What is a Rootkit?
A rootkit is a program or a collection of malicious software tools that give a threat actor remote access to and control over a computer or other system. Although this type of software has some legitimate uses, such as providing remote end-user support, most rootkits open a backdoor on victims' systems to introduce malicious software -- including computer viruses, ransomware, keylogger programs or other types of malware -- or to use the system for further network security attacks.
Rootkits often attempt to prevent the detection of malicious software by deactivating endpoint antimalware and antivirus software. They can be purchased on the dark web and installed during phishing attacks or used as a social engineering tactic to trick users into giving them permission to install them on their systems. This often gives remote cybercriminals administrator access to the system.
Once installed, a rootkit gives the remote actor access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits, but today, most antimalware programs can scan for and remove rootkits hiding within a system. Since rootkits can't spread by themselves, they depend on clandestine methods to infect computers.
When unsuspecting users give rootkit installer programs permission to be installed on their systems, the rootkits install and conceal themselves until hackers activate them. Rootkits contain malicious tools, including banking credential stealers, password stealers, keyloggers, antivirus disablers and bots for distributed denial-of-service attacks.
Rootkits are installed through the same common vectors as any malicious software, including email phishing campaigns, executable malicious files, crafted malicious PDF files and Microsoft Word documents. They are also connected to compromised shared drives or downloaded software infected with the rootkit from risky websites.
What Can Be Compromised During a Rootkit Attack?
A rootkit attack can have the following consequences:
1. Avoid Detection: A primary goal of a rootkit is to avoid detection to remain installed and accessible on the victim's system.
2. Unwitting Access: Although rootkit developers aim to keep their malware undetectable, and there aren't many easily identifiable symptoms that flag a rootkit infection, the following are four indicators that a system has been compromised:
Rootkits are classified based on how they infect, operate or persist on the target system.
Tips for Preventing a Rootkit Attack
Although it's difficult to detect a rootkit attack, an organization can build its defense strategy in the following ways:
1. Regular System Updates: Keeping the operating system and applications up-to-date with the latest security patches is crucial.
2. Strong Passwords and Two-Factor Authentication (2FA): Implementing strong passwords and 2FA can prevent unauthorized access to accounts.
3. Endpoint Antivirus Protection: Regularly scanning the system for malware using endpoint antivirus software can detect rootkits early on.
Notable Rootkit Attacks
The following illustrates several notable rootkit attacks:
Gamer Attacks Targeting Microsoft Digital Signature.
In 2023, a China-based hacking team initiated a campaign that targeted gamers in that country using a rootkit with a valid Microsoft digital signature. The attack allowed it to load into game devices without being blocked and to download unsigned kernel mode drivers directly into memory.
Spicy Hot Pot Attack.
In 2020, an incident involving Zirconium, a Chinese advanced persistent threat group that developed a set of rootkit-like functions to infiltrate and compromise targeted systems via social engineering and spear phishing. The group, associated with the Chinese government, employed its custom malware to gain unauthorized access to networks in pursuit of sensitive information.
Dig Deeper on Threats and Vulnerabilities: What is Malware? Prevention, Detection and How Attacks Work 12 Common Types of Malware Attacks and How to Prevent Them