A rootkit is malicious software that gives an unauthorized user privileged access to a computer and to restricted areas of its software. A rootkit may bundle a number of malicious tools such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots for DDoS attacks. The software remains hidden on the computer and gives the attacker remote access to it.
The term rootkit is derived from the combination of two words – "root" and "kit". "Root" refers to the administrator account in Unix and Linux operating systems, which is an all-powerful account with full privileges and unrestricted access. It is equivalent to the administrator account in Windows systems. The term "kit" refers to the programs that allow a threat actor to obtain unauthorized root/admin-level access to the computer and restricted areas. The rootkit enables the threat actor to perform all these actions surreptitiously without the user's consent or knowledge.
How the Attacker Installs Rootkits
The threat actor tries to obtain root/administrator access by exploiting known vulnerabilities or by stealing administrator credentials, often through social engineering. Root access allows installation of rootkits or any other malware. Once the rootkit is installed, the threat actor can access the computer remotely to install other malware, steal data, observe activity and even control the machine. Rootkits are sophisticated malware, and most antivirus and antimalware solutions do not detect them. Rootkits are also able to hide their intrusion, and hence once they are in, they are practically undetectable.
Since rootkits have complete control over the system, they can modify software, including cyber security solutions such as the antivirus that could detect them. Because even the detection tools are tampered with, rootkits are difficult to detect and remove.
What are Rootkits used for?
Threat actors use rootkits for many purposes:
- Stealth capabilities: Modern rootkits add stealth capabilities to malicious software payloads (such as keyloggers and viruses) to make them undetectable.
- Backdoor access: Rootkits permit unauthorized access through backdoor malware. The rootkit subverts the login mechanism so that it also accepts a secret login for the attacker. Standard authentication and authorization mechanisms are bypassed to give the attacker admin privileges.
- DDoS attacks: Rootkits allow the compromised computer to be used as a bot for distributed-denial-of-service attacks. The attack is then traced to the compromised computer rather than to the attacker's system. These bots are also called zombie computers and are used as part of bot networks to launch DDoS attacks and other malicious activities such as click fraud and spam email distribution.
Usage of Rootkits for Good Causes
The functionality of rootkits is also used for good causes, such as:
- in a honeypot to detect attacks
- to enhance emulation software
- to enhance security software – it enables the software to secure itself from malicious actions
- digital rights management enforcement
- device anti-theft protection – BIOS-based rootkit software enables monitoring, disabling and wiping of data on mobile devices when they get lost or stolen
Types of Rootkits
There are five types of rootkits:
- User-mode rootkits
- Kernel-mode rootkits
- Hypervisor rootkits
- Firmware rootkits
How to Detect Rootkits?
A behavioral-based approach proves to be effective in detecting rootkits. Cyber security solutions such as the Comodo Advanced Endpoint Protection (AEP) utilize their Host Intrusion Prevention Systems to effectively detect and remove rootkits in computer systems.
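The article's point that a rootkit hides itself from the listing tools the system provides can be checked directly with a cross-view comparison. The following added example (not Comodo's code and not from the original article) compares the /proc process listing, which a user-mode rootkit may filter, against the kernel's own answer from kill(pid, 0), and flags PIDs that one view reports and the other omits. It assumes a Linux host with a standard /proc.

```python
"""Cross-view detection of hidden processes (constructed example, not Comodo code).

A user-mode rootkit that hides a process typically filters the /proc directory
listing (for example by hooking readdir in libc) but cannot stop the kernel from
answering kill(pid, 0): the call returns success or EPERM for a live PID and
ESRCH for a nonexistent one. Diffing the two views exposes the discrepancy.
Assumption: Linux /proc layout and POSIX kill() semantics.
"""
import os
from typing import Callable, Iterable, Set


def pids_from_proc() -> Set[int]:
    """High-level view: PIDs as reported by the (possibly hooked) /proc listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def kernel_sees_pid(pid: int) -> bool:
    """Low-level view: ask the kernel with signal 0 instead of reading a listing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH: no such process
        return False
    except PermissionError:         # EPERM: exists, owned by another user
        pass
    # kill() also accepts thread IDs, which never appear as top-level /proc
    # entries. A thread's Tgid differs from its own ID, so only report
    # thread-group leaders; an unreadable status file means the PID is hidden
    # even from direct lookup, which is worth reporting too.
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True


def hidden_pids(listed: Iterable[int], exists: Callable[[int], bool], max_pid: int) -> Set[int]:
    """Return PIDs that the low-level probe confirms but the listing omits.
    The probe is injectable so the logic can be tested against constructed views."""
    listed = set(listed)
    return {pid for pid in range(1, max_pid + 1) if pid not in listed and exists(pid)}


def scan_live_system() -> Set[int]:
    """Diff the real /proc listing against kernel probes on this host.
    Processes that start between the two views are a race; the intersection of
    two passes discards them."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    first = hidden_pids(pids_from_proc(), kernel_sees_pid, max_pid)
    return first & hidden_pids(pids_from_proc(), kernel_sees_pid, max_pid)


if __name__ == "__main__":
    found = scan_live_system()
    print("hidden PIDs:", sorted(found) if found else "none")
```

A kernel-mode rootkit that hooks the syscalls themselves can lie to both views, so an empty result is evidence, not proof; a non-empty result from a clean run is a strong signal for incident response.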