
What is a rootkit?

“A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. While there have been legitimate uses for this type of software, such as to provide remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software, such as viruses, ransomware, keylogger programs or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by endpoint antivirus software.”

• A collection of tools used by hackers to gain administrative privileges on compromised machines.
• Used to help hide other forms of malware.

What does it do?
• Allows someone, either legitimate or malicious, to maintain command and control over a computer system without the system's user knowing about it.
• The owner of the rootkit can execute files and change system configurations on the target machine.
• It can access log files or monitor activity to covertly spy on the user's computer usage.
• Note: there are legitimate uses for rootkits too.

How does it work?
• Rootkits are just one component of what is called a blended threat.
• A blended threat typically consists of three snippets of code:
1. A dropper
2. A loader
3. The rootkit
• The dropper is the code that gets the rootkit's installation started.
• Once initiated, the dropper launches the loader program and then deletes itself.
• The loader causes a buffer overflow, which loads the rootkit into memory.

How does a blended threat get onto your computer?
• Through social engineering
• By exploiting known vulnerabilities
• Even by brute forcing

Types of rootkits

User-mode rootkits
• Run on a computer with administrative privileges.
• This allows them to alter security settings and hide processes, files, system drivers, network ports, and even system services.
• These rootkits remain installed on the infected computer by copying the required files to the computer's hard drive, automatically launching with every system boot.
• Note: these rootkits will be detected by anti-malware software.

Kernel-mode rootkit
• Places the rootkit on the same level as the operating system.
• The OS can no longer be trusted.
• One kernel-mode rootkit that's getting lots of attention is the Da IOS rootkit.
• Note: Windows blue screen errors might be caused by these rootkits.

User-mode/kernel-mode hybrid rootkit
• A hybrid rootkit combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy).
• The hybrid approach is very successful and is currently the most popular type of rootkit.

Bootkit or bootloader rootkit
• This type of rootkit infects the Master Boot Record of a hard drive or other storage device connected to the target system.
• Bootkits can subvert the boot process and maintain control over the system after booting and, as a result, have been used successfully to attack systems that use full disk encryption.
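As an added defender-side example (not part of the original slides), a baseline check for the bootkit case above: it parses a 512-byte MBR sector, verifies the 0x55AA signature, hashes the 446-byte bootstrap area and reports when it differs from the hash recorded on a known-clean system. The MBR bytes, partition entry and hashes are constructed for the demo; the `build_mbr`/`check_mbr` names are this example's own.

```python
import hashlib
import struct

BOOT_CODE_SIZE = 446          # bootstrap code occupies bytes 0..445 of the MBR
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"       # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR image (constructed demo data, not a real disk dump)."""
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in partitions).ljust(64, b"\0")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\0") + table + SIGNATURE

def parse_mbr(data):
    """Return the bootstrap-code hash, non-empty partition entries and signature validity."""
    if len(data) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_hash": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": parts, "signature_ok": data[510:] == SIGNATURE}

def check_mbr(data, baseline_hash):
    """Compare a freshly read MBR with a known-good baseline; returns findings (empty = clean)."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupted")
    if info["boot_hash"] != baseline_hash:
        findings.append("bootstrap code differs from baseline (possible bootkit)")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

# Constructed sample: a known-good MBR recorded at baseline time, then a tampered copy
# whose first bootstrap bytes have been overwritten, which is what an infected MBR looks like.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = parse_mbr(GOOD_MBR)["boot_hash"]
TAMPERED_MBR = b"\xeb\x3c\x90" + GOOD_MBR[3:]

if __name__ == "__main__":
    print("baseline MBR:", check_mbr(GOOD_MBR, BASELINE_HASH) or "clean")
    print("tampered MBR:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

Read the real sector from a clean boot environment rather than from the suspect OS, as the removal advice later on the page says, because an active bootkit can filter what the infected system reads.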

Firmware rootkit
• Takes advantage of software embedded in system firmware and installs itself in firmware images used by network cards, basic input/output systems (BIOS), routers, or other peripherals or devices.

Memory rootkit
• Most types of rootkit infections can persist in systems for long periods because they install themselves on permanent system storage devices, but memory rootkits load themselves into computer memory (RAM).
• Memory rootkits persist only until the system RAM is cleared, usually when the computer is restarted.

Virtualized rootkit
• These rootkits operate as malware that executes as a hypervisor controlling one or many virtual machines (VMs).
• Rootkits operate differently in a hypervisor-VM environment than they do on a physical machine.
• In a VM environment, the VMs controlled by the master hypervisor appear to function normally, without noticeable degradation of service or performance on the VMs linked to the hypervisor.
• This lets the rootkit do its malicious work with less chance of being detected, since all VMs linked to the hypervisor appear to be functioning normally.

Tips for preventing a rootkit attack
Although it is difficult to detect a rootkit attack, an organization can build its defense strategy in the following ways:
• Use strong antivirus and antimalware software. Typically, rootkit detection requires specific add-ons to antimalware packages or special-purpose antirootkit scanner software.
• Keep software up to date. Rootkit users continually probe OSes and other systems for security vulnerabilities. OS and system software vendors are aware of this, so whenever they discover vulnerabilities in their products, they immediately issue a security update to eliminate them. As a best practice, IT should update software as soon as a new release is issued.
• Monitor the network. Network monitoring and observability software can alert IT immediately if there is an unusually high level of activity at any point along the network, if network nodes suddenly start going offline, or if there is any other sign of network activity that can be construed as an anomaly.
• Analyze behavior. Companies that develop strong security permission policies and continually monitor for compliance can reduce the threat of rootkits. For example, if a user who normally accesses a system during the daytime in San Jose, Calif., suddenly shows up as an active user in Europe during nighttime hours, a threat alert could be sent to IT for investigation.
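The behavior-analysis tip above, as an added example that is not part of the original slides: the script builds a per-user baseline of login locations and hours from constructed log records, then flags any new login from a never-seen location or outside the user's usual hours, which covers the San Jose-versus-Europe case the slide describes. The log format, user names, city labels and the one-hour slack are all assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login records, "<timestamp> <user> <city>", timestamps in the login location's local time.
BASELINE_LOG = """\
2024-03-04T09:02:11 alice San Jose
2024-03-05T17:10:42 alice San Jose
2024-03-04T22:15:09 bob Frankfurt
2024-03-05T23:01:55 bob Frankfurt
"""
NEW_EVENTS = """\
2024-03-06T10:30:00 alice San Jose
2024-03-06T02:47:13 alice Frankfurt
2024-03-06T23:10:00 bob Munich
2024-03-06T11:00:00 mallory San Jose
"""

def parse_log(text):
    """Turn the space-separated records into (datetime, user, location) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, location = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), user, location))
    return events

def build_profiles(events):
    """Per user: locations seen and the earliest/latest login hour in the baseline."""
    profiles = defaultdict(lambda: {"locations": set(), "min_hour": 24, "max_hour": -1})
    for ts, user, location in events:
        p = profiles[user]
        p["locations"].add(location)
        p["min_hour"], p["max_hour"] = min(p["min_hour"], ts.hour), max(p["max_hour"], ts.hour)
    return profiles

def detect_anomalies(profiles, events, hour_slack=1):
    """Flag logins from a never-seen location or outside the user's usual hours (+/- slack)."""
    alerts = []
    for ts, user, location in events:
        p, reasons = profiles[user], []   # a user absent from the baseline gets an empty profile
        if location not in p["locations"]:
            reasons.append("new location")
        if not p["min_hour"] - hour_slack <= ts.hour <= p["max_hour"] + hour_slack:
            reasons.append("off-hours login")
        if reasons:
            alerts.append((user, ts.isoformat(), location, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    print(detect_anomalies(build_profiles(parse_log(BASELINE_LOG)), parse_log(NEW_EVENTS)))
```

A user with no baseline at all (mallory in the sample) is flagged on both counts, which is the desired behaviour for an account that has never been seen logging in before.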

Rootkit detection and removal
• Once a rootkit compromises a system, the potential for malicious activity is high, but organizations can take steps to remediate a compromised system.
• Rootkit removal can be difficult, especially for rootkits that have been incorporated into OS kernels, into firmware or into storage device boot sectors. While some antirootkit software can detect and remove some rootkits, this type of malware can be difficult to remove entirely.
• One approach to rootkit removal is to reinstall the OS, which, in many cases, eliminates the infection. Removing bootloader rootkits may require using a clean system running a secure OS to access the infected storage device.
• Rebooting a system infected with a memory rootkit removes the infection, but further work may be required to eliminate the source of the infection, which may be linked to command-and-control networks with a presence on the local network or on the public internet.
• https://www.adlice.com/roguekiller/
• https://support.kaspersky.com/utility#TDSSKiller
• https://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/

Examples of rootkit attacks
• Phishing and social engineering attacks. Rootkits can enter computers when users open spam emails and inadvertently download malicious software. Rootkits also use keyloggers that capture user login information. Once installed, a rootkit can give hackers access to sensitive user information and take control of computer OSes.
• Application rootkit attacks. Rootkits can install themselves in commonly used applications, such as spreadsheet and word processing software. Hackers use application rootkits to gain access to users' information whenever they open the infected applications.
• Network and internet of things (IoT) attacks. Significant security threats come with IoT devices and edge computing that lack the security measures other systems and centralized computers have. Hackers find and exploit these vulnerabilities by inserting rootkits through edge points of entry. This can enable a rootkit to spread throughout a network, taking over computers and workstations and turning them into zombie computers under outside control.
• OS attacks. After entering a system, a kernel-mode rootkit can attack the system's OS. The attack can include modifying the functionality of the OS, slowing system performance, and even accessing and deleting files. Kernel-mode rootkits usually enter systems when a user inadvertently opens a malicious email or executes a download from an unreliable source.
• Credit card swipe and scan attacks. Criminals have used rootkits to infect credit card swipers and scanners. The rootkits are programmed to record credit card information and send it to servers controlled by hackers. To prevent this, credit card companies have adopted chip-embedded cards, which are more resistant to attack.
• Malware continues to become more sophisticated, creating a gap in current network defenses. Learn how to avert malware using a modern approach that provides protection against both known and unknown threats.

Injector tool
• Injector: a tool to inject my rootkit into the Windows kernel using vulnerable drivers
