[MART] - Daily Diary #367 - Malware Types - Rootkit

CTAS-MAT ctas-mat at appgate.com
Fri Oct 8 23:07:11 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

12/08/2021 - Diary entry #367

Today we will continue our thread on Malware Types, started in Daily Diary #328, by talking about Rootkits. By definition, a Rootkit is a piece of malware designed to enable access to a privileged area of a computer while masking itself in the system to evade detection by analysts and security software. Rootkits are often considered the most dangerous pieces of malware. When fused with Remote Access Trojan or Spyware capabilities, they become a very sophisticated threat for Espionage.

Although Rootkits are generally associated with privilege escalation and gaining full control over a device ("root" access in the Linux/Unix Operating System families), they can execute in either user-mode or kernel-mode.

In user-mode (or Ring 3), Rootkits execute with the same privileges as other user applications. In that case, they use techniques such as DLL Injection and API Hooking to intercept and modify the behavior of standard applications. In Windows, it's very common for a Rootkit to inject a DLL into other applications to exfiltrate credentials and even mask its presence.

Kernel-mode (or Ring 0) is where you find the most sophisticated Rootkits. In this case, they generally need to either abuse a very sensitive vulnerability that allows them to execute arbitrary code in the kernel, or install a kernel driver. Kernel-mode Rootkits are the most dangerous and are much harder to detect and remove after they complete their infection process. When executed in the kernel, they can completely mask their execution and run with more privilege than anything else in the system, which allows them to disable security solutions, hide their files and bypass access-control mechanisms.

Luckily, Ring 0 Rootkits are much harder to develop, and as they need critical vulnerabilities to escalate to the kernel, keeping your system patched and up-to-date is a must for protection against this kind of threat. When Rootkit-like malware is detected, the recommended course of action is to consider the whole perimeter infected, preferably completely reinstalling the Operating System on all machines that could be affected.

Kind Regards,


Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
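
An added example, not part of the original message: a defender-side check for the user-mode API hooking described above. It compares the first bytes of each exported function as loaded in memory with the same bytes from the file on disk and flags prologues rewritten into a jump that leaves the module. The export names, addresses and byte strings are constructed samples, and the prologue is assumed to contain no relocations.

```python
import struct

def redirect_target(mem: bytes, func_va: int):
    """Return the destination of a leading unconditional jump, or None."""
    if len(mem) >= 5 and mem[0] == 0xE9:                         # jmp rel32
        return func_va + 5 + struct.unpack_from("<i", mem, 1)[0]
    if len(mem) >= 14 and mem[:6] == b"\xff\x25\x00\x00\x00\x00":  # jmp [rip+0]; abs64 follows
        return struct.unpack_from("<Q", mem, 6)[0]
    if len(mem) >= 12 and mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", mem, 2)[0]               # mov rax, imm64; jmp rax
    return None

def classify(disk: bytes, mem: bytes, func_va: int, mod_start: int, mod_end: int):
    """Classify one function prologue: clean, modified, redirect-internal or hooked."""
    if mem == disk:
        return ("clean", None)
    target = redirect_target(mem, func_va)
    if target is None:
        return ("modified", None)          # bytes differ, but not a recognised jump
    if mod_start <= target < mod_end:
        return ("redirect-internal", target)
    return ("hooked", target)              # control leaves the owning module

def scan(exports: dict, mod_start: int, mod_end: int) -> dict:
    """exports maps name -> (func_va, disk_bytes, mem_bytes); returns non-clean entries."""
    findings = {}
    for name, (va, disk, mem) in exports.items():
        verdict, target = classify(disk, mem, va, mod_start, mod_end)
        if verdict != "clean":
            findings[name] = (verdict, target)
    return findings

# Constructed sample data (hypothetical module range, export names and bytes).
BASE, END = 0x7FF800000000, 0x7FF800100000
CLEAN = bytes.fromhex("48895c2408 4889742410 57 4883ec20")
SAMPLE = {
    "ExportA": (BASE + 0x1000, CLEAN, CLEAN),
    "ExportB": (BASE + 0x2000, CLEAN, b"\xe9" + struct.pack("<i", 0x10000000) + CLEAN[5:]),
    "ExportC": (BASE + 0x3000, CLEAN,
                b"\x48\xb8" + struct.pack("<Q", 0x1A2B3C40000) + b"\xff\xe0" + CLEAN[12:]),
    "ExportD": (BASE + 0x4000, CLEAN, b"\xe9" + struct.pack("<i", 0x200) + CLEAN[5:]),
}

if __name__ == "__main__":
    for name, (verdict, target) in scan(SAMPLE, BASE, END).items():
        print(name, verdict, hex(target) if target else "-")
```

A "hooked" verdict is a lead, not proof of a Rootkit: security products and compatibility shims also patch prologues, so the next step is identifying which module owns the target address.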
