What is a Rootkit?
Rootkits are a dangerous type of malware that are incredibly difficult to detect and remove. This article will explore exactly what they are, how they work and what they target, famous examples of rootkits, detection and removal techniques and prevention strategies to help safeguard your system from these malicious threats.
What is a Rootkit?
A Rootkit can be defined as a piece of malware that serves as a toolkit to allow the attackers to access your computer in various ways. It is named for having the most fundamental level of access, or "root" access, and being a kit of tools.
How do rootkits work?
The rootkit essentially opens a backdoor for the attackers to access your machine on a consistent, repeated basis. Essentially this turns your computer into a resource to be used by the attackers as they see fit. They may use this access to install other malware, such as a Keylogger, to attack you and your information, or they may use your computer to attack other computers if there are a lot of other computers on the network, such as in a business environment. The attackers may use the rootkit on one machine to attempt to attack and compromise other machines. Using these techniques, attackers can spread laterally through a network until they locate a target worth focusing on. Because of the low-level access of Rootkits, they can be difficult to remove, which is what the malicious actor is looking for.
What do rootkit attacks target?
Rootkit attacks are both deceptive and complex. They are capable of targeting your device in a number of ways, in order to maximize both disruption and data theft. Here are a few of the most common targets that rootkit attacks hone in on:
- Malware infection: Rootkits will often install malicious software on your device, such as viruses, worms and spyware, that compromise the performance of the target device and expose the privacy of any sensitive information that may be stored on it.
- Removal of files: Rootkits regularly gain access to a system during the login process, or through security vulnerabilities. Once installed, they can execute an array of commands that steal or delete vital files.
- Stealing personal information: The name given to rootkits that capture keystrokes through keyloggers are payload rootkits. They often spread by sending spam emails that contain the rootkit itself. Once opened by the recipient, the rootkit may steal sensitive personal information such as credit card numbers and online banking credentials.
- Changing of settings: Rootkits are very difficult to identify once that have established themselves within a device. This allows them to ensure persistent access by preventing any restarting of the target device, even blocking system reboots. Rootkits typically change security authorization privileges in order to allow ongoing access.
Examples of rootkits
It is clear that rootkits can cause severe damage to both individual devices and entire networks by infiltrating systems to manipulate and steal data. They are notorious for remaining undetected for long periods of time. Here are five notable examples of rootkits that have had major impacts:
1990 Sun Microsystems – the first rootkit
The first rootkit on record was created by Lane Davis and Steve Dake in 1990. It was initially designed to test the cybersecurity of Sun Microsystem's SunOS UNIX Platform, rather than with any malicious intent. This rootkit set the foundations for future rootkit development.
2004 Greek Watergate – Prime Minister's phone hacked
The illegal wiretapping of over 100 government official mobile phones, including the Prime Minister at the time, Kostas Karamanlis, in 2004 widely became known as Greek Watergate. The attackers in question used a rootkit to compromise a Sony Ericsson telephone exchange, which allowed them access to these mobile devices. The rootkit also disabled audit logs, which allowed them to evade detection until an erroneous update exposed the scale of the breach.
2005 Sony Music rootkit installation on CDs
Sony BMG CDs included software known as Extended Copy Protection in 2004. This covertly installed a rootkit on the user's CD which limited their access. Initially discovered by Mark Russinovich, this caused public outrage at the time and led to legal action and recalls across the globe. This is one of the most significant incidents in raising public awareness of the dangers that rootkits can possess.
2012 Flame rootkit – Middle Eastern cyber espionage
Discovered in 20212, Fame was a sophisticated cyber espionage tool that was active mainly in the Middle East. It allowed the attackers to monitor traffic, capture keystrokes and take screenshots of infected devices. This example truly highlights the complexities of rootkits as the infrastructure of Flame utilized 80 servers across three continents!
2019 Scranos – Video player revenue manipulation
Not only did Scranos, which was identified in 2019, steal passwords and financial data, but it also manipulated YouTube's algorithm in order to generate revenue and increase subscriber numbers for certain channels on the video sharing platform. Spread through trojanized downloads, Scranos highlights the commercial motivation behind contemporary rootkits.
Different types of rootkits
Rootkits can vary hugely in their methods of infection and operation. This is how they are classified into different types. The main types of rootkits that you should be aware of are as follows:
Bootloader rootkit
A bootloader rootkit will infect the Master Boot Record (MBR) or Volume Boot Record (VBR) of a hard drive. It subtly replaces the original, default bootloader with a manipulated version that allows the rootkit to activate itself prior to loading of the operating system. Due to its early execution, it can be incredibly difficult to both detect and remove.
Firmware rootkit
Firmware rootkits target the software that is embedded within a system's hardware, including BIOS, network cards and routers. As a result of their residing within the firmware (which is not typically scanned by antivirus software), they can be very difficult to detect. Their ability to persist through operating system reinstallations makes their removal a challenge.
Kernel rootkit
Kernel rootkits operate at the core level of the operating system, which brings with it a multitude of problems as they are able to add, delete or modify system code. They can significantly alter system functionality and evade cybersecurity software with ease.
Memory rootkit
Memory rootkits work within the computer's RAM and execute malicious activities by using system resources. Although they can slow your system down and perform harmful actions while active, they do not persist after a reboot as they are cleared once the system's memory is reset. This makes them one of the easiest types of rootkits to remove.
Application rootkit
As the name suggests, application rootkits will replace genuine application files with malicious versions. They typically target commonly used applications such as Notepad, MS Paint or Microsoft Office, allowing hackers to access the system whenever the application is run. The normal functionality of the application itself often makes it challenging to detect application rootkits.
Virtual rootkit
Virtual rootkits will create a Virtual Machine (VM) that allows it to run the original operating system as a guest. This allows them to intercept hardware calls and carry out malicious actions without modifying the kernel. Because they thrive beneath the operating system, they do not change standard OS operations directly which makes them very difficult to detect.
How to detect rootkit symptoms
As covered throughout the article, rootkits are notorious for being incredibly difficult to detect, by virtue of their design. Although there are no commercially available products that can find and remove all known and unknown rootkits, there are particular tell-tale signs that you can look out for that maya aid detection:
- Antivirus stopping running: If your antivirus software suddenly stops working or is disabled without user input, it may be a sign of a rootkit infection attempting to avoid detection.
- Performance issues: Rootkits, particularly memory rootkits, will consume system resources while you use your device. This can become apparent in a number of ways, including slow startup times, lagging applications and frequent freezes.
- Computer lockups: If your device frequently crashes, this can be a sign of rootkit infection – particularly those that result in the famous blue screen of death, or BSOD.
- Settings changing by themselves: Altered screensavers, hidden taskbars and incorrect date/time displays are all signs that a rootkit may be modifying your system's settings.
- Lots of error screens: Unusual or unexplained error messages may indicate that a rootkit is causing conflicts within the operating system.
- Unusual web browser behavior: Strange behavior within your web browser may suggest that a rootkit is manipulating browser activity. Such behavior includes new bookmarks that you did not add yourself, unexpected pop ups and redirections to unfamiliar websites.
- Web pages not functioning properly: Web pages that fail to load correctly, have functionality issues or experience unusually excessive network traffic could indicate the interference of a rootkit with your internet connection.
How to remove a rootkit
As mentioned on multiple occasions throughout this article, the removal of a rootkit is a complex and challenging procedure. Here are a few key steps to effectively remove a rootkit:
- Back up vital data: Prior attempting the removal of a rootkit, it is imperative that you back up all important data. The removal process can be an unpredictable one as inbuilt defensive measures can cause additional damage.
- Reboot in safe mode: Rootkits will typically attempt to prevent the installation of effective security solutions, or their own removal. You can limit their capabilities by pressing F8 during the Windows boot screen to facilitate safe mode.
- Use multiple rootkit scan tools: Due to variety of rootkit types identified earlier in the article, there is no single scanner or software that can detect all rootkits. A combination of tools will increase the likelihood of detection and removal.
- Freeze remaining malware: Once you have removed the rootkit, remnant malware may persist. Additional security solutions, such as SUPERAntiSpyware's Professional X Edition, should allow you to freeze any remaining malware, enabling further removal processes.
- Reinstall the operating system: It is possible to eliminate the rootkit and restore system integrity by reinstalling your operating system. This is particularly pertinent when it comes to deeply embedded rootkits. It is always strongly recommended to use external media when reinstalling, so that you can avoid reinfection.
- BIOS infection: If the rootkit has infected the BIOS, it is time for more drastic measures to be taken. The BIOS drive may need to be wiped and replaced while you conduct a hard reset of your device. It is not uncommon that the best solution for a BIOS infection is to simply purchase a new device.
- Regular updates: Keeping both your operating system and security software up to date will help to protect against rootkits and other malware. You can potentially patch vulnerabilities exploited by rootkits by conducting regular updates.
How to prevent rootkit attacks
Preventing rootkit attacks requires a comprehensive approach to cybersecurity. The aforementioned difficulties in detecting and removing rootkits make multiple layers of defense absolutely vital. Here are a few necessary strategies for protecting your system from rootkits:
- Use effective antivirus software: Installing a robust and comprehensive antivirus solution such as SUPERAntiSpyware can help to detect and block rootkits prior to the infiltration of your system.
- Continuously update software: Maintaining the relevancy of all your software, including the operating system is crucial in defending your computer from malicious threats, including rootkits. Updates typically include security patches that close vulnerabilities often exploited by rootkits.
- Analyze computer behavior: Ensure that you regularly monitor your device for unusual behavior. Slow performance, settings changes and unexpected crashes can all signal a rootkit infection. Ensure that you refer back to the earlier section on symptoms of rootkit infections and keep your eyes peeled.
- Monitor your network: Use network monitoring tools to detect suspicious activity. Rootkits can often expose themselves when communicating with their control server, displaying high levels of network traffic or unexpected disconnections.
- Be alert to phishing scams: Ensure that you do not open suspicious emails or click on unknown links. Phishing is one of the most common proliferation methods for rootkits.
- Only download files from trusted sources: Ensure that you only ever download software and files from reputable sources. Pirated software or downloads from freeware websites can often carry rootkit infections.
Return to the Malware Glossary page.