What is a Rootkit?

A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence.

The term rootkit is a combination of the two words “root” and “kit.” Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the administrator account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms and viruses – that conceals its existence and actions from users and other system processes.

What Can a Rootkit Do?

A rootkit allows someone to maintain command and control over a computer without the computer’s user or owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate owner’s usage. In short, once they have gained unauthorized access to computers, rootkits enable cybercriminals to steal personal data and financial information, install malware, or use computers as part of a botnet to circulate spam and participate in DDoS (distributed denial of service) attacks.

Rootkit Detection

It’s difficult to detect rootkits. There are no commercial products available that can find and remove all known and unknown rootkits. There are various ways to look for a rootkit on an infected machine. Detection methods include behavior-based methods (e.g., looking for strange behavior on a computer system), signature scanning and memory dump analysis. Often, the only option to remove a rootkit is to completely rebuild the compromised system.
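One behavior-based technique is a cross-view check: ask the system the same question two independent ways and look for disagreement. The example below (added here, not code from the original post) lists PIDs from /proc and separately probes each PID with a zero signal; a process that answers the probe but is missing from the listing is a sign that something is filtering what /proc reports. It assumes a Linux host, and the PID range and snapshot logic are this example’s own choices.

```python
import os

def detect_hidden(listed, alive):
    """Pure cross-view comparison: PIDs that answer the kill(pid, 0)
    probe but do not appear in the /proc directory listing."""
    return set(alive) - set(listed)

def list_proc_pids():
    """View 1: process IDs as reported by the /proc directory listing,
    the view a process-hiding rootkit typically filters."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probe_alive_pids(max_pid):
    """View 2: kill(pid, 0) delivers no signal but reports whether the PID
    exists; EPERM means it exists but belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue          # no such process
        except PermissionError:
            alive.add(pid)    # exists, owned by someone else
    return alive

def is_thread_of_listed(pid, listed):
    """Thread IDs also answer kill() but are never listed at the top of
    /proc; they are benign when their group leader (Tgid) is listed."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) in listed
    except OSError:
        return False          # status unreadable: keep it flagged
    return False

def cross_view_scan(max_pid=None):
    """Snapshot /proc before and after the probe so a process that starts
    or exits during the scan is not reported as hidden."""
    if not os.path.isdir("/proc"):
        return set()          # not a Linux-style /proc host; nothing to compare
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = list_proc_pids()
    alive = probe_alive_pids(max_pid)
    listed = before | list_proc_pids()
    suspects = detect_hidden(listed, alive)
    return {p for p in suspects if not is_thread_of_listed(p, listed)}

if __name__ == "__main__":
    print("PIDs hidden from /proc:", sorted(cross_view_scan()) or "none")
```

A rootkit that also hooks the probe path will pass this check, which is why the text above recommends combining several methods rather than trusting one view.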

Rootkit Protection

Many rootkits penetrate computer systems by piggybacking on software you trust or on a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities. This includes patches for your OS and applications, and up-to-date virus definitions. Don’t accept files or open email attachments from unknown sources. Be careful when installing software and carefully read the end-user license agreements.

Types of Rootkits

  • Hardware or firmware rootkit. Hardware or firmware rootkits can affect your hard drive, your router, or your system’s BIOS, which is the software installed on a small memory chip on your computer’s motherboard. Instead of targeting your operating system, they target the firmware of your device to install malware that is difficult to detect. Because they affect hardware, they allow hackers to log your keystrokes as well as monitor online activity. Although less common than other types, hardware or firmware rootkits are a severe threat to online safety.
  • Bootloader rootkit. The bootloader mechanism is responsible for loading the operating system on a computer. Bootloader rootkits attack this system, replacing your computer’s legitimate bootloader with a hacked one. This activates the rootkit even before your computer’s operating system is fully loaded.
  • Memory rootkit. Memory rootkits hide in your computer’s random-access memory (RAM) and use your computer’s resources to carry out malicious activities in the background. Memory rootkits affect your computer’s RAM performance. Because they only live in your computer’s RAM and don’t inject permanent code, memory rootkits disappear as soon as you reboot the system – though sometimes further work is needed to get rid of them. Their short lifespan means they tend not to be perceived as a significant threat.
  • Application rootkit. Application rootkits replace standard files in your computer with rootkit files and may even change the way standard applications work. These rootkits infect programs like Microsoft Office, Notepad, or Paint. Attackers can obtain access to your computer every time you run those programs. Because the infected programs still run normally, rootkit detection is difficult for users – but antivirus programs can detect them since they both operate on the application layer.
  • Kernel mode rootkits. Kernel mode rootkits are among the most severe types of this threat as they target the very core of your operating system (i.e., the kernel level). Hackers use them not only to access the files on your computer but also to change the functionality of your operating system by adding their own code.
  • Virtual rootkits. A virtual rootkit loads itself underneath the computer’s operating system. It then hosts the target operating systems as a virtual machine, which allows it to intercept hardware calls made by the original operating system. This type of rootkit does not have to modify the kernel to subvert the operating system and can be very difficult to detect.

Well-Known Rootkit Examples

  • Lane Davis and Steven Dake – wrote the earliest known rootkit in the early 1990s.
  • NTRootkit – one of the first malicious rootkits targeted at Windows OS.
  • HackerDefender – this early Trojan altered/augmented the OS at a very low level of function calls.
  • Machiavelli – the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads.
  • Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson’s AXE PBX.
  • Zeus – first identified in July 2007, a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing.
  • Stuxnet – the first known rootkit for industrial control systems.
  • Flame – a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic.

The End of this Post

Credits: Veracode & Kaspersky & Google Images

Thank you for reading this. I hope you enjoyed! Take a look at other posts.


Vasic

CTF Player | Penetration Tester | Ethical Hacker