Rootkits
Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it’s undetected. During this time, it will steal information and resources.
How rootkits work
Rootkits intercept and alter the operating system's own mechanisms: the API calls, kernel data structures, or boot path that every other program relies on. After a rootkit infects a device, you can't trust any information that device reports about itself, because the rootkit sits between you and the truth.
If you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove from the answer any programs it doesn't want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
Many modern malware families use rootkits to try to avoid detection and removal, including:
How to protect against rootkits
Like any other type of malware, the best way to avoid rootkits is to prevent them from being installed in the first place.
Apply the latest updates to operating systems and apps.
Educate your employees so they can be wary of suspicious websites and emails.
Back up important files regularly. Use the 3-2-1 rule: keep three copies of your data (the original plus two backups), on two different storage types, with at least one copy offsite.
What if I think I have a rootkit on my device?
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isn’t detecting, you may need an extra tool that lets you boot to a known trusted environment.
Microsoft Defender Offline can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren’t working correctly because of a possible malware infection.
Windows Defender System Guard in Windows 10 protects against rootkits and other threats that affect system integrity by measuring and verifying the boot chain before the operating system is trusted.
What if I can’t remove a rootkit?
If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup.
What is Rootkit? How do Rootkits work? Rootkits explained.
It is possible to hide malware in ways that fool even traditional antivirus/antispyware products, and many malware programs already use rootkits to hide deep inside a Windows PC; they are getting more dangerous. The TDL3 rootkit is one of the most advanced rootkits seen in the wild. It was stable and could infect 32-bit Windows operating systems, although administrator rights were needed to install it. TDL3 has since been updated and can now infect 64-bit versions of Windows as well.
What is Rootkit
A rootkit is a stealthy type of malware designed to hide the existence of certain processes, files or programs on your computer from regular detection methods, so that it, or another malicious component, keeps privileged access to the machine.
Rootkits for Windows are typically used to hide malicious software from, for example, an antivirus program. They are used by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what is known as a full stealth virus. Rootkits were first common in the spyware field, and they are now also used by virus authors.
They are an emerging type of "super spyware" that hides effectively and affects the operating system kernel directly. They are used to conceal the presence of a malicious object such as a trojan or keylogger on your computer. If a threat uses rootkit technology to hide, it is very hard to find the malware on your PC.
Rootkits in themselves are not dangerous. Their only purpose is to hide software and the traces it leaves behind in the operating system, whether that software is legitimate or malicious.
There are basically three types of rootkit. Kernel rootkits add their own code to parts of the operating system core. User-mode rootkits run as ordinary programs or as code injected into other processes; they are set up to start with Windows, or are injected into the system by a so-called dropper, and they hook the user-mode APIs that other programs rely on. The third type, MBR rootkits or bootkits, replaces the code that runs at the very start of the boot sequence.
When you find your antivirus and antispyware failing, you may need the help of a good anti-rootkit utility. RootkitRevealer from Microsoft Sysinternals is an advanced rootkit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit: it reads the file system and the Registry hives directly and compares the result with what the Windows API reports. Note that it is an older tool aimed at 32-bit Windows XP and Windows Server 2003, so it is not a solution for current 64-bit systems.
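The following added example (written for this page; it is not Microsoft or Sysinternals code) illustrates both points at once: the hiding behaviour described under "How rootkits work", and the cross-view discrepancy check that RootkitRevealer performs. A simulated user-mode "rootkit" hooks the high-level directory-listing API and drops its own files from the result; the scanner enumerates the same directory through a second, independent code path and reports whatever the hooked API failed to show. The hidden-name prefix `rk_` and the file names are assumptions for the demo.

```python
"""Cross-view detection of a hiding hook (simulation).

The "rootkit" here is a Python-level wrapper around os.listdir that filters
out its own artefacts, standing in for a user-mode API hook. The scanner
takes a second view via os.scandir, which does not pass through the wrapped
function, standing in for a tool that parses the file system directly.
"""
import os
import tempfile

HIDDEN_PREFIX = "rk_"          # assumption: names the fake rootkit conceals

_real_listdir = os.listdir     # keep the original so the hook can call it


def install_hiding_hook():
    """Simulate a user-mode rootkit: wrap os.listdir so that any entry whose
    name starts with HIDDEN_PREFIX is silently dropped from the result."""
    def hooked_listdir(path="."):
        return [e for e in _real_listdir(path) if not e.startswith(HIDDEN_PREFIX)]
    os.listdir = hooked_listdir


def remove_hiding_hook():
    """Restore the genuine API (the equivalent of cleaning the hook)."""
    os.listdir = _real_listdir


def high_level_view(path):
    """The view a naive tool gets: it goes through the (possibly hooked) API."""
    return set(os.listdir(path))


def low_level_view(path):
    """An independent view of the same directory through a different call
    path; os.scandir is unaffected by the wrapper placed on os.listdir."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def cross_view_diff(path):
    """Names present in the low-level view but missing from the high-level
    one. A non-empty result is the discrepancy a rootkit scanner reports."""
    return low_level_view(path) - high_level_view(path)


def demo():
    """Create a scratch directory with constructed files, install the hook,
    and return (what the hooked API shows, what the cross-view scan flags)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "rk_driver.sys", "rk_config.dat", "app.exe"):
            open(os.path.join(d, name), "w").close()
        try:
            install_hiding_hook()
            visible = high_level_view(d)
            hidden = cross_view_diff(d)
        finally:
            remove_hiding_hook()
    return visible, hidden


if __name__ == "__main__":
    shown, flagged = demo()
    print("hooked API shows :", sorted(shown))
    print("cross-view flags :", sorted(flagged))
```

The important design point is that the two views must not share the code path the rootkit controls; a real scanner gains that independence by parsing on-disk structures or kernel memory itself rather than asking the operating system, and an offline scan from a clean boot environment removes the hooks from the picture entirely.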
Microsoft Malware Protection Center Threat Report on Rootkits
Microsoft Malware Protection Center has made available for download its Threat Report on Rootkits. The report examines one of the more insidious types of malware threatening organizations and individuals today — the rootkit. The report examines how attackers use rootkits, and how rootkits function on affected computers. Here is a gist of the report, starting with what are Rootkits – for the beginner.
A rootkit is a set of tools that an attacker or malware creator uses to gain control over an exposed or unsecured system at a level normally reserved for the system administrator. In recent years the terms "rootkit" and "rootkit functionality" have largely been absorbed into the general term "malware", a program designed to have undesirable effects on a healthy computer. Malware's prime function is to secretly extract valuable data and other resources from a user's computer and deliver them to the attacker, giving him control over the compromised machine. Moreover, rootkits are difficult to detect and remove and can remain hidden for extended periods, possibly years, if they go unnoticed.
The symptoms of a compromised computer therefore need to be recognised and taken seriously before serious damage is done, and more stringent security measures are needed to uncover such an attack. But, as mentioned, once a rootkit is installed, its stealth capabilities make it difficult to remove, along with any components it may have downloaded. For this reason, Microsoft created a report on rootkits.
The 16-page report outlines how an attacker uses rootkits and how these rootkits function on affected computers.
The purpose of the report is to identify and closely examine potent malware threatening organizations and individual computer users. It also describes some of the prevalent malware families and the methods attackers use to install these rootkits on healthy systems. The remainder of the report contains recommendations from Microsoft's experts to help users mitigate the threat from rootkits.
Types of Rootkits
There are many places where malware can install itself into an operating system. So, mostly the type of rootkit is determined by its location where it performs its subversion of the execution path. This includes:
- User Mode Rootkits
- Kernel Mode Rootkits
- MBR Rootkits/bootkits
(The report illustrates the possible effect of a kernel-mode rootkit compromise with a screenshot, not reproduced here.)
The third type modifies the Master Boot Record to gain control of the system at the earliest possible point in the boot sequence, before the operating system and any security software have loaded. It then hides files, registry modifications, evidence of network connections and any other indicators that could reveal its presence.
Notable Malware families that use Rootkit functionality
- Win32/Sinowal – A multi-component family of malware that tries to steal sensitive data such as user names and passwords for different systems. This includes attempting to steal authentication details for a variety of FTP, HTTP, and email accounts, as well as credentials used for online banking and other financial transactions.
- Win32/Cutwail – A Trojan that downloads and executes arbitrary files. The downloaded files may be executed from disk or injected directly into other processes. While the functionality of the downloaded files is variable, Cutwail usually downloads other components that send spam. It uses a kernel-mode rootkit and installs several device drivers to hide its components from affected users.
- Win32/Rustock – A multi-component family of rootkit-enabled backdoor Trojans initially developed to aid in the distribution of “spam” email through a botnet. A botnet is a large attacker-controlled network of compromised computers.
Protection against rootkits
Preventing the installation of rootkits is the most effective way to avoid infection. This calls for investment in protective technologies such as antivirus and firewall products, which should take a comprehensive approach by combining traditional signature-based detection, heuristic detection, dynamic and responsive signature updates, and behavior monitoring.
All signature sets should be kept up to date through an automated update mechanism. Microsoft antivirus solutions include a number of technologies designed specifically to mitigate rootkits, including live kernel behavior monitoring that detects and reports attempts to modify the system's kernel, and direct file system parsing that bypasses the rootkit's hooks and so makes hidden drivers visible for identification and removal.
If a system is found to be compromised, an additional tool that lets you boot to a known-good or trusted environment may prove useful, since it can scan and remediate the disk without the rootkit's hooks active. Under such circumstances, the following may help:
- The Standalone System Sweeper tool (part of the Microsoft Diagnostics and Recovery Toolset, DaRT)
- Windows Defender Offline
For more information, you can download the PDF report from Microsoft Download Center.
Date: April 1, 2019 Tags: Malware, Rootkit
What is a Rootkit? How Can You Detect it?
“Geez, my computer is really running slow all of a sudden.”
“Hmm, I don’t recall seeing this odd application in my task manager before.”
If you have ever asked these questions, there is a chance you have a rootkit. One of the most infamous pieces of rootkit-equipped malware, Stuxnet, targeted the Iranian nuclear industry; it is reported to have infected 200,000 computers and physically degraded 1,000 machines inside Iran's uranium enrichment facilities.
What is a Rootkit?
Rootkits are the toolboxes of the malware world. They usually arrive as part of some other download, backdoor or worm, and then take steps to prevent the owner from detecting their presence on the system. Once installed, a rootkit gives a bad actor what they need to keep control of your PC and use it, for example, as a zombie computer in a DDoS botnet.
Rootkits operate near or within the kernel of the OS, which gives them low-level control over what the system executes and what it reports. Attackers have also adapted rootkits to new targets, notably Internet of Things (IoT) devices, to use as zombie computers. Anything that runs an OS is a potential target, your new fridge or thermostat included.
Rootkit techniques also have legitimate uses for security and utility to end users, employers and law enforcement. Veriato is employee-monitoring software that uses rootkit-style concealment to give employers monitoring capabilities on their employees' computers. Law enforcement agencies use rootkits for investigations on PCs and other devices. Rootkit research sits at the bleeding edge of OS internals, and it helps OS developers anticipate and counter future threats.
What is a Rootkit Scan?
Rootkit scans are the best attempt to detect a rootkit infection and are most likely initiated by your AV solution. The challenge when a rootkit infects your PC is that the OS can't necessarily be trusted to identify it: rootkits are sneaky and good at camouflage. If you suspect a rootkit, one of the better strategies is to power down the computer and run the scan from a known clean system (an offline scanner or boot disk), so that the rootkit's hooks are not running while the disk is examined.
Rootkit scans also look for signatures, much as they detect viruses, and attackers and security developers play a cat-and-mouse game over who finds the new signatures faster. Memory analysis is one of the more reliable ways to find a rootkit: to run at all, its code and hooks must be resident in memory, so a memory dump examined from outside the infected OS exposes them. The caveat is that advanced rootkits can still tamper with the kernel structures a memory tool walks, so analysts cross-check several structures rather than trusting one.
Behavioral analysis is the other more reliable method of detecting rootkits. Instead of looking for the rootkit, you look for rootkit-like behaviors; in Varonis terms, you apply Data Security Analytics to look for deviant patterns of behavior on your network. Targeted scans work well once you know a system is behaving oddly, whereas behavioral analysis can alert you to a rootkit before a human realizes one of the servers is under attack.
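As an added example of the memory-analysis approach (written for this page; it is not Varonis code or a memory-forensics tool's implementation): kernel-mode rootkits commonly redirect entries of a kernel dispatch table, on Windows the System Service Descriptor Table, to their own code, and in a memory dump such a hook shows up as a table entry whose target lies outside the address range of the module that should own it, or in no loaded module at all. The module list, addresses, syscall names and the hooked entries below are constructed for the example, not values from a real system.

```python
"""Check a kernel dispatch table recovered from a memory image for hooks.

Every entry of the table is expected to point into the kernel image itself
(assumed here to be "ntoskrnl.exe"). An entry that points into a third-party
driver, or into memory that no loaded module covers, is reported together
with the owning module's load path, which is often the second tell-tale (a
driver loaded from a user-writable directory).
"""
from dataclasses import dataclass

# Constructed names for the table slots, in index order.
SYSCALL_NAMES = ["NtCreateFile", "NtOpenProcess", "NtQueryDirectoryFile",
                 "NtQuerySystemInformation", "NtTerminateProcess"]


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as it would be recovered from the module list."""
    name: str
    base: int
    size: int
    path: str

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def owner_of(addr, modules):
    """Return the module whose address range covers addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def find_hooks(table, modules, expected="ntoskrnl.exe"):
    """Return (syscall name, target address, reason) for each suspicious
    table entry; an empty list means every entry points into `expected`."""
    findings = []
    for idx, target in enumerate(table):
        name = SYSCALL_NAMES[idx] if idx < len(SYSCALL_NAMES) else "#%d" % idx
        m = owner_of(target, modules)
        if m is None:
            findings.append((name, target, "target not inside any loaded module"))
        elif m.name != expected:
            findings.append((name, target,
                             "redirected into %s loaded from %s" % (m.name, m.path)))
    return findings


def demo():
    """Constructed memory-image contents: the kernel, one legitimate driver,
    one driver loaded from a user-writable path, and a five-entry table with
    two hooked slots."""
    modules = [
        Module("ntoskrnl.exe", 0xFFFFF80000400000, 0x800000,
               r"\SystemRoot\system32\ntoskrnl.exe"),
        Module("ndis.sys", 0xFFFFF88001000000, 0x100000,
               r"\SystemRoot\system32\drivers\ndis.sys"),
        Module("rkdrv.sys", 0xFFFFF88003000000, 0x8000,
               r"\??\C:\Users\Public\rkdrv.sys"),
    ]
    table = [
        0xFFFFF80000412340,   # NtCreateFile            -> kernel (clean)
        0xFFFFF80000433F00,   # NtOpenProcess           -> kernel (clean)
        0xFFFFF80000455A10,   # NtQueryDirectoryFile    -> kernel (clean)
        0xFFFFF88003001230,   # NtQuerySystemInformation -> rkdrv.sys (hooked)
        0xFFFFF98000000000,   # NtTerminateProcess      -> unmapped (hooked)
    ]
    return find_hooks(table, modules)


if __name__ == "__main__":
    for name, target, reason in demo():
        print("%-26s 0x%016X  %s" % (name, target, reason))
```

The range check is deliberately simple; real tools also verify that the module list itself has not been unlinked (a rootkit can hide its driver from that list too), which is why they rebuild the list from pool scans and compare it against the linked list before trusting it.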
Rootkit Protection Best Practices
The good news is that rootkits as a method of cyberattack are in decline. OS developers and security researchers continue to improve operating systems and endpoint defenses against all types of malware, and their efforts have been especially effective against rootkits. Rootkits require high-privilege access to install their hooks into the OS, and most systems now block these attacks with built-in kernel protections such as driver signature enforcement and kernel patch protection on 64-bit Windows. Many companies also apply the principle of least privilege, which prevents ordinary users from installing software into the kernel and so stops rootkits from taking hold.
Behavior analysis is considered a best practice to defending your data against rootkit based attacks. Behavioral analysis will find evidence of a rootkit while a hacker is using the tools. They could trip a threat monitor by trying to access a folder the user account doesn’t normally access or when they try to promote their account to higher privilege levels. With a well-developed permissions policy based on principles of least privilege and data security analytics a hacker will have a difficult time stealing data with a rootkit.
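The following added example (written for this page; it is not Varonis code and the log format is invented) shows the two behavioural signals the paragraph describes as detection logic over sample events: a per-account baseline of the folders each account normally touches, then alerts when an account reaches outside that baseline or when its privileges are raised. The event lines are constructed in a simplified "timestamp user action target" format.

```python
"""Behavioural detection over file-access and privilege-change events.

Rather than hunting for the rootkit's own files, which it hides, the monitor
learns what each account normally does during a baseline window and then
flags (a) reads or writes to folders that account has never used and
(b) any privilege-raising action, regardless of baseline.
"""
from collections import defaultdict

# Constructed baseline period (the "normal" week).
BASELINE_LOG = r"""
2019-03-25T08:02:11 jsmith read  \\fs01\finance\q1.xlsx
2019-03-25T08:40:53 jsmith write \\fs01\finance\reports\jan.docx
2019-03-26T09:15:02 jsmith read  \\fs01\finance\budget.xlsx
2019-03-26T02:00:00 asvc   read  \\fs01\backup\daily.bak
"""

# Constructed activity to evaluate against that baseline.
ACTIVITY_LOG = r"""
2019-04-01T08:05:44 jsmith read  \\fs01\finance\q2.xlsx
2019-04-01T08:09:12 jsmith read  \\fs01\hr\salaries.xlsx
2019-04-01T09:14:00 jsmith group-add Domain Admins
2019-04-01T02:00:00 asvc   write \\fs01\backup\daily.bak
"""

DATA_ACTIONS = {"read", "write"}
PRIV_ACTIONS = {"group-add", "token-elevate", "service-install"}


def folder_of(path):
    """Parent folder of a UNC or local path, normalised to lower case."""
    return path.rsplit("\\", 1)[0].lower()


def parse(log):
    """Yield (timestamp, user, action, target) tuples; target may contain spaces."""
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, target = line.split(maxsplit=3)
        yield ts, user.lower(), action, target


def build_baseline(log):
    """Map each account to the set of folders it touched in the baseline window."""
    seen = defaultdict(set)
    for _, user, action, target in parse(log):
        if action in DATA_ACTIONS:
            seen[user].add(folder_of(target))
    return seen


def detect(baseline, log):
    """Return (timestamp, user, reason) alerts in event order."""
    alerts = []
    for ts, user, action, target in parse(log):
        if action in PRIV_ACTIONS:
            alerts.append((ts, user, "privilege change: %s %s" % (action, target)))
        elif action in DATA_ACTIONS:
            folder = folder_of(target)
            if folder not in baseline.get(user, set()):
                alerts.append((ts, user, "%s outside baseline: %s" % (action, folder)))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(build_baseline(BASELINE_LOG), ACTIVITY_LOG):
        print(ts, user, reason)
```

A baseline this simple will be noisy on real data (a new project folder looks like a deviation), which is why production analytics score deviations against peers and history rather than alerting on every first-time access; the privilege-change rule, by contrast, is worth alerting on unconditionally, because raising privileges is the step a rootkit installer cannot skip.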
Rootkits Over the Years
Below are a few different rootkits for further research, each significant either in its development or in its impact.
Even though rootkits are largely no longer being developed to target personal computers, the new Internet of Things (IoT) gives hackers a whole new set of systems to take over and use as zombie computers. I expect the IoT to see the same kind of security concerns that early computers experienced in the early 2000s, which makes a monitoring solution that detects such threats, like DatAlert, all the more important. Varonis Edge adds further context to those threat models by gathering data from proxies, DNS and routers to analyze the attack vectors hackers use to get into your network.
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.