Trending keywords: security, cloud, container,
- K8s Security Fundamentals (101)
- Secure K8s Architecture
- RBAC
- Admission Controllers
- Compliance (KSPM)
- Securing Cluster Components
- Runtime Security
- Network Security
- Audit Logs
- Security Contexts
- VMware Kubernetes
- GKE security
- EKS security
- AKS security
- Containers vs VMs
- Docker alternatives
- Serverless security
- AWS Fargate vs EKS
- What is Policy-as-Code?
- AWS Redshift Security
- What Is Cloud Security Posture Management (CSPM)?
- Cloud Compliance and Governance
- Cloud Security Monitoring
- Cloud Infrastructure Security
- Cloud Audit Logging
- AWS Cloud Security
- How To Ensure your AWS Lambda Security
- How Does AWS S3 Security Work?
- AWS IAM Inline Policies vs. Managed Policies
- How to Secure AWS Fargate
- How to secure AWS EC2
- How to Secure Amazon RDS
- Amazon EBS Encryption
- AWS Elastic Load Balancing Security
- Azure Cloud Security
- GCP Cloud Security
- IBM Cloud Security
- Infrastructure as code security
- What Is Cloud Infrastructure Entitlements Management (CIEM)?
- What is a CNAPP?
- OWASP Kubernetes Security Projects
- Cloud Migration Security
- Cloud-Native vs. Third-Party Cloud Security Tools
- What is an Open Policy Agent (OPA)?
- AWS CloudFront Security
- Securing AWS CloudTrail
- What is a DoS Attack?
- What is Multi-Cloud Security?
- What is the Secure Software Development Lifecycle (SSDLC)?
- What is Terraform?
- Container Threat Detection
- Containerized Architecture
- Docker 101: The Docker Components
- Docker Container Alternatives for 2022
- Managing Container Security
- Securing Your CI/CD Pipeline
- What are Container Runtimes?
- What Is Docker Alpine?
- What is a Container Registry?
- What Is Container Security?
- What is a Docker Registry?
- What Is DevSecOps?
- What Is Supply Chain Security?
- What is GitOps?
- What is Falco?
- What is CaaS (Container-as-a-Service)?
- Understanding the Linux Kernel
- What is Docker Swarm?
- What is Terraform?
- What are Docker Secrets?
- What is Docker networking?
- Docker Developer Tools
- What is Docker architecture?
- Components of Kubernetes
- How to Create and Use Kubernetes Secrets
- Kubernetes API Overview
- Kubernetes ReplicaSets overview
- Kubernetes StatefulSets Overview
- What is a Kubernetes Cluster?
- What is a Kubernetes Pod?
- What is a Kubernetes node?
- What is Helm in Kubernetes?
- What Is K3s?
- What is Kubernetes ConfigMap?
- What Is Kubernetes Networking?
- What Is MicroK8s?
- What Is Minikube?
- What Is the Kubernetes Dashboard?
- What is Istio?
- Cloud Detection and Response (CDR): An Overview
- What Is Virtualized Security?
- What is Threat Detection and Response (TDR)?
- AWS vs. Azure vs. Google Cloud: Security comparison
- What is DFIR? Digital Forensics & Incident Response
- What is Threat Hunting?
- Cryptomining vs. Cryptojacking
- EDR vs. XDR vs. SIEM vs. MDR vs. SOAR
- What is the MITRE ATT&CK Framework and how do you use it?
- What is Cloud Intrusion Detection?
- What is Container Forensics and Incident Response?
- What is Cryptojacking?
- What is HIDS (Host-Based Intrusion Detection System)?
- What is a Brute force attack?
- What is a Rootkit?
- What is Phishing?
- What is Linux EDR (Endpoint Detection and Response)?
- Linux IDS/EDR vs. CDR
- What is a Reverse Shell?
- What is a Data leak?
- What is a Privilege Escalation?
- What Is Secrets Management?
- What is a Command-and-Control Server?
- K8s Security Fundamentals (101)
- Secure K8s Architecture
- RBAC
- Admission Controllers
- Compliance (KSPM)
- Securing Cluster Components
- Runtime Security
- Network Security
- Audit Logs
- Security Contexts
- VMware Kubernetes
- GKE security
- EKS security
- AKS security
- Containers vs VMs
- Docker alternatives
- Serverless security
- AWS Fargate vs EKS
- What is Policy-as-Code?
- AWS Redshift Security
- What Is Cloud Security Posture Management (CSPM)?
- Cloud Compliance and Governance
- Cloud Security Monitoring
- Cloud Infrastructure Security
- Cloud Audit Logging
- AWS Cloud Security
- How To Ensure your AWS Lambda Security
- How Does AWS S3 Security Work?
- AWS IAM Inline Policies vs. Managed Policies
- How to Secure AWS Fargate
- How to secure AWS EC2
- How to Secure Amazon RDS
- Amazon EBS Encryption
- AWS Elastic Load Balancing Security
- Azure Cloud Security
- GCP Cloud Security
- IBM Cloud Security
- Infrastructure as code security
- What Is Cloud Infrastructure Entitlements Management (CIEM)?
- What is a CNAPP?
- OWASP Kubernetes Security Projects
- Cloud Migration Security
- Cloud-Native vs. Third-Party Cloud Security Tools
- What is an Open Policy Agent (OPA)?
- AWS CloudFront Security
- Securing AWS CloudTrail
- What is a DoS Attack?
- What is Multi-Cloud Security?
- What is the Secure Software Development Lifecycle (SSDLC)?
- What is Terraform?
- Container Threat Detection
- Containerized Architecture
- Docker 101: The Docker Components
- Docker Container Alternatives for 2022
- Managing Container Security
- Securing Your CI/CD Pipeline
- What are Container Runtimes?
- What Is Docker Alpine?
- What is a Container Registry?
- What Is Container Security?
- What is a Docker Registry?
- What Is DevSecOps?
- What Is Supply Chain Security?
- What is GitOps?
- What is Falco?
- What is CaaS (Container-as-a-Service)?
- Understanding the Linux Kernel
- What is Docker Swarm?
- What is Terraform?
- What are Docker Secrets?
- What is Docker networking?
- Docker Developer Tools
- What is Docker architecture?
- Components of Kubernetes
- How to Create and Use Kubernetes Secrets
- Kubernetes API Overview
- Kubernetes ReplicaSets overview
- Kubernetes StatefulSets Overview
- What is a Kubernetes Cluster?
- What is a Kubernetes Pod?
- What is a Kubernetes node?
- What is Helm in Kubernetes?
- What Is K3s?
- What is Kubernetes ConfigMap?
- What Is Kubernetes Networking?
- What Is MicroK8s?
- What Is Minikube?
- What Is the Kubernetes Dashboard?
- What is Istio?
- Cloud Detection and Response (CDR): An Overview
- What Is Virtualized Security?
- What is Threat Detection and Response (TDR)?
- AWS vs. Azure vs. Google Cloud: Security comparison
- What is DFIR? Digital Forensics & Incident Response
- What is Threat Hunting?
- Cryptomining vs. Cryptojacking
- EDR vs. XDR vs. SIEM vs. MDR vs. SOAR
- What is the MITRE ATT&CK Framework and how do you use it?
- What is Cloud Intrusion Detection?
- What is Container Forensics and Incident Response?
- What is Cryptojacking?
- What is HIDS (Host-Based Intrusion Detection System)?
- What is a Brute force attack?
- What is a Rootkit?
- What is Phishing?
- What is Linux EDR (Endpoint Detection and Response)?
- Linux IDS/EDR vs. CDR
- What is a Reverse Shell?
- What is a Data leak?
- What is a Privilege Escalation?
- What Is Secrets Management?
- What is a Command-and-Control Server?
Content
A rootkit is a collection of malicious software tools that gives attackers administrator-level access to an endpoint. In addition, most rootkits are designed to hide themselves so that they are difficult to detect.
Rootkits are so-called because they are software “kits” that allow attackers to operate as if they were the root user on an infected system. On Linux and other Unix-like operating systems, root is the name of the account that has full access rights. (To be clear, rootkits aren’t only a risk for Linux; they can also affect Windows, macOS, and virtually any other type of operating system, even if the admin- or superuser-level accounts on the system are not called root.)
Keep moving forward for a guide to rootkits, how they work, different types of rootkits, and how to prevent rootkit attacks.
How do Rootkits work?
As we explain below in the section on rootkit techniques, there are various means by which attackers can install rootkits on a system, and rootkits may operate in several different parts of the system.
However, all rootkits work in the same basic way, using the following process:
- Attackers gain access to a system (by, for example, exploiting a software vulnerability) in a way that allows them to install malware.
- The malware circumvents standard access controls to give attackers the ability to perform the same activities as the root or administrator user.
- The rootkit software obscures its presence by modifying binaries and processes so that they do not appear malicious.
Once this process is complete, attackers can use the rootkits to perform actions like exfiltrating sensitive data from the infected endpoint, taking control of applications and using the endpoint to run illicit software, like cryptominers.
Rootkits vs. Trojans and Backdoors
Rootkits are a kind of malware, but there are other types of malware – such as the malware associated with trojans and backdoors – that are distinct from rootkits.
Rootkits are different from trojans because trojans are any type of software that gives attackers access to at least part of a system. In most cases, the level of access that trojans provide to attackers is limited; a trojan might allow attackers to view sensitive data, for instance, but not run commands as the administrative user. In contrast, rootkits provide complete, administrator-level access.
Along similar lines, rootkits are different from backdoors because a backdoor is any malware that enables unauthorized access to a system, not necessarily the administrator-level access provided by a rootkit.
It’s worth noting that there is ambiguity surrounding the terms trojan and backdoor; they are both generic terms that could refer to a wide range of malware types and attack techniques. Arguably, rootkits could be described as a type of trojan as well as a type of backdoor, but there are many other types of trojans and backdoors.
Rootkit techniques
Rootkits can be broken into categories based on how they operate.
Kernel-Mode Rootkits
Kernel-level rootkits operate in what’s known as kernel space. That means they run as programs controlled directly by the kernel, and they have the same level of access to the operating system as kernel processes. Since the kernel is the core program inside an operating system that controls all other operations, running in kernel mode means that rootkits can easily access any other resources on the system.
User-Mode Rootkits
User-mode rootkits run in userspace or userland, which is the same part of the operating system where standard applications are hosted. Instead of taking control of the system from the level of the kernel, user-mode rootkits typically exploit other types of vulnerabilities in the operating system (such as weaknesses within access control systems) that allow them to gain administrator-level access even though they are not actually running with kernel-level privileges.
Bootkits
A bootkit is a rootkit that is installed in the boot record of an endpoint. When the system boots, the rootkit is loaded. That means that the rootkit has control over all aspects of the system from close to the very start of each system session.
An advantage of this approach for attackers is that loading the rootkit during boot makes it easy to hide the rootkit, because software that is designed to detect rootkits may not be operational until after the system has fully booted, so it can’t detect bootkits that are loaded earlier. Bootkits also usually hide in boot records rather than on standard file system partitions, which also makes them harder to detect in some cases.
Hypervisor-Based Rootkits
Hypervisor-based rootkits operate within hypervisors, which is software that starts and manages virtual machines. From the hypervisor, rootkits can control operations and access resources inside virtual machines.
This type of rootkit only works with virtual machines, not bare-metal servers. But since many workloads today are virtualized, hypervisor-based rootkits have become a major risk.
Rootkit Attack prevention and mitigation
Once a rootkit has infected a system, it can begin causing harm immediately, and it may be difficult to detect until significant damage has occurred. That’s why it’s important to try to prevent attackers from installing rootkits in the first place, and to take steps to mitigate the impact of rootkits in the event they are installed.
The most important step toward rootkit prevention is ensuring that software is up-to-date and scanning it for vulnerabilities. Because attackers often exploit vulnerabilities in operating systems or applications to install rootkits, keeping systems free of vulnerabilities will prevent most rootkit attacks.
Blocking unnecessary network ports can also help to prevent rootkits by making it harder for attackers to find and exploit vulnerabilities over the network. So can following the principle of least privilege when configuring user accounts, since attackers could take advantage of excess privileges in user accounts they control to install rootkit software.
As for mitigating rootkits, segmenting resources from each other is a useful technique because it minimizes the extent of the resources that rootkit attackers can access in the event that they take control of a system. You can enforce segmentation at the network level, which reduces the risk that a rootkit attack against one endpoint can spread to other endpoints. In addition, dividing physical servers into virtual machines and using each virtual machine for a different workload helps to provide workload segmentation and reduce the risk that a rootkit installed on one virtual machine can impact workloads hosted on other virtual machines. (That said, a hypervisor-based rootkit might be able to infect all virtual machines under this scenario.)
Rootkit Detection and Response
In addition to taking steps to prevent rootkit installation and mitigate the scope of rootkit attacks, organizations should ensure they are actively searching for rootkits that may be lurking on their systems. Although rootkits are designed to evade detection, some techniques are available for identifying rootkits:
- File integrity monitoring: Changes to files could indicate a rootkit attack, especially if the changes involve binaries (such as those that run low-level operating system programs or boot record data) that would not normally change. By monitoring files continuously for unusual changes, you may be able to detect rootkit attacks.
- Process monitoring: Unusual process activity, such as unexpected process forking or renaming, could also be indicative of a rootkit attack.
- Performance changes: In some cases, rootkits might lead to performance changes on a system, such as longer booting times or slower response rates. If you notice changes like these and you can’t attribute them to other sources, you might have a rootkit.
- Memory inspection: Analyzing data stored in system memory can reveal some rootkits, especially if the rootkits store data in ways that are linked to rootkit activity.
Tools like Sysdig Inspect, an open source solution for scanning systems for security risks and unusual changes, can help to automate the process of detecting rootkits, among other types of risks.
Removing and Recovering from Rootkits
If you detect a rootkit, your first step should be to remove it. Since it may be difficult to detect all components of a rootkit, the best way to remove rootkits is to wipe the infected system entirely and either rebuild it from scratch or (if you have backups) restore it to a prior state that you determine to be rootkit-free. However, it may be possible in some cases to remove rootkits by simply deleting the binaries that they use to operate, assuming you have high confidence in where those binaries are.
You should also, of course, make sure you know how the rootkit was installed in the first place and that you address the vulnerabilities that enabled the rootkit attack. Otherwise, attackers might just reinstall the rootkit after you remove it.
Finally, analyze files, user accounts, applications, and other resources on a previously infected system to look for changes that the rootkit might have made. You want to make sure that no data was deleted or modified, for instance, and that attackers didn’t use the rootkit to install other malware that is not part of the rootkit itself and may linger on your system after the rootkit has been removed.
Conclusion
Given the extensive access that they provide to attackers, rootkits are one of the most dangerous types of attacks that can occur on modern systems. They are also constantly evolving as attackers devise new ways of deploying and hiding rootkit software.
Fortunately, it’s possible to erect strong defenses against rootkits by ensuring that systems and the software running on them are free from vulnerabilities. Techniques like segmentation can also reduce the risk of rootkit attacks, and comprehensive system scans can detect many types of rootkits so that you can contain the damage once a breach has already occurred.