Rootkits

A rootkit is a type of malware designed to give an attacker persistent, privileged access to a computer while hiding its own presence. The name joins "root" (the superuser account on Unix-like systems, the equivalent of Administrator on Windows) and "kit" (a collection of tools): originally it meant a set of modified system programs that kept root access on a compromised machine, or a network, after the initial break-in.

Rootkits are now commonly bundled with other malware, such as trojans, worms and viruses, to hide that malware's presence and activity from the user and from the system's own tools.



About RootKits


What can a rootkit do and how does it work?

What is a rootkit capable of?

Rootkits are dangerous both for the damage they can cause and for how hard they are to remove. By design a rootkit stays hidden while active, giving the attacker remote control of the computer while the user remains unaware. What it does depends on the tools bundled in the "kit": stealing data such as passwords, credit card numbers and online banking credentials; disabling or blinding security software; installing a keylogger that records every keystroke the user types. Because it can conceal itself even from security software, a rootkit can live on a computer long enough to cause significant damage.



How does a rootkit work?



There are many kinds of rootkits, but the most common fall into five categories, according to the layer of the system they take over:

  • Hardware or firmware rootkit

    This kind of rootkit lives in firmware: the hard drive's controller firmware, the computer's BIOS or UEFI (the firmware stored on the motherboard that runs before the operating system), or a router. It can intercept data as it is written to the disk, or, when the router is infected, sit in the middle of all traffic passing through it. Because it sits below the operating system, it survives reinstalling the OS and is among the most persistent and hardest to remove.

  • Bootloader rootkit

    As the name suggests, this kind of rootkit (also called a bootkit) infects the bootloader, the small program that loads the operating system at startup, typically by overwriting the boot records on disk, such as the Master Boot Record (MBR). Code in the boot record runs before the operating system and before any security software, so a few lines there are enough to compromise the whole system: the infected bootloader replaces or patches the legitimate one and tampers with the operating system as it loads. This gives the attacker control of the computer before the operating system has even started. Because it lives in the boot records rather than in ordinary files, it usually escapes detection, since most security software does not examine boot records when scanning for malware. UEFI Secure Boot, which checks the bootloader's signature before running it, exists to block exactly this kind of tampering.

  • Memory rootkit

    A memory rootkit lives only in RAM and does its work from there, usually consuming a noticeable share of the computer's resources. A user may notice it as an unexplained slowdown caused by heavy memory use. Because it is never written to disk, removing it is usually easy: rebooting clears RAM and the rootkit with it. There are, however, cases where a reboot alone is not enough.

  • Application rootkit

    Application rootkits replace standard program files on the computer with their own versions, which can also change how those programs behave. The files most often replaced are the utilities that ship with the operating system, such as Paint or Notepad, or programs found on almost every computer, such as an office suite. On Unix systems the classic targets are the commands used to inspect the system, such as ls, ps and netstat, so that the attacker's files, processes and connections simply do not appear. This kind of rootkit is hard for a user to notice, because the replaced programs still appear to work normally, but it hands the attacker access to the computer every time one of the infected programs is started.
    This type of rootkit is also called a user-mode rootkit, because it runs with the privileges of an ordinary program rather than inside the operating system.

  • Kernel mode rootkit

    Like application rootkits, these replace or modify files on the computer, but the files they target belong to the operating system itself: the kernel and its drivers or loadable modules. Running with kernel privileges, they can change how the operating system works, add functionality, remove other functionality, and automatically download, upload and even install other malicious programs. Because every program, including security software, relies on the kernel to read files and list processes, a kernel-mode rootkit can lie to all of them at once, which makes it both the most powerful kind and the hardest to detect from inside the running system.
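The common thread in the categories above is that the rootkit controls the view the system offers of itself, while the kernel still has to keep the hidden process around to run it. The script below is an added example, not code from the original article, showing the cross-view check that follows from this: it takes the list of processes that tools such as ps see (the numeric entries under /proc) and compares it with the set of PIDs the kernel admits exist when asked directly with kill(pid, 0). It assumes Linux with a normal /proc mount (no hidepid option); the function and variable names are my own.

```python
"""Cross-view check for hidden processes on Linux.

Added example, not code from the original article. The "listed" view is what
ps and similar tools use (numeric directory names under /proc); the "probed"
view asks the kernel about every candidate PID with kill(pid, 0). A user-mode
rootkit that filters directory listings, or a kernel rootkit that unlinks a
task from the process list, leaves a PID in the second view that is absent
from the first.
"""
import os


def listed_pids(proc="/proc"):
    """PIDs as ordinary tools see them: numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists(pid):
    """Ask the kernel whether a PID exists without going through /proc.

    Signal 0 delivers nothing but still performs the kernel's lookup:
    ProcessLookupError means no such process, PermissionError means the
    process exists but belongs to another user.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(pid_max=None):
    """Brute-force the PID space 1..pid_max with kill(pid, 0).

    pid_max defaults to the kernel's /proc/sys/kernel/pid_max. A smaller
    value gives a quick partial scan but would miss a process with a higher
    PID, so use the default for a real check.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1) if pid_exists(pid)}


def find_hidden(listed, probed):
    """PIDs the kernel confirms exist but that are missing from the listing."""
    return probed - listed


def is_thread(pid, proc="/proc"):
    """True if pid is a thread ID rather than a process ID.

    Threads answer kill(tid, 0) but are not listed in /proc, so without this
    check every multithreaded program would look like a hidden process.
    /proc/<tid>/status still resolves by path and reports the owning Tgid.
    """
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False  # no /proc entry at all: nothing here excuses the PID
    return False


def scan_hidden_pids(pid_max=None, proc="/proc"):
    """Take both views, then re-check each candidate to discard threads and
    processes that merely exited between the two snapshots."""
    probed = probed_pids(pid_max)  # probe first: a process started later is
    listed = listed_pids(proc)     # then in neither view, not a candidate
    confirmed = set()
    for pid in find_hidden(listed, probed):
        if not is_thread(pid, proc) and pid_exists(pid):
            confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    hidden = scan_hidden_pids()
    if hidden:
        print("PIDs known to the kernel but missing from /proc:", sorted(hidden))
    else:
        print("no hidden processes found")
```

A hit from this check is worth investigating but is not proof on its own: a /proc mounted with hidepid hides other users' processes legitimately, and a kernel-mode rootkit that also intercepts the kill system call can make the probed view lie too. A full scan of the default pid_max takes a few seconds in Python; the same idea, applied to files and network sockets, is what tools such as unhide and rkhunter implement.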



Sanity Checks


How does one avoid rootkits?

A computer that slows down for no apparent reason, or that shows anomalies such as the blue screen of death, may be infected with a rootkit, often following a successful phishing attack. These symptoms are not specific, however: a well-written rootkit produces none of them, so their absence proves nothing.
The following tips help protect a computer from rootkits:

  • Keep software updated. Updates close the security holes through which rootkits are installed.
  • Watch out for phishing e-mails.
  • Pay attention to which websites you browse. Some can download malware to your PC automatically.
  • Don't download files from websites you don't trust, and don't open files sent by people you don't know.
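Prevention tips aside, the check a practitioner wants against the application rootkits described earlier (replaced ls, ps, Notepad, office binaries) is a file-integrity baseline: record a hash of every program file while the system is known clean, and compare later. The script below is an added example, not code from the original article, and its file names ("ls", "ps", "dropper") and directory layout are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for program files.

Added example, not code from the original article. It records a SHA-256
hash, size and permission bits for every regular file under a directory,
then reports what changed later. Modification time is deliberately ignored:
an attacker who replaces a binary can set its mtime back with touch, but
cannot make the replacement hash to the original value.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its hash, size and mode.

    Symlinks are recorded by their target rather than followed, so a link
    redirected to an attacker's copy elsewhere on disk shows up as modified.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = {"symlink": os.readlink(full)}
            elif os.path.isfile(full):
                st = os.stat(full)
                manifest[rel] = {
                    "sha256": sha256_file(full),
                    "size": st.st_size,
                    "mode": st.st_mode & 0o7777,
                }
    return manifest


def compare_manifests(baseline, current):
    """Files whose hash, size, mode or link target changed, plus files added
    or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_manifest(manifest, path):
    """Write the baseline as JSON. Keep this copy off the host or signed:
    a baseline the attacker can edit proves nothing."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario in a temporary directory: a fake bin directory
    where 'ps' is replaced by a trojaned copy of the same size with its mtime
    set back, and a new file appears. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, content in {"ls": b"original ls", "ps": b"original ps"}.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(content)
        baseline_path = os.path.join(root, "baseline.json")
        save_manifest(build_manifest(bindir), baseline_path)

        ps_path = os.path.join(bindir, "ps")
        old_stat = os.stat(ps_path)
        with open(ps_path, "wb") as f:
            f.write(b"trojaned ps")  # same length as the original: size alone would not catch it
        os.utime(ps_path, ns=(old_stat.st_atime_ns, old_stat.st_mtime_ns))  # hide it from ls -l
        with open(os.path.join(bindir, "dropper"), "wb") as f:
            f.write(b"new file")

        return compare_manifests(load_manifest(baseline_path), build_manifest(bindir))


if __name__ == "__main__":
    print(demo())
```

The check only sees what the kernel shows it, which ties back to the kernel-mode rootkit category: a rootkit that intercepts file reads can hand the original bytes to the hashing tool and the trojaned bytes to everyone else. For a trustworthy result, build the baseline while the system is known clean, store it off the host, and run the comparison from trusted boot media rather than from inside the possibly compromised operating system. Package managers offer the same comparison against their own records (for example rpm -V on RPM-based systems and debsums on Debian), subject to the same caveat.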



Edoardo Salvioni
