What is a rootkit?GRIDINSOFT TEAM
Rootkit, as you can understand from its name, is a program that grants you low-level control of the infected system. And “low-level” means not surface access but access from the deepest levels possible. While most computer viruses are launched just as the applications, some malware types require access on the driver level or even deeper.
It is important to mention how your PC executes the applications you launch. There are four hierarchical levels, called protection rings, that define the rights that programs have when executed by your CPU. Ones that are placed on the higher ring are not able to inflate the apps on lower rings. Ring 0 is given to the operating system's kernel, Ring 1 - to the hardware drivers, and Ring 2 - to the programs with low-level access permissions. Ring 3 is used by most third-party applications since they don’t need any deep permissions. Implementing malware to the Ring 2 means you have control over all user’s applications; on Ring 1 - almost over all things that happen on the computer.
A rootkit is a program or a pack of tools that allow the person who controls it remotely to access the infected system and control it as it wants. When used solitary, it will still be dangerous but can barely be used to earn money for the victims, as all other viruses do. You can vandalize the infected system, make it malfunction or even not work, but that will not bring you a penny. Until you manage to inject the other, profitable malware.
Rootkit in combination with other viruses
Rootkit malware is extremely useful when you need to give the other viruses the ability to integrate as deep as possible. Having such permissions offers the cybercriminals access to all disks and even the whole network. Sure, such a rough tool is rarely used for attacks on individuals. Attacking the single users with rootkit+other malware is like hunting rabbits on a tank. However, against corporations or other things that use computer networks and data centers, it is just what is needed.
Attacks on corporations are usually backed by spyware, ransomware, or both simultaneously. Rootkit acts like an aperitive for the main course - encrypted files and stolen data. Both may cost corporations millions of dollars, and in case of a confidential information leak you may also expect reputational losses. And all this spree is provided by one little thing that sits deeply in your system and holds the gates open. But how does rootkit work?
How does that work?
All operating systems among contemporary ones are not 100% invulnerable to malware attacks. Even the latest Windows and macOS have certain security flaws - they’re just not uncovered yet. Those which were reported are usually fixed in the nearest updates. Nonetheless, many companies do not keep an eye on the regular system and software updates. Some ask their employees to update their PCs manually - but they will rather make more memes about Windows updates than really update it. Exactly, those breaches are used by rootkits to escalate privileges.
But breaches in operating systems are not so massive and easy to exploit. Most of the vulnerabilities the hackers use are located in third-party applications. MS Azure, Office, and Outlook, almost all Adobe products and apps from different other vendors are full of security flaws that allow the cybercriminals to perform their attacks. Rootkits they use are often created specifically for exploiting the vulnerabilities in certain apps that are in use by the target company. These programs lists, their versions, and all other information that can be useful during the attack are collected during the OSINT operations.
Security breaches are usually the result of a poor or shortsighted software design. These flaws usually give the user the ability to execute the code with higher privileges or to launch certain functions without showing any visible signs. Cyberburglars use such an ability to execute the malicious code with maximum efficiency. When you launch the MS Office macro or open the malicious link in the Adobe document, crooks get this ability and launch the viruses. You can find the list of all detected vulnerabilities on the CVE Mitre website.
Rootkit attack step-by-step
When the rootkit is delivered into a computer in the corporate network, it attempts to use one of the flaws to allow itself the execution on the deepest available level. Such rights then allow crooks to infect all other computers in the network and - what is more important - to brute force the domain controller. Having access to the DC means controlling computers in the network and the server. In the companies where the network is not clustered that may mean paralyzing the whole office. For small companies, that usually means days of idle, offices of large companies may stop for weeks.
Cybercriminals do not create any new things. RDP attacks and bait emails are alpha and omega of all modern malware spreading campaigns, but even in further actions there is nothing new. After the successful launch of the rootkit, crooks then start brute-forcing the domain controller and other computers. Simultaneously, additional malware is downloaded and launched with escalated privileges. Computers in the network become infected, and when the DC falls, crooks launch the spyware and start downloading the data from servers.
The stolen data is the source of additional money for crooks. Personal information of the clients, data about the company's financial stats or production plans - all these things are highly-priced on the Darknet. Unknown doers are even more generous in their bids if there is information about the customers of a particular clinic, insurance company, or cybersecurity firm. However, some companies pay the additional ransom the crooks ask to avoid publishing this info. Sometimes, this "second" ransom reaches the sum of the initial one - for file decryption.
How are rootkits distributed?
As it was mentioned, they are spread through the classic ways of initial payload for the cyberattack. RDP technology is great, but was used too rarely to catch and fix all flaws before the pandemic. But even though all attempts of Microsoft to block these breaches, companies do not hurry to update their software. And hackers only say “thank you” for such a gift. Even more thanks they will give you for the employees who open all attachments to the email messages and allow the macros in Office docs.
When it comes to attacking the individuals (i.e., joking or vandalizing), rootkits are distributed as fix tools for a specific problem, system optimizers, or driver updaters, i.e., pseudo-effective software. Sometimes sly users add them to the repacked Windows version and spread on torrent trackers or elsewhere. Then, they are free to do whatever they want to users who install it on their PCs.
How to stop the rootkit?
It is pretty easy to counteract the thing when you know how that acts, and it is not something unstoppable and out-of-ordinary. Rootkits exploit old and well-known things, as it was shown earlier, so it is quite easy to make your system, or even the whole network, invulnerable to malware injection. I will give you multiple pieces of advice, from preventive to defensive.
Do not let it in
Your workers must be aware of email spamming and other forms of baiting/social engineering. Someone may listen to the information but pay zero attention to it and keep doing dangerous things. But the question there is “why is he/she still not fired?”, not “how to make he/she follow the security rules?”. It is the same as smoking in the room with oxygen containers or rolling the mercury balls on the office floor.
Set up a simple user account for employees
Since Windows Vista, this operating system can ask for the administrator’s password to run the program that asks for the admin’s privileges. People keep using admin’s accounts by inertia, but there is no need. Even though rootkit can still find a way to escalate privileges, it will need not just to escalate the rights of the application it exploits but also the rights of the user’s account. More steps → , more time → , more chances to be stopped.
Use anti-malware software
The ideal case for companies is to have a corporate solution for network protection. It will prevent the malware from spreading through the network and stop its attempts to exploit the security breaches. When you cannot afford it or don’t want to have such a massive thing running in the network, you can create proper malware protection using the anti-malware software. GridinSoft Anti-Malware will fit perfectly for that purpose - without any excessive functions and with proactive protection.
Update the software regularly
Rootkits will be useless when the system does not have any of the known vulnerabilities. Sure, there is still a possibility that crooks will use a 0-day vulnerability. But it is better to have only this risk than to have all flaws available for exploitation + zero-day breaches. Fortunately, nowadays, software vendors offer security patches almost every week. Just keep an eye on it and launch the installation of the update regularly.
Cluster the network
Having your whole network connected to a single Domain Controller is a perfect situation for hackers. Sure, such a network is much easier to administer, but the whole network gets damaged when it comes to cyberattacks. If malware - usually ransomware or spyware - finishes its activity, you cannot use any of the computers in the network. All files are ciphered, credentials are stolen, and ransom notes are everywhere. Your office will be out of the working process, resulting in significant losses. Meanwhile, when you cluster the network, only a part of it is getting out of service in case of attack.
Isolate the servers
Sure, it is much more comfortable to manage the servers sitting at your workplace than to have a glorious walk through the server room, from one stand to another. But the latter is much safer in the case of cyberattacks. For sure, it is important to keep the balance - some prophylactics and new releases deployment may be done remotely. But most of the time, the access to the servers must be restricted or enabled only after entering the password.
How are rootkits detected and removed?
Detection and removal of the rootkits is a thing that requires the use of anti-malware programs. It is impossible to see any signs of its presence before it is too late, and it has many facilities to make itself more sustainable in the attacked system. Their detection, however, also requires a fast reaction. Such a reaction time can be provided with a proactive protection function, allowing the program to check the running processes in the background. That’s why I will recommend you GridinSoft Anti-Malware once again. It has such a function - based on the heuristic engine and neural network. This security tool can effectively counteract the rootkits in the earliest stages of malware infiltration.
Rootkit Scanner & Remover
Protect yourself against rootkit with Gridinsoft Antimalware, the best Rootkit Scanner available. Regain control of your privacy with a rootkit scanner, detector, and remover that's ultra-fast and refreshingly lightweight — and 100% effective.
Frequently Asked Questions
What is a rootkit?
A rootkit is a malicious set of programs capable of gaining access to areas of computer systems that its user has no clearance to reach. Rootkits conceal their presence and activity in the system.
How does rootkit enter the system?
Criminals can install rootkits manually or rely on auto-installation. Hackers can introduce the rootkits into systems via spam mailings and messaging with the mediation of downloader trojans or even without them.
What does rootkit malware do?
It gains access as close as possible to the operating system core using its vulnerabilities. After that, a rootkit can do much harm. It can be used to hide other malware, for example, keyloggers. It can also provide the machine's hard-to-detect involvement in a botnet. But the most troubling capacity of the rootkit is the creation of a backdoor, which virtually allows malefactors to control the infected device.
How grave are the consequences of a rootkit attack?
That depends on the hackers' intentions; however, a rootkit dwelling in the system kernel is already a menace of corrupted and stolen data, an exploited machine (in mining/botnets,) and identity theft as a result of rootkit-protected keylogging.
How to avoid rootkit attack?
It is hard to detect and remove the rootkit if it got past all the defenses and planted itself in the system kernel. In the worst case, you will have only one chance: reinstalling the system. All precautions against other malware are more than valid concerning rootkits. Have an anti-malware program running, perform high vigilance, don't download suspicious attachments, and avoid following unknown links.