Dangers Associated With Rootkit Infections

What is a rootkit?  

A rootkit is a software that enables cybercriminals to gain access and control the target’s device or network. Rootkits sometimes appear as a single piece of software; however, they are usually composed of a number of tools that enable the hacker to gain control of the target’s device.  

Rootkits gain the ability to perform commands on the infected device due to their operating location, which is either near or within the kernel of the operating system.   

Methods utilised by hackers to install rootkits onto the target machine: 

• Phishing (the most common method) – In which the targets inadvertently download the malware. Once downloaded, the malware remains hidden among other programs running, giving the hackers control over the system.  
• Exploiting a vulnerability – by exploiting an unpatched vulnerability which could have been avoided by regular updates. 
• Tricking the victim into opening file attachments – This attachments could be infected PDFs, pirated media or apps downloaded from unsafe sources.  

Uses of rootkits   

The purposes behind using rootkits include the following: 

• To hide keyloggers – which make it easier for criminals to monitor and steal your personal data  
• To allow hackers to execute a DDoS attack, send spam emails and even disable security software 

Rootkits can also be operated for legitimate purposes for example, administering remote IT support or helping law enforcement. For the majority of uses however, rootkits are operated for malicious purposes.  

Types of Rootkits 

1. Hardware rootkit  

Affects the hard drive, the router, or the system’s BIOS (software stored on a small memory chip as part of your computer’s motherboard). Hardware rootkits do not affect the operating system and instead, they affect your hardware to enable hackers to record your keystrokes and spy on their targets. It is a less common type of rootkit however it is characterised as severe in terms of threat level.  

2. Bootloader rootkit  

The bootloader system loads the operating system onto your device and if infected, your device’s bootloader is replaced with the infected one.  The rootkit is executed before your device’s operating system is completely loaded.  

3. Memory rootkit  

Memory rootkits remain concealed in your device’s random-access memory (RAM) and steal your device’s resources to execute malicious commands in the background. These types of rootkits are not coded permanently onto the device and will therefore disappear when your device is rebooted. Memory rootkits are not a serious threat. 

4. Application rootkit 

These rootkits replace stored files in your computer with rootkit files and infect software such as Microsoft Office, Notepad or Paint. Each time a victim runs a program that falls into the umbrella of these software, hackers gain access to your system. Detection is difficult as the infected programs appear as functioning properly. As these rootkits perform on the application layer, they are detectable to anti-virus programs.  

5. Kernel mode rootkits   

These rootkits directly affect your operating system at kernel level, hence the threat rating of these is severe. If enabled, hackers can change the functionality of your system in addition to accessing your data and files.  

6. Virtual rootkits  

Virtual rootkits load under the computer’s operating system which then presents the infected operating system as a virtual machine. This leads to the rootkit being able to hijack hardware demands from the original operating system. These rootkits do not change the kernel however are very difficult to identify. 

Signs of a rootkit infection 

Signs that your device has been infected with a rootkit malware: 

• Numerous error messages and repeated blue screens. 
• Strange activity when using web browsers which can include link direction or unrecognised bookmarks. 
• Continuous freezing or unusually slow running of programs. 
• Change of setting – for example, a different screensaver. 
• Poor performance of web browsers due to increased network traffic.  

A further in-depth guide to detecting rootkits can be found here](https://helpdeskgeek.com/windows-10/how-to-detect-rootkits-in-windows-10-in-depth-guide/). 

Defending against rootkits 

Prevention is the key method for maintaining a safe, secure operating system and taking the following methods will help prevent your device from becoming infected with a with a rootkit malware.   

Regular updates  

Making sure that your system is regularly updated will ensure that detected vulnerabilities will be patched, preventing your system from being exploited by hackers.  

Be careful of phishing tactics  

Phishing emails are designed to elicit a response from you for example, clicking on a provided link or attachment. If these attachments or links are clicked, rootkit malware may be downloaded onto your computer, sometimes under the disguise of a legitimate download. 

Be aware of drive-by downloads 

Drive-by downloads occur when you get directed to a website which automatically downloads malware to your device despite you not clicking or downloading anything from the site. Legitimate sites can also be infected with malicious codes, initiating malware downloads when visited.  

A good defence against this is to make sure that your operating system, web browsers and applications are all installed with the latest updates to make sure that that detected vulnerabilities are patched with the released protections.  

By wary of files from unrecognised sources  

Do not click on links or attachments sent from unrecognisable sources as these could initiate a drive-by download. The better option is to delete any unsolicited emails with an unknown sender immediately. If the sender is known but the email is unsolicited, call the sender to make sure. 

Removing rootkits   

Depending on the type of rootkit, these malwares are very difficult to detect and remove. In some cases, mainstream cyber security firms are able to detect and remove them from the affected system however in some cases, it may be required for the operating system to be rebooted completely.  

Removing rootkits from Windows  

Removal for systems that use Windows typically involve running scans. If the infection is severe then Windows will need to be reinstalled. In this case, it is better to do this using an external media device rather than the Windows installer. Some rootkits damage the BIOS (used for hardware initialization during the booting process) which will require a repair to fix. In the case that another rootkit infection occurs post repair, a new device may be required.  

Removing rootkits from Mac 

Mac updates can remove malware, including rootkits. Currently there are no known rootkit detectors embedded to macOS however in the case that you suspect your system has been compromised with one, reinstalling macOS will remove most apps and rootkits. If the BIOS has been affected by the rootkit, a repair is required and in the case that the rootkit infection remains or occurs again post repair, a new device will be needed to be purchased. 

How can Securiwiser help? 

Our aim is to also ensure that our clients (whether they are individual users or business owners) are confident in their knowledge about various cyber threats that their businesses and operating systems may face. This includes increasing trends and frequencies of certain threats and protection and prevention methods that are cost effective and time saving.   

Business owners, employees and the general users may forget to conduct regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.   

Securiwiser can conduct regular scans for your system and provide the exact details of found vulnerabilities or compromises. We can further explain these vulnerabilities in detail to our clients and provide the best course of action that will save your business time and money.