How to Protect Against Rootkit Malware Kernel-Level Attacks
Avoiding malware attacks, like the Microsoft cross-signed rootkit driver, requires the right cybersecurity protection.
For security purposes, it should go without saying that anything users bring into an enterprise digital environment, such as software drivers with access to the system kernel, must be free of malicious code. Everything should be vetted and approved by an IT administrator.
The Windows security model is based upon securable objects. Each component of the operating system must ensure the security of the objects for which it is responsible. Drivers must be safeguarded for the security of their devices and the computers to which they’re connected.
A rootkit attack can be the most devastating malware attack any organization can experience. A rootkit that uses a driver to gain access to a computer’s operating system and kernel can cause extreme damage. It can remain undetected within a system for long periods of time, watching everything the user does. Rootkits are dangerous not only because of the damage they can inflict, but also because they are almost impossible to detect and remove. A rootkit is designed to protect a malicious program delivered by a threat actor, acting as a sort of invisibility cloak. Rootkit malware can steal data and take over a system for malicious purposes, all while remaining undetected. In most cases, the only way to completely remove a rootkit is to wipe the computer’s operating system and rebuild it from the ground up.
Rootkit malware can be dealt with using specialized anti-rootkit software that detects, prevents, and removes it. Specifically, the RevBits Endpoint Security module includes unique anti-rootkit threat detection, prevention and removal capabilities. To remove known and unknown rootkit malware, RevBits identifies suspicious callback processes, hooks, registry keys, and modified files. RevBits’ patented anti-rootkit capabilities protect computer systems and data by detecting, blocking and removing malicious drivers.
Rootkit may be the next big wave of malware attacks
While it’s very difficult to create a rootkit, both non-state and state-sponsored threat actors are becoming highly sophisticated. Many are even taking advantage of Malware-as-a-Service, through which future versions of a rootkit could be made available. The advantage of using Malware-as-a-Service is that bad actors don’t need the large resources or highly skilled capabilities otherwise required to create and launch an attack.
Software drivers are becoming common target vectors. Drivers are a bridge between the hardware, software, and data on a computer or network. Cyberattacks using drivers are an easy way for bad actors to gain system-level privileges and remotely execute malicious code on otherwise inaccessible sections of the OS, like the kernel. One approach to ensuring the security of the Windows operating system is to prevent new drivers from loading and accessing space in the Windows OS and kernel. Unfortunately, Windows documentation doesn’t provide a solution for this. To solve this problem requires a system and method that selectively blocks unwanted drivers from being loaded and executed into the kernel.
Malicious Windows drivers that are loaded and executed within the kernel can completely disarm anti-virus security products, rendering them useless. There is no inherent method in Windows to fully prevent drivers, signed or not, from being loaded into the operating system kernel layer. Of course, this opens up opportunities for hackers to discover ways of bypassing driver signature enforcement. They can use stolen code signing certificates to sign malicious drivers, and find other ways of bypassing driver signing enforcement within the Windows OS kernel space.
RevBits anti-rootkit software detects, blocks, and removes rootkit malware
In the recent case where Microsoft signed a malicious Netfilter driver for a gaming application, there was nothing a signature-based or behavioral-based anti-virus product could do. There needs to be a system and process in place that enables an administrator to decide which drivers and applications are permitted access to kernel space. The RevBits Endpoint Security module includes patented anti-rootkit software that can catch and block drivers in memory, before they access kernel space. This allows administrators to decide which drivers are allowed, and which ones are denied access to kernel space. The RevBits ES module has a U.S. patent for detecting and blocking signed and unsigned drivers attempting to access the kernel-level OS. RevBits will detect and alert on known and unknown malicious rootkits, using our unique modeling techniques, and remove them through our callback capabilities, whether they’re signed by Microsoft or any other CA.
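The administrator-decides-which-drivers-are-allowed model described above can be approximated for auditing purposes with a plain PowerShell script. This is an added example, not RevBits code and not a substitute for in-kernel blocking: it enumerates the running kernel drivers, checks each image's Authenticode status, and compares its SHA-256 hash against a hypothetical administrator-maintained allowlist, so that a valid signature from Microsoft or any other CA is by itself never treated as a reason to trust a driver.

```powershell
# Added example (not RevBits code): audit running kernel drivers against an
# administrator-maintained allowlist. Uses only standard Windows PowerShell cmdlets.

# Hypothetical allowlist: SHA-256 hashes of driver images the administrator has vetted.
# The entry below is a placeholder; populate it from your own approved driver inventory.
$Allowlist = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'example.sys (placeholder)'
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may use NT-style prefixes; map them to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                 # strip leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverAudit {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                # Image not on disk where the service says it is: worth a look on its own.
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; Signature = 'FileNotFound';
                                   Signer = $null; Hash = $null; Verdict = 'REVIEW' }
                return
            }
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # Allowlist membership is the only path to ALLOWED; a valid signature alone is not.
            $verdict = if ($Allowlist.ContainsKey($hash)) { 'ALLOWED' }
                       elseif ($sig.Status -ne 'Valid')    { 'BLOCK-CANDIDATE' }
                       else                                 { 'REVIEW' }
            [pscustomobject]@{
                Name = $_.Name; Path = $path; Signature = $sig.Status
                Signer = $sig.SignerCertificate.Subject; Hash = $hash; Verdict = $verdict
            }
        }
}

# Report everything the administrator has not explicitly approved.
Get-KernelDriverAudit | Where-Object { $_.Verdict -ne 'ALLOWED' } |
    Sort-Object Verdict, Name | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver image is readable; the REVIEW rows are signed drivers the administrator has not yet decided on, and their hashes are what you add to the allowlist once vetted.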
RevBits Endpoint Security module is part of the RevBits Cyber Intelligence Platform (CIP), a unified security platform that automates and integrates a suite of security modules that detect, alert, respond, and intelligently analyze layered security data across the IT and security stack. All security data is coalesced and presented within the RevBits unified dashboard for rapid forensics and mitigation.
Rootkit-cloaked malware programs are highly sophisticated and not easily discovered. They can live in machines for long periods of time. These malicious programs hide their processes and files, spying on all user activity for days, weeks, and months while scanning, deleting and installing at will.