Top 6 Rootkit Threats and How to Protect Yourself

In the ever-evolving world of malware, rootkits are some of the most dangerous threats out there. Once installed, a rootkit provides a hacker with numerous tools and options with which to wreak havoc on a system and network, often while remaining undetected until it’s too late to stop them.

The history of rootkits can be traced to 1983 when they were first conceptualized by Unix OS creator Ken Thompson. “Root” is the Linux and Unix term for admin-level control of an operating system, underscoring the severity of these threats. Recent innovations in the attack technology, like the “BlackLotus” UEFI rootkit, have ensured that rootkits are still a very present danger to modern networks and devices.

When trying to protect yourself and your business from rootkits, it helps to understand not only the variety of rootkit types out there but also the steps you can take to keep them off your devices and what to do when you find yourself infected. Here then are the most common rootkit threats, followed by some basic rootkit defenses.

Kernel-mode Rootkit

A kernel-mode rootkit alters components within the computer operating system’s core, known as the kernel. Some of these rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. This also gives them the ability to deftly evade detection by functioning at the same security level as the OS itself. Because of how deeply embedded kernel-mode rootkits are within a computer’s system, they can be one of the most damaging types of malware out there. Kernel-mode rootkits generally require a high degree of technical competency to write and use, and any bugs or glitches in their code leave noticeable trails (crashes, instability, inconsistent system state) for antivirus software and investigators to track.

Notable examples of kernel-mode rootkits include Knark, ZeroAccess, Adore, FudModule, Da IOS, and the deliciously-named Spicy Hot Pot.

Bootkit

A bootkit is a type of kernel-mode rootkit that infects the master boot record, volume boot record or boot sector during computer startup. The boot record on a disc, USB drive, or hard drive tells the computer where its bootloader program is; a bootkit replaces the legitimate bootloader with an infected version. The malware loader persists through the transition to protected mode, when the kernel has loaded, and is thus able to subvert the kernel. Bootkits can be difficult to detect and remove, since they won’t typically be found in a user’s file system. Additionally, removal might cause more damage to the computer if the bootkit has already altered the computer’s boot records. Examples include Olmasco, Rovnix and Stoned Bootkit.

User-mode Rootkit

Also known as an “application rootkit,” the user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces (APIs). It alters the security subsystem and displays false information to administrators of the target computer. It can intercept system calls and filter output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services. Examples of this type of rootkit include Vanquish, Aphex and Hacker Defender.
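Both kernel-mode and user-mode rootkits work by making one view of the system lie: `lsmod` stops listing a module, `ps` stops listing a process. A standard defensive response is cross-view detection, which compares two independent enumerations of the same objects and reports what appears in one but not the other. The script below is an added example written for this article, not code from the article or from any tool it names. It parses `/proc/modules`-style and `ps`-style text, compares them against sysfs and `/proc` directory listings, and, on a POSIX host, probes PIDs directly with `os.kill(pid, 0)`. All sample inputs are constructed for illustration; the module name `hidden_mod` and the PID 2048 are made up.

```python
import os
import re

# /proc/modules line layout: name size refcount dependencies state offset
_MODULE_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-style text (lsmod's source)."""
    names = set()
    for line in text.splitlines():
        match = _MODULE_LINE.match(line.strip())
        if match:
            names.add(match.group(1))
    return names


def hidden_modules(proc_modules_text, sysfs_loaded_names):
    """Modules with a /sys/module entry that are missing from /proc/modules.

    A kernel-mode rootkit that unlinks itself from the module list to vanish
    from `lsmod` may still have its sysfs directory. Built-in kernel code also
    gets a /sys/module entry, so a live caller should pass only names whose
    directory contains an `initstate` file (present for loadable modules only).
    """
    return set(sysfs_loaded_names) - parse_proc_modules(proc_modules_text)


def pids_from_ps(ps_text):
    """Parse PIDs from `ps -eo pid,comm` style output; the first line is the header."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def pids_from_proc(entries):
    """PIDs from a raw /proc directory listing (numeric entries only)."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(ps_text, proc_entries):
    """Processes present as /proc/<pid> directories but absent from ps output.

    A user-mode rootkit that filters what `ps` reads produces exactly this gap.
    A kernel-mode rootkit that filters the /proc directory listing itself hides
    from both views, which is why probe_pids() below exists. Processes that
    exit between the two snapshots also land here, so re-sample before alerting.
    """
    return pids_from_proc(proc_entries) - pids_from_ps(ps_text)


def probe_pids(max_pid=65536):
    """Third view (POSIX only): ask the kernel whether each PID exists.

    os.kill(pid, 0) sends no signal; ProcessLookupError means no such process,
    PermissionError means it exists but belongs to someone else.
    """
    found = set()
    if os.name != "posix":
        return found
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def cross_view_report(ps_text, proc_entries, modules_text, sysfs_names, probed=None):
    """Collect every discrepancy between views into one dict of sorted lists."""
    report = {
        "hidden_pids": sorted(hidden_pids(ps_text, proc_entries)),
        "hidden_modules": sorted(hidden_modules(modules_text, sysfs_names)),
    }
    if probed is not None:
        # PIDs the kernel confirms exist but /proc does not list at all.
        report["pids_missing_from_proc"] = sorted(set(probed) - pids_from_proc(proc_entries))
    return report


# Constructed sample snapshots (not captured from a real host).
PS_SAMPLE = "  PID COMMAND\n    1 systemd\n  842 sshd\n 1307 bash\n"
PROC_ENTRIES = ["1", "842", "1307", "2048", "self", "cpuinfo", "modules"]
MODULES_SAMPLE = "ext4 745472 2 - Live 0x0000000000000000\nxfs 1536000 0 - Live 0x0000000000000000\n"
SYSFS_LOADED = ["ext4", "xfs", "hidden_mod"]

if __name__ == "__main__":
    print(cross_view_report(PS_SAMPLE, PROC_ENTRIES, MODULES_SAMPLE, SYSFS_LOADED))
```

On a live Linux host you would feed the functions `open("/proc/modules").read()`, `os.listdir("/sys/module")` filtered by the presence of `initstate`, `os.listdir("/proc")`, and the output of `ps -eo pid,comm`, then pass `probe_pids()` as the third view. A single hit is a lead, not a verdict: confirm it with a second snapshot before treating it as a rootkit indicator.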

Virtual Rootkit

A virtual, or hypervisor, rootkit hosts the target OS as a virtual machine, enabling it to intercept hardware calls made by the original OS. The rootkit does not have to modify the kernel to subvert the operating system. This type of rootkit was developed as a proof of concept in 2006, but in 2017, researcher Joseph Connelly designed the nested virtual machine rootkit CloudSkulk as part of his master’s degree work at Boise State University. In 2021, Connelly and other researchers presented a new paper outlining an approach to detecting rootkits similar to CloudSkulk.

Firmware Rootkit

A firmware rootkit uses device or platform firmware to create a persistent malware image in the router, network card, hard drive or the basic input/output system (BIOS). The rootkit is able to remain hidden because firmware is not usually inspected for code integrity. These rootkits can be used for semi-legitimate purposes, such as anti-theft technology preinstalled in BIOS images by the vendor, but they can also be exploited by cybercriminals. Examples include Cloaker and VGA rootkit.

Memory Rootkit

Memory rootkits camouflage themselves within a computer’s random-access memory (RAM). While there, they can severely hamper a device’s performance by consuming massive amounts of RAM through their toolbox of malicious programs, on top of whatever damage they deal with that toolbox. Thankfully, memory rootkits are one of the easier types of rootkits to manage, as they’re usually gone once the infected computer reboots.

Notable Rootkit Incidents

Thanks to the amount of control they can exert over a system and the potential damage they can cause, rootkits are a popular choice for hackers from all walks of life. As such, there have been several incidents where rootkits have been used to inflict massive amounts of harm to devices and networks.

Stuxnet is arguably the most prominent example of rootkits being used for malicious purposes. First discovered in 2010, Stuxnet was used to severely disrupt Iran’s nuclear facilities, apparently in an effort to halt the nation’s development of an atomic bomb. All told, Stuxnet managed to destroy 1,000 of the 6,000 centrifuges Iran was using to enrich its uranium. Though never formally admitted by either nation, Stuxnet is generally agreed to have been a joint effort between the United States and Israel in an operation codenamed “Olympic Games,” as reported by both The New York Times and The Washington Post.

The ZeroAccess botnet, discovered in 2011, hit systems hard with fraudulent advertising clicks and Bitcoin mining malware, infecting at least 9 million computers worldwide. The bot was spread through the ZeroAccess rootkit, an aggressive and difficult-to-detect kernel-mode rootkit. The rootkit itself was spread through a number of infection vectors, most notably social engineering and exploit packs like Blackhole.

In 2012, cybersecurity experts with Kaspersky Labs announced they had discovered another malicious rootkit used in the Middle East, called Flame. Also known as Flamer or Skywiper, Flame was both a worm and a rootkit, being able to duplicate itself across local networks as well as boasting a diverse software toolkit with which to manipulate infected systems. This toolkit allowed it to do things like record audio through system microphones, take screenshots without the user’s knowledge, and transmit stolen data via a covert SSL channel. It could also scan infected computers for antivirus software and alter its behavior to better avoid detection by that software. Much like with Stuxnet, experts generally agree Flame was developed by or with funding from a nation state, though the identity of that nation has not been determined. The countries most affected by the rootkit were Iran, Israel, Palestine, Sudan, and Syria.

How to Defend Yourself Against Rootkits

To help you protect yourself from rootkits, we’ll be looking to researchers Eugene E. Schultz and Edward Ray and their chapter of the Information Security Management Handbook, Sixth Edition, Volume 2 for some expert guidance.

Prevention

To prevent rootkit infections in the first place, Schultz and Ray recommend that enterprises consider the following measures:

  • using intrusion detection and prevention tools such as rootkit scanners
  • applying vulnerability patches in a timely manner
  • configuring systems according to security guidelines and limiting services that can run on these systems
  • adhering to the least privilege principle
  • deploying firewalls that can analyze network traffic at the application layer
  • using strong authentication
  • performing regular security maintenance
  • limiting the availability of compiler programs that rootkits exploit

Detection

Once a device is infected, the situation gets more complicated. The researchers caution that detecting and removing a rootkit is difficult. However, a rootkit can be detected by trained investigators and analysis tools, such as rootkit scanners, which uncover clues to the presence of the rootkit. Major security firms, such as Symantec, Kaspersky Lab and Intel Security (McAfee), offer rootkit scanners to enterprise customers.

Some of the telltale signs that a rootkit is present include unexplained changes in target systems, strange files in the home directory of root, or unusual network activity.

Cryptographer and computer programmer Thomas Pornin noted that the rootkit needs to maintain an entry path for the attacker, creating an opportunity for detection. In a post on Information Security Stack Exchange, Pornin recommends that IT administrators reboot the computer on a live CD or USB key and then inspect the hard disk. “If the same files do not look identical, when inspected from the outside (the OS booted on a live CD) and from the inside, then this is a rather definite sign of foul play,” he wrote.

Another contributor to the Information Security Stack Exchange who goes by the moniker user2213 explained that another way to detect a rootkit is to use spurious device codes on devices that do not normally respond to the codes. “If you get anything other than the relevant ‘Not implemented’ error code on your system, something strange is going on.”

User2213 also suggested mounting the system drive on a different PC to see if an incorrect filesystem size or unexpected files come up. This could be an indication of a rootkit. “Unfortunately, there aren’t generic red flags for rootkits in general — the battle is more cat-and-mouse,” the writer noted.
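Pornin’s inside-versus-outside comparison and user2213’s mount-on-another-PC check are the same technique: enumerate and hash the filesystem from a trusted boot medium, enumerate it again from inside the suspect system, and diff the two. The script below is an added example written for this article, not code from the article or from either Stack Exchange poster. It builds a manifest of (size, SHA-256) per file from a mount point, saves it as JSON, and compares two manifests to report modified, hidden and extra files. The sample manifests at the bottom are constructed, with placeholder digest strings rather than real hashes.

```python
import hashlib
import json
import os

# Pseudo-filesystems and volatile dirs that differ between boots by design.
SKIP_TOP_LEVEL = ("proc", "sys", "dev", "run", "tmp")


def build_manifest(root, skip=SKIP_TOP_LEVEL):
    """Walk a mounted filesystem at `root`; return {relative path: (size, sha256)}.

    Run once from the live medium against the mounted disk (the "outside" view)
    and once on the booted system (the "inside" view). Symlinks and special
    files are skipped; unreadable files are left out rather than aborting.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
            dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                size = os.path.getsize(full)
            except OSError:
                continue
            rel_path = os.path.join(rel_dir, name).replace(os.sep, "/")
            manifest[rel_path] = (size, digest.hexdigest())
    return manifest


def write_manifest(manifest, path):
    """Persist a manifest as JSON so the two views can be compared later."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, sort_keys=True)


def read_manifest(path):
    """Load a manifest, restoring the (size, sha256) tuples JSON turned into lists."""
    with open(path, encoding="utf-8") as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def compare_manifests(outside, inside):
    """Diff the trusted outside view against the inside view.

    modified: same path, different size or hash (a replaced binary or library)
    hidden:   present outside only (filtered from the running system's view)
    extra:    present inside only (often runtime files; review rather than alert)
    Agreement proves nothing by itself, because the inside view was produced
    by tools that may themselves be subverted; only the discrepancies are evidence.
    """
    return {
        "modified": sorted(p for p in outside if p in inside and outside[p] != inside[p]),
        "hidden": sorted(p for p in outside if p not in inside),
        "extra": sorted(p for p in inside if p not in outside),
    }


# Constructed sample views; digests are placeholders, not real SHA-256 values.
OUTSIDE_VIEW = {
    "bin/ls": (142144, "digest-of-ls"),
    "bin/ps": (137680, "digest-of-genuine-ps"),
    "etc/ld.so.preload": (24, "digest-of-preload"),
    "usr/lib/libc.so.6": (2029224, "digest-of-libc"),
}
INSIDE_VIEW = {
    "bin/ls": (142144, "digest-of-ls"),
    "bin/ps": (137680, "digest-of-replaced-ps"),   # same size, different content
    "usr/lib/libc.so.6": (2029224, "digest-of-libc"),
    "run/utmp": (1536, "digest-of-utmp"),          # runtime-only file
}

if __name__ == "__main__":
    print(compare_manifests(OUTSIDE_VIEW, INSIDE_VIEW))
```

In practice the outside manifest is taken from the live CD or USB boot with the suspect disk mounted read-only, and the inside manifest from the booted system; only then are both passed to `compare_manifests`. A trojaned `ps` shows up under `modified`, a file the running system refuses to list shows up under `hidden`, and the files that are legitimately created at runtime collect under `extra` for manual review. Comparing against a package manager’s own file hashes (for example `rpm -V` or `debsums`) adds a third, vendor-supplied view.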

Removal

Rootkits’ access to full system privileges makes them incredibly difficult to remove. Schultz and Ray recommend making an image backup and then rebuilding the compromised system using the original installation media; otherwise, the malicious code or unauthorized changes could continue even after the rootkit is “deleted.” Security patches then need to be installed and a vulnerability scan performed.

In sum, the best strategy to deal with rootkit threats is to stop the rootkit from infecting computers in your network through security best practices such as patch management and regular maintenance, and specialized tools such as rootkit scanners and firewalls. Should your computers become infected anyway, you need to rebuild the compromised computer from the ground up to ensure that the rootkit is eradicated.

This article was originally written by Fred Donovan in 2016. It was updated by Zephin Livingston in 2022.

Zephin Livingston
Zephin Livingston is a content writer for eSecurityPlanet with years of experience in multiple fields including cybersecurity, tech, cultural criticism, and media literacy. They're currently based out of Seattle.
