Short on time? Here’s how to stay protected against rootkits in 2023:
Hypervisors, MBRs, and memory dump analysis are pretty complicated, but fortunately, there are a few simple things you can do to keep your devices rootkit-free in 2023:
Rootkits are dangerous malware files that embed themselves deep into operating systems, applications, firmware, and bootloaders, making fundamental changes to user devices while being able to hide from traditional malware scanning techniques.
Most malware files (like viruses, trojans, worms, ransomware) run as executable program files on your device — the operating system recognizes them as program files, and a malware scanner can analyze the behavior of these files by scanning running processes, system files, program files, and saved data on your disk.
But a rootkit is buried deep into the operating system, effectively tricking a malware scanner into thinking that the rootkit is part of the system itself. Because of the rootkit’s privileged access, your OS won’t know that the rootkit is there, and your antivirus program may not be able to detect the infection, making it very difficult to identify and remove.
Some rootkits can be removed with a reboot of your device, while others can’t be removed even by completely reformatting your hard drive. Rootkits can be used for a variety of purposes, including cryptojacking, identity theft, and network and device sabotage.
Different Types of Rootkits
There are many different types of rootkits, but all rootkits have one thing in common — they are able to mask their activity on a user’s device, usually by subverting the device’s built-in security and analysis tools. Here are the most well-known types of rootkits, as well as a few famous examples from the last 20 years.
Kernel-Mode Rootkits
The kernel is the central part of an operating system — it’s like the brain stem or limbic system of your computer. The kernel’s code and memory usage are completely separated from the “user space”, which is the code and disk space dedicated to user applications, processes, programs, and files. The OS is segmented into kernel and user spaces so that user errors and bugs can’t affect the OS as a whole.
Kernel-mode rootkits take advantage of this segmentation by fooling the OS into thinking that the rootkit is a part of the kernel — this is how they’re able to avoid all of the scanning, indexing, and diagnostics tools that an antivirus would use. These types of rootkits can make changes to software and hardware, download and install other malware, give hackers access to user data, and even allow hackers to hijack your device remotely. Kernel rootkits can even create storage caches on your hard drive that are completely hidden from your OS.
One of the more notable kernel-mode rootkits is the ZeroAccess rootkit. This rootkit finds its way onto user devices through a trojan malware installation — once a user is deceived into running the trojan, ZeroAccess hides itself at the kernel level of the user’s device and begins diverting CPU resources, incorporating the infected device into a massive botnet. At its peak, there were several million computers in the ZeroAccess botnet, being used for tasks that require massive computational power, such as mining Bitcoin, launching DDoS attacks, or boosting clicks on pay-per-click advertisements.
The ZeroAccess rootkit is still out there. If your system is infected, ZeroAccess will significantly slow down your computer, drain your battery, and turn your computer into a tool for international cybercriminals.
User-Mode or Application Rootkits
User-mode rootkits run in the “user space”. User-mode rootkits intercept and modify the behavior of executable files, such as program files and applications. While they’re not as hard to detect and destroy as kernel-mode rootkits, hackers can still use user-mode rootkits to deploy malware, manipulate your files and applications, and access your data.
For Windows, most user-mode rootkits are able to infiltrate trusted programs through a process called DLL injection. DLL (dynamic link library) files are shared code libraries that provide functions multiple programs can take advantage of, like allowing your browser, word processor, or Adobe suite to access your printer through the same driver. By using DLL injection, the rootkit deceives both the program and your operating system by “hooking” into a legitimate DLL. For example, if a rootkit injects itself into your printer’s DLL, your computer will allow the rootkit to act because it has already given your printer driver permission to make changes on your device. Your computer is deceived into thinking that the rootkit is a printer driver.
The most famous user-mode rootkit in recent memory is the Zacinlo rootkit. This adware-based rootkit hides itself in the user’s System32 directory and is used to screenshot user devices, send information to its control center, and insert ad content into the user’s browser. It uses a fake driver registry code to deceive Windows 10 computers, and it’s frequently able to redirect antivirus scanners in order to protect its adware payload.
Bootloader Rootkits (Bootkits)
Bootloader rootkits (bootkits) are a kernel-mode rootkit variant that infects the Master Boot Record (MBR). The MBR is the first sector of the computer’s hard drive. When you boot up your computer, before the operating system starts running, the MBR tells your computer how the hard drive is partitioned and how to load the operating system.
In simple terms, a bootkit loads before the operating system and gives hackers the ability to replace your computer’s legitimate boot loader with one that is under their control.
Even if you uninstall your operating system completely and reinstall it, a bootloader rootkit infection will persist on your device, and trying to remove one can even cause damage to your MBR. Fortunately, Windows 8 and 10’s Secure Boot feature as well as industry-wide standards for authenticating firmware are now able to prevent bootkits (although a 2020 study by Kaspersky Labs discovered a bootkit that was able to bypass these security measures, which could indicate significant developments in bootkit technology in the coming years).
Firmware or Hardware Rootkits
Firmware rootkits are very similar to bootkits, but they’re designed to infect the BIOS and UEFI chips, which run the most basic processes of a computer. These rootkits can be installed in a router, hard drive, or network card, and they affect an even more basic part of the device than kernel rootkits. They can even survive a complete reformatting of the disk.
One of the most famous hardware rootkit attacks occurred in 2008, when hackers installed rootkits in credit card readers that were shipped from a factory in China to stores across Europe. The rootkits automatically sent all of the credit card information they scanned to hackers in Pakistan, with several hundred million dollars estimated to have been stolen in the attack.
Firmware rootkits are extremely difficult to remove, and it’s unlikely that even an experienced tech user can disinfect a firmware infection. Bitdefender and Kaspersky both offer rootkit removal software, but if you think that you have a rootkit in your device’s firmware (or any of your IoT (Internet of Things) devices), you should probably get help from a competent IT professional in your area to ensure its removal.
Virtual or Hypervisor Rootkits
A hypervisor, also known as a virtual machine monitor (VMM), is a tool for managing virtual machines (VMs). VMs are sandboxed operating systems that are hosted on your disk but behave as separate computers. For example, many Linux users run separate virtual machines for Windows and Mac on their Linux computers, and cybersecurity researchers can run malware tests on a virtual machine without worrying about malware infecting their operating system.
The hypervisor has absolute authority over all of the VMs it’s managing — it can intercept traffic, block or alter incoming and outgoing information, shut the system down, and/or erase all associated data. Hypervisors are a necessary tool for users working with VMs, as these users need a higher-level functionality in order to manage multiple VMs on a single device.
Hypervisor rootkits exploit this functionality, running the user’s operating system as a virtual machine with the rootkit as its hypervisor. The hypervisor boots before the OS, and with its hypervisor privileges it can block or alter any action the OS takes.
The most famous hypervisor rootkit is known as BluePill, which was designed in 2006 by a cybersecurity researcher in Singapore. BluePill is able to install itself as the system hypervisor and make changes without the operating system’s knowledge. However, hypervisor rootkits have not been deployed as malware (yet) and still exist solely as research projects for cybersecurity teams.
How Does a Rootkit Infect a Computer?
Rootkits can be installed on a device in a few different ways, such as:
- Deceptive downloads. Most malware infections occur when users download and run files from untrustworthy sources. Rootkits can be bundled with pirated media or software, or they can be attachments sent from spoofed email addresses designed to trick users into thinking they’re downloading files from a trusted source.
- Phishing sites. Phishing sites are fake websites that mimic legitimate web pages in order to steal user information or convince them to download malware files, including rootkits.
- Drive-by downloads. By exploiting browser vulnerabilities (especially out-of-date browsers and plugins), hackers can actually force malware onto your device.
- Exploit attacks. Exploits take advantage of software vulnerabilities in your browser, operating system, or any internet-connected application, allowing hackers to access your device.
- Physical tampering. Hardware rootkits have to be installed by hand, either by hackers intercepting devices before they hit stores or by tampering with used and stolen devices.
Like all software, a rootkit starts out as an executable file. Once a rootkit is executed on your device, it deceives your system in a variety of ways. User-mode rootkits use DLL injection, while hypervisor rootkits virtualize your OS and kernel rootkits embed themselves in the kernel space, convincing your operating system that the rootkit is a legitimate system process.
No matter which part of your system a rootkit infects, a rootkit attack always starts by “hooking” the rootkit to a legitimate system process and then convincing that process that the rootkit is supposed to be there.
How to Detect a Rootkit
Rootkit detection and removal is extremely difficult, and in some cases, it can be practically impossible without advanced anti-rootkit detection equipment. This is because, once installed, a rootkit takes measures to ensure its survival by concealing its presence within the host system. Rootkits can evade standard operating system tools used for scanning and monitoring, and they can subvert the anti-malware software that is intended to find them. A device that is compromised might not be able to find unauthorized modifications to itself or its components.
Because of these technical complications, rootkit detection can take a number of different approaches, including:
Looking for Bugs and Glitches
Rootkits embed themselves in system processes, intercepting and sometimes altering the activities of those processes. Because of this, rootkits are frequently unstable, causing noticeable computer issues like system slowdown, software crashes, slow boot sequences, and even the notorious “Blue Screen of Death”. If your device is used as a part of a botnet, you will notice significant CPU usage even without running any applications, as well as rapid battery drain and even device overheating. Basically, if your computer is suddenly breaking down, you need to investigate further for malware infection, including rootkits.
Installing Antivirus Software
Advanced antivirus suites come with proprietary rootkit scanning tools (one of my favorites for rootkit detection is Bitdefender). First, these scanners compare your files to a database of known malware — this can help find a rootkit before it has embedded itself in your device, but not once it gains root access.
Next, scanners use behavior analysis to determine if any of your files are performing unusual activity on your disk. This can be particularly effective for detecting user-mode rootkits, which hook themselves to trustworthy application files. Bitdefender also offers a special Rescue Mode, which reboots your system and runs before your operating system boots in order to detect kernel-mode rootkits.
Using an Alternative Trusted Medium
An alternative trusted medium is another device (it can be another computer or a USB flash drive) that can be used to scan an infected device. Because the computer boots from the trusted medium instead of the infected disk, the rootkit’s hooks never load, and it cannot use the infected device’s operating system to conceal its presence. Panda Dome includes a USB-bootable Rescue Kit that can scan your PC during the boot sequence.
Analyzing Memory Dump
Memory dumps are a copy of the contents of the computer’s volatile memory (random access memory). Volatile data is the data stored in temporary memory on a computer while it’s running, and it is lost when the machine powers off. Memory dumps therefore capture the state of the device before an incident such as a crash or security compromise happened. Memory dump analysis can reveal unique data such as network connections, account credentials, chat messages, running processes, injected code fragments, internet history, and other key details that can be used to identify a rootkit attack. Memory dump analysis is pretty complicated, and it shouldn’t be performed by unskilled users.
Running an Integrity Check
Most files have a digital signature that is created by a legitimate publisher — this is essentially an ID or passport that allows an application to make specific changes to your system.
User-mode rootkits, which depend on DLL-injection, can perform all sorts of activity on your system while pretending to be legitimate software, but a close analysis of the hacked application’s signature and behavior can reveal whether it is behaving normally or not. Windows 10 has built-in integrity checks that occur periodically during boot and run-time, and some dedicated rootkit scanners like McAfee’s RootkitRemover perform integrity checks as well.
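A simple illustration of the integrity-check idea described above, as an added example (this is not code from the original page or from any vendor tool it names): hash a directory tree once from a known-clean state, then compare a later scan to spot files that were patched or dropped. The file names in the demo are constructed; the baseline should be taken while booted from a trusted medium and kept off the monitored machine.

```python
# Added example (not from the original page or any vendor tool it names):
# a file-integrity baseline checker. Hash a directory tree from a known-clean
# state, then compare a later scan to spot files a rootkit has patched or added.
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # a symlink could be redirected at a clean copy of the file
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as JSON; store this copy off the monitored machine."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def demo() -> dict:
    """Constructed scenario: a 'printer driver' DLL is patched after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "printer.dll").write_bytes(b"legit driver code")
        (root / "app.exe").write_bytes(b"legit application")
        baseline = build_baseline(root)
        # simulate tampering: the DLL gets a hook appended and a new file is dropped
        (root / "drivers" / "printer.dll").write_bytes(b"legit driver code + hook")
        (root / "drivers" / "hidden.sys").write_bytes(b"unknown payload")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A kernel-mode rootkit can lie to the scanning OS about file contents, which is why the comparison scan is most trustworthy when run from a clean boot medium.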
How to Stay Protected Against Rootkits
Unfortunately, every method of rootkit detection and removal comes with some vulnerabilities and risks. Microsoft has made significant efforts to strengthen Windows at the boot, kernel, and user level against malware infection, but hackers are constantly coming up with innovative solutions to circumvent the work of cybersecurity professionals.
Because of their nearly undetectable nature, rootkit attacks are best managed through prevention — it’s much, much easier to keep rootkits off of your computer than it is to remove them once they’ve hidden themselves in your system.
Use Anti-Malware Software with Rootkit Detection
Microsoft has made significant strides with Windows’ built-in protections — features like Boot Guard, UEFI hardening, and System Guard all provide a powerful layer of anti-rootkit protection. But advanced anti-malware programs like Norton 360, Bitdefender, and McAfee have better malware protection than Windows Defender. These anti-malware suites use behavior analysis, advanced firewalls, and machine learning to provide real-time protection against rootkit download and deployment. Bitdefender and McAfee both provide advanced anti-rootkit detection and removal tools, as well.
Do NOT Ignore Updates
Updates can seem annoying, but they usually contain security patches that close up known vulnerabilities — you’re a lot less likely to get hacked by a rootkit if all of your software (including your operating system) is up-to-date. Software vulnerabilities can give hackers a route to create a backdoor into your system, use exploits to install malware on your system, or give rootkits an easy target to hook into your files and gain access to your operating system. Some anti-malware suites like Norton and Avira include vulnerability scanners that can give you live updates if any of your software is out of date.
Get Anti-Phishing Protection
Phishing sites can be used to steal user information or to convince users to install malware onto their devices. Phishing sites are designed to perfectly mimic legitimate sites, and they can be very hard to detect (but some phishing sites are blatantly fraudulent and you can identify them using common sense). Anti-phishing tools from antiviruses like Avira use a massive database of known phishing sites as well as certificate scanning and tracker blocking to help prevent phishing attacks and block suspicious websites.
Avoid Pirated Software and Media
Cracked software and pirated media may be free, but they’re often the bait used by cybercriminals to install rootkits and other malware onto victims’ devices. Once you run a pirated file on your disk, you’re giving an unknown agent permission to make changes on your device, which can include installing rootkits (and once a rootkit has been given permission to run, it can quickly hide itself on your machine).
Of course, the best antivirus scanners will perform real-time virus scans, and they should be able to block malware files before you have a chance to run them. But with new malware variants being released every day, it’s better to be cautious and avoid pirated software and media.
Frequently Asked Questions
Can rootkits be removed?
Yes, but it’s much, much easier to prevent rootkits from infecting your device than it is to remove them. This is because every type of rootkit is able to convince your computer that it’s part of an essential system component, like the kernel of the OS, the master boot record, a hypervisor, or a DLL file.
There are rootkit detection and removal tools — Bitdefender and McAfee both make specialized anti-rootkit software, which can remove the majority of rootkits from your disk.
However, if you think your system has been infected with a rootkit, you should consult with a cybersecurity expert, as many rootkits can survive defragmentation of the hard drive or a total OS reinstall.
Where do rootkits hide?
If you’re wondering whether or not you can find a rootkit yourself by using the Task Manager or Resource Monitor, the answer is, “No”. Rootkits manipulate your operating system’s own monitoring systems to hide their activity, so once a rootkit is running on your system, you can’t use your own computer’s detection tools to find it.
Rootkits can hide in a wide variety of locations on your disk, such as:
- Kernel-mode files. The part of the OS dedicated to fundamental system processes.
- DLL (dynamic link library) files. The files that are used by multiple programs to perform important functions.
- Master boot record. The area that tells your disk which operating system and which files to run during boot.
- Hypervisor level. The process that runs and controls virtual machines.
- BIOS and UEFI chips. The fundamental hardware of the computer.
What are the most famous examples of rootkits?
The most famous examples of rootkits in the last decade include ZeroAccess and Zacinlo:
- ZeroAccess. In 2012, it was discovered that ZeroAccess infected around 4 million devices. This bootkit/rootkit hybrid is primarily used for cryptomining and click fraud.
- Zacinlo. In 2018, Bitdefender published its findings about Zacinlo, a spyware tool that is able to infect Windows 10’s user-space using a fake app registry code. Zacinlo is used mostly to steal user data, but it can also insert search results and content into your browser.
Can antivirus software detect rootkits?
Sometimes, yes. Some of the most well-known rootkits leave a few signs on user devices, which make them detectable by antivirus scanners.
For example, both Bitdefender’s and McAfee’s rootkit removers are able to detect the ZeroAccess, TDSS, and Necurs families of rootkits on user devices. In my testing, anti-malware suites like Norton and TotalAV were also able to detect these known rootkits.
However, because rootkits subvert the computer’s own detection systems to hide their presence on user devices, it’s always possible that a new type of rootkit will be able to escape detection.
If you think you’ve been infected by a rootkit, I recommend downloading antivirus software and also taking your device to an IT specialist to ensure that the rootkit is completely removed from your device.