An idea that sends shivers down your spine: your computer may right now be full of viruses and malware, and may even be connected to a botnet used to carry out large-scale cyberattacks and click fraud. If so, you almost certainly won't notice, because in most cases a rootkit makes the user believe that everything is in order: the rootkit works a bit like an invisibility cloak under which all kinds of criminal activity take place unseen. But if you understand the risk rootkits pose and how they work, you can protect yourself better. Below are the main things to know about rootkits.
What is a Rootkit? Definition
A rootkit is not a single, isolated piece of malware. It is a whole set of malicious programs that have managed to get into your computer by exploiting a security flaw; that flaw gives the attacker remote access, so the rootkit can be controlled remotely as well. One peculiarity of rootkits is that they not only hide themselves but also conceal other malicious programs, making them undetectable to antivirus programs and other security solutions, to the point that the user is unaware they exist.
Depending on the level of the system at which the rootkit is installed, the attacker can gain powerful administrator rights (in this case we speak of a kernel-mode rootkit) and thus unlimited control of the computer.
What is the Difference Between Rootkits and Other Malware?
For obvious reasons, rootkits are also called stealth viruses, although they are not officially classified as viruses. But what exactly sets rootkits apart from other malware?
Viruses: a virus attaches itself to an executable file or program (generally a file with the .exe extension). It can replicate itself, but it cannot spread on its own: for that it needs the help of a person or of other software.
Worms: worms are a sub-category of viruses that can reproduce on their own, using a system's data transfer functions.
Trojans: these are not viruses but malware in the narrower sense, that is, malicious software that masquerades as a useful application. Hackers use Trojans to open back doors into a system.
Rootkits: rootkits are also described as a sub-category of Trojans, and several Trojans share the characteristics of rootkits. The main difference is that rootkits deliberately hide inside the system and help the hacker gain administrator rights.
What Types of Rootkit Are There?
Rootkits are distinguished primarily by the method they use to camouflage malware processes and hacker activity. Most often they are kernel-mode or user-mode rootkits. These particularly dangerous toolkits are constantly being developed further by cybercriminals, and it is increasingly difficult to protect against them.
Kernel-Mode Rootkits
When we talk about rootkits, we usually mean this type. Kernel-mode rootkits slip into the operating system kernel. This zone, also called "ring 0", carries the most privileged access rights: it gives access to all hardware components and allows the system's parameters to be modified. Concretely, if a hacker succeeds in placing a rootkit there, he can take control of the entire system.
Such rootkits replace parts of the kernel with their own code. On Unix-based operating systems this is usually done by means of kernel modules loaded after the fact, hence the term "LKM rootkits" (LKM being short for loadable kernel module). On Windows systems the kernel is usually manipulated directly, by introducing new system drivers into it. Whatever the procedure, the kernel-mode rootkit can exploit its privileged position to feed false information to the antivirus program on the computer. Rootkits of this type are therefore difficult to detect and eliminate. Due to their complexity, they are also quite rare.
User-Mode Rootkits
Unlike kernel-mode rootkits, this type is implemented at the user level of the computer, where all the programs to be run are located. Since this domain is the least privileged level of the CPU (ring 3), user-mode rootkits can give the attacker only restricted access. However, their structure is less complex and they are found more often than kernel-mode rootkits, especially in Windows environments.
User-mode rootkits camouflage themselves by intercepting the exchange of data between the operating system and the security and antivirus programs installed on the computer. To do this, they use DLL injection and API hooking: a specific software library (Dynamic Link Library, abbreviated DLL) is slipped into the data exchange and redirects the functions of certain software interfaces (Application Programming Interfaces, abbreviated API) to the rootkit. In this way the rootkit erases its own traces from process lists, such as the one in the Windows Task Manager.
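The hiding described in the two sections above (process lists filtered by a hooked API, kernel modules concealed by an LKM rootkit) is what defenders counter with a cross-view diff: enumerate the same objects in two independent ways and report whatever the higher-level listing omits. The following Python 3 example for Linux is added here and is not code from the original article or from any tool it names; the /proc and /sys/module probes are real kernel interfaces, while the sample views and the module name hidden_lkm_example are constructed.

```python
import os
def hidden_entries(high_level_view, low_level_view):
    """Items the low-level probe saw but the high-level listing omitted (empty when clean)."""
    return sorted(set(low_level_view) - set(high_level_view))

def parse_proc_modules(text):
    """Module names (first column) from /proc/modules-style text, i.e. what lsmod shows."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]

def pids_from_listing(proc_root="/proc"):
    """High-level view: readdir of /proc, the path ps and task viewers go through."""
    return [int(n) for n in os.listdir(proc_root) if n.isdigit()]

def is_thread(pid):
    """True when /proc/<pid>/status says Tgid != pid: threads answer kill(tid, 0) but are
    never listed in /proc, so they would be false positives. Unreadable status: keep as process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return any(l.startswith("Tgid:") and int(l.split()[1]) != pid for l in f)
    except OSError:
        return False

def pids_from_probe(max_pid=65536):
    """Low-level view: probe every PID with signal 0 (PermissionError still means it exists)."""
    present = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not is_thread(pid):
            present.append(pid)
    return present

def modules_from_sysfs(sys_module="/sys/module"):
    """Low-level view: /sys/module entries with an 'initstate' file, which only loaded modules have."""
    return [n for n in os.listdir(sys_module) if os.path.exists(f"{sys_module}/{n}/initstate")]

# Constructed sample views: a host where one process and one module (placeholder name) are hidden.
SAMPLE_LISTED_PIDS = [1, 2, 734, 1502]
SAMPLE_PROBED_PIDS = [1, 2, 734, 1502, 4242]
SAMPLE_PROC_MODULES = "ext4 737280 1 - Live 0x0000000000000000\nnf_tables 249856 0 - Live 0x0000000000000000\n"
SAMPLE_SYSFS_MODULES = ["ext4", "nf_tables", "hidden_lkm_example"]

def sample_report():
    return {"hidden_pids": hidden_entries(SAMPLE_LISTED_PIDS, SAMPLE_PROBED_PIDS),
            "hidden_modules": hidden_entries(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS_MODULES)}
```

On a live host, feed hidden_entries() with pids_from_listing() and pids_from_probe(), and with parse_proc_modules() applied to the contents of /proc/modules against modules_from_sysfs(); short-lived processes can cause transient differences, so repeat the check and keep only PIDs that show up every time.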
Other Rootkits
In addition to these two types of rootkits, there are others, which present fewer dangers:
Application rootkits: this is the primitive, original form of rootkit. They replace system programs with their own modified versions and are therefore easy to detect, which is why hackers hardly use them anymore.
Memory rootkits: such rootkits exist only in RAM and therefore disappear from the system on each restart.
Identify a Rootkit
Most antivirus programs scan for known rootkits by their signatures and try to identify new ones by looking for characteristic behaviour, such as file deletion. The problem: unless you are dealing with a badly programmed kernel-mode rootkit that causes repeated blue screens and catches your eye, most rootkits let nothing of their presence in your system leak out.
As rootkits are programmed ever more sophisticatedly, finding them becomes harder and harder. However, there are technical tools designed specifically to go after rootkits: rootkit scanners. This function is built into several security solutions, but it also exists in the form of dedicated programs, such as Sophos Anti-Rootkit and Bitdefender Rootkit Remover, both available free of charge.
Such a rootkit scan can also be performed from a boot CD. The CD starts your computer without using the installed operating system, so the rootkit remains inactive, which may allow an antivirus on the CD to detect it.
Remove a Rootkit
Unfortunately, there is no 100% reliable way to remove a rootkit from your computer. Even professional antivirus products like AntiVir, Protegent, and Microsoft's miss several rootkits, if many test reports are to be believed. According to some trade magazines, it is better to combine three of these programs.
And even this method is not always effective against rootkits hidden deep in the BIOS. Often only one solution remains: completely format the hard drive and reinstall the operating system to finally eradicate this malicious and stubborn tool.