Security professionals and enthusiasts are aware of rootkits, but general audiences typically don’t know about this kind of malware, which is specifically designed to hide itself and its activity in an infected system. This threat is well worth public awareness as there’s a high chance of you possibly meeting this malware in the future. Cybercriminals are constantly developing new methods to steal your data and actively sell these methods to each other.
The ability to hide itself allows this type of malware to live on the victim’s system for months and sometimes even years, letting a hacker use the computer for any purpose. Even if a computer doesn’t contain any valuable information, which is unlikely, it could still be used for producing digital currency (bitcoins), sending spam and participating in a DDoS attacks. Rootkit functionality allows hackers to hide malicious activity not only from built-in OS monitoring tools, but from antivirus and firewall sensors as well. That’s why we suggest checking your antivirus and internet security system for the existence of an anti-rootkit function and its efficiency.
What makes a rootkit invisible? It’s not that complicated to explain: malware tries to integrate its code deep into an operating system and intercept all standard requests for file reading, obtaining the running process list, etc. A rootkit processes such requests and removes any mention of files, processes and other traces related to its activity. Other techniques are utilized as well – e.g. a rootkit can inject some code into a legitimate process and use that process memory to do its dirty work. That allows a rootkit to remain invisible to less advanced antivirus solutions, which work on a high level of OS requests and don’t try to dive deeper into the OS or other low-level hardware structures. If an antivirus managed to detect a rootkit, the malware could try to deactivate the protection and delete some critical antivirus components. Some of the more crafty rootkits even use live-bait fishing technology – creating a special file to be detected by an antivirus. As soon as the antivirus software accesses that file, the rootkit has tried to shut the antivirus down and prevent it from future execution.
How can you stop this mess? First of all, to detect any suspicious activity, your antivirus must monitor critical system files on a low level, thus catching malware trying to modify the hard drive. It’s possible to find new rootkit that are still unknown to your antivirus just by comparing computer activity as seen on the OS level with results of low-level monitoring. Secondly, it’s crucial to have sufficient antivirus self-protection so malware cannot deactivate your product. And last, but not least, an antivirus has to remove 100% of rootkit components, even those injected into critical files of the OS. It’s impossible to solve this problem just by deleting files – this renders the OS nonfunctional, so your antivirus would remove those files without affecting the original functionality.
So make sure your protection meets these requirements before saying “I know, what a rootkit is and I am sure that my antivirus solution efficiently protects me from this threat.”