A rootkit is a type of malware that gives an attacker privileged, concealed access to a compromised computer. On Unix-like systems the highest-privilege account is called root; on Windows the equivalent is Administrator (or SYSTEM). Either way it is a superuser account, giving whoever holds it complete control of the machine, and a rootkit's job is to keep that control while hiding its own presence.
What do rootkits do?
Rootkits essentially allow an attacker to create a back door into a computer so they can control it and issue commands remotely.
It sounds scary, doesn't it? And it is. The user has no idea that a rootkit has been installed or that an unknown party can remotely use every function of their computer.
With backdoor access, attackers can steal or falsify documents and conceal other malware, such as password-stealing keyloggers and viruses, from the user and from security software.
Attackers can even subvert the login mechanism: the login screen looks and behaves normally, but a secret username and password combination is added that lets the attacker straight in, bypassing the normal authentication and authorisation checks.
How are rootkits installed?
One of the most common ways for attackers to deliver rootkits is through documents attached to emails, such as PDFs, or through a malicious link in an email. Either way the aim is to exploit a vulnerability in software or an operating system that has not been updated.
If the document is opened or the link is clicked, a small program called a dropper runs, which in turn launches a loader. The dropper then deletes itself to remove evidence, and the loader exploits a vulnerability, commonly a buffer overflow, to gain the privileges it needs and load the rootkit into the computer's memory.
A buffer overflow happens when a process writes more data to a fixed-length block of memory, a buffer, than that buffer was allocated to hold. Because the buffer has a defined size, the excess data spills into whatever sits next to it in memory: other variables, a privilege flag, or the saved return address that tells the processor where to continue executing. An attacker who controls that excess data can therefore corrupt the program's state or redirect it into code of their own choosing, which is how the loader gets the rootkit running.
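As an added example (not code from the original article), here is the fault in miniature in C: a fixed-length name buffer sits directly in front of a privilege flag, and a copy routine that trusts the caller's length lets an over-long input run on into that flag, shown next to a version that checks the length first. The struct layout, the function names and the 20-byte input are all constructed for the illustration; the copy in the vulnerable version is deliberately done through a byte view of the whole record so the demonstration stays within defined C behaviour while still showing the overwrite.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record: a fixed-length buffer immediately followed by a
 * privilege flag, the adjacency an overflow abuses. */
struct account {
    char name[16];   /* room for 15 characters plus the terminating NUL */
    int  is_admin;   /* adjacent data that an overflow can overwrite */
};

/* The demo assumes is_admin starts right after name (true on mainstream
 * compilers, since 16 is a multiple of int's alignment). */
_Static_assert(offsetof(struct account, is_admin) == 16, "unexpected layout");

/* Vulnerable pattern: the caller's length is trusted, so an input longer
 * than name runs into is_admin. The copy goes through a byte view of the
 * whole struct and is capped at sizeof(*acct) so the demo itself stays
 * within defined behaviour; a real overflow has no such cap. */
void set_name_unchecked(struct account *acct, const unsigned char *input, size_t len)
{
    if (len > sizeof(*acct))
        len = sizeof(*acct);
    memcpy((unsigned char *)acct, input, len);
}

/* Hardened form: reject anything that does not fit, then copy and
 * NUL-terminate. Returns 0 on success, -1 if the input was refused. */
int set_name_checked(struct account *acct, const unsigned char *input, size_t len)
{
    if (len >= sizeof(acct->name))
        return -1;                       /* no room for the NUL terminator */
    memcpy(acct->name, input, len);
    acct->name[len] = '\0';
    return 0;
}

/* Feed 20 bytes of 0x01 (constructed input) to the unchecked copy and
 * return is_admin afterwards: the four bytes that land in the flag make it
 * non-zero regardless of endianness. The name is also left unterminated. */
int demo_unchecked_overflow(void)
{
    unsigned char input[20];
    struct account acct = { "guest", 0 };
    memset(input, 0x01, sizeof input);
    set_name_unchecked(&acct, input, sizeof input);
    return acct.is_admin;                /* non-zero: the flag was overwritten */
}

/* Same over-long input against the checked copy: refused, flag untouched. */
int demo_checked_rejects(void)
{
    unsigned char input[20];
    struct account acct = { "guest", 0 };
    memset(input, 0x01, sizeof input);
    int rc = set_name_checked(&acct, input, sizeof input);
    return (rc == -1 && acct.is_admin == 0) ? 1 : 0;
}

/* A name that fits is accepted and stored correctly. */
int demo_checked_accepts(void)
{
    struct account acct = { "guest", 0 };
    const unsigned char *ok = (const unsigned char *)"alice";
    int rc = set_name_checked(&acct, ok, 5);
    return (rc == 0 && strcmp(acct.name, "alice") == 0 && acct.is_admin == 0) ? 1 : 0;
}
```

The same unchecked copy against a stack buffer would overwrite the saved return address rather than a flag, which is what lets a loader hand control to its own code; the fix is identical in both cases, which is to bound every write by the destination's size before it happens.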
Different types of rootkits
- User-mode rootkits - User-mode rootkits run with ordinary user privileges and work by modifying or hooking the programs and libraries that applications use, so that processes, files, system drivers, network ports and even system services are hidden from the user and from security tools. They are installed by copying the required files to the computer's hard drive and are set to launch automatically every time the computer boots.
- Kernel-mode rootkits - Kernel-mode rootkits run at the same privilege level as the operating system itself, typically as a device driver or kernel module. Because the kernel mediates everything the operating system reports, a rootkit at this level can alter what every program on the machine sees, and the operating system can no longer be trusted to report on itself.
- User-mode/kernel-mode hybrid rootkits - A hybrid rootkit combines user-mode components with kernel-mode components. This approach is one of the most popular among attackers because of its high success rate in penetrating computers and staying hidden.
- Firmware rootkits - Firmware rootkits hide in firmware, the low-level code stored in a device's own chips, so they survive the computer being shut down and even the operating system being reinstalled. When the computer is restarted the rootkit reinstalls itself from the firmware. The firmware in question could be anything from the BIOS/UEFI or microcode on the motherboard to the code running inside a hard drive, network card or router.
Symptoms of rootkit installation
- The computer locks up or stops responding to any input from the mouse or keyboard
- Windows settings change without your permission, for instance the screensaver changes
- Web pages or network connections don't work, or are slow and intermittent
Bear in mind that a rootkit is built to be invisible, so an infected machine may show none of these signs. Their absence is not proof of a clean system, and a rootkit that has hooked the operating system can lie to the very tools asked to check for it.
Protection against rootkits
The basic essential is to run good anti-virus software and to keep every piece of software on the computer, including the operating system, up to date, since rootkits usually arrive by exploiting a vulnerability for which a patch already exists. BullGuard Internet Security 2018 includes award-winning triple defence layers as well as a vulnerability scanner that alerts you when software needs updating.