The purpose of a rootkit is to protect malware so it can launch an attack. The rootkit acts as a shield for the malware, hiding it within computer processes. Threat actors are highly sophisticated, and many take advantage of malware as a service, where rootkits are offered ready-made. This removes the need for bad actors to have large resources or highly skilled capabilities to create and launch an attack.
A rootkit that uses a software driver can gain entry into the operating system and kernel and deliver malware that steals data and takes over the system for malicious purposes. In most cases, the only way to completely remove a rootkit is to wipe the operating system and rebuild it from scratch.
Drivers give bad actors a way to gain system-level privileges and remotely execute malicious code in otherwise inaccessible parts of the OS, such as the kernel. Securing the Windows OS requires the ability to prevent new drivers from loading and accessing the Windows OS and kernel space. Solving this problem requires a system and method that selectively blocks unwanted drivers. Unfortunately, Windows doesn’t provide a solution for this.
There is no inherent method in Windows to fully prevent drivers, signed or not, from being loaded into the operating system kernel layer. Hackers can bypass driver signature enforcement by using stolen code signing certificates to sign malicious drivers, and they find other ways of bypassing driver signing enforcement within the Windows OS kernel space. Malicious Windows drivers can completely disarm endpoint detection and response (EDR) products.
RevBits Endpoint Security includes specialized anti-rootkit software. RevBits identifies suspicious callback processes, hooks, registry keys, and modified files, and uses patented anti-rootkit capabilities to protect computer systems and data by detecting, blocking and removing malicious drivers. RevBits Endpoint Security allows administrators to decide which drivers are allowed, and which ones are denied, access to the kernel space. It detects and alerts on known and unknown malicious rootkits using unique modeling techniques, and removes them through callback capabilities, whether they’re signed by Microsoft or any other CA.
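The driver allow/deny decision described above starts with knowing which kernel drivers are running and who signed them. The following PowerShell script is an added example, not RevBits code: it inventories running kernel-mode drivers, checks each file's Authenticode signature, and flags any driver whose signature is not valid or whose signer is absent from an administrator-chosen allow list (the `$AllowedSigners` values are assumed placeholders).

```powershell
# Added example (not RevBits code). Run from an elevated PowerShell prompt.
# Audits running kernel drivers against an admin-maintained signer allow list.

# Assumption: substrings of certificate subjects the administrator trusts.
$AllowedSigners = @('Microsoft Windows', 'Microsoft Corporation')

function Get-DriverSignatureReport {
    param([string[]]$AllowedSigners)
    # Win32_SystemDriver lists kernel-mode drivers registered with the Service Control Manager.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path = $d.PathName
        if (-not $path) { continue }
        # PathName may use \??\, \SystemRoot\ or a bare System32\ prefix; normalise them.
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $allowed = $false
        foreach ($a in $AllowedSigners) {
            if ($signer -like "*$a*") { $allowed = $true }
        }
        [pscustomobject]@{
            Name    = $d.Name
            Path    = $path
            Status  = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer  = $signer
            # Flag anything unsigned, tampered, or signed by a CA outside the allow list.
            Flagged = ($sig.Status -ne 'Valid') -or (-not $allowed)
        }
    }
}

Get-DriverSignatureReport -AllowedSigners $AllowedSigners |
    Where-Object Flagged |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Inbox Windows drivers are usually catalog-signed rather than embedded-signed; PowerShell 5.1 and later resolves catalog signatures, while older versions report them as NotSigned. This script only audits what is already loaded; it does not block a driver from loading.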