You sit down at your computer and turn it on. It takes a long time to boot up and when you finally get to your desktop, the background has been changed. Nobody else uses your computer, so what’s up?
Maybe you need to clean up your hard drive to make it run faster. Maybe you were sleepwalking again and in your travels you sat down and decided that you absolutely had to have your new nephew’s picture as your wallpaper and you changed it.
Or maybe not. Maybe the reality is that your computer has been hit by a rootkit. If you don’t know anything about rootkits, prepare yourself for a big surprise.
No ordinary antivirus software can catch a rootkit on its way in to your computer. Once it’s in, it will hide where you won’t ever find it; you won’t even know it’s there. By the time you do, it will have stolen any sensitive information you had, destroyed your files, and rendered your computer completely useless.
There’s more. Let’s take a look.
The Basic Rootkit
In layman’s terms, a rootkit is a nasty, scary, even dangerous form of malware that is now one of the all-time highest malware security risks. It will enter your computer without your permission, shut down your antivirus protection undetected, and let an attacker become the unauthorized administrator so as to take complete virtual control and have root access to your system. (Note that rootkits have gone mobile now.)
Rootkits don’t discriminate as to what operating system they invade. Whether it’s Windows, Apple, or Linux, an installed rootkit will stealthily replace sections of a computer’s operating system with ones that look normal, thus evading detection and allowing detrimental commands to be carried out. A computer’s BIOS (Basic Input Output System) is what is used to start the system after the computer is turned on, and a rootkit can take control of it, as well.
Vulnerabilities in the security system (like an unpatched hole), a contaminated torrent, or downloaded software, are just three ways a rootkit can gain access to your computer.
You Can’t Detect Them
Malicious rootkits have evolved ten-fold. The first rootkit engineered (early 1990s) hid effectively enough, but hackers have gotten more advanced; thus, rootkits are more sophisticated and close to impossible to detect. They’re specifically written to be able to defend themselves against ordinary security software, ultimately side-stepping any barriers that should be blocking them from your computer.
You can try to find rootkits by using a free tool such as chkrootkit (for Linux and Mac) or Rootkit Revealer for Windows, but only if you update them consistently. Let it be noted that there is no assurance that you will find a rootkit in this way; they have become far more advanced than any tool’s capabilities to detect them.
One proven way to find a rootkit is to completely shut down the computer and then boot from an uninfected flash drive or a rescue disk. A rootkit can’t hide when it is not being run.
The good news is that sometimes you do find them. The bad news is that when you do, they have probably already destroyed your computer, data files, and taken your sensitive information, too.
But wait, there’s more.
What They Do
A rootkit is written almost always for the sole purpose of making money illicitly. Once it has escaped detection, it will hide where nobody can find it, thus providing an attacker “backdoor access” to the computer. At this point, the cybercriminal has all the elevated privileges a system administrator and programmer has. Armed with full control, he can browse through the computer remotely, taking things like your personal bank information, and rewriting software to his specifications.
Once a rootkit is installed, it will stay hidden, but there are telltale signs that you have been infected:
- Your antivirus program stops working and/or can’t be re-installed.
- You can’t open a certain program.
- Your mouse stops working.
- You can’t open a browser and/or your access to the internet has been blocked.
- Your screensaver and/or wallpaper changes and you didn’t change it.
- Your network suddenly becomes very busy, very slow, or disconnects all together.
- You can’t see your taskbar.
- Your computer won’t boot up and/or freezes.
Again, there is no other type of malware that can escape immediate detection by antivirus software and a firewall and successfully remain undetected after point of entry except a rootkit.
You Can’t Get Rid of Them
So now you know. If you are sitting at your computer some day and your antivirus program shuts down or your browser won’t open or your screensaver changes unexpectedly, you quite likely have a rootkit. RIP.
Just kidding. Kind of.
Rootkits give a whole new meaning to that point in your day when your computer is wigging out and you realize that you haven’t done a backup in a long time.
If a rootkit is found, most often it cannot be deleted. Many programs advertise the ability to delete a rootkit, but it’s only a small possibility, at best. As we previously discussed, an attacker with high system administrator privileges can do anything to a computer; to check every piece of software, every file of the operating system, etc., for any remainder of the infection would be almost impossible.
Using an antivirus program and doing manual clean up are not options for removal. Note that using System Restore is not an option, either; rootkits infect the very core (the root, for lack of a better pun) of your machine so any restore point is most likely infected by it, as well.
There is only one way to get rid of a rootkit once it has entered your computer and compromised your system, and that is to wipe your hard drive and install a new, clean copy of the operating system. You will never know if you “got it all” and the only way you can guarantee that the infection is gone.
What You Can Do
At present, there is no cure for a rootkit. There are, however, preventative measures you can take:
- Update your computer regularly. This means the whole computer, not just Windows, not just your Malwarebytes definitions, not just your graphics card drivers. It means update everything — religiously.
- Only surf safe sites. You wouldn’t go shopping in an area of the city that is known for vehicle theft, so don’t go surfing in any “bad” areas of the internet. (Note: Get an add-on for your browser called an ad-blocker. It will tell you if you have entered a bad site.)
- Have a reliable, always updated security system in place. This would consist of firewall and antivirus software, or a security suite that includes both. Fortunately, it is relatively inexpensive (if not completely free) to provide your computer with Grade-A security software. Do some research in order to choose the option that best fits your needs.
- Watch what you download. Many programs today come pre-installed with software (labeled bloatware) or add-ons (i.e. a toolbar) that carry malware, such as rootkits. When installing software, pay attention to what’s happening rather than clicking through the installation. Make sure nothing additional is being installed, or you may be sorry.
- Never open anything you don’t recognize or expect — even if the sender is someone you know! When spyware is part of a rootkit’s arsenal of programs, it uses things like social engineering tactics to trick a user into unknowingly installing it.
Ultimately, use common sense. Treat your computer like you would your house. Don’t just have a sign that says, “Warning! Guard dog on the Premises!” make sure you have the dog, too.
Have you had the misfortune of unknowingly installing a rootkit, or know someone who has? Share your story below.