Types of Rootkits

Introduction

A rootkit is a set of software tools designed to maintain privileged ("root") access to an operating system while concealing its own presence. A malicious rootkit normally carries, or is delivered alongside, a malicious payload that is installed covertly on the target system.

To keep that backdoor open, a rootkit hooks into system components that run at different privilege levels. On a Windows system this usually means operating in either user mode or kernel mode.

The importance of understanding the attack vector

Contrary to popular perception, a rootkit does not breach a system's security on its own. Getting past the operating system's defenses is the job of the infection vector, the method used to deliver the rootkit. There are many such methods in use today:

  • Sending infected files or Trojans as email attachments
  • Placing malware behind seemingly harmless banners and pop-ups on websites
  • Using phishing and other malware such as keyloggers to steal credentials that give attackers privileged access, which is then used to install the rootkit

A rootkit begins its work once the vector has compromised the system and handed it a way into the privileged modes of the OS. From there, depending on where it installs itself, it can modify installed software or even parts of the operating system. That is what makes a rootkit infection hard to detect, and sometimes virtually invisible to the compromised system's own tools.

Understanding a rootkit’s position in the OS

Windows executes code in two modes: user mode and kernel mode. Kernel mode is the more privileged of the two. Code running there (the kernel itself and device drivers) talks directly to the hardware and is not subject to the protections enforced on ordinary applications. It is the most privileged mode the operating system itself exposes, the closest thing to "root" on a Windows system.

But most programs and processes do not need unrestricted access to the processor and the system hardware. These everyday, less privileged tasks are handled in a mode (Read more...)
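Why the rootkit's position matters can be shown with a cross-view check, which is the standard way defenders catch a user-mode rootkit: obtain the same fact (here, which processes exist) through two independent paths and look for disagreement. The script below is an added example written for this page, not code from the original post, and it uses Linux rather than Windows because the two paths are easiest to show there. View 1 lists /proc with readdir, exactly as ps does; a user-mode rootkit (for example an LD_PRELOAD library that hooks readdir) can filter that listing. View 2 asks the kernel directly with kill(pid, 0), a system call the readdir hook never sees. Anything alive in view 2 but missing from view 1 was hidden in user mode. A kernel-mode rootkit, sitting below both views, could lie to both, which is precisely the advantage the text attributes to that position. The simulate_userland_hook function is a constructed stand-in for a rootkit's filter; no real rootkit is included.

```python
import os
from typing import Iterable, List, Optional, Set

PROC = "/proc"


def pids_via_proc() -> Set[int]:
    """View 1: enumerate /proc with readdir, the way ps(1) does.
    A user-mode rootkit that hooks readdir in libc can filter this
    listing, so a hidden process simply never appears here."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def pids_via_kill(candidates: Iterable[int]) -> Set[int]:
    """View 2: ask the kernel about each PID directly with kill(pid, 0).
    This is a syscall, not a libc directory walk, so a readdir hook
    cannot filter it; only a kernel-mode rootkit could lie here."""
    alive: Set[int] = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists, but belongs to another user
        alive.add(pid)
    return alive


def is_thread_id(pid: int) -> bool:
    """kill(2) also answers for thread IDs, which /proc does not list at
    top level. An ID whose Tgid differs from its Pid is a thread, not a
    hidden process. Unreadable status (exited mid-scan) returns False and
    is weeded out by the re-confirmation step in find_hidden_processes."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Tgid"]) != pid
    except (OSError, KeyError, ValueError):
        return False


def cross_view_diff(trusted_view: Set[int], hooked_view: Set[int]) -> List[int]:
    """PIDs the kernel reports alive that the hookable listing omits."""
    return sorted(trusted_view - hooked_view)


def pid_max(default: int = 32768) -> int:
    """Upper bound for the kill() sweep, read from the kernel when possible."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def find_hidden_processes(limit: Optional[int] = None) -> List[int]:
    """Full cross-view scan of a live Linux host. Two /proc snapshots
    bracket the kill() sweep so a process that starts or exits mid-scan
    is not misreported, and every candidate is re-confirmed at the end."""
    upper = limit or pid_max()
    before = pids_via_proc()
    kernel_view = pids_via_kill(range(1, upper + 1))
    after = pids_via_proc()
    candidates = [p for p in cross_view_diff(kernel_view, before | after)
                  if not is_thread_id(p)]
    fresh = pids_via_proc()
    return [p for p in candidates if p not in fresh and pids_via_kill([p])]


def simulate_userland_hook(real_pids: Set[int], hidden: Set[int]) -> Set[int]:
    """Constructed model of a user-mode rootkit's readdir hook: it returns
    the real listing minus the PIDs it wants to hide. Not a real rootkit."""
    return {p for p in real_pids if p not in hidden}


def self_check() -> Optional[bool]:
    """On a Linux host our own PID must appear in both views. Returns None
    where /proc is unavailable (non-Linux) so callers can skip the check."""
    if os.name != "posix" or not os.path.isdir(PROC):
        return None
    me = os.getpid()
    return me in pids_via_proc() and me in pids_via_kill([me])


if __name__ == "__main__":
    # Constructed demo: the kernel knows PIDs 1..5, a user-mode hook hides 4.
    real = {1, 2, 3, 4, 5}
    print("hidden by hook:", cross_view_diff(real, simulate_userland_hook(real, {4})))
    if self_check():
        print("live scan:", find_hidden_processes() or "nothing hidden from readdir")
```

The live scan is only as good as view 2: a kernel-mode rootkit that patches the kill or getdents paths inside the kernel would return the same lie to both views, and at that point the only trustworthy vantage point is outside the running OS (a hypervisor, a boot from clean media, or a memory image examined on another machine).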

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Preetam Kaushik. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ptaerDnLq9I/