They can have other characteristics, but the major one is stealth: you may never know your device is infected. Detection is often difficult because many rootkits impair or disable antivirus/anti-malware software.
The usual delivery vector is malware that you unwittingly install: spear-phishing emails, drive-by webpage exploits, an infected USB key, some other network exploit, or a hardware/firmware attack such as the new Thunderstrike 2, which spreads through Thunderbolt devices attached to Macs.
The majority take advantage of known operating system vulnerabilities, and some of hardware vulnerabilities (like the newly disclosed x86 flaw that has existed since 1997).
Removal ranges from complicated to impossible because most rootkits hide in the operating system kernel. A clean install is the best option, but it is not foolproof: some rootkits persist in firmware or in the hard disk's master boot record, survive the reinstall, and re-infect the freshly installed system.
The majority can do a combination of the following:
- Steal personally identifiable information including passwords, banking details, and documents via screen intercepts or key logging
- Download and install other malware to perform specific tasks
- Turn the computer into a zombie that is part of a botnet used to send spam email or launch denial-of-service attacks
Now I admit that I understand the Windows OS more than Mac so if there is a helpful Mac person out there feel free to comment or correct.
Windows presents the biggest target because it has been around a lot longer than Mac OS X. Mac has 20+ known rootkits. When a vulnerability is found, Microsoft and Apple release a security patch or, in some cases, need to rewrite the OS code for the next version. If all devices were regularly patched there would not be an issue, but the fact that the majority of rootkits still exploit vulnerabilities discovered up to 10 years ago speaks volumes about 'lazy users'.
Mac – OS X
Macs are not immune from malware and viruses; they simply don't present as big a target with under 5% of the market. The first Mac rootkit, OS X Opener, was found in 2004. A search on 'rootkit mac' is the best place to start.
Mac hackers seem to be working at hiding rootkits in the boot ROM chip (the flash memory that holds the machine's firmware), attached Thunderbolt device ROMs (Thunderstrike/Thunderstrike 2), Extensible Firmware Interface (EFI) code, the boot sector on the hard disk, and the kernel (operating system).
The Safe Mac is a good place to visit for information. It has updates on the very recent DYLD privilege escalation exploit and many more. Its blog is current until mid-August, when it was acquired by Malwarebytes, and the information continues here. It does not hurt to install the free Malwarebytes for Mac.
Another free rootkit detector is available from ESET.
There is a lengthy article from Sophos on Thunderstrike and Thunderstrike 2 here, and it has a Mac blog as well.
Symantec states: "Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications … An attacker can exploit these issues to execute arbitrary code, gain elevated privileges, cause denial-of-service conditions, and gain unauthorized access." Of course, it recommends the A$89.99 Norton 360, which covers up to 5 installs on Windows or OS X machines.
Windows
Having 95% of the market means Windows has been the prime target for attacks on both consumers and enterprises. Interestingly, because Windows has been the main target, its users are more likely to run antivirus/anti-malware software, and Windows comes with Windows Defender as standard, so the days of bagging Windows as a malware magnet are over.
Still, rootkits use known vulnerabilities in Windows to gain access. It is vital that you apply all patches and security updates. Belarc will run an analysis and let you know if any updates or patches are missing. Updates go missing when the Windows automatic update system is turned off, whether by the user or by malware.
As on the Mac, attackers target the BIOS, the hard disk master boot record and partition table, the operating system kernel and drivers, and disguise rootkits inside so-called benign programs.
The better-known AV products (AVG, Norton, Kaspersky, Trend, and McAfee) have rootkit detection, and some, like Malwarebytes, offer a free standalone tool to detect and remove rootkits. Do not risk using lesser-known detection tools (the tool itself could be a Trojan), and always download from the maker's official web site.
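A practical way to check the patch status the paragraphs above describe, without a third-party tool, is to ask Windows itself. The script below is an added example written for this article, not code from Belarc or Microsoft. It assumes Windows 8.1 or 10 with PowerShell 5 and an elevated prompt; the 45-day staleness threshold is an arbitrary assumption, and the optional online query uses the same Windows Update Agent COM API that Windows Update uses, so it needs network access to Windows Update or a WSUS server.

```powershell
# Added example (not from the original article): patch-status audit for the local PC.
# Run from an elevated PowerShell on Windows 8.1 / 10 (PowerShell 5 or later).

function Get-PatchStatusReport {
    param(
        # Assumption: flag the machine as stale if nothing was installed in this many days.
        [int]$MaxDaysSinceLastUpdate = 45,
        # Ask Windows Update (or WSUS) which applicable updates are missing; needs network.
        [switch]$Online
    )
    $report = [ordered]@{}

    # Most recently installed update. Get-HotFix reads the same data as 'wmic qfe'.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn |
        Select-Object -Last 1
    $report.LatestUpdate = if ($latest) {
        "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"
    } else { 'none recorded' }
    $report.Stale = if ($latest) {
        ((Get-Date) - $latest.InstalledOn).TotalDays -gt $MaxDaysSinceLastUpdate
    } else { $true }

    # Windows Update service state. A rootkit, or a "helpful" tweak tool, may have disabled it.
    $wu = Get-Service wuauserv -ErrorAction SilentlyContinue
    $report.WindowsUpdateService = if ($wu) { "$($wu.Status) / StartType $($wu.StartType)" } else { 'missing' }

    # Policy value that switches automatic updating off entirely (NoAutoUpdate = 1).
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $report.AutoUpdateDisabledByPolicy = [bool]($au -and $au.NoAutoUpdate -eq 1)

    if ($Online) {
        # Windows Update Agent API: every applicable software update that is not installed.
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
        $report.MissingUpdates = @($missing | ForEach-Object { $_.Title })
    }

    [pscustomobject]$report
}

Get-PatchStatusReport | Format-List
# Get-PatchStatusReport -Online | Format-List   # also list what Windows Update says is missing
```

A stale last-update date combined with a stopped or disabled wuauserv service is the pattern to look for: either setting on its own has innocent explanations, but together they are the "automatic updates turned off" condition the text warns about.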
Windows 10 will be more secure and less prone to rootkits, because its boot protections raise the bar for boot-level and kernel-level rootkits (they do not protect against every new vulnerability that is discovered). Windows 8.1 and 10 hardware uses Secure Boot, a feature of UEFI 2.3.1 (Unified Extensible Firmware Interface), which replaces the older BIOS. The firmware checks the digital signature of the operating system bootloader before it is allowed to run, so an unsigned or tampered bootloader is refused. Combined with a Trusted Platform Module (TPM), the PC can also record a measurement (hash) of each component as it boots. Then ELAM (Early Launch Anti-Malware) kicks in: an anti-malware driver that loads before all other boot drivers tests them and prevents unapproved ones from loading. Finally, Windows logs the measured boot process and can send that log to a trusted server to assess the PC's health (remote attestation). Older hardware without UEFI is not protected.
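To see whether the chain just described is actually active on a given PC, each link can be queried from PowerShell. The script below is an added example written for this article, not Microsoft's code or a tool from the page. It assumes Windows 8.1 or 10 on UEFI hardware with the stock SecureBoot and TrustedPlatformModule PowerShell modules, run from an elevated prompt; the registry locations and the Measured Boot log directory are the documented Windows ones, and the meaning of the ELAM DriverLoadPolicy values is taken from Microsoft's ELAM documentation.

```powershell
# Added example (not from the original article): audit the Windows boot-protection chain
# (Secure Boot -> TPM / Measured Boot -> ELAM -> boot log) on the local machine.
# Run from an elevated PowerShell on Windows 8.1 / 10 with UEFI firmware.

function Get-BootProtectionReport {
    $report = [ordered]@{}

    # 1. Secure Boot: firmware verifies the bootloader signature before running it.
    #    Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as "not UEFI".
    try {
        $report.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $report.SecureBoot = 'Not available (legacy BIOS or no UEFI variables)'
    }

    # 2. TPM: needed for Measured Boot, which records a hash of each boot component.
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = $tpm.TpmPresent
        $report.TpmReady   = $tpm.TpmReady
    } catch {
        $report.TpmPresent = $false
        $report.TpmReady   = $false
    }

    # 3. ELAM: drivers registered in the 'Early-Launch' load-order group start before all
    #    other boot drivers and classify them. DriverLoadPolicy says which classes may load:
    #    0 = good only, 1 = good and unknown, 3 = good, unknown and bad-but-boot-critical
    #    (the default), 7 = all drivers. Group Policy writes the value under Policies\,
    #    so check there first, then the Control\ key.
    $elamDrivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Group -eq 'Early-Launch' } |
        ForEach-Object { $_.PSChildName }
    $report.ElamDrivers = @($elamDrivers)
    $policy = $null
    foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch',
                     'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch') {
        $value = (Get-ItemProperty $key -ErrorAction SilentlyContinue).DriverLoadPolicy
        if ($null -ne $value) { $policy = $value; break }
    }
    $report.ElamDriverLoadPolicy = if ($null -eq $policy) { 'Default (3)' } else { $policy }

    # 4. Measured Boot logs: one file per boot, holding the TPM-measured boot record that a
    #    remote attestation (device health) service can evaluate.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $logs = Get-ChildItem $logDir -Filter '*.log' -ErrorAction SilentlyContinue
    $report.MeasuredBootLogs = @($logs).Count
    $report.LatestMeasuredBootLog = if ($logs) {
        ($logs | Sort-Object LastWriteTime | Select-Object -Last 1).Name
    } else { $null }

    [pscustomobject]$report
}

Get-BootProtectionReport | Format-List
```

A machine that reports Secure Boot disabled, no TPM, an empty ELAM driver list or a DriverLoadPolicy of 7 has the chain broken at that link; the report does not prove the absence of a rootkit, it only shows which of the protections the paragraph describes are switched on.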
Android
Space does not permit a detailed analysis, but suffice it to say that 98% of all mobile malware has been developed for Android. Perhaps it is because Android has its roots in Linux and 'rooting' or side-loading apps is a normal practice. Don't confuse rooting an Android device with a rootkit: both obtain privileged (root) access that lets the holder do anything to the device, but rooting is done deliberately by the owner, while a rootkit obtains that access covertly for an attacker.
There is a plethora of hacking tools, instructions and kits to gain access to even the latest Lollipop 5.x versions. Simply search for 'rootkit Android'.
Of greater concern is the proliferation of adware and potentially unwanted programs (PUPs). In April, Symantec's Internet Security Threat Report stated that '17% of all Android apps (about 1 million) were malware in disguise.' Then there is what Symantec calls 'grayware' or 'madware', which drives advertisements to your device; many of these apps are permitted in the Google Play store.
If you don't have recognised antivirus/anti-malware protection from the Google Play Store, such as Malwarebytes, McAfee, AVG, Norton, or Kaspersky, you are crazy.
This article is about rootkits: stealthy, hard to detect, and buried in firmware or the kernel. They are designed for one purpose, to gain administrator control of the device so the attacker can do almost anything with it.
Both Apple and Microsoft are working very hard to protect your devices.
The coming release of OS X El Capitan 10.11 demonstrates Apple's commitment to security. It will have a new security feature called System Integrity Protection (also known as "rootless"), which protects certain system processes, files and folders from being modified or tampered with by other processes, even when they run as the root user. Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account, where that user is the de facto administrator. System Integrity Protection is enabled by default, but it can be disabled from the Recovery environment.
Windows 8.1 and 10, on UEFI hardware, are considerably more secure than previous versions thanks to Secure Boot and the rest of the trusted boot chain.
Neither system can protect a user against carelessness: installing malware, adware or other nuisance-ware, using no or weak passwords, not using AV software, and generally not taking care.
The latter is best summed up by a true story.
A Mac user had a Windows 7 PC at the office and an Android smartphone. As a Mac user, they had little awareness of malware and blissfully downloaded PC apps and software like VLC, TeamViewer, Newsletter of the day, Horoscope, and many more. They did the same on the Android smartphone. Both devices were acting a little strangely: random advertisements, slow performance, and lockups.
I installed Malwarebytes on the PC and it revealed 51 pieces of malware, including five rootkits. The safest way to clean was a full reinstall of the OS.
Malwarebytes revealed 231 pieces of malware on the Android smartphone! A full reset worked.
Moral of the story: be alert to tricks like spear phishing, bundled software, visiting suspect web sites, and so on.