
Concealed & Dangerous: Unveil the Truth About Rootkits

The idea of an attacker taking full control over your computer is a terrifying one.

They could steal your files, monitor your web browsing, use your system resources for their own purposes, or even erase everything on your computer.

And with the rise of rootkits, this scary scenario is becoming a reality for more and more people.

What Is a Rootkit?

A rootkit is one of the most dastardly subtypes of malware, or malicious software.

Its name is a portmanteau of “root” — the term for the most critical, restricted parts of your operating system — and “kit” — the term for a suite of software.

And it certainly lives up to that name: it gives its creator remote access to your entire computer, including the parts most users never interact with… and the parts that, if tampered with, can do the most damage.

Root Access Defined


Normally, your computer’s root is locked down, accessible only to administrators or superusers. Ordinary user accounts can’t view or modify root files, a restriction that protects these crucial components from bad actors.

With root access, a user can use any resource, modify any file and issue any command they please. All files, even the lowest-level system files and those that interact directly with the computer’s hardware, are fully visible and editable.

Most people don’t need this level of control over their machines, so root access is typically reserved for system administrators, software developers, and other highly-technical users.

But the prospect of having limitless access to every last bit of a device is like a siren song to cybercriminals. With remote root permissions, anything is possible — and with a rootkit, getting those permissions without your knowledge or consent is all too easy.
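The boundary described above only protects you while it actually holds: a root-owned file that any user can modify, or an unexpected setuid-root binary, quietly hands non-root users root-level influence. The following script is an added example (not code from the article) that audits a directory tree for exactly those defects; it assumes a Linux host, Python 3, and that root has uid 0. The classification is a pure function of the path, mode bits and owner so it can be tested without touching a real filesystem.

```python
"""Audit whether the root-only boundary actually holds under a path.

Added example (not from the article). The article's point is that system
files are writable only by root. This script walks a directory and flags
files where that assumption is broken:
  - owned by root but writable by group or others (anyone can alter a
    file the system trusts), or
  - setuid/setgid root executables (legitimate for a few binaries such
    as passwd, but each one is a door into root and belongs on a known
    allowlist).
"""
import os
import stat
import sys
from typing import Dict, FrozenSet, List

# Assumed default allowlist of setuid-root binaries that are expected on a
# typical Linux system; adjust to the host being audited.
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
})


def classify(path: str, mode: int, uid: int,
             allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Return a list of findings for one filesystem entry.

    mode is the st_mode value (file type bits plus permission bits);
    uid 0 is root. Only regular files and directories are considered.
    """
    findings: List[str] = []
    if not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
        return findings

    if uid == 0 and mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A sticky world-writable directory such as /tmp is by design:
        # users can create entries but not remove each other's files.
        sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
        if not sticky_dir:
            findings.append("writable-by-non-root")

    if (stat.S_ISREG(mode) and uid == 0
            and mode & (stat.S_ISUID | stat.S_ISGID)
            and path not in allowlist):
        findings.append("setuid-or-setgid-root")

    return findings


def audit_tree(root: str,
               allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST) -> Dict[str, List[str]]:
    """Walk root and return {path: findings} for every entry that has any.

    Symlinks are skipped (lstat is used) so a link into /tmp is not
    misreported as a world-writable system file.
    """
    report: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; not our concern here
            if stat.S_ISLNK(st.st_mode):
                continue
            findings = classify(full, st.st_mode, st.st_uid, allowlist)
            if findings:
                report[full] = findings
    return report


if __name__ == "__main__":
    # Usage: python audit_root_boundary.py /usr/bin /etc
    for target in sys.argv[1:] or ["/etc"]:
        for path, findings in sorted(audit_tree(target).items()):
            print(f"{path}: {', '.join(findings)}")
```

Run it against directories the system trusts (/etc, /usr/bin, /usr/sbin). A root-owned, group- or world-writable file in one of those trees is a misconfiguration worth fixing regardless of whether a rootkit is present; a setuid-root binary not on your allowlist deserves a package-manager verification before anything else.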

How Rootkits Spread

Rootkits spread much like any other type of malware, often taking advantage of vulnerabilities in human behavior, security holes in software and networks, or both.

Social Engineering

Many rootkits spread via phishing or other social engineering attacks. Attackers manipulate your emotions to get you to download harmful files or perform other actions that allow the rootkit onto your computer.

They often use emails filled with harrowing legal threats, urgent financial claims, or exciting promises of riches and rewards. You’re told to download the file attached to the email, and in your heightened emotional state, you do so.

But the file isn’t the invoice, personal letter, or prize paperwork it claims to be. It’s actually a rootkit in disguise, and when you download the file, you initiate its installation.

Security Vulnerabilities


Thousands of new software and hardware vulnerabilities are discovered every day. Even the tiniest hole in the most innocuous program can be used by an attacker to wriggle into your device and plant a rootkit.

Though these vulnerabilities are usually patched once they’re made public, they could exist for days, weeks, or even years before they’re fixed. And until you install those patches, they don’t help you one bit.

Attackers actively search for these vulnerabilities, scanning networks for potential victims and silently loading them up with rootkits.

Infected Files and Websites

Other attackers take a more hands-off approach, leaving it up to you to download and install their malware. But they know how to hide their rootkits in such a way that it’s hard for you to resist.

They may attach a rootkit to a tempting download — a “free” version of Photoshop, perhaps, or a high-quality copy of a newly released movie.

Or they may infiltrate an illegal streaming site, masking the rootkit behind a “required” video plugin for your browser.


What Rootkits Can Do

Once a rootkit has found its way onto your computer, the possibilities for the attacker are nearly limitless.

Evade Detection and Install Other Malware

Generally, the primary purpose of a rootkit is to make it easier for other varieties of malware to work.

Rootkits contain components that render antivirus programs ineffective, blocking them from seeing or removing malware. Once the antivirus is disabled, the rootkit can then begin downloading and running other malware without the risk of detection.

And the rootkit has built-in protection for itself, too: antivirus software can’t scan the parts of the computer where the rootkit lurks. Even if it could, the rootkit is so adept at cloaking itself that any actions it performs look just like normal system behavior, rendering it virtually unstoppable.

This makes the rootkit a critical part of many malware attacks. It’s there to open the door for other malware, prevent it from being removed and amplify its effects.

As we’re about to see, some of these effects can be truly horrific.
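The cloaking described above usually works by filtering what one interface reports (for example the /proc listing that ps and top read) while the kernel still has to answer questions about the same process through other interfaces. Comparing those answers, known as cross-view detection, is how defenders look for processes a rootkit is hiding. The script below is an added example, not code from the article; it assumes a Linux host and Python 3, and the function and field names are this example's own.

```python
"""Cross-view detection of hidden processes on Linux.

Added example (not from the article). Two independent views of the PID
space are taken and compared:

  view 1: numeric entries listed in /proc (what ps and top see)
  view 2: PIDs that answer to kill(pid, 0), which checks existence and
          permission without delivering any signal

A process present in view 2 but absent from view 1 is the classic
signature of a process-hiding rootkit. The comparison is a pure
function so it can be tested on constructed inputs; only the collectors
touch the live system.
"""
import os
from typing import Callable, Dict, List, Optional, Set


def procfs_pids() -> Set[int]:
    """View 1: PIDs that appear in the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def signal_probe_pids(pid_max: Optional[int] = None) -> Set[int]:
    """View 2: every PID in 1..pid_max that kill(pid, 0) says exists.

    PermissionError (EPERM) still proves the PID exists; it just belongs
    to another user. ProcessLookupError (ESRCH) means no such process.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def tgid_of(pid: int) -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if unreadable.

    kill(tid, 0) also succeeds for thread ids, and /proc/<tid>/ exists
    even though threads are not listed in /proc. Reading Tgid lets us
    tell a thread of a visible process (benign) from a hidden process.
    """
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def cross_view_diff(listing_view, probe_view,
                    tgid_lookup: Callable[[int], Optional[int]] = tgid_of
                    ) -> Dict[str, List[int]]:
    """Compare the two views and classify every disagreement."""
    listing, probe = set(listing_view), set(probe_view)
    hidden: List[int] = []
    threads: List[int] = []
    for pid in sorted(probe - listing):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid and tgid in listing:
            threads.append(pid)   # thread of a process we can see
        else:
            hidden.append(pid)    # exists, but the listing denies it
    return {
        "hidden_from_listing": hidden,
        "threads_of_visible": threads,
        # In the listing but gone by the time we probed: normally a
        # process that exited between snapshots, so informational only.
        "listing_only": sorted(listing - probe),
    }


def scan(rounds: int = 2) -> Dict[str, List[int]]:
    """Repeat the comparison and keep only PIDs flagged every time.

    This filters out processes that merely started or exited between
    the two snapshots of a single round.
    """
    confirmed: Optional[Set[int]] = None
    last: Dict[str, List[int]] = {}
    for _ in range(rounds):
        last = cross_view_diff(procfs_pids(), signal_probe_pids())
        hidden = set(last["hidden_from_listing"])
        confirmed = hidden if confirmed is None else confirmed & hidden
    last["hidden_from_listing"] = sorted(confirmed or set())
    return last


if __name__ == "__main__":
    for key, pids in scan().items():
        print(f"{key}: {pids if pids else 'none'}")
```

Probing every PID up to pid_max takes a few seconds on hosts where pid_max is 4194304, so this is a periodic check rather than something to run in a tight loop. A non-empty hidden_from_listing after the confirmation rounds is a strong signal; a kernel-level rootkit can in principle lie to both interfaces, which is why this should be one of several views (network sockets, open files, scheduler statistics) rather than the only one.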

Monitor Your Activity and Keystrokes


Root access lets an attacker see absolutely everything you do on your computer. It’s possible for them to monitor your browsing history, look at your personal files or even watch your screen in real time.

Active input from the attacker isn’t required, either. Rootkits allow keyloggers and other malware to automatically send log files back to the attacker every day, including passwords and credit card numbers.

All of this happens invisibly, deep within your system, so you’re never any the wiser about it.

Turn Your Computer Into a Bot

Attackers often try to install rootkits on as many computers as possible, then connect them all into a “botnet”: an army of hijacked machines that can do the attacker’s bidding.

Botnets are used for DDoS attacks — targeted sieges that bombard a specific website with traffic, overwhelming it and causing it to go offline.

Rootkit botnets can also be used for bitcoin mining, consuming your system’s resources to generate cryptocurrency for the attacker. They may also be used as spam machines, stealing your contacts and sending them sketchy emails, often spreading the rootkit further via attachments.

Impersonate You and Steal Your Identity

With a rootkit, an attacker can use your computer remotely, making it look to everyone else as if you’re the one performing their actions.

This lets them turn you into their fall guy for their illicit activities: ordering drugs on the dark web, sending threatening messages to others, viewing illegal materials, and countless other things you don’t want to be associated with.

Some attackers go even further, trawling your hard drive for personal files like tax documents, bank statements, and private message logs. With these sensitive files in hand, the attacker can assume your identity, wreaking havoc that extends far beyond the digital realm into your personal safety and security.

Key Rootkit Takeaways

  • Rootkits are malicious programs that give the attacker remote access to and control over files, commands, and privileges that are normally highly restricted.
  • Rootkits may spread via infected downloads or attachments, or they may enter your computer via a software or network vulnerability.
  • A rootkit installs itself so deeply in your system that it can’t be detected by antivirus programs.
  • Rootkits cloak other malware, allowing attackers to steal your files, monitor your activities, and use your computer for illegal purposes.

History of Rootkits

The earliest-known rootkit was created in 1990 by Lane Davis and Steven Dake. Targeting the Sun Microsystems SunOS UNIX platform, it was not created for malicious purposes but rather to test the limitations of the OS.

Nine years later, the first malicious rootkit was created: NTRootkit. Though intended as a cybersecurity training tool, it made its way onto Windows NT computers in the wild, where it logged keystrokes, stole passwords, and hid files.

In the early 2000s, hackers grew bolder with their use of rootkits. The 2004-2005 “Greek Watergate” attackers made use of a rootkit on the Vodafone Greece network, allowing them to wiretap over 100 members of the Greek government.

Before long, rootkits were being used in full-on cyberwarfare: the US and Israel’s Stuxnet rootkit, spotted in 2010, targeted Iranian nuclear facilities. And the Flame rootkit, which steals data from Middle Eastern governments, schools, and figureheads, is also believed to be a US government creation.

Rootkits by the Numbers

  • Rootkits comprise 8% of all malware in circulation
  • 77% of rootkit attacks are related to espionage, with 44% directed at government agencies
  • Hackers typically sell rootkits for between $45,000 and $100,000 on the dark web
  • 69% of rootkits are spread via phishing, while 62% exploit software vulnerabilities, and 31% rely on drive-by website vulnerabilities

Famous Rootkit Attacks


The Sony BMG Rootkit

In 2005, the Sony BMG record company sold CDs with DRM protection, intended to stop people from pirating music. The CDs included a program called XCP-Aurora, purportedly a music player application, that had to be installed to play the CD on a computer.

However, they also included a hidden rootkit that altered the system registry, preventing all other media players and CD rippers from accessing the tracks.

The rootkit itself also created a new vulnerability that malware developers immediately began exploiting. Sony released a patch to uninstall the rootkit, but that patch, too, created serious vulnerabilities, resulting in a CD recall and several multi-million dollar class-action lawsuits.

The ZeroAccess Rootkit

First spotted in 2011, the ZeroAccess rootkit is so insidious that it’s still in circulation despite multiple industry-wide attempts to neutralize it. Over 9 million computers have been infected by ZeroAccess, which assimilates victims into a botnet and disables their firewalls.

The botnet has two purposes: bitcoin mining and ad-click fraud, both of which have been extremely lucrative for the rootkit’s creators. It’s estimated that ZeroAccess bitcoin mining earns the attackers up to $2.7 million per year, while ad-click fraud may net them a profit of over $100,000 a day.


QUOTE:
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional