Rootkit - A malicious program that applies different techniques of concealing malicious code and activities from detection and counteracts against attempted remediation by antivirus. Anti-Rootkit technology, part of Kaspersky Lab’s multi-layered, next generation protection, detects active infection by these rootkit programs and remediates systems from this type of infection.
In most cases, a rootkit includes a driver (or chain of drivers), functions in kernel mode, and performs some or all the following functionality:
Concealing of files on storage (HDD), Windows registry keys and values, processes in system, loaded modules, memory regions (in case of fileless malware), network activities, disk sectors, other objects and artefacts
Counteractions against modification and\or elimination of the rootkit by antivirus in case of detection, including restoring changed ones
Provision of access to OS kernel for malicious code\applications (for the sake of antivirus processes termination), injection of malicious code into legitimate processes, interception of network traffic (sniffing), interception of presses keys (keylogging), etc
Malware writers are interested in functioning their malicious code during long periods of time on a targeted host, even in case of running antivirus software. For this purpose they need to operate different techniques to hamper detection and remediation of the active infection. They may use both documented and undocumented methods of Operation System. RootKits are known to use different approaches of interception in user mode and in kernel mode, manipulations with objects (DKOM), techniques of bypassing filter-drivers and callback functions, etc. To support persistency on the victim system, RootKits need to start executing on early stages of Operation System boot, so they infect boot sectors, as Master Boot Record (MBR) and Volume Boot Record (VBR). RootKit with such functionality is called BootKit.
Kaspersky Lab’s Anti-rootkit technologies
Search for active infection in system memory of Operation System
Scan all the possible locations used for AutoRun
Remediate in case of active infection detection, recovery on early stage of Operation System booting
Neutralize active infections during product installation onto the infected system
This complicated multi-module protection technology implements two approaches for detection and neutralization of active infection: exact and generic*.
Exact approach: procedures of detection and neutralization are targeted against particular rootkit techniques, like presence concealing or counteractions to remediation by antivirus. This approach allows protection against a rootkit within a short period of time to cover current outbreaks, saving more time to develop a more generic approach.
Generic approach: Anti-RootKit scans active processes, system modules, memory, AutoRun objects, and provides access to the malware code to other antivirus components such as an emulator, AV engine, static heuristics, behavior-based heuristics empowered by ML model, etc. In case of triggering by any of the listed component, the anti-rootkit disinfects the system.
Anti-rootkit consists of the following components:
Installer Protector: Counteracts against active infection during security product installation onto the victim system
Low-level Disk Access, Low-level Registry Access, Containment: provide low-level access to hard drive and Windows registry, bypassing different methods of access interception. Contains implementation of techniques for active infection containment for a period of remediation
Boot Stage Cleaner: Remediates early stage of Operation System booting
System Memory Scanner: A module to search for and remediate rootkits in system memory
Filesystem Parser, Registry Parser: Parses numerous formats of File System and Window Registry
Critical Areas Scanner: Module to scans and remediate AutoRun objects, benefits from the modules described above.
*Kaspersky Lab products utilize both of these approaches.
Kaspersky Fraud Prevention
Proactive detection of cross-channel fraud in Real Time