- Invisible masters. Rootkits: what are they?
- Biggest all-time rootkit attacks
- 10 facts about rootkits from a research by Positive Technologies
- Individuals should be especially wary of rootkits.
- State institutions sit in the top-5 most attacked organizations.
- Rootkits are difficult to build, but it does not hinder attackers: all kinds of rootkits are popular.
- Concealing activity has become the main function of rootkits
- Rootkit distributors are interested in your data
- Rootkits spread mainly by social engineering methods
- The Dark Web has something to offer for almost every budget
- Top-3 popular rootkit functions
- Windows at risk
- In many cases, reinstalling the system is the only way out
- How to protect yourself?
- The main rules
Invisible masters. Rootkits: what are they?
Rootkits are programs that make the actions of intruders or malicious programs invisible. Rootkits help cybercriminals infiltrate the system and take it over, spy on it, steal data, launch malware and attacks, and cover their tracks.
Such "silent guests" may appear on your system along with phishing emails, installed applications, or come from infected websites. The rootkit can also infiltrate the system when external media is plugged in.
Even if you are cautious and reliably protected, attackers are very likely to find a loophole in your system, because they know how to plan and execute well-organized multi-step Advanced Persistent Threat (APT) cyber-attacks.
Rootkits are used as part of cyber espionage campaigns, attacks aimed at stealing money, and plans of totally disrupting the infrastructure of the attacked company. These goals are nothing but new, but rootkits are dangerous because of their high efficiency. The ability to take over other people's systems without being noticed has many times led to irreversible consequences and poses a big threat.
Biggest all-time rootkit attacks
Sony rootkit disgrace
This case was one of the first high-profile cases of rootkit distribution, albeit unintentional. In 2005, Sony BMG Music Entertainment, a music disc company, created the XCP copy protection technology. However, its developers went way too far in their counter-piracy effort. It turned out that this protection works like a rootkit.
Marc Russinovich, a co-founder of Winternals Software, was the first to announce it in his blog. He discovered that the applied DRM protection creates vulnerabilities through which the system can be attacked by worms or viruses, in addition, it puts a constant load on system resources, thereby slowing down the computer. It was impossible to remove the rootkit using conventional methods, nor was it possible to detect it.
Sony denied that their technology was malicious and claimed that they did not use it to collect personal data, although antivirus companies still added the DRM rootkit to their databases. Sony later released an uninstaller that was supposed to remove the XCP protection from the disks, but it created additional security holes. Only after the DRM rootkit became a "cover" for trojans and other viruses did Sony suspend the release of CDs with XCP.
The company had to endure many more lawsuits and reimburse the damage to its customers for a long time. Rootkits pose a danger even when they have no direct target, let alone when attackers create them intentionally, as in the following story.
UK banks become target of Kronos
Malefactors are often interested in making money. The most notorious and large-scale banking threat in the UK was the Kronos trojan armed with a Ring3 usermode rootkit.
Kronos was able to steal user credentials, personal information, and bank details of victims. The collected data were then used for fraud. It was also used to add forms to bank websites where users entered personal data, including banking card PINs.
The Kronos malware repaid itself quickly and was easy to use, so it was actively purchased and distributed. As a result, it has become a dominant threat in the global cybercrime scene, with enormous financial implications for banks and their customers that are difficult to assess.
This virus tends to disappear from the limelight for a few years, disabling the control servers, and then update itself and reconnect to infected bots.
The Strider cybercrime group and their "Eye of Sauron"
An advanced persistent threat (APT) is a multi-phased, carefully planned and orchestrated cyberattack that targets a specific industry or specific (usually large) companies. APT attacks are usually created by large criminal groups with significant financial resources and technical capabilities. One of them, known as Strider, ProjectSauron, G0041, became notorious for its large-scale campaign against the state institutions of Russia, Belgium, China, Iran, Sweden, and Rwanda.
Sauron is an internal name used in Lua scripts. And we have to admit that Sauron himself, the evil overlord from The Lord of the Rings, would be impressed by the level of cyber-power of the criminal group. Wuth the Remsec rootkit, attackers were able to launch malicious tools into the network and remain undetected for 5 years! The group created previously unknown attack vectors, stole cryptographic keys, configuration files, and collected the IP addresses of cryptographic key infrastructure servers. Strider infiltrated 30 organizations in different countries.
Analyzing the nature of the attacks, experts concluded that Strider with a high degree of probability could be a state-supported intruder. Such a sophisticated system can only be created with a very large budget and a high interest in disrupting the activity of specific countries. The targets of its attack have been governmental institutions, military agencies, research centers, telecom operators, and financial organizations.
There is one rootkit that has made the whole world shiver: it is called Stuxnet. This malware targeted Iran's nuclear facilities and caused computers to change the rotation speed of centrifuges, causing them to collapse. As a result, Iran's nuclear program was set back two years.
The United States and Israel were blamed for this attack. Firstly, creating such a virus requires substantial funding and a team of malware experts, which means that countries with strong intelligence might be involved. And second, the New York Times published stories about centrifuges that resembled Iranian ones built in Israel. This may mean that they could be used to test the worm.
However, the world trembled not because of how the virus was used, but because of how it might be used. The same thing could be easily done by terrorist organizations, since a little earlier, this virus was freely sold on the black market. Western experts are deeply concerned that in the future, such attacks may be performed by criminal groups. "They can shut down power systems, dams, pretty much any sophisticated software-controlled industrial facility," said Stuart Baker, a former Assistant Secretary for Policy at the United States Department of Homeland Security.
10 facts about rootkits from a research by Positive Technologies
On October 12, 2021 Positive Technologies published astudyof the 16 most well-known rootkit families over the past 10 years. The study analyzed the information about rootkit sales, purchase, and development on dark web forums in Russian and in English. We have recapped interesting facts and statistics from the study.
Individuals should be especially wary of rootkits
The study found that attackers used rootkits 56% of the time to attack individuals. High-ranking officials, diplomats, and employees of targeted organizations are at risk. They become the victims of rootkit attacks most often.
State institutions sit in the top-5 most attacked organizations.
Top-5 organizations most attacked by rootkits:
- governmental institutions - 44%,
- research institutes - 38%,
- telecom operators - 25%,
- industrial enterprises - 19%,
- financial organizations - 19%.
Rootkits are difficult to build, but it does not hinder attackers: all kinds of rootkits are popular.
Rootkits running in user mode are more often applied in massive attacks. They are easier to develop and exploit the rights available to normal applications. This type of rootkit accounted for 31% of attacks.
Rootkits running in kernel mode have full operating system privileges and can therefore cause more serious damage. They are much more difficult to develop, but they are popular because of their effectiveness. 38% of rootkits run in kernel mode.
31% of rootkits that combine both these modes.
Concealing activitity has become the main function of rootkits
Whereas in the past, rootkits were used to gain administrator- or system-level privileges, now they primarily hide malicious activity from the security tools. These tactics expand the scope of cybercrime. For example, in 2020, the DirtyMoe rootkit targeted less than 10 thousand computers, but in 2021 it was already 100 thousand.
Rootkit distributors are interested in your data
The motives of the malefactors are the following:
- 77% - getting information,
- 31% - monetary benefit,
- 15% - infrastructure infiltration and scanning for subsequent attacks.
Rootkits spread mainly by social engineering methods
Methods of rootkit distribution according to MITRE ATT&CK classification:
- 69% - phishing,
- 62% - gaining access to the target system by exploiting vulnerabilities in publicly available applications (web applications, databases, FTP server, etc.)
- 31% - silent installation,
- 15% - infection via removable media.
The Dark Web has something to offer for almost every budget
An average rootkit costs $2,800 on the underground market, but the price can be anywhere from $45,000 to $100,000. It depends on the operation mode (user or kernel), operating system, as well as additional features and use cases.
The rootkit can be rented for $100–200. Sometimes developers offer to customize the malware according to the buyer's goals and provide service support.
Top-3 popular rootkit functions
The following features are most popular for rootkits in the dark web:
- providing remote access,
- concealing process files and network activity,
- targeting Windows OS.
Windows at risk
The shares of operating systems targeted by rootkits are distributed as follows:
- 69% - Windows,
- 31% - Unix,
- 6% - Android,
- 6% - macOS,
- 6% - iOS.
Because of this increased attention, in Windows 10 developers have provided advanced protection from rootkit launch, but it still is unable to guarantee perfect security.
In many cases, reinstalling the system is the only way out
According to the European Network and Information Security Agency (ENISA), in most cases, the rootkit can only be deleted by reinstalling the compromised system.
To avoid this unpleasant experience, familiarize yourself with cyber security methods that will prevent or mitigate undesirable consequences of rootkits.
How to protect yourself?
This is one of the most valuable tools in the fight against rootkits because it can detect them even before they infiltrate the system. At the moment an attacker installs a rootkit, built-in analyzers notify the user of malicious or suspicious activity. The process is executed in an isolated environment that makes no harm to the main system.
Learn more about how the sandbox works.
Sandbox with proactive and covert detection technology
As for now, this is an exclusive technology of Positive Technologies.PT Sandbox - 2.4. detects rootkits not only at the installation stage but even after the system is already infected with them, which used to be nigh-impossible before.
Other methods of fighting rootkits are based on launching anti-rootkit tools inside the OS, but if a well-made malware is already installed in the OS, it cannot be detected. The technology developed by the specialists from the PT Expert Security Center, differs in that it is launched beyond the OS. Rootkits cannot hide from this agentless analysis, and attackers will not suspect that their actions have been detected.
Scanners are able to detect rootkits and related malware, even if they have managed to evade your anti-virus defenses. Nevertheless, they are usually able to find only the rootkits already added in the databases, while those that infected the system before installation may never be found.
Tools for detecting malicious activity on endpoints
These solutions focus on detecting targeted attacks and advanced threats. They reveal malicious activity on workstations, servers, and IoT devices. Agents are installed on these endpoints to monitor processes, user actions, and communications. These tools leverage machine learning algorithms to detect security incidents and alert you on them.
System integrity check
A well-known rootkit detection method is a system integrity scan. Operating system files that have been modified by attackers can become sources of threats. The integrity of the system and its components can be checked with special utilities.
Analysis of network traffic for anomalies
Anomalies can be related to both hardware and software deviations and security breaches. Both cases need to be tracked with special monitoring systems: web applications, open source programs, freeware, etc. They collect statistics on system operation, all threat events, and incoming traffic in real-time and visualize them in charts and tables.
The main rules
The rules that increase your protection against rootkits are simple as ABC:
- Install security updates regularly,
- Verify digital signatures and certificates, and
- Update antivirus databases.
Rootkits are a sophisticated attack tool, but there is nothing impossible in protecting your company from them.