How to Fight Rootkits

Security professionals and enthusiasts are familiar with rootkits, but general audiences typically don't know about this kind of malware, which is specifically designed to hide itself and its activity on an infected system. The threat is well worth public awareness, because there is a real chance you will meet this malware at some point. Cybercriminals are constantly developing new methods to steal your data and actively sell those methods to each other.


The ability to hide itself allows this type of malware to live on the victim's system for months and sometimes even years, letting an attacker use the computer for any purpose. Even if a computer contains no valuable information, which is unlikely, it can still be used for mining cryptocurrency, sending spam and participating in DDoS attacks. Rootkit functionality lets attackers hide malicious activity not only from the built-in OS monitoring tools but from antivirus and firewall sensors as well. That is why we suggest checking whether your antivirus or internet security product has an anti-rootkit function, and how effective it is.


What makes a rootkit invisible? It is not complicated: the malware embeds its code deep in the operating system and intercepts (hooks) the standard requests for reading files, obtaining the list of running processes and so on. The rootkit services such a request itself and strips out every mention of its own files, processes and other traces before handing the result back. Other techniques are used as well: a rootkit can inject code into a legitimate process and do its dirty work from that process's memory. This keeps it invisible to less advanced antivirus products, which operate at the level of high-level OS requests and don't look deeper into the OS or into the low-level structures on disk. If an antivirus does manage to detect a rootkit, the malware may try to deactivate the protection and delete critical antivirus components. Some of the craftier rootkits even use a bait technique: they plant a special file intended to be detected by the antivirus, and as soon as the antivirus accesses that file the rootkit attempts to shut the antivirus down and prevent it from running again.

How can you stop this mess? First of all, to detect suspicious activity your antivirus must monitor critical system files at a low level, so that it catches malware trying to modify the disk behind the OS's back. It is possible to find new rootkits still unknown to your antivirus simply by comparing what the system looks like through the normal OS interfaces with the results of low-level monitoring: anything the low-level view shows and the OS view omits is being hidden. Secondly, the antivirus needs adequate self-protection so that malware cannot deactivate it. And last, but not least, an antivirus has to remove 100% of the rootkit's components, including code injected into critical OS files. This cannot be done by simply deleting those files, which would leave the OS nonfunctional; the antivirus has to disinfect them, removing the injected code while preserving the file's original functionality.
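The hiding technique described above (a hook that filters rootkit entries out of file and process listings) and the cross-view detection technique (comparing the API's answer with a lower-level view of the same data) are illustrated together in the following added example. It is not code from the article or from any antivirus product; the host model, the `rk_` name prefix the toy rootkit hides, and the `ToySystem` class are assumptions made for the demo, and all sample data is constructed in memory. The `linux_pid_views` function shows the same idea against a live Linux host, comparing the pids listed by `/proc` with the pids that answer `kill(pid, 0)`.

```python
"""Cross-view rootkit detection: a self-contained added example (not the article's code).

The hiding technique: a rootkit hooks the API that lists files or processes and
strips its own entries from the answer.  The detection technique: obtain the same
information through a lower-level path the hook does not cover, then diff the two
views.  Anything present only in the low-level view is being hidden.

Everything below runs on constructed in-memory data; nothing is hooked for real.
"""
import os
from dataclasses import dataclass

# Assumption for the demo: the toy rootkit hides every object whose name starts with this.
HIDDEN_PREFIX = "rk_"


@dataclass
class ToySystem:
    """Ground truth for a host: what is really on disk and really running."""
    files: set          # file names in one directory
    procs: dict         # pid -> image name


# ---- attacker side: the filtering hooks a user-mode rootkit installs ------------
def hooked_listdir(system: ToySystem) -> set:
    """What the patched 'list directory' API returns: the real listing minus rootkit files."""
    return {name for name in system.files if not name.startswith(HIDDEN_PREFIX)}


def hooked_proclist(system: ToySystem) -> dict:
    """What the patched 'enumerate processes' API returns."""
    return {pid: name for pid, name in system.procs.items()
            if not name.startswith(HIDDEN_PREFIX)}


# ---- defender side: views that bypass the hooked API ------------------------------
def raw_listdir(system: ToySystem) -> set:
    """Models parsing the on-disk directory entries directly (low-level disk access)."""
    return set(system.files)


def bruteforce_pids(system: ToySystem, max_pid: int = 65536) -> dict:
    """Models probing every candidate pid one by one instead of asking for a list."""
    return {pid: system.procs[pid] for pid in range(1, max_pid) if pid in system.procs}


def cross_view_diff(api_view, raw_view) -> list:
    """Entries the low-level view has but the API view lacks are hidden objects."""
    return sorted(set(raw_view) - set(api_view))


def detect_hidden(system: ToySystem):
    """Return (hidden file names, hidden pids) for the given host model."""
    hidden_files = cross_view_diff(hooked_listdir(system), raw_listdir(system))
    hidden_pids = cross_view_diff(hooked_proclist(system), bruteforce_pids(system))
    return hidden_files, hidden_pids


# Constructed sample host: two rootkit files and one rootkit process among legitimate ones.
SAMPLE = ToySystem(
    files={"explorer.exe", "notepad.exe", "rk_driver.sys", "rk_config.dat"},
    procs={4: "System", 612: "explorer.exe", 1337: "rk_backdoor.exe", 2048: "notepad.exe"},
)


def linux_pid_views(max_pid: int = 32768):
    """Linux only: the same idea against a live host.

    API view: pids listed by readdir("/proc").  Raw view: pids that answer kill(pid, 0).
    Caveat: kill() also succeeds for thread ids, which /proc does not list, so a real
    tool must filter out tids before declaring a pid hidden.
    """
    api_view = {int(p) for p in os.listdir("/proc") if p.isdigit()}
    raw_view = set()
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:      # exists, just not ours to signal
            pass
        raw_view.add(pid)
    return api_view, raw_view


if __name__ == "__main__":
    print("hidden files, hidden pids:", detect_hidden(SAMPLE))
    if os.path.isdir("/proc"):
        api, raw = linux_pid_views()
        print("pids not shown by /proc listing:", cross_view_diff(api, raw))
```

The point of the design is that the two views must be produced by genuinely different code paths: if the "low-level" enumeration goes through the same hooked API, the diff is always empty. Real anti-rootkit tools get their raw view from on-disk filesystem structures or kernel object tables rather than from the system call the rootkit patched.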

So make sure your protection meets these requirements before saying "I know what a rootkit is, and I am sure my antivirus solution protects me from this threat."



  1. Borhan says:

    How come the OS lets these kinds of malware gain this high-privilege access to its critical processes and files?

    1. Serge Malenkovich says:

      There are numerous ways to try: vulnerabilities in the OS security architecture, vulnerable privileged applications, social engineering to make the user click "Allow admin access".

      1. Aaron says:

        Indeed. Serge is quite correct. I’ve seen malware and rootkits installed in many ways as a technician. Everything from “I got an email from a friend, it seemed innocent enough. Then my computer started crashing” to “I was just browsing the web and something went wrong”.
        The worst one I ever fought, they didn’t even know how they got it. Browsing the web, shut the machine off, next day they turned it on and within half an hour it crashed. Restart, black screen. The operating system was trashed beyond repair. Start to finish it took me four business days to repair it all. The moment I knew what was going on, I made them a suggestion. “You need better security software!” My suggestion? Kaspersky.