Skip to main content

What Is A Rootkit Infection?

What is a Rootkit?
 
Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a UNIX/Linux term that's the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit -- all of which is done without end-user consent or knowledge.
 

Why use a Rootkit?

Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer's configuration.

 


How do rootkits propagate?
 
Rootkits can't propagate by themselves. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.
 
The dropper is the code that gets the rootkit's installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious email link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.
 
Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:
 
Instant Messenger (IM) -- One approach requires computers with IM installed. If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it's from a friend), that computer becomes infected and has a rootkit on it as well.
Rich content -- The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it's all over.
 

Generic symptoms of a Rootkit infestation
 
By design, it's difficult to know if they are installed on a computer. Rootkits should get the same consideration as other possible reasons for any decrease in operating efficiency. Here's a list of noteworthy symptoms:
 
If the computer locks up or fails to respond to any kind of input from the mouse or keyboard, it could be due to an installed kernel-mode rootkit.
 
Settings in Windows change without permission. Examples of this could be the screensaver changing or the taskbar hiding itself.
 
Web pages or network activities appear to be intermittent or function improperly due to excessive network traffic.
 
If the rootkit is working correctly, most of these symptoms aren't going to be noticeable. By definition, good rootkits are stealthy. The last symptom (network slowdown) should be the one that raises a flag. Rootkits can't hide traffic increases, especially if the computer is acting as a spam relay or participating in a DDoS attack.
 

Detection and removal
 
Be sure to keep antivirus/anti-spyware software (and in fact, every software component of the computer) up-to-date. That will go a long way toward keeping malware away.
 
Detection and removal depends on the sophistication of the rootkit. Please Contact Total Defense Technical Support immediately.
 
 

 
 
Was this article helpful?
1 out of 1 found this helpful