Monday, November 7, 2016

What is a Rootkit and how to detect and remove it?





What is a Rootkit?


A rootkit is a collection of programs that gives attackers administrator-level access to a computer while concealing that access. The term "rootkit" is derived from the two words "root" (the administrator account on Unix-like systems) and "kit" (the set of tools), hence the name.

Attackers install a rootkit to mask the intrusion and continue their malicious activities stealthily: the rootkit hides the intruder's files, processes and network connections from the operating system's own tools, which makes it considerably harder to detect and remove.

Attackers usually first obtain user-level access to a computer through a security vulnerability or by guessing or stealing weak credentials, and then gain administrator privileges by exploiting further vulnerabilities or misconfigurations. Installing a rootkit normally requires those elevated privileges.


Purpose of a Rootkit


A rootkit can be installed on a system for several purposes:

  • It can install spyware to secretly spy on the users and steal sensitive data.
  • It can install a keylogger to log a user's keystrokes and steal credentials.
  • It can install a backdoor to give the attackers full remote access to the system.
  • It can alter or delete system logs to remain as stealthy as possible, and serve as a base from which to infect other systems on the network with malware.


Types of Rootkits


Rootkits are commonly classified by where they run:


User-mode Rootkit


User-mode rootkits run as ordinary programs, usually with administrative privileges, and hide by hooking or replacing the user-space libraries and utilities that other programs rely on: for example, a replaced `ls`, `ps` or `netstat` binary, or a library injected into every process that filters the results of directory and process listings. In this way they can alter security settings and hide processes, files, disk areas, network ports and even system services, and they can arrange to be launched automatically at system start. But, because user-mode rootkits do not alter the operating system kernel, the kernel's own view of the system stays honest, and a tool that compares what the kernel reports against what the hooked libraries report will see the discrepancy. They are therefore less stealthy and comparatively easier to detect and remove.


Kernel-mode Rootkit


Kernel-mode rootkits are extremely stealthy and can be very difficult to detect and remove. They modify the operating system kernel itself, typically by loading a malicious driver or kernel module or by patching kernel data structures such as the system call table or the process list. As a result, the kernel can no longer be trusted: every file listing, process list and network table the kernel hands to a security tool may already have been filtered by the rootkit. Detection therefore has to rely on something the rootkit does not control, such as scanning the disk from a clean boot medium, comparing the kernel's answers against raw reads of the disk or memory, or checking the loaded modules and the system call table against known-good values.

Hybrid Rootkit


A hybrid rootkit combines user-mode and kernel-mode components. Attackers use them widely to infect systems covertly, and they are the most common type of rootkit.

Firmware Rootkit


Firmware rootkits hide in system firmware (for example the BIOS or UEFI firmware, or the firmware of a device such as a network card or disk controller), which survives a shutdown because it is stored in non-volatile memory outside the operating system's disks. When the system restarts, the firmware runs before the operating system and reinstalls the rootkit. This type of rootkit is very difficult to remove: if a removal program finds and deletes the rootkit's operating system components without also cleaning the firmware, the rootkit simply reinstalls itself on the next boot. Removal requires reflashing the affected firmware with a known-good image; reinstalling the operating system alone is not enough.


Symptoms of Rootkit Infection


As discussed earlier, rootkits are designed to avoid detection, so a well-written one may show no symptoms at all. But there are a number of symptoms which may indicate a rootkit infection:

  • The computer stops responding to mouse or keyboard input and locks up often.
  • System settings change without the user's knowledge; for example, the screensaver changes or the taskbar hides itself.
  • Network access becomes very slow for no other known reason. This may indicate that data is being exfiltrated from the system to the attackers.
  • Two views of the same thing disagree. For example, a firewall or another host on the network sees connections from the suspect machine that `netstat` on that machine does not list, or an offline scan of the disk finds files that the running system does not show.


Detection and Removal of Rootkits


A number of security tools can detect and remove many known rootkits when used according to their instructions. Some such rootkit detection and removal tools are:

  • F-Secure Blacklight
  • RootkitRevealer
  • Windows Malicious Software Removal Tool
  • ProcessGuard
  • Rootkit Hunter
  • Sophos Anti-Rootkit
  • Rootkit Hook Analyzer
  • VICE
  • RAIDE
  • chkrootkit


Rootkit Hunter and chkrootkit are for Linux and other Unix-like systems; the rest of the list targets Windows.

While removing a rootkit from a system, read the current instructions of the detection and removal tool and follow the steps required before, during and after the removal. Because a running compromised kernel can lie to any tool that runs on top of it, prefer to scan from a clean boot medium where the tool supports it. Once the rootkit is removed, restart the system and scan again to make sure it has not reinstalled itself. And if nothing works, repartition, reformat and reinstall the system. It is painful, but it works, with two caveats: a firmware rootkit survives a reinstall until the firmware itself is reflashed, and since the attacker had administrator access, every credential used on the machine should be treated as stolen and changed after the rebuild.
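The cross-view idea behind the user-mode rootkit section and behind tools such as RootkitRevealer, as an added example that is not part of the original post or of any tool it lists: a user-mode rootkit that hooks the process enumeration API (the `readdir()` behind `ls /proc` and `ps`) is caught by obtaining a second view of the same data through a path the hook does not cover, here a direct `kill(pid, 0)` probe of every possible PID. The hooked enumerator, the sample PID sets and the PID value 1337 are constructed for the demonstration; the live-scan helpers assume a Linux host with `/proc`.

```python
"""Cross-view detection of hidden processes (added example, Linux-oriented)."""
import os
from typing import Callable, Iterable, Optional, Set

PID_MAX_FALLBACK = 32768  # assumed default when /proc/sys/kernel/pid_max is unreadable


def find_hidden(enumerated: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Core cross-view check: PIDs the direct probe reached but the
    enumeration API never reported."""
    return set(probed) - set(enumerated)


def make_hooked_enumerator(real: Callable[[], Set[int]],
                           hidden: Set[int]) -> Callable[[], Set[int]]:
    """Constructed stand-in for a user-mode hook: call the real enumeration,
    then filter out the rootkit's own PIDs before returning the result."""
    def hooked() -> Set[int]:
        return real() - hidden
    return hooked


# Constructed sample data: what a direct PID probe found, and which PID the
# simulated rootkit wants to hide.
SAMPLE_PROBED = {1, 2, 437, 901, 1337, 2048}
ROOTKIT_PIDS = {1337}


def demo() -> Set[int]:
    """Run the check against the constructed data; the hidden PID is reported."""
    clean_enumerator = lambda: set(SAMPLE_PROBED)
    hooked_enumerator = make_hooked_enumerator(clean_enumerator, ROOTKIT_PIDS)
    return find_hidden(hooked_enumerator(), SAMPLE_PROBED)


# --- live-system helpers (Linux only; not exercised by the constructed demo) ---

def enumerate_pids_via_proc() -> Set[int]:
    """View 1: whatever a directory listing of /proc reports.
    This is the path a user-mode rootkit typically hooks."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids() -> Set[int]:
    """View 2: ask the kernel about every possible PID directly.
    os.kill(pid, 0) delivers no signal; it only reports whether the PID exists
    (PermissionError means it exists but belongs to another user)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = PID_MAX_FALLBACK
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def thread_group_leader(pid: int) -> Optional[int]:
    """Tgid from /proc/<pid>/status, or None if it cannot be read.
    kill(tid, 0) also succeeds for thread IDs, which readdir on /proc never
    lists, so every non-leader thread would otherwise look like a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def scan_live_system() -> Set[int]:
    """Cross-view scan of the running host. Processes start and exit while the
    scan runs, so a candidate is reported only if it is still alive, is not a
    thread of a visible process, and is still missing from a fresh /proc listing."""
    before = enumerate_pids_via_proc()
    probed = probe_pids()
    after = enumerate_pids_via_proc()
    confirmed = set()
    for pid in find_hidden(before | after, probed):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # it simply exited between the two snapshots: not hidden
        except PermissionError:
            pass
        tgid = thread_group_leader(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread, not a process; /proc never lists these
        if pid not in enumerate_pids_via_proc():
            confirmed.add(pid)  # unreadable status is kept: still suspicious
    return confirmed


if __name__ == "__main__":
    print("hidden in constructed demo:", demo())
    if os.path.isdir("/proc"):
        print("hidden on this host:", scan_live_system() or "none")
```

The check catches a hook on the enumeration path because the probe path is independent of it. It does not catch a kernel-mode rootkit that filters the process table itself, since that lies to both views; that is exactly why the kernel-mode section above points to offline scans and raw-disk or raw-memory comparisons instead.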
