As malware go, rootkits are one of the more nasty ones. They are difficult to detect and are capable of causing more serious damage to any system they are installed in.
What is a rootkit?
Essentially, a rootkit is a software application designed to provide privileged access (hence the “root” in the name) to a computer system for extended periods of time. The program runs in the background without the computer user or owner knowing about it’s existence or activity. Often, the rootkit will then download an additional application or open backdoors for other applications to perform malicious activity eg sending mass emails. Increasingly, rootkits are used to gain control of infected PCs and turn them into “zombies”. used by cyber-criminals for DDoS attacks and credit-card data theft.
How are rootkits spread?
Like most malware, rootkits are spread via email (as attachments), on removable drives and as file downloads from the internet.
What can a rootkit do?
Once installed, a rootkit starts whenever the system starts. It has “root” privileges (“administrator” in the Windows world) and is therefore capable of executing files, launching commands, controlling network access, changing system configurations, collecting user data such as passwords and even changing log files to hide it’s activity.
How can I remove a rootkit?
Rootkits are very difficult to remove simply because they are able to conceal their existence extremely well. Most anti-virus software scanners are not even capable of detecting rootkits, while those that can detect can only do so for a limited number of known rootkits. Some signs of rootkit activity include:
– new user accounts
– user applications running with root/admin privileges
– suspicious log entries
– suspicious daemons/processes/services
However, most are stealthy and evolving, managing to remain invisible or running as “system” processes.
In many cases, the only solution is to completely wipe and reinstall the operating system.
How can I protect myself from rootkits?
The best protection against rootkits is prevention. As with other malware,
– only install applications from known, credible/verified sources
– do not open unknown email attachments
– open suspect files in a sandbox environment such as a VM
– keep your OS updated and patched
– keep your antivirus software updated
– monitor your servers and networks for unusual/suspicious activity