Malware Focus: Rootkits
- Published: Wednesday, Aug. 28, 2019
A rootkit is simply a set of tools that can maintain root privileged access to an operating system. BUT if a rootkit is deployed as malware it could carry malicious code to exploit background processes. Once a rootkit is snuggled inside the operating system it can start its attack.
In Windows, the highest privileged mode is the kernel mode. This mode provides a direct link between hardware and software code. Not all processes require full use of processing power so these lower level functions are handled through user mode, with lower privileges.
Rootkits may use several different attack vectors in order to compromise the security of a system. By inserting malicious code into a process, like DLLs (Dynamic Link Libraries) and APIs (Application Programming Interface), the infection can quickly spread and cause its damage with little to no detection by the user.
Not all rootkits are persistent. Some will restrict themselves to the RAM and not attach to the file system. A reboot of the system will purge the rootkit. Initially this sounds ideal. However, the rootkit has likely already spread the malware and a reboot is just the crooks way of removing all the evidence of the intrusion.
Today’s rootkits will inject themselves into signed drivers to avoid detection. One way to help prevent this is to have stricter driver signing requirements. Windows S mode will only allow trusted binaries to be installed on the computer. Windows Defender Device Guard can add further protection. And, of course, user education and security best practices can assist with preventing these types of infections.
Rootkit detection and removal is extremely difficult. If a system is behaving badly you might check the CPU or bandwidth usage for excessive use. Logging can be useful in identifying anomalies in outbound connections.
If you have discovered a rootkit infection immediately take the system offline. Then perform a full system scan. Windows Defender will have an offline scan option so that when you reboot the system it performs a deep scan. Other antivirus software will perform a similar function. The best way to assure that the system is totally clean is to do a complete rebuild.