Rootkit Risks: Impacts and Prevention Strategies

In the world of hacking, there are many different types of malware and many ways to compromise a company's security. Rootkits are a type of malware that has been around for decades; their persistence is a testament to their usefulness in cybercrime. Rootkits help cybercriminals take unauthorized control of a computer to carry out persistent and successful cyberattacks.

What is a Rootkit?

A rootkit is what it sounds like: a set of tools that work at the root of something; in this case, malicious tools that work deeply within a computer or device to take unauthorized control. A rootkit is malware. It typically enters a system using phishing, software flaws, and API vulnerabilities, and often utilizes social engineering.

Once installed, the rootkit malware sits stealthily, undetected, performing malicious tasks via a command and control (C&C) component that the hacker uses to manipulate the malware. This direct connection allows a cybercriminal to adjust the malware, allowing it to perform nefarious tasks like data exfiltration, privilege escalation, and further malware infection.

Rootkit malware is difficult to detect using conventional antivirus (AV) measures because the code can block well-known AV tools or use evasive tactics like obfuscation and polymorphism (changing its signature dynamically).

Rootkits are complex software. However, cybercriminals can find them for sale on the dark web, making them accessible to less technically savvy criminals.

Types of Rootkits

There are several types of rootkits, each having its own set of capabilities and functionality:

Bootkit

A bootkit or bootloader is associated with the Master Boot Record (MBR) and runs when the machine boots up. The hacker must compromise the MBR to initiate a bootkit infection, which can then attack full disk encryption and control the system at the kernel level, i.e., a privileged level of execution. An example of a bootkit was TDSS, which was used to open a backdoor into a system to deliver further malware.

Firmware Rootkit

Some rootkits work at the firmware level, infecting a computer's hard drives or routers. A recent firmware rootkit, CosmicStrand, attaches to the UEFI (Unified Extensible Firmware Interface). This firmware rootkit acted in stealth as an Advanced Persistent Threat (APT), exfiltrating data slowly over time.

Memory Rootkit

This rootkit is installed in the computer's RAM. Memory rootkits are the shortest-lived rootkits, only lasting until a computer is restarted. However, in the meantime, this type of rootkit can steal login credentials and other sensitive data. An example is the Scranos Operation rootkit.

Application Rootkit

An application or user-mode rootkit replaces files with malicious files that change the way that common applications like Notepad and Word behave. Every time a user runs the application, the malicious files run, allowing the hacker to access the machine.

Kernel Rootkit

This type of rootkit also works at the kernel level like a bootkit. At this level, hackers who use a C&C to control the malware have privileged control over the machine. A highly dangerous and successful kernel-mode rootkit was known as ZeroAccess. The rootkit infected over 1 million machines, creating a massive botnet that was used for cryptojacking.

The Financial Costs of Rootkit Infections

A recent report found that 77% of rootkits were used to steal company information. The report also found that 31% were used for financial gain, and 15% exploited a company's infrastructure to carry out further attacks, like ransomware. The following types of cyber threats are risks associated with rootkits:

Botnet

Kernel-mode rootkits can be used to create massive botnets, incorporating any infected computers. Once a computer becomes part of a botnet, it can be used to carry out DDoS attacks or to perform cryptomining (cryptojacking). Costs associated with DDoS include ransom costs at a median demand of $81,000 and downtime costs of $1,000 to $5,000 per server per hour. Cryptojacking costs include damage to computer equipment and large electricity bills.

Ransomware

The Necurs rootkit malware was used to spread Locky ransomware. This rootkit was spread through drive-by downloads, an infection caused by malicious ads and websites, and Necurs was able to block antivirus software. Ransomware recovery costs an average of $2.73 million.

Login Credentials and PII Theft

Rootkit malware can initiate keylogger functionality, stealing login credentials. Stolen login credentials lead to much larger data breaches. According to the Verizon Data Breach Investigations Report, SMB data breach costs vary from $120,000 to $1.24 million.

Each compromised employee record can end up on the dark web, selling for an average of $20-$100. Data for sale on the dark web is typically used to carry out further targeted cyberattacks.

Theft of Financial Information

Rootkits may be configured to steal financial information and credit card/bank details. These are then used to commit fraud in the name of an individual or company. Like employee PII, financial data ends up for sale on dark web marketplaces. Bank account access, for example, sells on the dark web for between $200 and $1000, depending on the balance.

Industrial Espionage

Theft of company secrets and proprietary information is a core remit of many rootkits. IP may then be sold on the dark web, and this company information then forms part of intelligence gathering for cybercriminals intent on targeting a company or sector. Intellectual property theft can lead to loss of competitive edge and customers.

Scanning for Rootkits

If you believe you may be infected by a rootkit, you will likely see various identifying signals, including slow-running machines, system crashes, and browser and app malfunctions. Some advanced scanners have anti-rootkit scanning capability. The scanner will regularly scan a computer for evidence of rootkit infection. However, a rootkit scanner should be used in combination with a defense-in-depth approach to cybersecurity, using measures such as those recommended below.
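One check that scanners perform against the application-level rootkits described above, which replace legitimate program files with malicious copies, is a file-integrity baseline: hash every file under a directory, store the digests, and on a later run report anything modified, added or removed. The following is an added example, not code from the article; the directory layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a planted link cannot hide a swapped target."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two scans. 'modified' entries are candidate replaced binaries,
    'added' entries are candidate dropped components."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, tamper with one program file,
    drop one new file, then rescan and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "bin"
        app.mkdir()
        (app / "notepad.exe").write_bytes(b"legitimate notepad")  # constructed sample
        (app / "word.exe").write_bytes(b"legitimate word")        # constructed sample
        baseline = build_baseline(tmp)
        # Simulated application-rootkit behaviour: one binary replaced, one file dropped
        (app / "notepad.exe").write_bytes(b"replaced notepad")
        (app / "helper.dll").write_bytes(b"dropped component")
        return compare(baseline, build_baseline(tmp))
```

In practice the baseline must be stored and signed off-host, since a rootkit with write access to the scanned system could rewrite a locally kept baseline to match its own files.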

How To Protect Your Company from Rootkits

In addition to anti-rootkit scanners, you should consider implementing the following security measures:

Security Awareness and Phishing Simulations

Rootkits are often delivered using phishing emails. Educate your employees about how phishing works and how to spot a phishing campaign. However, you should use security awareness training modules in combination with phishing simulations, which provide behavior-led training that adapts to each individual's risk level.

Patching and Updates

Keep your software and firmware up to date, and install security patches as soon as they are released. This helps prevent drive-by downloads and the exploitation of other software vulnerabilities during rootkit attacks.

Next-Gen Antivirus Software (NGAV)

NGAV tools use AI to identify evasive and emerging malware threats.

Dark Web Monitoring

Rootkit attackers buy and sell company information on the dark web, and the information stolen using a rootkit then provides intelligence for a successful targeted attack. However, a dark web monitoring service, like Sentinex, allows an SMB to see if its company details are being sold on dark web marketplaces. This knowledge enables an SMB and its employees to prepare for and prevent cyberattacks.

FAQ

Does anti-virus software protect against rootkits?

Conventional antivirus software struggles to identify rootkits because the malware uses evasive tactics to hide. Rootkits will often also disable specific AV tools. Advanced AI-enabled Next-Gen antivirus software (NGAV) is designed to identify evasive malware, like that used in rootkits. However, it is important to use several security measures and not rely on a single tool, like NGAV, as attackers are continually evolving their tactics to evade detection.

Are there any legitimate rootkits?

Yes, rootkit technology is sometimes used legitimately for remote technical support or as a honeypot to detect cybersecurity attacks.

Is a bootkit the same as a rootkit?

A bootkit, also known as a bootloader, is a type of rootkit that works at a very low level on a computer. Typically, bootkits are installed in the computer's master boot record (MBR).