{"id":11945,"date":"2020-01-09T11:40:00","date_gmt":"2020-01-09T16:40:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11945"},"modified":"2021-03-11T13:28:53","modified_gmt":"2021-03-11T18:28:53","slug":"what-is-a-rootkit-and-how-does-it-work","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/what-is-a-rootkit-and-how-does-it-work\/","title":{"rendered":"What Is a Rootkit and How Does It Work?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-here-s-everything-you-need-to-know-about-the-most-dangerous-breed-of-security-threats\">Here\u2019s everything you need to know about the most\ndangerous breed of security threats<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The cyber security industry might not have\nperfected the techniques to thwart security threats completely, but it has\ndefinitely mastered the art of naming security threats. Names like trojans,\nworms, viruses, malware, ransomware are a testament to this. But today, we&#8217;re\ngoing to talk about another threat that might not have as original a name as\nothers but definitely trumps all of them when it comes to destroying your\nprivacy and security: rootkits. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What is a rootkit and what does it mean for\nyou in terms of data security and privacy?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Today, we&#8217;re going to explore this\npernicious threat \u2014 one that might be lurking on your computer right now.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-a-rootkit-something-difficult-to-detect-and-impossible-to-ignore\">What Is a Rootkit? 
Something Difficult to Detect and\nImpossible to Ignore<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"688\" height=\"474\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/rootkits-1.png\" alt=\"Graphic: What is a rootkit? Breaking down the levels of privilege.\" class=\"wp-image-11949\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/rootkits-1.png 688w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/rootkits-1-300x207.png 300w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you find yourself wondering &#8220;what is a rootkit,&#8221; we&#8217;ve got your answer. A rootkit is a collection of programs\/software tools \u2014 typically malicious \u2014 that gives a threat actor remote administrative access to and control over a computer while hiding its presence on that machine. In simpler words, a rootkit is typically associated with malware that you can&#8217;t see but that makes sure the cyber-criminal sees your computer and, possibly, your actions as well. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s like an enemy country\u2019s secret agent who infiltrates your computer to provide continuous privileged access while masking their identity \u2014 all without you knowing it. 
And it can potentially remain hidden for <em>years<\/em> if undetected.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Rootkits As Fast As Possible\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/0LvF0KtBWxY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">As you can see, the term \u201crootkit\u201d has been\nderived from two words: \u201croot\u201d and \u201ckit.\u201d The term root is the traditional name\nof the most privileged administrator-level access in a UNIX system. In UNIX,\nroot access gives a user full rights to control and change almost everything. The\nword \u201ckit,\u201d on the other hand, refers to the group of software applications\nthat form the tool.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The thing that makes a rootkit so unique is\nthat it remains hidden inside your system and is designed to keep malware\ndetection applications and other security tools at bay. Most antivirus and\nanti-malware applications are unable to distinguish rootkits from other\nsoftware your system trusts because they piggyback on those trusted\napplications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-can-a-rootkit-do\">What Can a Rootkit Do?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A more appropriate question would be \u201cWhat <em>can\u2019t<\/em>\na rootkit do?\u201d The reason why a rootkit is regarded as being so dangerous is\nthat it can do almost everything to your privacy and security you&#8217;re afraid of.\nA rootkit can contain malicious tools that allow cybercriminals to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>track everything you type on\nyour computer. 
<\/li><li>steal your usernames, passwords,\nand credit card information. <\/li><li>disable the security\napplications you might have installed on your computer. <\/li><li>alter other sensitive settings\nand programs in your system.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-a-rootkit-7-different-types-of-rootkits\">What Is a Rootkit? 7 Different Types of Rootkits<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Depending upon its location in the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Protection_ring\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">hierarchical protection domains or protection rings<\/a>, we can classify rootkits into at least seven types. These types range from the lowest privilege level to kernel mode (the highest privileges).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-user-mode-rootkits\">User Mode Rootkits<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In terms of user privileges, these rootkits\nrank the lowest. User mode rootkits, sometimes referred to as application\nrootkits, start as a program during system start-up, or they&#8217;re injected into\nthe system. These rootkits \u2014 depending upon the operating system \u2014 operate\nthrough various ways to intercept and modify the standard behavior of\napplication programming interfaces (APIs). For example, this could be a .DLL\nfile in Windows and a .dylib file in Mac OS X. These rootkits are quite popular\nin financial and banking malware. One such piece of malware, named Carberp, was\nbased on this technique, and its user mode rootkit component has been used in\nmany financial malware families. 
<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-hardware-firmware-rootkits\">Hardware\/Firmware Rootkits<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As the name suggests, this type of rootkit\nis intended to infect hardware or firmware such as hard drives, routers,\nnetwork cards, and even your system\u2019s basic input\/output system (BIOS).\nThese rootkits can seize the data written on the disk or data transmitted\nthrough a router.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-bootloader-rootkits\">Bootloader Rootkits<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A bootloader is\na program that runs as soon as you turn your computer on and the operating\nsystem starts to load. If your computer has been infected with a bootloader\nrootkit (sometimes called a bootkit), it could replace the original bootloader. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-memory-rootkits\">Memory Rootkits<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Much like the name suggests, these rootkits\nusually hide inside the computer\u2019s RAM (random access memory). The lifespan of\nthese kits is quite short, and most of them disappear once the system reboots.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-kernel-mode-rootkits\">Kernel Mode Rootkits<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Kernel mode rootkits target the innermost\nprotection ring, and that&#8217;s why they&#8217;re the most dangerous. They\ninfect the core of the operating system by adding or replacing portions of it,\nwhich allows them to conceal malware. These rootkits have unrestricted access\nand can modify kernel data structures, making them exceedingly difficult to detect.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-detect-and-remove-rootkits\">How to Detect and Remove Rootkits<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike other security threats, the\ndetection of rootkits is quite tricky since they disguise themselves. 
However,\nthere are tools provided by anti-malware providers to scan and detect rootkits.\nUnfortunately, many of them can\u2019t detect all varieties of rootkits \u2014 especially\nif a given rootkit has infected the kernel \u2014 so one method of detection is to\nuse scanners or solutions from multiple vendors. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Other methods of rootkit detection are\nquite complicated and expensive for organizations. These methods can include behaviour-based\ndetection, signature scanning, and firewall and event log analysis. For\nconsumers, these solutions aren\u2019t of much use \u2014 reinstalling the operating\nsystem (OS) might be the only way out for these users.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-best-practices-to-protect-your-endpoint-devices-from-rootkits\">Best Practices to Protect Your Endpoint Devices from\nRootkits<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There\u2019s not much you can do once your\ncomputer has been infected with a rootkit. However, you can stop them from\nentering your computer in the first place. Here are the best practices to\nkeep your computer safe from sinister rootkits:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-only-download-computer-drivers-from-authorized-sources\">Only Download Computer Drivers from Authorized Sources<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the most common routes by which a rootkit enters is through malicious drivers that disguise themselves as genuine ones. Therefore, you should always insist on installing drivers from authorized sources only. 
<a href=\"https:\/\/www.thesslstore.com\/blog\/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam\/\">Here\u2019s a post that will help you determine whether the website is fake or genuine.<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-always-check-an-email-thoroughly-before-engaging-with-it-or-any-attachments\">Always Check an Email Thoroughly Before Engaging with It\nor Any Attachments<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Spoofy emails are one of the favorite\nweapons in the arsenal of cybercriminals. That&#8217;s because they don&#8217;t have to do\nmuch apart from sending you an email. You do the rest while they have their pi\u00f1a\ncolada. Phishing emails often lead users to download something, and often,\nrootkits come as a part of the package.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are many types of phishing emails out\nthere: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>some claim to be official\nemails from companies; <\/li><li>some appear to be sent from\nsomeone you know; <\/li><li>some give you a lucrative offer\nthat you can\u2019t (or don\u2019t want to) refuse; and <\/li><li>some give you some sort of\nwarning to do something within a certain period. <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">You should always check the email header information and sender\u2019s email address before clicking or downloading something sent via email. <a href=\"https:\/\/www.thesslstore.com\/blog\/phishing-email-examples-the-best-worst\/\">Here are some examples of phishing emails that will give you a better idea of how phishing emails look.<\/a><\/p>\n\n\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-maintain-an-up-to-date-os-browser-and-security-software\">Maintain an Up to Date OS, Browser and Security Software<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s face it; nobody wants to see the\nupdate pop up whenever we start a computer. 
As annoying as updates are, they\nexist for a reason \u2014 many reasons, in fact. Keeping your system, browser, and\nsecurity software up to date is one of the most effective ways to protect\nagainst rootkits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-be-careful-about-what-you-download-and-whom-you-give-access-to-do-so\">Be Careful About What You Download (and Whom You Give\nAccess to Do So)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As much as we love downloading (illegally)\nthe just-released episodes of our favorite TV shows, we should be extremely\nvigilant about downloading anything from the internet. Most of\nthe time, rootkits come as a part of the package, and there&#8217;s no way you can\nsniff them out. That&#8217;s why the best strategy is to only download\/buy digital\nproducts from official sources.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For organizations, another recommendation is to implement a <a href=\"https:\/\/www.us-cert.gov\/bsi\/articles\/knowledge\/principles\/least-privilege\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">policy of least privilege<\/a>. This entails only giving the ability to download or install programs to users who need it for their jobs or to perform specific functions. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-final-word\">A Final Word<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Rootkits aren&#8217;t much different from other threats when it comes to getting inside a computer system. However, they&#8217;re entirely different once they infect the system. Removing them from your system is a mightily difficult task, and you don&#8217;t want to find yourself in a position of needing to do so. That&#8217;s why it&#8217;s always a wise choice to stay vigilant when browsing on the internet and engaging with emails. 
We hope this answers your questions on the topic of &#8220;what is a rootkit?&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s everything you need to know about the most dangerous breed of security threats The cyber security industry might not have perfected the techniques to thwart security threats completely, but&#8230;<\/p>\n","protected":false},"author":10,"featured_media":11946,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[11666],"class_list":["post-11945","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-rootkit","post-with-tags"],"views":31037,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/what-is-a-rootkit.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11945"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11945\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/11946"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href
":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=11945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}