What are the types of rootkit?
There are different types of rootkits, and they are classified by the way they infect a targeted system. Here are the most commonly used ones:
- Kernel mode rootkit: These are designed to change the functionality of an operating system by inserting malicious code into the kernel—the central part of an operating system that controls operations between hardware and applications. Although kernel mode rootkits can be difficult to deploy because they crash the system if the attacker’s code fails, they pose a serious threat, since the kernel runs at the highest privilege level in the system.
- User mode rootkit: These rootkits execute as ordinary user programs. They are sometimes referred to as application rootkits since they operate where applications typically run. They tend to be easier to deploy but usually cause less damage than kernel rootkits.
- Bootkits: These extend the abilities of traditional rootkits by infecting the master boot record—the small piece of code that runs at system startup before the operating system loads. This makes them more persistent, since the bootkit runs every time the system starts, even after a defensive reset. What’s more, they remain active in system memory, which IT teams do not regularly scan.
- Firmware rootkits: These infect the software embedded in a device’s firmware—routers, network cards, hard drives—which lets a rootkit stay hidden for longer, since these devices are not typically inspected for code integrity.
Why is a rootkit used?
Attackers use rootkits for many purposes, but most commonly to improve the stealth of other malware. Increased stealth helps malicious payloads remain undetected while they exfiltrate or destroy data on a network. It is also fairly common for rootkits to be used to give unauthorized users backdoor access to systems. Rootkits achieve this by subverting login mechanisms so that they accept a secret credential known only to the attacker.
What’s more, rootkits can be deployed to compromise a computer so an attacker can use it as a bot in a distributed denial-of-service (DDoS) attack. In these cases, if the DDoS is detected and traced, the trail leads back to the compromised computer rather than to the attacker. These compromised computers are often referred to as “zombie computers,” and in addition to being used in DDoS attacks, they can be used for click fraud or spam distribution.
There are occasions where rootkits are employed by administrators for legitimate purposes, but this is not common. Occasionally, IT teams run rootkits in a honeypot to detect attacks, to improve their emulation and security software, or to strengthen device anti-theft protection. More often than not, however, rootkits are used from outside and against a system, so it’s important for managed services providers (MSPs) to know how to detect them and defend their customers against them.
How to detect a rootkit
Because few commercial tools can reliably locate and remove rootkits, the removal process can be complicated and sometimes impossible. This is especially true when the rootkit resides in the kernel. Reinstalling the operating system is sometimes the only viable solution. In the case of firmware rootkits, removal may require hardware replacement or specialized equipment.
One of the best methods MSPs can use for their customers is a rootkit scan. Rootkit scans should be run from a separate, known-clean system while the suspect computer is powered down, so the rootkit is not executing and cannot hide itself from the scanner. The scan looks for known rootkit signatures and can show whether the system has been tampered with.
Additionally, memory dump analysis can be an effective detection strategy, especially since bootkits rely on system memory to operate. A rootkit that is executing commands from memory cannot hide from an analysis of that memory, so MSPs can see the instructions it is issuing.
Another reliable method of detecting rootkits is behavioral analysis. Rather than looking for a rootkit directly by searching memory or playing a game of cat and mouse with attack signatures, you can look for rootkit symptoms in a system—slow operating speeds, odd network traffic, or other common deviant patterns of behavior.
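As an added illustration of the detection methods above (this is example code, not from the article), the following Python script performs a cross-view check for hidden processes on Linux: it compares the PIDs a normal directory listing of /proc shows (what ps and top rely on, and what a user-mode rootkit typically hooks) with the PIDs found by probing /proc/<pid> directly. It assumes a Linux host with /proc mounted; a kernel-mode rootkit that also hooks the stat path can still evade it.

```python
import os
import re

_PID_NAME = re.compile(r"^\d+$")


def listed_pids(proc_root="/proc"):
    """PIDs visible through an ordinary directory listing of /proc.

    This is the view that ps, top and similar tools rely on, and the one
    a user-mode rootkit usually filters to hide its processes."""
    return {int(name) for name in os.listdir(proc_root) if _PID_NAME.match(name)}


def probed_pids(proc_root="/proc", max_pid=None):
    """PIDs found by stat()-ing /proc/<pid> for every candidate PID.

    Probing each path directly bypasses readdir(), so a hook that only
    filters directory listings cannot remove a PID from this view."""
    if max_pid is None:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc_root, str(pid)))}


def hidden_pids(listed_before, probed, listed_after):
    """PIDs that the probe found but neither listing showed.

    Taking a listing before and after the (slow) probe filters out
    processes that merely started or exited while the probe ran. A PID
    absent from both listings yet present in the probe was hidden, not
    racing. Very short-lived processes that start and exit entirely
    inside the probe window can still appear; rerun and intersect."""
    return sorted(probed - (listed_before | listed_after))


def cross_view_check(proc_root="/proc", max_pid=None):
    """Run the full check on the live system and return suspicious PIDs."""
    before = listed_pids(proc_root)
    probed = probed_pids(proc_root, max_pid)
    after = listed_pids(proc_root)
    return hidden_pids(before, probed, after)


if __name__ == "__main__":
    suspects = cross_view_check()
    if suspects:
        print("PIDs hidden from directory listing (investigate offline):", suspects)
    else:
        print("no hidden processes found by the cross-view check")
```

A non-empty result is a symptom worth confirming with an offline scan or memory image from a clean system, not proof on its own.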
A highly advisable strategy MSPs can deploy in customers’ systems is the principle of least privilege (PoLP). Under PoLP, every user, process, and component on a network is granted access only to the information and resources its specific purpose requires. Not only does this tighten security between the parts of a network, it also prevents unauthorized users from installing malicious software into the kernel, which is how rootkits take hold.
Luckily, rootkit attacks are generally in decline as OS security systems continue to improve endpoint defenses and more CPUs utilize built-in kernel protection modes. But they still exist, and MSPs must know how to prevent rootkits and stop breaches that may be harming their customers’ IT infrastructures.