits to infect credit card swipers and scanners. The rootkits are programmed to record credit card information and to send the information to servers controlled by hackers. To prevent this, credit card companies have adopted chip-embedded cards, which are more impervious to attack.

Malware continues to become more sophisticated, creating a gap in current network defenses. Learn how to avert malware using a modern approach that provides protection against both known and unknown threats.

01 Oct 2021

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement