What is a Rootkit?

What Is a Rootkit?
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a compound of the two words "root" and "kit." Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the administrator account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms and viruses – that conceals its existence and actions from users and other system processes.
What Can a Rootkit Do?
A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.
Types of rootkits
1. Hardware or firmware rootkit
The name of this type of rootkit comes from where it is installed on your computer. This type of malware could infect your computer's hard drive or its system BIOS, the software that is installed on a small memory chip on your computer's motherboard. It can even infect your router. Hackers can use these rootkits to intercept data written to the disk.
2. Bootloader rootkit
Your computer's bootloader is an important tool. It loads your computer's operating system when you turn the machine on. A bootloader rootkit, then, attacks this system, replacing your computer's legitimate bootloader with a hacked one. This means that this rootkit is activated even before your computer's operating system loads.
3. Memory rootkit
This type of rootkit hides in your computer’s RAM, or Random Access Memory. These rootkits will carry out harmful activities in the background. The good news? These rootkits have a short lifespan. They only live in your computer’s RAM and will disappear once you reboot your system — though sometimes further work is required to get rid of them.
4. Application rootkit
Application rootkits replace standard files in your computer with rootkit files. They might also change the way standard applications work. These rootkits might infect programs such as Word, Paint, or Notepad. Every time you run these programs, you will give hackers access to your computer. The challenge here is that the infected programs will still run normally, making it difficult for users to detect the rootkit.
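Because an application rootkit works by swapping or patching program files while the programs keep behaving normally, the standard defensive check is a file-integrity baseline: record a cryptographic hash of every file when the system is known to be clean, then compare later. The script below is an added example, not code from the original article; it builds such a baseline with SHA-256 over a directory tree and reports modified, missing and added files. The `demo()` function uses a constructed temporary directory with made-up file names (`notepad.bin`, `paint.bin`, `hook.dll`) to stand in for application files; nothing in it refers to real system paths.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a relative path) to its SHA-256.
    Symlinks are skipped so a link cannot be used to point the check elsewhere."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = sha256_of(p)
    return baseline


def verify(root, baseline):
    """Compare the current tree against a saved baseline.

    Returns the relative paths that were modified (hash changed), missing
    (in the baseline but gone now) and added (present now but not in the
    baseline). Each list is sorted so the output is stable.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario (hypothetical files, not a real install):
    take a baseline, then simulate one program file being replaced and a
    helper component being dropped next to it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notepad.bin").write_bytes(b"original notepad code")
        (root / "paint.bin").write_bytes(b"original paint code")
        baseline = build_baseline(root)
        (root / "notepad.bin").write_bytes(b"replaced notepad code")
        (root / "hook.dll").write_bytes(b"dropped component")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The baseline must be stored somewhere the compromised machine cannot rewrite (read-only media or another host), and the comparison should be run from a clean boot environment: a kernel-mode rootkit can hook file reads so that an on-line hash check is shown the original bytes while the modified program still executes.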
5. Kernel mode rootkits
These rootkits target the core of your computer’s operating system. Cybercriminals can use these to change how your operating system functions. They just need to add their own code to it. This can give them easy access to your computer and make it easy for them to steal your personal information.
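Since a kernel-mode rootkit alters how the operating system itself answers questions, a defender cannot trust any single view of the system. A common detection approach is the cross-view comparison: collect the same information two independent ways and flag disagreements. The script below is an added illustration, not code from the original article, and it applies that idea to process hiding on Linux. The listing view reads `/proc` (which tools such as `ps` rely on); the probing view asks the kernel about every possible PID directly with `os.kill(pid, 0)`. A PID that the kernel confirms but that never appears in `/proc` is worth investigating. The function and variable names are my own; the `/proc` paths and the signal-0 behaviour are standard Linux.

```python
import os
import sys


def hidden_pids(visible, probed):
    """Cross-view difference: identifiers the probing view confirmed that
    the listing view never showed. Pure function, so it is easy to test."""
    return sorted(set(probed) - set(visible))


def pids_from_proc():
    """Listing view: every numeric entry in /proc plus every thread under
    /proc/<pid>/task. Threads are included because kill() accepts a thread
    id, and leaving them out would produce false positives."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited between the two reads
    return ids


def pids_by_probe(max_pid):
    """Probing view: signal 0 delivers nothing but still makes the kernel
    look the PID up. ProcessLookupError means it does not exist;
    PermissionError means it exists but belongs to another user."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def read_pid_max(default=32768):
    """Upper bound for the probe; falls back to the historical default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


def scan(rounds=2):
    """Repeat the comparison and keep only PIDs flagged in every round,
    so short-lived processes created between the two views are not
    reported as hidden. Returns a sorted list of suspect PIDs."""
    flagged = None
    for _ in range(rounds):
        suspects = set(hidden_pids(pids_from_proc(), pids_by_probe(read_pid_max())))
        flagged = suspects if flagged is None else flagged & suspects
    return sorted(flagged)


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("this cross-view check uses /proc and is Linux-only")
    print("PIDs confirmed by the kernel but absent from /proc:", scan())
```

An empty result is the normal case and is only as good as the two views are independent: a rootkit that hooks both the `/proc` directory listing and the `kill` system call will hide from this check too, which is why such comparisons are usually run from a trusted boot medium or compared against an out-of-band memory image rather than trusted on their own.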
How to remove rootkit malware
To clean up rootkits, you have several options. You can run the Windows Defender offline scan from inside Windows 10. Go to the Windows Defender Security Center, open Advanced scans and select the radio button to enable the Windows Defender offline scan. When you reboot, the system starts into a clean Windows PE environment instead of the installed operating system and scans the hard drive from there, so a rootkit that hides itself while Windows is running cannot interfere with the scan.
Firmware rootkits require a different approach
Rootkits embedded in a device's firmware can be more difficult to recover from and clean up. Unified Extensible Firmware Interface (UEFI) rootkits are among the scariest of this type. In September 2018, a UEFI rootkit attributed to APT28 became the first found in the wild. The rootkit was written into the device's Serial Peripheral Interface (SPI) flash memory, which gave it persistence against both reinstallation of the operating system and replacement of the hard drive.
Remember that rootkits are not just for Windows devices. They can be introduced into internet of things (IoT) devices as well. If you suspect a device has been compromised, reset it to factory defaults, then ensure its firmware is up to date. Last but not least, reset the password of the account used to manage the device.
Read more at Woods LLP