A Rootkit is a malicious program composed of malware that is created to provide prolonged root-level or privileged-level access to a computer. It remains hidden in the computer system while maintaining control of the system remotely. Rootkits have the ability to steal data, eavesdrop, change system configurations, create permanent backdoors, deactivate other security defensive programs, and conceal other types of malware. They spread through phishing emails, infected shared folders, executable documents, and pirated software or software on infected websites.
Different types of Rootkits.
1. Application or user-mode rootkits
These rootkits only target user-level applications by gaining administrative privileges to them. They can modify the behavior of Application Programming Interfaces (API) and standard applications such as Paint, or Notepad, so when these applications are running the threat actor gains access to the computer. They can be easily detected by anti-malware programs since they operate at the same application level.
2. Hardware or firmware rootkits
They infect the software that is used to command hardware components such as hard drives, routers, network cards, and the system BIOS. These rootkits are able to install malware, intercept data, and log and monitor the activities of the system. Some firmware rootkits are quite hard to remove from systems even when they are deactivated since they stay hidden inside firmware and reinstall when the machine is turned on.
3. Bootloader rootkits
A bootloader is a program that is responsible for loading the operating system data into the main memory during computer startup. A rootkit can alter this process by infecting the Master Boot Record (MBR) or the Volume Boot Record (VBR) code that initiates the boot-up process. The bootloader rootkit doesn`t appear in the standard file system, making it difficult for anti-malware to detect it. The rootkit becomes activated in the system before the operating system is fully loaded.
4. Kernel mode rootkits
Kernel mode rootkits target the core level of the operating system. This can potentially affect the security of the entire computer, potentially gaining control of the entire system’s processes. It can change the functionality of the operating system since the rootkit is able to modify the code by deleting, replacing, or adding new components to the operating system. These types of rootkits can create massive attacks, impacting the computer`s performance.
5. Hybrid rootkits
These rootkits have part of their components at the application level and other parts at the kernel level, so they have increased stealth to lurk in the system.
6. Memory rootkits
Memory rootkits stay in the machine’s Random Access Memory (RAM), they disappear when the computer is rebooted. These rootkits affect the RAM’s performance as they consume the system’s resources for their malicious processes. Even though they have short lifespans, they can still pose a threat due to their ability to carry out malicious activity in the background.
7. Virtual Machine-Based Rootkits (VMBRs)
As the name implies, these rootkits target virtual machines. They load underneath the computer`s operating system by hosting the target operating system in a virtual machine so they can intercept the hardware calls. They are a lot more difficult to detect because they operate at a higher level than the operating system.
In order for rootkits to get installed in the computer system, they operate in tandem with two other programs, known as a Dropper, and a Loader. This strategy is known as the blended threat.
The Dropper imports the rootkit to the target computer, and when the dropper is activated by the victim, it launches the Loader. Next, the Loader installs the rootkit by exploiting vulnerabilities in the system.
There are different means that rootkits use to get installed on systems. Emails, and other messaging platforms are one such socially engineered method. An installation can also be triggered when a person clicks a malicious link attached in the mail, opens documents that are embedded with rootkits, and unwittingly executing other malware.
How to prevent rootkit attacks
Your computer might be infected by a rootkit if:
- Your device has slow performance, constantly freezes, or fails to receive input from the mouse or the keyboard.
- Popping up many error messages, or generating a blue screen of death (BSOD).
- Unusual unauthorized changes in settings of the system are detected.
- Excessive consumption of the network traffic, web pages, and the malfunction of other network activities.
Some basic precautions in avoiding rootkit attacks include:
- Using reputable anti-malware solutions, which will fight against most application-level malware.
- Keeping software regularly updated, and downloading software only from trusted sources.
- Being aware of common phishing attack tactics, and staying alert for unusual behavior of the computer system.
Rootkits are a sophisticated type of malware that targets various layers of a computer system, including hardware and software. They are able to gain root-level access from the layer that they are in by exploiting system vulnerabilities. Since rootkit attacks operate in the background unknown to the user, and many are difficult to detect, it is crucial to identify the types of rootkits and apply proper defenses against them.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.