In the ever-evolving world of malware, rootkits are some of the most dangerous threats out there. A fusion of the words “root” and “kit,” rootkits are essentially software toolboxes. Though not initially developed for malicious purposes, these toolboxes have become potent pieces of malware in the hands of technically-savvy cybercriminals.
Common types of rootkits include bootkits, firmware rootkits, and memory rootkits. Once installed, a rootkit provides a hacker with an incredible number of weapons with which to wreak havoc on a system and network, often while remaining undetected until it’s too late to stop them. Depending on the rootkit and the hacker, victims can find their messages intercepted, their data stolen, or even their hardware rendered unusable.
When trying to protect yourself and your business from rootkits, it can be important to understand not only the variety of types of rootkits out there but also steps you can take to keep them away from your devices as much as possible and what to do when you find yourself infected. Here then are the most common rootkit threats, followed by some basic rootkit defenses.
Looking for More About Malware? Check Out What is Malware? Definition, Purpose & Common Protections
A bootkit is a type of kernel-mode rootkit that infects the master boot record, volume boot record or boot section during computer startup. Bootloaders are usually launched by a disc, USB drive, or hard drive, which tells the computer where its bootloader program is. A bootkit will then replace the legitimate bootloader with an infected version. The malware loader persists through the transition to protected mode when the kernel has loaded and is thus able to subvert the kernel.
Bootkits can be difficult to detect and drive out, since they won’t typically be found in a user’s file system. Additionally, removal might cause more damage to the computer if the bootkit has already altered the computer’s boot records.
Examples include Olmasco, Rovnix and Stoned Bootkit.
A kernel-mode rootkit alters components within the computer operating system’s core, known as the kernel. Some of these rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. This also gives them the ability to deftly evade detection by functioning at the same security level as the OS itself.
Because of how deeply embedded kernel-mode rootkits are within a computer’s system, they can be one of the most damaging types of malware out there. Kernel-mode rootkits generally require a high degree of technical competency to utilize. Any bugs or glitches in its programming leaves noticeable trails for antivirus software to track.
Notable examples of kernel-mode rootkits include Knark, Zero Access, Adore, FudModule, Da IOS, and the deliciously-named Spicy Hot Pot.
Also known as an “application rootkit,” the user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces (APIs). It alters the security subsystem and displays false information to administrators of the target computer. It can intercept system calls and filter output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services.
Examples of this type of rootkit include Vanquish, Aphex and Hacker Defender.
A virtual, or hypervisor, rootkit hosts the target OS as a virtual machine, enabling it to intercept hardware calls made by the original OS. The rootkit does not have to modify the kernel to subvert the operating system. This type of rootkit was developed as a proof of concept in 2006, but in 2017, researcher Joseph Connelly designed nested virtual machine rootkit CloudSkulk as part of his Masters degree work at Boise State University. In 2021, Connelly and other researchers presented a new paper outlining an approach to detecting rootkits similar to CloudSkulk.
Need an Edge to Stay Ahead of Hackers? Take a Look at Top Threat Intelligence Platforms for 2022
A firmware rootkit uses device or platform firmware to create a persistent malware image in the router, network card, hard drive or the basic input/output system (BIOS). The rootkit is able to remain hidden because firmware is not usually inspected for code integrity. These rootkits can be used for semi-legitimate purposes, such as anti-theft technology preinstalled in BIOS images by the vendor, but they can also be exploited by cybercriminals.
Examples include Cloaker and VGA rootkit.
Memory rootkits camouflage themselves within a computer’s random-access memory (RAM). While there, it can severely hamper a device’s performance by consuming massive amounts of RAM resources through its toolbox of malicious programs. This is on top of whatever damage they can deal with said toolbox. Thankfully, memory rootkits are one of the easier types of rootkits to manage, as they’re usually deleted when the infected computer reboots.
Notable Rootkit Incidents
Thanks to the amount of control they can exert over a system and the potential damage they can cause, rootkits are a popular choice for hackers from all walks of life. As such, there have been several incidents where rootkits have been used to inflict massive amounts of harm to devices and networks.
Stuxnet is arguably the most prominent example of rootkits being used for malicious purposes. First discovered in 2010, Stuxnet was used to severely disrupt Iran’s nuclear facilities, apparently in an effort to halt the nation’s development of an atomic bomb. All told, Stuxnet managed to destroy 1,000 of the 6,000 centrifuges Iran was using to enrich its uranium.
Though never formally admitted by either nation, Stuxnet is generally agreed to have been a joint effort between the United States and Israel in an operation codenamed “Olympic Games,” as reported by both The New York Times and The Washington Post.
The ZeroAccess botnet, discovered in 2011, hit systems hard with fraudulent advertising clicks and Bitcoin mining malware, infecting at least 9 million computers worldwide. The bot was spread through the ZeroAccess rootkit, an aggressive and difficult-to-detect kernel-mode rootkit. The rootkit itself was spread through a number of infection vectors, most notably social engineering and exploit packs like Blackhole.
In 2012, cybersecurity experts with Kaspersky Labs announced they had discovered another malicious rootkit used in the Middle East, called Flame. Also known as Flamer or Skywiper, Flame was both a worm and a rootkit, being able to duplicate itself across local networks as well as boasting a diverse software toolkit with which to manipulate infected systems.
Flame’s toolkit allowed it to do things like record audio through system microphones, take screenshots without the user’s knowledge, and transmit stolen data via a covert SSL channel. It could also scan infected computers for antivirus software and alter its behavior to better avoid detection by that software.
Much like with Stuxnet, experts generally agree Flame was developed by or with funding from a nation state, though the identity of that nation has not been determined. The countries most affected by the rootkit were Iran, Israel, Palestine, Sudan, and Syria.
Want to Learn About More Malware Incidents? Take a Look at The History of Computer Viruses & Malware
Ways Rootkits Can Infect Your Device
Rootkits are ultimately a form of malware, and like with other kinds of malware, hackers have a number of ways to inject a rootkit into your device. Thankfully, the most dangerous types of rootkits are also often the most difficult to properly install. Below are some examples of common rootkit infection vectors:
- Boot Installation: Bootkits specifically tend to be installed when an infected device boots up.
- Packaged with Other Malware: Certain types of rootkits, such as user-mode rootkits, often find their way onto computers alongside other pieces of malware, such as through mass spam campaigns.
- “Evil-Maid” Attacks: At times, a hacker or team of hackers might send someone to install a rootkit on an unattended device. You’ll see this version of hacking pop up in movies quite a bit.
- Legitimate Software Programs: Rootkits were originally developed as a relatively innocuous piece of software and as a result might be included in certain legitimate programs.
- Other Common Malware Infection Vectors: From spear phishing to social engineering to just opening an infected document, rootkits are just as able to be slipped onto your device through some of the most common methods of malware infiltration out there.
Want to Learn More About How Malware Can Infect Your Computer? Check Out 8 Ways Malware Creeps Onto Your Device
How to Defend Yourself Against Rootkits
To help you protect yourself from rootkits, we’ll be looking to researchers Eugene E. Schultz and Edward Ray and their chapter of the Information Security Management Handbook, Sixth Edition, Volume 2 for some expert guidance.
For prevention, Schultz and Ray recommend that enterprises consider the following measures to prevent rootkit infections:
- Network Security
- Using intrusion detection and prevention tools such as rootkit scanners
- Deploying firewalls that can analyze network traffic at the application layer
- Patching and Updating: applying vulnerability patches in a timely manner
- Security Best Practices:
- Configuring systems according to security guidelines and limiting services that can run on these systems
- Adhering to the least privilege principle (perhaps with the aid of privileged access management (PAM))
- Using strong authentication
- Performing regular security maintenance
- Limiting the availability of compiler programs that rootkits exploit
- Email security to limit malicious attachments
- Browser security, browser isolation, or DNS security to block malicious websites or limit the reach of malicious files on websites.
Once a device is infected, the situation gets more complicated. The researchers caution that detecting and removing a rootkit is difficult. However, a rootkit can be detected by trained investigators and analysis tools, such as rootkit scanners, which uncover clues to the presence of the rootkit. Major security firms, such as Symantec, Kaspersky Lab and Intel Security (McAfee), offer rootkit scanners to enterprise customers.
Some of the telltale signs that a rootkit is present include unexplained changes in target systems, strange files in the home directory of root, or unusual network activity.
Cryptographer and computer programmer Thomas Pornin noted that the rootkit needs to maintain an entry path for the attacker, creating an opportunity for detection. In a post on Information Security Stack Exchange, Pornin recommends that IT administrators reboot the computer on a live CD or USB key and then inspect the hard disk. “If the same files do not look identical, when inspected from the outside (the OS booted on a live CD) and from the inside, then this is a rather definite sign of foul play,” he wrote.
Another contributor to the Information Security Stack Exchange who goes by the moniker user2213 explained that another way to detect a rootkit is to use spurious device codes on devices that do not normally respond to the codes. “If you get anything other than the relevant ‘Not implemented’ error code on your system, something strange is going on.”
User2213 also suggested mounting the system drive on a different PC to see if an incorrect filesystem size or unexpected files come up. This could be an indication of a rootkit. “Unfortunately, there aren’t generic red flags for rootkits in general — the battle is more cat-and-mouse,” the writer noted.
Rootkits’ access to full system privileges makes them incredibly difficult to remove. Schultz and Ray recommend making an image backup and then rebuilding the compromised system using the original installation media; otherwise, the malicious code or unauthorized changes could continue even after the rootkit is “deleted.” Security patches then need to be installed and a vulnerability scan performed.
In sum, the best strategy to deal with rootkit threats is to stop the rootkit from infecting computers in your network through security best practices such as patch management and regular maintenance, and specialized tools such as rootkit scanners and firewalls. Should your computers become infected anyway, you need to rebuild the compromised computer from the ground up to ensure that the rootkit is eradicated.
Looking for More Ways to Keep Your Network Safe? Read Best Enterprise Network Security Tools & Solutions for 2022
NOTE: This article was originally written by Fred Donovan in 2016. It was updated by Zephin Livingston in 2022.