Rootkits are one of the most challenging malware types to identify and remove. In this video, you’ll learn how rootkits are able to avoid detection and what you can do to protect against a rootkit infection.
In the Windows operating system, the highest level user of the operating system is the administrator user. In the Linux operating system, the highest level user is the root user and that’s where we get the name for rootkit, is this highest level user on a Unix or Linux device. A rootkit modifies the kernel of the operating system. It’s one that is going to the very lowest level of the operating system so that it can avoid a lot of the anti-virus or anti-malware software from identifying it in the normal part of the operating system.
It’s generally invisible, because it’s built into the kernel of the operating system itself. If you were to bring up a Task Manager and look for this rootkit software, you would not see it running as part of the operating system. Traditional anti-virus and traditional anti-malware will not be able to see the rootkit, because it’s invisible to the operating system. Once that rootkit becomes installed onto that computer, it becomes very difficult to remove.
Rootkits are often combined with additional software to create malware that becomes very difficult to remove. A good example of this is with this older Zeus or Zbot malware, which has been around for years. It’s used to listen in to you accessing your bank account information, and then uses that to remove or transfer money out of your account. Well Zeus and the Zbot itself became easy to remove, so what the malware authors did was combine it with a rootkit. The root would install itself into the kernel of the operating system, and then prevent you from removing any part of the malware that was running inside of the operating system itself.
So even if you saw the Zeus or the Zbot files running, you wouldn’t be able to stop them. It would give you an access denied. If you find the service and you try to disable the service, even if you’re the administrator of the operating system, that rootkit in the kernel provides you with an access denied and you’re not able to stop that Botnet from running. Although a rootkit is mostly in the kernel, there may be parts of the operating system that are able to identify that one’s running, so make sure that your anti-virus and your anti-malware scans are updated with the latest signatures.
If you do find or suspect that a rootkit is on your computer, you will need a very specific rootkit remover to remove that software. It’s not quite as simple as deleting a file that might be in your file system. You might also want to take advantage of using a computer that has a UEFI BIOS with secure boot, so that it’s able to look for and prevent any application from installing into the kernel of your operating system.
Category: CompTIA Security+ SY0-501