Rootkits

A rootkit is a software system consisting of one program or a combination of several programs designed to hide or obscure the fact that a computer system has been compromised. Contrary to what its name implies, a rootkit does not grant administrator access; it requires prior privileged access in order to execute and to tamper with security files and processes.

A hacker may use a rootkit to replace vital system executables, which can then be used to hide processes and files the hacker has installed, along with the presence of the rootkit itself. A rootkit is intended to seize control of the operating system. Typically, rootkits obscure their presence on the system by subverting or evading the operating system’s standard security mechanisms.

Often they are Trojans as well, fooling users into believing they are safe to run on their systems. Rootkits may also install a “backdoor” in a system by replacing the login mechanism with an executable that accepts a secret login combination, which in turn allows an attacker to access the system regardless of changes to the actual accounts on the system.

Fundamentally, rootkits let an otherwise standard user perform tasks requiring admin rights, including but not limited to installing all sorts of software applications onto the targeted computer. Due to their stealthy nature, rootkits are able not only to conceal their own presence on the PC but also to draw a veil over any program installed with their help. These capabilities make rootkits an effective means of smuggling malicious software into computer systems. The implications range from simple eavesdropping or monitoring to remote code execution and even ensnaring the host PC into a botnet.

Landing on the PC

While getting a rootkit onto your PC may be child’s play for a hacker, actually installing it requires administrator rights. To gain privileged access, the attacker will need to take advantage of existing software vulnerabilities. Should this fail to yield results, they may try to obtain your administrator password instead, either by launching a brute-force attack or by deploying social engineering tricks such as phishing. Should the attack bear fruit, the intruder will be able to manage your entire PC, which removes every barrier to a rootkit installation as well.

Symptoms

In spite of their secretive nature, rootkits still leave a trail of footprints indicative of an infection. So, whenever your system experiences

  • anti-malware program crashes,
  • abnormally high network traffic in idle mode,
  • sudden changes in your OS settings, or
  • freezing USB input devices,

there is ample room for concern that a rootkit infection is under way.

Consequences

Once a rootkit has infiltrated your PC, it is likely to remain firmly planted there. Moreover, it has a good chance of lingering on for weeks, months, or even years because rootkits are inherently hard to detect. They may be configured to target various parts of a computer system: some affect system memory, others attack the firmware, and still others reach as far as the kernel itself. Each rootkit type requires a different detection technique and is subject to a different removal procedure. What is more, the rootkit itself may, and most probably will, impede detection by subverting the anti-virus software designed to catch it (yes, rootkits are capable of doing that). Last but not least, rootkits can be configured not only to pave the way for backdoor attacks but also to conceal the malware’s existence afterwards.

Removal

Rootkits’ dogged persistence and robust self-defense mechanisms can turn pretty much any removal attempt into an arduous task. Nevertheless, removing a rootkit is possible, as long as you employ the right method. The table below outlines the three main rootkit types and their corresponding removal methods:

Rootkit Type         Removal Method
Memory Rootkits      Signature scan and memory dump analysis
Kernel Rootkits      New clean OS installation
Firmware Rootkits    Hardware replacement

Memory-resident rootkits are best identified via a so-called memory dump, a snapshot of the system’s memory contents that is examined for anomalies; it provides a detailed picture of the computer’s state before any crash or failure. Kernel rootkits, on the other hand, get to the very heart of the operating system by modifying the kernel. As a result, they become an integral part of the OS, load together with it during startup, and are fully capable of suppressing any system call, process, or data that might expose them to the user. Finally, firmware-tailored rootkits may go as far as damaging your main hardware and peripheral equipment beyond repair, forcing you to shell out good money on replacements.
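To make the process-hiding behaviour concrete from the defender’s side, here is an added example (not code from the original article) of a cross-view check: it compares the process list obtained by enumerating /proc with one obtained by probing each /proc/<pid> directly, because a rootkit that filters directory listings often leaves direct lookups intact. It assumes a Linux host; the function names and the 32768 default PID ceiling are constructed for this example.

```python
import os
import re
import sys

PROC = "/proc"
PID_RE = re.compile(r"^\d+$")

def pids_from_listing():
    """View 1: IDs visible by enumerating /proc, the view ps relies on.
    Thread IDs from /proc/<pid>/task are included because a non-leader
    thread's /proc/<tid> exists but is never listed by readdir(); without
    this step every thread would be flagged as a hidden process."""
    visible = set()
    for name in os.listdir(PROC):
        if not PID_RE.match(name):
            continue
        visible.add(int(name))
        try:
            visible.update(int(t) for t in os.listdir(f"{PROC}/{name}/task"))
        except OSError:
            pass  # process exited between the two listings
    return visible

def pids_from_probing(max_pid=32768):
    """View 2: IDs found by probing /proc/<pid> directly. A rootkit that
    filters readdir() results usually leaves direct path lookups working.
    max_pid is a constructed default; read /proc/sys/kernel/pid_max for
    the real ceiling (4194304 on most 64-bit kernels)."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(f"{PROC}/{pid}")}

def find_hidden(listed, probed):
    """IDs present in the probe view but missing from the listing view."""
    return sorted(probed - listed)

def scan():
    """Run both views, then re-check candidates to drop processes that
    started between the two passes (a benign race, not a rootkit)."""
    candidates = find_hidden(pids_from_listing(), pids_from_probing())
    still_listed = pids_from_listing()
    return [p for p in candidates
            if p not in still_listed and os.path.exists(f"{PROC}/{p}")]

if __name__ == "__main__":
    hidden = scan()
    print("hidden process candidates:", hidden or "none")
    sys.exit(1 if hidden else 0)
```

A non-empty result is a lead for memory-dump analysis, not proof on its own; run it from a trusted boot medium if the host kernel itself is suspect.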

Also, many anti-malware vendors have already integrated specialized rootkit scanners into their products. For the time being, however, security researchers hold that the most reliable way to neutralize a rootkit infection is to install a clean OS image.

Most Trending Rootkits in the Last 2 Weeks

# Threat Name Severity Level Alias(es) Detections
1. NTOSKRNL-HOOK
2. Win32:Rootkit-gen
3. Fire Chili Rootkit
4. WINNKIT
5. PoorTry/BurntCigar
6. Reptile Rootkit
7. Melofee Malware
8. Rootkit.Agent/Gen-Local

Last updated: 2024-12-08

Rootkits List

Threat Name                     Severity Level    Detections
BackDoor-Spyeye!rootkit
BDS/ZAccess.AL                  20 % (Normal)     0
BDS/ZAccess.V                   20 % (Normal)     8,413
Bootkitty Malware
Crisis                          20 % (Normal)     0
Facefish Backdoor
Fire Chili Rootkit
FontOnLake Malware
Gen.Rootkit
Generic Rootkit.ej
Generic Rootkit.g               60 % (Medium)     0
Hack Tool.HOC
iLOBleed Rootkit
LoJax
Mal/ZAccess-D                   100 % (High)      1
MBR:Alureon-K [Rtk]
MBR:Alureon-L                   100 % (High)      0
Mebroot
Melofee Malware
Moriya Rootkit
MosaicRegressor
NTOSKRNL-HOOK
Perkiler Malware Description
Phase Bot                       80 % (High)       2
Podnuha!sd6