Rootkits 101

Rootkits

A rootkit is software designed to hide the fact that an operating system has been compromised. It lets other malware disguise itself as legitimate system files and processes so that the owner and antivirus software overlook it, and it allows a third party to keep control of the computer without the owner's knowledge. Once a rootkit is in place the attacker can run programs on the machine remotely, change its system configuration, read its log files and spy on what the legitimate owner does.
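The classic check for the hiding described above is a cross-view scan: ask the system the same question in two different ways and compare the answers. The script below is an added example, not code from the original page, and assumes a Linux host with the standard /proc filesystem mounted. View 1 is the directory listing of /proc, the view that ps and top use and that a rootkit hooking readdir()/getdents() filters. View 2 sends signal 0 to every possible PID; a process that exists still answers (with success or EPERM) even when it has been removed from the listing. Any PID present in the second view but missing from the first is a suspect, after ruling out the two honest explanations: threads (which /proc never lists by design) and processes that started or exited between the two views.

```python
"""Cross-view detection of hidden processes on Linux.

Added illustration, not code from the original page. Assumes a Linux host with
/proc mounted; the paths below are the standard procfs ones.
"""
import os
from typing import Set

PROC_DIR = "/proc"
PID_MAX_FALLBACK = 4194304   # kernel default upper bound if pid_max is unreadable


def listed_pids() -> Set[int]:
    """View 1: process IDs as reported by enumerating /proc.

    This is the view `ps` and `top` use, and the one a rootkit that hooks
    readdir()/getdents() filters in order to hide a process.
    """
    return {int(name) for name in os.listdir(PROC_DIR) if name.isdigit()}


def pid_max() -> int:
    """Upper bound of the PID space, read from the kernel when possible."""
    try:
        with open(os.path.join(PROC_DIR, "sys/kernel/pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def is_alive(pid: int) -> bool:
    """Signal 0 delivers nothing but still resolves the PID: ESRCH means no such
    process, EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(upper: int) -> Set[int]:
    """View 2: every PID in 1..upper that answers kill(pid, 0)."""
    return {pid for pid in range(1, upper + 1) if is_alive(pid)}


def is_thread(pid: int) -> bool:
    """kill(tid, 0) also succeeds for non-leader threads, which /proc never
    lists. /proc/<tid>/status is still reachable by path, and its Tgid line
    tells a thread apart from a hidden process. If the status file cannot be
    read at all, the PID is treated as a process (a rootkit may block it)."""
    try:
        with open(os.path.join(PROC_DIR, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError):
        pass
    return False


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """Pure comparison: PIDs present in the probe view but absent from the listing."""
    return probed - listed


def cross_view_scan() -> Set[int]:
    """Return PIDs that exist but are missing from the /proc listing.

    Processes can start or exit between the two views, so every candidate is
    re-checked against both views before it is reported.
    """
    probed = probed_pids(pid_max())
    listed = listed_pids()
    suspects = set()
    for pid in hidden_pids(listed, probed):
        if is_thread(pid):
            continue                      # a thread, not a process
        if not is_alive(pid):
            continue                      # exited between the two views
        if pid in listed_pids():
            continue                      # started after the listing was taken
        suspects.add(pid)
    return suspects


if __name__ == "__main__":
    found = cross_view_scan()
    if found:
        print("hidden processes:", sorted(found))
    else:
        print("no hidden processes detected")
```

Run it as an ordinary user; EPERM on other users' processes is handled. With the kernel default pid_max of 4194304 the probe takes a few seconds. This scan catches a user-mode rootkit that hides processes by hooking directory enumeration; a kernel-mode rootkit that also filters the kill() path defeats it, which is why serious tools compare several independent views (procfs, kill(), /proc/<pid>/status, netstat sockets, and so on).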

A rootkit runs with the highest privilege it can obtain: root on Unix-like systems, SYSTEM or kernel mode on Windows. A kernel-mode rootkit modifies the running kernel itself, so every tool that asks the kernel what files, processes or connections exist gets a filtered answer; a user-mode rootkit achieves a weaker version of the same effect by hooking the library calls in the programs that would report them. In neither case does the rootkit provide the initial break-in: it conceals and preserves access the attacker already has. On Windows, one way to get driver code loaded into the kernel without any UAC (User Account Control) prompt is plug and play: when a new device is attached, Windows automatically installs and loads the driver it matches to that device, provided the driver passes its signing checks. A USB device of unknown origin can also present itself as a keyboard and type commands as the logged-in user. For both reasons, do not allow employees to plug in USB devices of unknown origin.

A preventative measure against malware gaining full administrative access to your computer is to create a standard (non-admin) user and use it as the primary account, so that code running as that user cannot install drivers or modify the kernel. On Windows, however, a malware author can still get past User Account Control. Doing so requires either an unusual configuration on the target machine, hardware plugged into the system, or the exploitation of existing software that is already running with elevated permissions. The most common route is the last one: exploit a process that already runs with system permissions, or simply subvert User Account Control by misleading the user into clicking through the consent prompt.

Guard your system by keeping everything up to date and installing the patches the operating system needs promptly. Do not open email attachments from unknown sources, and be careful about the software you install: read the end-user license agreement before accepting it.