Introduction to Rootkits

Rootkits

A rootkit is malware built to hide: it conceals its own files, processes and network connections (and often those of other malware) from the operating system, antivirus software and the user while keeping privileged access to the machine. The name comes from UNIX: "root" is the superuser account, and a rootkit is the "kit" of tools an intruder installs after gaining root so that the access survives and goes unnoticed. A rootkit is therefore usually the payload that follows a compromise rather than the exploit that gains the privileges in the first place.

The first documented rootkits appeared on UNIX systems around 1990 as modified copies of standard utilities such as ls, ps and netstat that omitted the intruder's files and processes from their output. The first Windows rootkit, NTRootkit, was published in 1999.

The Necurs botnet infected millions of systems; its bot was protected by a kernel-mode rootkit driver, and its infrastructure has been linked to some of the most widespread malware campaigns, including Dridex, Gameover Zeus, CryptoWall and CryptoLocker.

Rootkits are usually delivered as part of a blended threat, an attack that chains more than one weakness (a phishing mail, an exploited vulnerability, a privilege escalation) rather than relying on a single one. Within that chain the rootkit itself is typically installed in two stages, by a dropper and a loader.

The dropper is the component that gets the rootkit onto the target. It may arrive as an e-mail attachment, a trojanised installer or a drive-by download, and its only job is to write the rootkit files to disk without being noticed. The loader is the component that then executes the rootkit, usually by exploiting a vulnerability or abusing a privilege it already holds, so that the rootkit runs with system or kernel privileges and can install its hooks.

The whole bundle is referred to as a rootkit because it is a collection of programs (the hiding component plus keyloggers, remote access tools, antivirus disablers and the like) that work together towards one goal: keeping the attacker's access and hiding it. The bundle may also carry components that turn the infected system into a DDoS bot.

There are basically five types of rootkits in general,

  1. Hardware or firmware.
  2. Bootloader.
  3. Memory.
  4. Application.
  5. Kernel mode.
1. Firmware Rootkit

As the name says, this type of rootkit lives in firmware: the code stored in flash memory on the motherboard (BIOS/UEFI), in a hard disk's or SSD's controller, in a network card or in a router. Firmware runs before, or independently of, the operating system, so a rootkit there survives reinstalling the OS and, in the motherboard case, even replacing the disk. A disk-firmware rootkit can silently alter data as it is read from or written to the drive, and a router-firmware rootkit can intercept or redirect every packet that passes through it.

2. Bootloader Rootkit

The bootloader is the small program the firmware runs to load the operating system when the computer is turned on. A bootloader rootkit (a bootkit) replaces or patches the legitimate bootloader, for example the master boot record (MBR) on a BIOS system, so that the attacker's code runs before the OS kernel does. Because it controls the kernel while the kernel is being loaded, it can patch the kernel in memory and disable protections such as driver-signature checks before they are ever active.
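The practical check for a BIOS/MBR bootkit is to keep a known-good copy of the boot sector and compare against it. The following program is an added example, not code from the original article: it parses a 512-byte MBR (440 bytes of boot code, a 4-entry partition table at offset 446 and the 0x55 0xAA signature) and reports which region differs from the baseline. The split matters in practice: a legitimate repartition changes only the table, while a bootkit has to change the code. The MBR_* flag names and the `baseline.bin` file are my own conventions, assumed for the example.

```c
/* Boot-sector baseline check for legacy (BIOS/MBR) boot. Added example, not
 * the article's code: parse a 512-byte master boot record and report which
 * region differs from a known-good copy saved earlier with
 *   dd if=/dev/sda of=baseline.bin bs=512 count=1   (path/file are assumptions) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define MBR_CODE_SIZE   440   /* bytes 0..439: boot code (440..445 hold the disk signature) */
#define MBR_TABLE_OFF   446   /* four 16-byte partition entries */
#define MBR_ENTRY_SIZE  16
#define MBR_SIG_OFF     510   /* 0x55 0xAA boot signature */

enum {
    MBR_CODE_CHANGED  = 1,
    MBR_TABLE_CHANGED = 2,
    MBR_BAD_SIGNATURE = 4
};

struct mbr_part {
    uint8_t  bootable;   /* 0x80 = active */
    uint8_t  type;       /* partition type id, e.g. 0x83 Linux, 0x07 NTFS */
    uint32_t lba_start;
    uint32_t sectors;
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the partition table. Returns -1 if the boot signature is missing. */
int mbr_parse(const uint8_t *mbr, struct mbr_part out[4]) {
    if (mbr[MBR_SIG_OFF] != 0x55 || mbr[MBR_SIG_OFF + 1] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_TABLE_OFF + i * MBR_ENTRY_SIZE;
        out[i].bootable  = e[0];
        out[i].type      = e[4];
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
    }
    return 0;
}

/* Bitwise OR of MBR_* flags describing how `current` differs from `baseline`. */
int mbr_compare(const uint8_t *baseline, const uint8_t *current) {
    int flags = 0;
    if (current[MBR_SIG_OFF] != 0x55 || current[MBR_SIG_OFF + 1] != 0xAA)
        flags |= MBR_BAD_SIGNATURE;
    if (memcmp(baseline, current, MBR_CODE_SIZE) != 0)
        flags |= MBR_CODE_CHANGED;
    if (memcmp(baseline + MBR_TABLE_OFF, current + MBR_TABLE_OFF, 4 * MBR_ENTRY_SIZE) != 0)
        flags |= MBR_TABLE_CHANGED;
    return flags;
}

/* Read exactly one sector from a file or block device (a device needs root). */
int mbr_read(const char *path, uint8_t *buf) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, MBR_SIZE, f);
    fclose(f);
    return n == MBR_SIZE ? 0 : -1;
}

int main(int argc, char **argv) {
    uint8_t base[MBR_SIZE], cur[MBR_SIZE];
    struct mbr_part parts[4];
    if (argc != 3) {
        fprintf(stderr, "usage: %s baseline.bin /dev/sdX\n", argv[0]);
        return 1;
    }
    if (mbr_read(argv[1], base) || mbr_read(argv[2], cur)) {
        perror("read");
        return 1;
    }
    int flags = mbr_compare(base, cur);
    if (flags & MBR_BAD_SIGNATURE) puts("boot signature missing or corrupt");
    if (flags & MBR_CODE_CHANGED)  puts("BOOT CODE CHANGED: possible bootkit, inspect before next boot");
    if (flags & MBR_TABLE_CHANGED) puts("partition table changed (expected only after repartitioning)");
    if (flags == 0)                puts("MBR matches baseline");
    if (mbr_parse(cur, parts) == 0)
        for (int i = 0; i < 4; i++)
            if (parts[i].type)
                printf("  part %d: type 0x%02x lba %u sectors %u%s\n", i, parts[i].type,
                       parts[i].lba_start, parts[i].sectors,
                       parts[i].bootable == 0x80 ? " (active)" : "");
    return (flags & MBR_CODE_CHANGED) ? 2 : 0;
}
```

Two caveats. First, some bootkits (TDL4 is the classic case) hook the disk driver so that reading the MBR from the running system returns the clean original; run the comparison from boot media you trust, not from the possibly infected OS. Second, this covers legacy BIOS boot only; on UEFI systems the equivalent check is the integrity of the boot manager on the EFI system partition, which Secure Boot and measured boot are designed to enforce.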

3. Memory rootkit

This kind of rootkit lives only in the computer's RAM and never writes itself to disk. Because RAM is volatile it does not survive a reboot, which makes it short-lived but also hard to find with disk-based scanning. A reboot alone is not a complete remediation, though: the dropper that placed it there may still be present and reinfect the machine, so that component has to be found and removed as well.

4. Application rootkit

Application rootkits replace or patch ordinary user-level programs and libraries (a document viewer, a media player, or a shared library that every program loads) with modified versions that behave exactly like the originals while quietly handing control of the system to the attacker. Because they run with ordinary user privileges and leave modified files on disk, they are the easiest type to catch with a file-integrity check or an up-to-date antivirus.

5. Kernel mode rootkits

This rootkit targets the core of the operating system (the kernel, hence the name) and runs with the same privileges as the OS itself. It is installed as a device driver or kernel module and hooks the kernel's own data structures and system calls (the system call table, the file system's directory-listing routines), so that every program that asks the kernel for a list of files, processes or connections gets an answer with the attacker's entries removed. From there the attacker can read anything on the machine and capture keystrokes or credentials without the user noticing, and ordinary antivirus running on top of the same kernel sees only what the rootkit lets it see.

SOME OF THE INFAMOUS ATTACKS:

1. The Greek Wiretapping Scandal ("Greek Watergate")

The phones of the Greek prime minister, ministers and senior civil servants on the Vodafone Greece network were tapped in 2004 and 2005 by a rootkit installed on the carrier's Ericsson telephone exchanges. The rootkit hid the fact that the exchange's built-in lawful-intercept feature had been switched on, so the taps ran for months without the operator noticing.

2. Stuxnet

Stuxnet, discovered in 2010, damaged centrifuges at Iran's Natanz uranium enrichment facility. It used a Windows kernel-mode rootkit whose drivers were signed with stolen certificates, and it contained the first known rootkit for programmable logic controllers: it hid its modifications to the Siemens PLC code from the engineering software used to inspect the controllers.

3. Sony BMG Rootkit

In 2005 Sony BMG shipped copy-protection software (XCP) on about 22 million music CDs. Inserting one of these CDs into a Windows PC silently installed a rootkit that modified the operating system to hide the copy-protection files (anything whose name began with $sys$) and to block copying. The hiding mechanism was soon abused by other malware, which could conceal itself simply by using the same file-name prefix.

4. Zacinlo

Zacinlo is an adware family, documented in 2018, whose rootkit driver component lets it evade Windows 10 security features and hide its other components from the user. Most infected machines were in the US.

That said, there are some useful rootkit detection methods:

  • Watch for unusual network traffic from the host. A rootkit can hide a connection from the infected machine's own tools, but not from a separate monitoring point on the network.
  • Cross-view comparison: rootkit hunters compare what the system reports through its normal interfaces (directory listings, the process list) against the same information gathered another way (probing objects by path, reading raw disk structures). An entry that shows up in only one view is being hidden.
  • Scan from outside the running system: boot from clean media and inspect the boot sector, bootloader and system files offline, where an active rootkit cannot filter what the scanner sees. Secure Boot and measured boot help catch bootloader tampering at start-up.
  • Most major security vendors offer free rootkit scanners. Most rely on signatures of known rootkits, and only a few detect unknown variants through behavioural or cross-view checks.
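The cross-view idea is simple enough to implement directly, and doing so makes the application-rootkit and kernel-rootkit descriptions above concrete: both hide processes by filtering directory listings, and both are caught by a view that does not go through the listing. The program below is an added example, not code from the article or from any of the tools listed later. On Linux it takes two views of /proc, one from readdir() and one from stat()-probing every /proc/<pid> up to the kernel's pid_max, and reports PIDs that answer to a direct lookup but are absent from the listing. The constant DEFAULT_PID_MAX is an assumed fallback; the comparison itself (find_hidden) is pure and runs on constructed views.

```c
/* Cross-view process enumeration (added example, not the article's code).
 * View 1 lists /proc with readdir(); view 2 probes /proc/<pid> for every
 * possible PID with stat(). A rootkit that hooks directory listing, whether a
 * user-mode LD_PRELOAD hook or a kernel getdents hook, removes its processes
 * from view 1, but a direct path lookup still succeeds. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define DEFAULT_PID_MAX 32768   /* assumed fallback if /proc/sys/kernel/pid_max is unreadable */

/* True if the name is a decimal number, i.e. a /proc/<pid> entry rather than
 * something like "self" or "sys". */
int is_pid_name(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Read the kernel's pid_max so the probe covers the whole PID space. */
int read_pid_max(void) {
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    int v = DEFAULT_PID_MAX;
    if (f) {
        if (fscanf(f, "%d", &v) != 1 || v < 1) v = DEFAULT_PID_MAX;
        fclose(f);
    }
    return v;
}

/* View 1: PIDs as a directory listing reports them. seen[] has max_pid+1 slots. */
int view_readdir(unsigned char *seen, int max_pid) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    int count = 0;
    while ((e = readdir(d)) != NULL) {
        if (!is_pid_name(e->d_name)) continue;
        long pid = strtol(e->d_name, NULL, 10);
        if (pid >= 1 && pid <= max_pid && !seen[pid]) { seen[pid] = 1; count++; }
    }
    closedir(d);
    return count;
}

/* View 2: PIDs that answer to a direct stat() of /proc/<pid>. */
int view_probe(unsigned char *seen, int max_pid) {
    char path[64];
    struct stat st;
    int count = 0;
    for (int pid = 1; pid <= max_pid; pid++) {
        snprintf(path, sizeof path, "/proc/%d", pid);
        if (stat(path, &st) == 0) { seen[pid] = 1; count++; }
    }
    return count;
}

/* PIDs present in the probe view but missing from the listing view. Fills
 * hidden[] with up to cap entries and returns the total number found. */
int find_hidden(const unsigned char *listed, const unsigned char *probed,
                int max_pid, int *hidden, int cap) {
    int n = 0;
    for (int pid = 1; pid <= max_pid; pid++) {
        if (probed[pid] && !listed[pid]) {
            if (n < cap) hidden[n] = pid;
            n++;
        }
    }
    return n;
}

int main(void) {
    int max_pid = read_pid_max();
    unsigned char *listed = calloc((size_t)max_pid + 1, 1);
    unsigned char *probed = calloc((size_t)max_pid + 1, 1);
    int hidden[64];
    if (!listed || !probed) return 1;
    /* The two views are taken at different moments, so a process that starts or
     * exits in between shows up in only one of them. Treat a single hit as a
     * lead, rerun, and trust only PIDs flagged on every pass. */
    int listed_n = view_readdir(listed, max_pid);
    if (listed_n < 0) { perror("opendir /proc"); return 1; }
    int probed_n = view_probe(probed, max_pid);
    int n = find_hidden(listed, probed, max_pid, hidden, 64);
    printf("readdir view: %d PIDs, probe view: %d PIDs, hidden: %d\n", listed_n, probed_n, n);
    for (int i = 0; i < n && i < 64; i++)
        printf("  PID %d is reachable by path but absent from the listing\n", hidden[i]);
    free(listed);
    free(probed);
    return n ? 2 : 0;
}
```

The limitation is the one the section already hints at: a kernel-mode rootkit that also hooks path lookup will hide from both of these views, because both go through the same kernel. That is why serious rootkit hunters add views that bypass the kernel's normal interfaces entirely (raw disk reads, memory images, a scan from boot media), and why a hit from a network monitoring point that the host cannot influence is so valuable.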

HOW TO STAY PROTECTED?

Since rootkits are dangerous and difficult to detect and remove, prevention matters more than cleanup. The single most effective measure is to stay updated.

  • Keep the OS, antivirus and other applications updated. A rootkit's loader usually needs an unpatched vulnerability to gain kernel or system privileges, so every patch applied is one less way in. People tend to postpone updates because they seem annoying, are large or take time, and that delay is exactly the window attackers rely on.
  • Phishing e-mails are the most common delivery route when an organisation or a specific person is targeted (spear phishing). Do not open attachments or follow links from unknown or unexpected senders.
  • Avoid downloading files from untrusted websites, and be aware that a site hosting a drive-by download installs malware with no action from the user beyond visiting the page; a patched browser and plugins are the main defence against this.

SOME OF THE USEFUL ROOTKIT HUNTING TOOLS:

  1. Avast aswMBR: http://public.avast.com/~gmerek/aswMBR.htm
  2. BitDefender Rootkit Remover: https://labs.bitdefender.com/2013/02/rootkit-remover/
  3. Emsisoft Emergency Kit: https://www.emsisoft.com/en/home/emergencykit/
  4. GMER: http://www.gmer.net/
  5. Kaspersky TDSSKiller: https://usa.kaspersky.com/downloads/tdsskiller

Written By: D.Hari Haran

Reviewed By: Sayan Chatterjee
