How To Detect Rootkits
Cyber criminals are always finding new and creative ways to carry out their ill intentions. One of the sneakiest, if not the sneakiest, is the rootkit. Even reputable and powerful anti-virus programs often fail to detect them, because concealment is in their very nature.
And if you are unlucky enough to be hit by the right kind of rootkit, one that lives in firmware, the only reliable fix may be to reflash the firmware or replace the device entirely. Many organizations have fallen prey to these attacks and struggled with them even after hiring security experts. In this case, as in most, prevention is better than cure.
Why do I consider this the most dangerous kind of cyber threat? The answer is in the first paragraph. Most anti-virus software today can detect a wide range of malicious activity, and vendors frequently update their signature databases with newer and smarter threats.
But the rootkit is different. These programs are the stealth bombers or Solid Snakes of the cyber world, and they are much harder, sometimes nearly impossible, to detect through traditional signature scanning. The reason is simple: a rootkit that controls the system can lie to the scanner about what is on disk, in memory and in the process list, so the scanner never sees the file it would have matched.
Rootkits: What Are They?
The techniques rootkits rely on were not all invented with bad intentions. But as Alan Grant said in Jurassic Park III, "Some of the worst things imaginable have been done with the best intentions." The name comes from Unix: "root" is the all-powerful administrative account, and a "kit" is the set of tools an attacker installs, after already gaining root, to keep that access and hide it. So a rootkit is not usually what breaks in; it is what stays behind afterwards. It can be operated remotely or lie dormant on your device and do whatever the criminals want with your phone or PC. A rootkit can quietly download malware, adware, bloatware, keyloggers and other unwanted guests, and it can grant its host app permissions you never approved and use them to siphon off your data.
Rootkits can also change how your computer or smartphone behaves. They may slow it down, disguise themselves as a system app or driver, infect other apps you have installed, and the list goes on. Criminals have used many kinds of rootkits over the past decade. You don't have to worry about every one of them, but the bad guys are still out there, and the first line of defense is knowing your enemy.
Classification Of Rootkits
It has always been difficult to detect and remedy attacks involving this kind of software. To make things worse, there are five kinds of them. I'll discuss each in detail below.
- Firmware rootkits
- User mode rootkits
- Memory rootkits
- Bootkits/bootloader rootkits
- Kernel mode rootkits
Kernel Mode Rootkits
The kernel mode rootkit targets the core of your device's operating system. It runs with the same privileges as the kernel itself, usually by loading as a device driver on Windows or a loadable kernel module on Linux, and from there it changes how the system behaves: it hooks system calls, patches kernel data structures so that its own processes, files and network connections are left out of every list, and filters what every program above it is allowed to see. This is one of the reasons most anti-virus programs, which ask the kernel for their information, won't detect it, and why it is risky to remove.
The purpose of replacing or hooking system drivers is to gain and keep administrative control of the operating system. On Windows, rootkits take advantage of the fact that device drivers and loadable modules execute with the same level of authority as the kernel. 64-bit Windows raised the bar with driver signature enforcement and kernel patch protection (PatchGuard), so attackers who want kernel-level control there typically either abuse a legitimately signed but vulnerable driver, or tamper with the boot sequence to disable those protections before the kernel loads, which is where bootkits (below) come in.
Firmware Rootkits
Firmware rootkits live below the operating system. They install themselves into the firmware images used by network cards, BIOS/UEFI, Wi-Fi adapters, routers and other devices, so they survive a reinstall of the operating system and even a replacement of the hard drive. For example: you buy a new graphics card, but unknown to you, attackers have compromised the vendor's firmware update package. As soon as you run the updater, the rootkit is flashed into the card and is ready to act on your system on every boot. Since no ordinary file on disk holds the rootkit, the practical check is to dump the firmware and compare it against a known-good image from the vendor, or to rely on measured boot, where the firmware's hash is recorded in a TPM and can be compared with a baseline.
Memory Rootkits
These are not permanent. Fortunately, they only survive until the computer is turned off: the moment you restart it, RAM is cleared and everything is fresh again (though if the dropper that installed it is still on disk, it will simply come back). Unfortunately, on smartphones they tend to stick around, because our phones are almost never rebooted. This kind of rootkit lives entirely in your device's memory and is often responsible for noticeable slowdowns.
User Mode Rootkit
The user mode rootkit is also known as an application rootkit. It runs with ordinary user privileges and loads at startup just like a normal program, or it is delivered by a host program you downloaded from a dodgy site, or by whatever other creative route attackers choose for your operating system. What it usually does is alter the behavior of smaller components of a parent program: it hooks the library functions that applications use to list files, processes or network connections (for example by patching a program's import table on Windows, or by abusing LD_PRELOAD on Linux) and filters the results so that the rootkit's own files and processes are never returned. It usually disguises itself as, or infects, programs you already trust. Because the hooks sit inside each process, any scanner that relies on those same library calls is deceived too. The way to catch it is a cross-view check: obtain the same listing through a path the hook does not control and compare the two.
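The following is an added example, not code from the article, showing both halves of that story on Linux: a function that behaves like a user-mode rootkit's hooked readdir(), dropping every directory entry whose name starts with an assumed prefix "rk_", and a cross-view check that lists the same directory through the raw getdents64 system call, which an in-process libc hook cannot touch, and reports what the API view omitted. A real rootkit would ship the hook as a shared library loaded with LD_PRELOAD that exports readdir and reaches the genuine one via dlsym(RTLD_NEXT, "readdir"); here it is called directly so the block runs without preloading anything. The fixture directory and its two files are constructed by the code itself.

```c
// Added example (not from the article): user-mode hook vs. cross-view detection.
// Linux only: relies on the getdents64 syscall. Assumed rootkit behavior:
// hide every name beginning with "rk_".
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define HIDE_PREFIX "rk_"   /* hypothetical: prefix the rootkit hides */
#define MAX_NAMES   64

/* Record layout returned by getdents64 (glibc does not export this struct). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* What a user-mode rootkit's readdir shim does: call the real libc function,
   then silently skip the entries its operator wants hidden. */
static struct dirent *hooked_readdir(DIR *d) {
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strncmp(e->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;                     /* swallow the hidden entry */
        return e;
    }
    return NULL;
}

/* API view: what ls, a file manager or a userland scanner sees once libc is
   hooked. Returns the number of names stored (. and .. excluded). */
static int list_via_api(const char *path, char names[][256], int max) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = hooked_readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        strncpy(names[n], e->d_name, 255); names[n][255] = '\0'; n++;
    }
    closedir(d);
    return n;
}

/* Raw view: ask the kernel directly. A hook inside this process's libc
   never sees this request, so nothing is filtered. */
static int list_via_syscall(const char *path, char names[][256], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[4096];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long off = 0; off < nread && n < max;) {
            struct linux_dirent64 *ent = (struct linux_dirent64 *)(buf + off);
            if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0) {
                strncpy(names[n], ent->d_name, 255); names[n][255] = '\0'; n++;
            }
            off += ent->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Cross-view diff: every name the kernel reports that the API view omits is
   a hidden object. Copies them into `hidden` and returns the count, -1 on error. */
int find_hidden_files(const char *path, char hidden[][256], int max) {
    char api[MAX_NAMES][256], raw[MAX_NAMES][256];
    int na = list_via_api(path, api, MAX_NAMES);
    int nr = list_via_syscall(path, raw, MAX_NAMES);
    if (na < 0 || nr < 0) return -1;
    int nh = 0;
    for (int i = 0; i < nr && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++)
            if (strcmp(raw[i], api[j]) == 0) { seen = 1; break; }
        if (!seen) strcpy(hidden[nh++], raw[i]);
    }
    return nh;
}

/* Constructed fixture: a fresh temp directory holding one ordinary file and
   one file the hook will hide. Returns the directory path, or NULL. */
const char *make_fixture(void) {
    static char dir[32];
    strcpy(dir, "/tmp/rkdemoXXXXXX");
    if (!mkdtemp(dir)) return NULL;
    char p[64];
    snprintf(p, sizeof p, "%s/notes.txt", dir);     close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/rk_payload.so", dir); close(open(p, O_CREAT | O_WRONLY, 0600));
    return dir;
}

int main(void) {
    const char *dir = make_fixture();
    char hidden[MAX_NAMES][256];
    int n = find_hidden_files(dir, hidden, MAX_NAMES);
    for (int i = 0; i < n; i++) printf("hidden from API view: %s\n", hidden[i]);
    return n > 0 ? 0 : 1;
}
```

The same principle scales beyond one directory: compare a process list obtained through the hooked API with one obtained by probing every PID directly, or compare open sockets reported by the API with the kernel's own tables. The cross-view catches user-mode rootkits because they can only lie inside the processes they have hooked; a kernel-mode rootkit can lie on both paths, which is why it needs a different approach.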
Bootkits/Bootloader Rootkits
The bootkit tampers with the boot sector of your machine's hard drive (the master boot record, or MBR) or with the bootloader itself, so it runs before the operating system does. Bootkits can destabilize the boot process and manipulate the operating system as it loads, patching the kernel before its own protections are in place. The bootkit might be the most dangerous kind of rootkit. Why? Because most anti-virus products can only detect threats within the operating system, not in the firmware (the BIOS, or its modern replacement, UEFI) that brings the machine up when you press the power button, nor in the small battery-backed CMOS memory that stores the firmware's settings.
Bootkits are among the most dangerous threats right now because they dwell and dabble in the boot chain: the MBR or the UEFI boot partition, and in the most advanced cases the firmware itself. Secure Boot, which has the firmware verify the bootloader's signature before running it, exists precisely to break this chain. A legacy BIOS/MBR machine has no such check, so the only defense there is to keep a known-good copy of the boot sector and compare it against what is on the disk now.
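The following is an added example, not code from the article, of that comparison for a legacy BIOS/MBR disk. It encodes the MBR layout the check depends on (446 bytes of boot code, a 64-byte partition table of four 16-byte entries at offset 446, and the 0x55 0xAA signature at offset 510) and compares a current sector with a baseline captured when the machine was known clean. The two sectors are constructed inside the block: a clean MBR whose boot code is NOPs, and the same sector after a hypothetical bootkit overwrote the first bytes with a jump to its own loader while leaving the partition table and signature untouched, which is exactly why the disk still "looks fine" to a casual inspection.

```c
// Added example (not from the article): MBR integrity check against a baseline.
// Findings come back as a bit mask so a caller can treat each one differently;
// a changed partition table may be legitimate, changed boot code rarely is.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE       512
#define BOOTCODE_SIZE  446   /* bytes 0..445: executable boot code            */
#define PTABLE_OFFSET  446   /* bytes 446..509: four 16-byte partition entries */
#define PTABLE_SIZE    64
#define SIG_OFFSET     510   /* bytes 510..511: 0x55 0xAA boot signature       */

enum mbr_finding {
    MBR_OK               = 0,
    MBR_SIG_MISSING      = 1 << 0,  /* not a valid MBR at all               */
    MBR_BOOTCODE_CHANGED = 1 << 1,  /* classic bootkit symptom              */
    MBR_PTABLE_CHANGED   = 1 << 2,  /* may be legitimate (repartitioning)   */
    MBR_BAD_STATUS_BYTE  = 1 << 3,  /* entry status must be 0x00 or 0x80    */
};

/* Compare the sector read from disk now (`current`) with the clean baseline. */
int mbr_check(const uint8_t *baseline, const uint8_t *current) {
    int findings = MBR_OK;
    if (current[SIG_OFFSET] != 0x55 || current[SIG_OFFSET + 1] != 0xAA)
        findings |= MBR_SIG_MISSING;
    if (memcmp(baseline, current, BOOTCODE_SIZE) != 0)
        findings |= MBR_BOOTCODE_CHANGED;
    if (memcmp(baseline + PTABLE_OFFSET, current + PTABLE_OFFSET, PTABLE_SIZE) != 0)
        findings |= MBR_PTABLE_CHANGED;
    for (int i = 0; i < 4; i++) {
        uint8_t status = current[PTABLE_OFFSET + 16 * i];
        if (status != 0x00 && status != 0x80)
            findings |= MBR_BAD_STATUS_BYTE;
    }
    return findings;
}

/* Constructed sample: a clean MBR with one bootable Linux partition.
   Real boot code is replaced by NOPs (0x90); only the layout matters here. */
void build_clean_mbr(uint8_t *mbr) {
    memset(mbr, 0x90, BOOTCODE_SIZE);
    memset(mbr + PTABLE_OFFSET, 0, PTABLE_SIZE);
    uint8_t *e = mbr + PTABLE_OFFSET;                 /* first partition entry  */
    e[0] = 0x80;                                      /* status: bootable       */
    e[4] = 0x83;                                      /* type: Linux            */
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00; /* LBA start 2048 (LE) */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x20; e[15] = 0x00; /* 0x200000 sectors    */
    mbr[SIG_OFFSET]     = 0x55;
    mbr[SIG_OFFSET + 1] = 0xAA;
}

/* Constructed sample: the same disk after a hypothetical bootkit patched the
   first two bytes into a short jump to its own loader. Partition table and
   signature are untouched, so the disk still boots and still "looks normal". */
void build_bootkitted_mbr(uint8_t *mbr) {
    build_clean_mbr(mbr);
    const uint8_t hook[] = { 0xEB, 0x3C };            /* jmp short +0x3C */
    memcpy(mbr, hook, sizeof hook);
}

int main(void) {
    uint8_t clean[MBR_SIZE], infected[MBR_SIZE];
    build_clean_mbr(clean);
    build_bootkitted_mbr(infected);
    int f = mbr_check(clean, infected);
    printf("findings: 0x%x (boot code changed: %s)\n", f,
           (f & MBR_BOOTCODE_CHANGED) ? "yes" : "no");
    return (f & MBR_BOOTCODE_CHANGED) ? 0 : 1;
}
```

In practice the baseline is the first 512 bytes of the boot disk captured right after installation (for example with `dd if=/dev/sda of=mbr.bin bs=512 count=1` on Linux) and stored off the machine, because a bootkit that controls the disk can also rewrite a baseline kept on it. On a UEFI machine the equivalent is hashing the bootloader files on the EFI system partition, and enabling Secure Boot so the firmware does that verification for you on every start.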
Ways To Stay Safe?
However, current operating systems (iOS, Android, macOS and Windows) constantly spend resources making themselves more secure. Google Play Services plays a big part in Android security. These efforts have made the systems smart enough to detect and eliminate most of these threats, though not all of them. Because of these fortifications, attackers use ever more creative ways to mask malicious content.
Ways To Prevent Rootkit
- Do NOT download programs or apps from untrustworthy or shady developers.
- Before running an executable file, scan it with your system's anti-virus program.
- Do not download pirated software, PDFs or video content.
- Do not visit sites that your web browser warns you against.
- Read the reviews and comments on the content you download.
- Read reviews of the apps you download, even from the Play Store.
- Stay aware of new cyber threats through research.
- Avoid the deep web.
- Always keep your anti-virus updated.
The Detection Process (The Tricky Part)
If you've been careless on the internet like I was when I loved free stuff, your device is most likely harboring an infection. If you are dealing with a rootkit that is heavily glitched or buggy, the typical sign is the slowing down of your system. But if you are dealing with very skilled cyber attackers, their programs will be significantly harder to detect. For example, from my personal experience: my computer suddenly became unconditionally slow. I opened the Task Manager to see what was taking a toll on my system's memory. I noticed the Google Chrome icon taking up almost 400 MB of RAM on my 4 GB laptop, and sometimes even more. The program wasn't even running. I tried ending the task for almost an hour, but it refused to shut down.
It was a classic example of a user mode rootkit. As you are certainly aware, Google Chrome is one of the, if not THE, most trusted web browsers out there, and it was definitely not their fault. It was perhaps my irresponsible ways with the internet, or whatever. Needless to say, my anti-virus program (Windows Defender) WAS up to date.
I was running Windows 8 at the time (two years ago) and I had to set up Windows all over again for it to finally go away. But you need not worry anymore, as anti-virus programs on mainstream operating systems have improved significantly, with the exception of Linux.