In part 5 of this multipart article we discussed the Botnet. Recall from previous articles that the definition of malware is a type of software designed to take over or damage a computer, without the user’s knowledge or approval. Let’s discus the Rootkit!
A rootkitis a set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. It is almost invisible software that resides below regular antivirus software detection. Often, rootkits are able to subvert antivirus software and even remove or replace it.
Rootkits require administrator privileges to install. Once a rootkit gains administrator privileges, it maintains those privileges to allow subsequent access. Rootkits often replaces operating system files with alternate versions that allow hidden access.
So what benefit does a rootkit provide a cyber criminal? Glad you asked.
[source: wikipedia]
Rootkits:
- Provides an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication andauthorization mechanisms.
- Conceal other malware, notably password-stealing key loggers and computer viruses.
- Appropriate the compromised machine as a zombie computer for attacks on other computers. “Zombie” computers are typically members of large botnets that can launch denial-of-service attacks and distribute e-mail spam. See our previous posts on Zombie computers and Botnets
- Enforcement of digital rights management (DRM).
In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user:
- Conceal cheating in online games from software like Warden.
- Detect attacks.
- Enhance emulation software and security software. Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and SecuROM. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods.
- Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.
- Bypassing Microsoft Product Activation
Detection methods are advanced and consist of behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in a part of the system known as the Kernel. In most cases, reinstallation of the operating system may be the only available fix. Depending on the type of rootkit, such as a firmware rootkit, removal may require hardware replacement or specialized equipment.
As we have said before, the best defense is prevention. Keep your systems updated with the latest patches for all software you run, and ensure you have the latest anti-virus software definition updates. Avoid clicking on links and opening attachments if you did not expect it to be sent.
Stay tuned for our next article where we will cover the LOGIC BOMB. Or, you can subscribe to our newsletter using the form on the top right and have our informative articles delivered to you via email once a week.