Rootkits - Stealthy Malware Deep in Your OS
About 2 min read
A rootkit is malware that lurks deep within a system and hides its own presence from the OS and security software. The name derives from "root," the highest privilege in Unix/Linux, and attackers use it to maintain persistent access to a system. Because it is extremely difficult to detect, there are cases where information is stolen over long periods without the infection ever being noticed. In 2024, several new variants of UEFI rootkits were discovered, heightening the importance of firmware-level security measures.
Real-World Use Cases
"During a forensic investigation, we discovered a kernel-mode rootkit. It did not appear in the normal process list or network connection list, and we were only able to detect it through analysis of a memory dump. About 8 months had passed from infection to discovery, and quantifying the amount of information leaked during that time is a challenge."
The Hiding Structure of Rootkits
Types of Rootkits
Kernel-mode rootkits are embedded in the OS kernel and are the hardest to detect. User-mode rootkits run at the application layer, hiding processes and files. Bootkits infect the OS boot process and begin operating before the OS is loaded. UEFI rootkits infect the firmware, making them the most troublesome type, as they cannot be removed even by reinstalling the OS.rootkit detection books on Amazon lets you learn the technical details.
A Real-World Damage Scenario
At one company, an attacker who broke in via a backdoor installed a kernel-mode rootkit and maintained access to the customer database for six months. Because the rootkit hid its processes and network communication, ordinary security monitoring could not detect it, and it only came to light through a report from an external party. In incident response, investigations must be conducted on the assumption that a rootkit may be present.
Detection and Removal
Because ordinary virus scans cannot detect them, dedicated rootkit detection tools or scanning from outside the OS (booting from bootable media) are necessary. If a kernel-mode rootkit is confirmed, a clean reinstall of the OS is the most reliable countermeasure. As preventive measures, keeping the OS and software up to date, protecting administrator accounts with strong random passwords, and enabling multi-factor authentication can reduce the risk of initial intrusion.system security guides (Amazon) are also helpful references.
Was this article helpful?