Last updated on September 20th, 2024 at 11:21 pm
Have you heard of rootkits before, but are still not sure what they are? Rootkits are one of the most dangerous kinds of malware out there, and if you are not careful, you might not notice that one has already infiltrated your computer. In this guide, you will find out what rootkits are, and how to detect and prevent them.
What Are Rootkits?
A rootkit is a type of malware that gives attackers unauthorized, full control over a specific computer. Once installed, a rootkit can conceal its own presence or the presence of another piece of malware, so that the malware can carry out its tasks undisturbed.
While the majority of rootkits target the software and operating system, some are able to infect the hardware and firmware of your computer. Rootkits allow cyber criminals to steal data, execute commands, and maintain persistent access without being detected.
Where Did The Name Rootkit Come From?
The name rootkit comes from the concept of root access in the Unix/Linux operating systems. Root is the root user, the account with the most extensive permissions on the machine. Kit refers to the set of tools that provides that access. Together, the words describe severely damaging software that lets a cyber criminal gain remote and permanent access to the infected PC and install other tools on it.
How Do Rootkits Work?
Rootkits on Windows usually operate within the kernel of the operating system, which gives them the ability to issue commands to the computer at the most privileged level. Anything that runs an operating system can be infiltrated by a rootkit – even smart appliances such as your fridge or thermostat.
Rootkits are capable of doing many things, such as:
- Hide processes
- Hide files and their contents
- Hide registry keys and their contents
- Hide open ports and communication channels
- Capture keyboard strokes (keylogger)
Rootkits can also allow hackers to use your computer to launch DDoS (Distributed Denial-of-Service) attacks or send spam email. Some rootkits are used for safe and genuine purposes – such as providing remote IT support. But for the most part, they are used for malicious purposes.
History Of Rootkits
Even though the name rootkit was derived from UNIX/Linux, rootkits directly descended from DOS stealth viruses. First appearing in 1990, DOS stealth viruses were able to hide themselves from the user without the user's knowledge. This was different from UNIX/Linux rootkits, which required root privileges to gain access to the system and hide their presence.
In 1995, Jeffrey Richter, a well-known Windows developer, revealed techniques for intercepting system calls in user mode in his famous books Advanced Windows and Programming Applications for Microsoft Windows. These techniques were used in many rootkits, some going as far as copying the source code directly from the book. In the late 1990s, NTRootkit, the first known Windows rootkit, was created.
Designed by security researcher Greg Hoglund, NTRootkit was a proof of concept, built to see what these programs were capable of on Windows systems. Rather than calling them Windows stealth viruses, Greg decided to name them rootkits. To this day, NTRootkit continues to inspire researchers and rootkit developers.
Rootkit Timeline
Soon after NTRootkit was released, many other rootkits followed.
| Year | Rootkit | Description |
| --- | --- | --- |
| 2000 | He4Hook | He4Hook was developed by a Russian programmer. While not malicious, this kernel rootkit was able to hide files. |
| 2002 | Hacker Defender (HacDef) | This powerful tool hid not just files, but also directories and registry keys. By 2005, the vast majority of rootkits were based on HacDef. |
| 2003 | Vanquish | This rootkit could hide files, folders, and registry entries from view. It also contained a harmful component that could record user passwords. |
| 2005 | Sony | Used to prevent CD ripping, this controversial rootkit slowed down PC performance, spied on users, and could even damage a PC if it was removed. Due to the controversy, Sony was forced to settle many lawsuits. |
| 2010 | Stuxnet | One of the most notorious rootkits in history, Stuxnet was able to crash many computers in Iran, causing substantial damage to its nuclear program. |
| 2011 | ZeroAccess | This rootkit downloads and installs additional malware onto the PC, which can make the PC join a worldwide botnet used to carry out cyberattacks. |
| 2012 | Flame | Primarily used for cyber espionage in the Middle East, this rootkit was able to monitor traffic, capture screenshots and audio, and log keystrokes. |
| 2014 | Kronos | This rootkit steals private banking information using a combination of keylogging and web injection. It was distributed as part of a phishing campaign. |
| 2018 | Moriya | Part of the threat campaign TunnelSnake, the rootkit Moriya allows hackers to intercept network traffic and secretly control an organization's network. |
Types Of Rootkits
These are some of the most common rootkits that can infect your PC:
Firmware/Hardware Rootkits: These rootkits target the hardware or firmware of your device to install malware that is almost impossible to detect. They can affect your router, storage drive, or system BIOS, which makes this type of rootkit very damaging.
Bootloader Rootkits: Bootloader rootkits target the storage drive's MBR (Master Boot Record) by replacing the legitimate bootloader with their own, which gives the rootkit full control over the operating system before it even starts.
Application Rootkits: These rootkits replace legitimate application files on a computer with malicious rootkit files, which greatly affects the behaviour and performance of the targeted program. When the user runs one of these infected applications, the cyber criminal gains full control of the computer.
Memory Rootkits: These rootkits live only in a machine's RAM, and can drastically reduce performance by consuming many resources. Even though memory rootkits disappear after a short period, they can carry out severely harmful activity while they are active.
Kernel Rootkits: Kernel rootkits are the most dangerous rootkits in the world because they have unrestricted access to all of your computer's resources. As these rootkits target the fundamental components of your operating system, they can modify your system's configuration and operating system settings. Kernel rootkits are the most difficult to detect, which makes removing them very challenging once they have infiltrated your computer.
How To Detect Rootkits
Rootkits are challenging to spot because of the way they hide from most antivirus programs. A rootkit can remain on a computer for many months after it is installed. Here are some of the usual signs that you have a rootkit on your PC:
- Slow PC Performance
- Blue Screen Of Death (BSOD)
- Windows Settings Being Changed Unexpectedly
- Strange Internet Browser Behavior
The rootkit will remain stealthily hidden until the user takes a specific action, such as running a rootkit scan with a trusted antivirus like Bitdefender.
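One concrete technique that follows from the capabilities listed above is a cross-view comparison: because a rootkit that hides processes must lie to the listing that tools such as `ps` rely on, you enumerate processes two independent ways and flag anything that appears in one view but not the other. The Python script below is an added example written for this guide, not code from the original article or from any product it mentions. It assumes a Linux host where a directory listing of `/proc` is the first view and `os.kill(pid, 0)` (which delivers no signal, only an existence check) is the second; the names `hidden_pids`, `tgid_from_proc` and `scan` are ours, and the sample listing at the bottom is constructed data, not a real system snapshot.

```python
"""Cross-view detection of hidden processes (added example; Linux only)."""
import os
from typing import Callable, Iterable, Set


def hidden_pids(visible: Iterable[int], alive: Iterable[int],
                tgid_of: Callable[[int], int] = lambda pid: pid) -> Set[int]:
    """Return IDs that are alive but absent from the listing.

    `visible` is what a directory listing of /proc shows (the source `ps`
    relies on); `alive` is what probing each PID reports. A process that
    answers a probe but is missing from the listing is exactly what a
    process-hiding rootkit produces. On Linux, probing also answers for thread
    IDs, which are never listed in /proc, so `tgid_of` maps an ID to its
    thread-group leader and IDs that are not their own leader are discarded as
    ordinary threads rather than reported as hidden processes.
    """
    visible = set(visible)
    return {pid for pid in alive if pid not in visible and tgid_of(pid) == pid}


def tgid_from_proc(pid: int, proc_root: str = "/proc") -> int:
    """Thread-group ID of `pid`, read from /proc/<pid>/status.

    If the status file cannot be read (directory hidden, or the task already
    exited), treat the ID as its own leader so it stays a candidate.
    """
    try:
        with open(f"{proc_root}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid


def visible_pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """View 1: the PIDs a directory listing of /proc reveals."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def alive_pids_by_probe(max_pid: int) -> Set[int]:
    """View 2: probe every PID with signal 0. No signal is delivered; the kernel
    only reports whether the target exists, and EPERM still means it exists."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but is owned by another user
        alive.add(pid)
    return alive


def scan(proc_root: str = "/proc") -> Set[int]:
    """Run the cross-view check twice and keep only IDs flagged both times, so
    processes that started or exited between the two views are not reported."""
    if os.name != "posix":
        raise RuntimeError("this probe relies on POSIX kill(pid, 0) semantics")
    with open(f"{proc_root}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    flagged = None
    for _ in range(2):
        alive = alive_pids_by_probe(max_pid)
        visible = visible_pids_from_proc(proc_root)
        found = hidden_pids(visible, alive, lambda p: tgid_from_proc(p, proc_root))
        flagged = found if flagged is None else flagged & found
    return flagged


# Constructed sample (not real system data): PID 4242 is alive but unlisted,
# and 4243 is one of its threads, which a naive probe would also report.
SAMPLE_LISTING = {1, 2, 100, 101}
SAMPLE_PROBE = {1, 2, 100, 101, 4242, 4243}
SAMPLE_TGIDS = {4243: 4242}  # every other ID is its own thread-group leader


def demo() -> Set[int]:
    """Cross-view result on the constructed sample: only 4242 is flagged."""
    return hidden_pids(SAMPLE_LISTING, SAMPLE_PROBE,
                       lambda p: SAMPLE_TGIDS.get(p, p))


if __name__ == "__main__":
    print("sample:", demo())
    print("live:", scan())
```

A hit from this check is a lead, not proof: a kernel rootkit that hooks both the directory listing and the signal path will look clean to it, which is why an offline scan from trusted boot media or a dedicated anti-rootkit scanner remains the stronger check. The two-pass intersection in `scan` exists because processes legitimately start and exit between the two views, and without it a busy system produces spurious "hidden" results.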
How Do You Prevent Rootkits?
Because of the severe impact rootkits can have on your computer, it is important to remain vigilant and practice good security habits. Your programs and OS must stay up-to-date to avoid any vulnerabilities that rootkits can take advantage of. Pay close attention to any files you download, and make sure those files come from trusted sources.
If you notice strange slowdowns on your PC, don’t ignore them. If you think something suspicious is happening, there’s a chance your instinct is correct. Carefully inspect your inbound emails to avoid any potential phishing attacks, especially if you’re not sure who the sender is.
When a rootkit has infected your computer, the most proven way to remove it and restore it to its initial state is to run a rootkit scan with a high-quality antivirus such as Bitdefender Total Security.
Bitdefender Total Security is the top-rated antivirus software you can get. It consistently achieves excellent results in independent lab tests, is cheaper than some of its competitors, and comes with useful security features. Bitdefender offers broad protection against online threats, including antivirus, a firewall, and ransomware protection. It also safeguards against brute-force attacks, malicious links, and dangerous attachments.