IT Strategies for Your Business: Rootkits

The music industry had a serious piracy problem in 2005, and Sony BMG decided to do something about it. A number of its audio CDs shipped with digital rights management software called Extended Copy Protection (XCP), written by a third party. The software installed a proprietary music player, but it also installed a component that limited how the customer could copy or rip the CD and that hid itself from the operating system: any file, process or registry key whose name began with "$sys$" was made invisible. Once this was discovered, malware authors began using the same cloaking to hide their own files on affected machines.

The discovery led to civil lawsuits and government investigations, and Sony BMG recalled the affected CDs and issued an uninstaller. Extended Copy Protection is a well-known example of a rootkit: it used rootkit techniques to conceal its own presence.

Rootkits are malware designed to conceal their presence on a computer: they hide their own files, processes and network connections from the user, and often from security tools, while remaining active. They usually run with administrator or kernel privileges, and they typically bundle a backdoor that lets the attacker control the machine remotely.

In this blog, we will dive into the different types of rootkits, and how to protect yourself and your business from them.

The built-in media player that came with a Sony BMG CD in 2005.

What are the Different Types of Rootkits?

Rootkits can let attackers steal passwords or banking information, disable security software, and record keystrokes like a keylogger, all while concealing these activities from the user.

There are five common types of rootkit, grouped by where they live on the machine: firmware, bootloader, memory, application, and kernel mode.

Firmware rootkits infect the firmware stored on the motherboard's BIOS or UEFI flash chip. This firmware runs before the operating system and initializes the hardware, so a rootkit there loads before any security software and survives a disk wipe or OS reinstall.

Firmware rootkits can also be installed in a router, a hard drive, or a network card, since each has firmware of its own. A rootkit in a hard drive's firmware can intercept data as it is read from or written to the drive, and it persists even after the drive is reformatted.

The bootloader is the small program that loads the operating system when the computer is powered on. A bootloader rootkit (often called a bootkit) replaces it with the attacker's version, so the rootkit is running before the operating system and its defences have loaded. UEFI Secure Boot, which checks the bootloader's digital signature before running it, exists to block exactly this.

A memory rootkit lives only in the computer's RAM (Random Access Memory) and carries out its activities from there. Because it never writes itself to disk, it leaves few traces for a disk scanner and is harder to investigate after the fact, but it also has no persistence: it disappears when the RAM is cleared or the computer is restarted, unless the attacker has another way to reinstall it.

Application rootkits replace or patch legitimate program files on a computer with malicious versions. These rootkits can also change the way certain applications work. Everyday programs like Word, Paint, or Notepad could be swapped for trojanized copies that give the attacker access to the computer. Application rootkits are hard to spot because the infected programs are designed to keep working normally.

A kernel-mode rootkit changes how the operating system (OS) itself functions. It loads its code into the OS core, known as the kernel, usually as a driver or kernel module. The kernel is the central part of an OS, the layer every program and security tool relies on, much like the brain stem of your computer. From there a rootkit can hook the functions that list files, processes and network connections and filter itself out of the results, so Windows or macOS reports a clean system. It also has full access to the hardware and to every other program on the machine.

Kernel panic error message as a result of a rootkit attack.

How Can I Defend Against Rootkits?

Because rootkits are difficult to detect once installed, the best defence is to keep them off the machine in the first place: you and your team should be careful when browsing the Internet or downloading applications and data.

Your IT team should make sure that every machine runs an up-to-date operating system. Updates can be annoying, but they are crucial: Windows and macOS updates fix the privilege-escalation flaws an attacker needs to install a rootkit, and they harden the boot process against bootloader and kernel-mode rootkits (for example through driver signature enforcement and Secure Boot). Your antivirus software should also be updated regularly so its engine and detection signatures keep pace with new rootkits.

One of the more common ways rootkits end up on computers is through phishing emails. Phishing emails are sent by attackers to trick you into handing over sensitive information or opening something malicious. They almost always carry a link to a website or file that looks legitimate; the link or attachment delivers the malware, which may install a rootkit to hide itself.

Example of a phishing email.

You and your staff should be careful when opening attachments. Do not open attachments from senders you do not know. If a message claims there is an issue with your account, do not use the link in the email: open a new tab and log into the website by typing its usual address.

Your IT team should have antivirus software in place that includes rootkit scanning. These scanners compare files against a database of known malware signatures, then look for the anomalies a rootkit leaves behind, such as a file or process that is visible when the disk is read directly but missing from what the operating system reports.

Because rootkits can attach themselves to common applications without people noticing, rootkit scanning tools that check those applications against known-good copies make them easier to spot.
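The two checks described above, a signature match against known-bad hashes and an integrity comparison against a known-good baseline, are simple to demonstrate. The Python below is an added example written for this post, not code from Sony, from any antivirus vendor, or from the original article. It builds a constructed "installation" in a temporary directory, records a baseline of SHA-256 digests, then simulates an application rootkit swapping notepad.exe for a trojanized copy and dropping a helper file named in the "$sys$" style, and shows what each check reports. The KNOWN_BAD_SHA256 table and the "Example.Rootkit.Dropper" name are hypothetical stand-ins for a vendor's signature database.

```python
import hashlib
import os
import tempfile

# Hypothetical signature database: SHA-256 digests of files already known to be
# malicious, mapped to a detection name. Constructed for this example only.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"trojanized notepad with hidden backdoor").hexdigest(): "Example.Rootkit.Dropper",
}


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(before, after):
    """Integrity diff: which files changed, appeared, or vanished since the baseline."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def signature_hits(snapshot, known_bad=KNOWN_BAD_SHA256):
    """Signature scan: files whose digest matches a known-malicious hash."""
    return {path: known_bad[digest] for path, digest in snapshot.items() if digest in known_bad}


def demo():
    """Constructed scenario: a clean install, then application-rootkit style tampering."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "notepad.exe"), "wb") as f:
            f.write(b"original notepad binary")
        with open(os.path.join(bindir, "word.exe"), "wb") as f:
            f.write(b"original word binary")
        baseline = build_baseline(root)  # taken while the machine is known-good

        # Simulated infection: a legitimate program is replaced by a trojanized copy,
        # and a helper named in the Sony XCP "$sys$" style is dropped beside it.
        with open(os.path.join(bindir, "notepad.exe"), "wb") as f:
            f.write(b"trojanized notepad with hidden backdoor")
        with open(os.path.join(bindir, "$sys$helper.dll"), "wb") as f:
            f.write(b"cloaked payload")

        current = build_baseline(root)
        return {
            "integrity": compare_baselines(baseline, current),
            "signatures": signature_hits(current),
        }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Two caveats a practitioner would add. The baseline must be captured while the machine is known-good and stored somewhere the machine cannot alter it, otherwise a rootkit simply rewrites the baseline along with the files. And a kernel-mode rootkit can hide entries from os.walk or hand back the original bytes when a tampered file is read, so a scan like this is only trustworthy when run from clean boot media or against the disk taken out of the suspect machine.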

Wrapping Up

The common theme with all types of rootkits is that they are difficult to notice once installed. They are, however, largely preventable: installing a rootkit normally requires administrator or kernel-level access, which an attacker usually gets through a phishing email, an unpatched flaw, or physical access to the machine. Giving staff standard rather than administrator accounts, patching promptly, and practising safe web browsing and downloading close off most of those routes.

The antivirus software your IT team installs will do some of the work ahead of time, but not every antivirus client can detect rootkits, so your staff should still be mindful of how they use their machines.

Another line of defense is to make sure that automatic updates for your OS and your antivirus software are turned on and scheduled for a secure and convenient time.

Hopefully, most of your music is on a streaming service and not on a CD with a built-in rootkit!
