Rootkit Malware – An Elevated Threat Above Ordinary Ransomware
Detect, block, and remove rootkit malware with anti-rootkit software.
Rootkit-cloaked malware is highly sophisticated and not easily discovered. It can live in a machine for long periods of time. These malicious programs hide their processes and files and spy on all user activity for days, weeks, or months, while scanning, deleting and installing at will.
Rootkit malware can get raw access to a computer’s operating system and kernel, so when the attackers decide to become destructive they can encrypt the computer’s disk, wipe all files, and delete backups, anti-virus files, sandbox mechanisms, and more. The type of operating system does not matter, and multi-boot setups and segmentation will not help. When a root-level malware breach happens, it is devastating, and the damage is far beyond what ordinary ransomware can do. In fact, rootkit malware can employ a ransomware capability that can potentially destroy a vulnerable business.
To spread malware to other machines, rootkit loaders become the delivery mechanism that installs the rootkit and automatically enables its spreading capabilities. Hackers can also penetrate Active Directory to push their rootkit malware across an organization’s computer systems.
Threat actors take advantage of multiple access exploits, such as co-signing security certificates, creating fake shell companies, and finding signed and validated drivers, like the Gigabyte driver vulnerability exploited by the RobbinHood ransomware. A signed driver with access to a system’s kernel can disarm endpoint security products, which is exactly what the RobbinHood ransomware did. The driver was digitally signed by Microsoft and Verisign. The hackers had raw access at the kernel level, loaded their own driver, and were able to do whatever they wanted.
The anywhere workforce opens new doors for rootkit malware
Today’s remote workforce, whether full-time or part-time away from the corporate office, uses laptops, smartphones, printers, webcams, keyboards and many other devices that are all vulnerable to attack. Bad actors can all too easily infiltrate these systems and worm their way into the organization’s digital infrastructure.
Malware cloaked within a rootkit is very persistent. For example, a rootkit installed on a keyboard driver can infect the computer the keyboard is connected to. If a new computer is attached to that same keyboard, the rootkit malware can infect the new computer, and so on.
An enterprise with thousands of employees can have tens of thousands of potential security vulnerabilities. To manage these users and devices more efficiently, IT can run baseline whitelisting to establish clean images. If new hardware is identified but has not yet been whitelisted, IT can approve the device’s file name, driver, and signature with a single mouse click. This ensures a strong security posture.
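The baseline-whitelisting step above can be modelled as a simple allowlist keyed by the driver image's hash rather than its file name, so that a previously approved driver whose bytes or signer have changed is flagged separately from a driver that has simply never been seen. The following is an added example written for this page, not RevBits' code; the driver names, signer strings and byte strings are constructed stand-ins for real driver images and Authenticode signers.

```python
"""Baseline driver allowlisting: compare newly inventoried kernel drivers
against an administrator-approved baseline (constructed illustration)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverRecord:
    file_name: str
    signer: str   # subject of the Authenticode signer, "" if unsigned
    sha256: str   # hash of the driver image on disk


def sha256_of(blob: bytes) -> str:
    """Hash the driver image; the hash, not the file name, is the identity."""
    return hashlib.sha256(blob).hexdigest()


def record(file_name: str, signer: str, image: bytes) -> DriverRecord:
    return DriverRecord(file_name, signer, sha256_of(image))


def classify(inventory, baseline):
    """Sort inventoried drivers into approved / tampered / pending.

    baseline: dict sha256 -> DriverRecord approved by IT.
    tampered: a file name IT already approved now carries different bytes
              or a different signer (a replaced or backdoored driver).
    pending:  never seen before; needs an administrator's decision.
    """
    approved_names = {rec.file_name for rec in baseline.values()}
    result = {"approved": [], "tampered": [], "pending": []}
    for rec in inventory:
        known = baseline.get(rec.sha256)
        if known is not None and (known.file_name, known.signer) == (rec.file_name, rec.signer):
            result["approved"].append(rec)
        elif rec.file_name in approved_names:
            result["tampered"].append(rec)
        else:
            result["pending"].append(rec)
    return result


def approve(baseline, rec: DriverRecord) -> None:
    """The 'single click': pin the exact name/signer/hash triple."""
    if not rec.signer:
        raise ValueError(f"refusing to approve unsigned driver {rec.file_name}")
    baseline[rec.sha256] = rec


def demo():
    """Constructed sample data; the byte strings stand in for driver images."""
    baseline = {}
    approve(baseline, record("kbdclass.sys", "Microsoft Windows", b"constructed kbdclass image v1"))
    approve(baseline, record("edrsensor.sys", "Example EDR Vendor", b"constructed edr sensor image"))
    inventory = [
        record("kbdclass.sys", "Microsoft Windows", b"constructed kbdclass image v1"),        # unchanged
        record("kbdclass.sys", "Microsoft Windows", b"constructed kbdclass image MODIFIED"),  # same name, new bytes
        record("camfilter.sys", "", b"constructed unsigned webcam filter"),                  # new, unsigned
    ]
    return classify(inventory, baseline)


if __name__ == "__main__":
    for bucket, recs in demo().items():
        print(bucket, [r.file_name for r in recs])
```

Keying the baseline on the hash is what makes the "tampered" bucket possible: a driver that keeps its approved file name but changes content lands there instead of silently passing as approved. Note that a signed but known-vulnerable driver (the Gigabyte case mentioned earlier) would still enter the baseline if an administrator approves it, so the approval step is where a vendor vulnerability list should be consulted.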
My experience overcoming a major rootkit attack
Not long ago, I helped a large retail company that had seven thousand of its computers infected with rootkit malware. The company had already contacted its two security companies that had well-known anti-virus and endpoint security products installed on all seven thousand machines. Unfortunately, the rootkit had penetrated the organization’s computers without being discovered by the anti-virus and endpoint security products.
The company contacted me, and gave me access to some of the infected computers. Upon analysis, I discovered a malicious rootkit had been installed and had assumed authority over the system’s callback functions. This is why, every time the anti-virus security products went to the registry to remove the malicious software, they failed. The rootkit’s malware had obtained full authority, control, and oversight of the system’s process, file system and registry functions.
Fixing the machines required gaining authority over the kernel’s process tasks. This involved installing new process, network, file system, and registry callback functions. To remove the rootkit and its malware, I utilized RevBits’ patented anti-rootkit technology. I was able to load my own driver that went into the Windows kernel, removed the malicious process and registry callbacks, and deleted the hacker’s files. RevBits signed the new driver certificate, and the solution was deployed across all seven thousand infected computers.
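The incident above hinges on kernel notification callbacks (process, registry, file system, network) being owned by code the defenders did not put there. The check a responder wants is therefore a comparison of the currently registered callbacks against the loaded-module table and a clean-image snapshot. Enumerating live callbacks needs a kernel driver or a kernel debugger; the example below, added here and not RevBits' code, models only the audit logic over a constructed module table and callback list, with made-up addresses and the driver names edrsensor.sys and hlpdrv.sys as assumptions.

```python
"""Audit of kernel notification callbacks against the loaded-module table
(constructed illustration of the check a rootkit-removal tool performs)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    signed: bool


@dataclass(frozen=True)
class Callback:
    kind: str      # "process", "registry", "filesystem" or "network"
    address: int   # routine address as registered with the kernel


def owner_of(address: int, modules) -> Optional[Module]:
    """Find the loaded module whose image range contains the routine."""
    for m in modules:
        if m.base <= address < m.base + m.size:
            return m
    return None


def audit_callbacks(callbacks, modules, trusted):
    """Return (callback, reason) pairs for every callback that is not
    owned by a signed, baseline-approved module."""
    findings = []
    for cb in callbacks:
        m = owner_of(cb.address, modules)
        if m is None:
            findings.append((cb, "routine not backed by any loaded module"))
        elif not m.signed:
            findings.append((cb, f"owner {m.name} is unsigned"))
        elif m.name not in trusted:
            findings.append((cb, f"owner {m.name} not in clean-image baseline"))
    return findings


def new_since_baseline(baseline_snapshot, current_snapshot):
    """Callbacks registered now that the clean-image snapshot did not have."""
    return sorted(set(current_snapshot) - set(baseline_snapshot),
                  key=lambda c: (c.kind, c.address))


def demo():
    """Constructed module table and callback list; addresses are made up."""
    modules = [
        Module("ntoskrnl.exe", 0xFFFFF80000000000, 0x01000000, signed=True),
        Module("edrsensor.sys", 0xFFFFF80010000000, 0x00080000, signed=True),
        Module("hlpdrv.sys", 0xFFFFF80020000000, 0x00010000, signed=False),
    ]
    trusted = {"ntoskrnl.exe", "edrsensor.sys"}
    clean = [
        Callback("process", 0xFFFFF80010001000),     # EDR's process-creation hook
        Callback("registry", 0xFFFFF80010002000),    # EDR's registry hook
    ]
    current = clean + [
        Callback("registry", 0xFFFFF80020000500),    # inside the unsigned hlpdrv.sys
        Callback("filesystem", 0xFFFF9A0000001000),  # not inside any module at all
    ]
    return audit_callbacks(current, modules, trusted), new_since_baseline(clean, current)


if __name__ == "__main__":
    findings, added = demo()
    for cb, reason in findings:
        print(f"{cb.kind:10s} {cb.address:#018x}  {reason}")
    print("new since baseline:", [(c.kind, hex(c.address)) for c in added])
```

The two tells it surfaces are the ones that matter in practice: a callback routine whose address falls inside no loaded image (code living in unbacked kernel memory), and one owned by a module that is unsigned or absent from the clean image. The snapshot diff is the cheaper check and works even before any module is judged, which is why both are kept.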
The ability to unhook, or remove, the registry, file system and network callbacks is included within RevBits’ Endpoint Security module, which discovers known and unknown malicious software. And in the future, if rootkit malware somehow gets into a computer’s kernel, it can be rapidly removed through the RevBits administration panel.
In the taming of every frontier, there has been a deep need for security and protection, from known and unknown threats. From circling the wagons and sentry-armed forts, to our modern security forces and services, we have realized the need to guard what is precious against compromise or calamity.
An air-gapped network is physically isolated from other, unsecured networks such as the Internet. Because of this isolation, the most common way to pass data is through removable media, like a USB device or an external hard drive. If a cyber attacker gains access to an air-gapped network, they can move laterally across it and even gain elevated rights and privileges to reach otherwise protected resources.
For security purposes, it should go without saying that anything users bring into an enterprise digital environment, such as software drivers that have access to the system kernel, must be free of malicious code. Everything should be vetted and approved by an IT administrator.