Rootkit Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 30 May 2024 21:32:47 +0000

SYMBIOTE Backdoor and Rootkit Dropper Revealed
https://gridinsoft.com/blogs/symbiote-backdoor-rootkit/
Mon, 20 Jun 2022 22:27:15 +0000

Symbiote Backdoor: a Stealthy and Highly Evasive Linux Malware

Researchers at BlackBerry and Intezer have revealed a malicious program dubbed Symbiote that is used to inject rootkits and backdoors into compromised Linux servers. The malware has been targeting financial institutions throughout South America. To install it, the attackers need root access, which they obtain either by exploiting unpatched vulnerabilities or by using leaked credentials. After the initial compromise, the malware gains a foothold in the system to conduct further attacks, hide the presence of other malicious programs, and intercept confidential data.

Symbiote's distinguishing feature is that it is delivered as a shared library which is loaded into every process at launch via the LD_PRELOAD mechanism and replaces selected functions of the standard C library. The replacement functions do the hiding: they remove particular entries from the process list, block access to certain files under /proc, hide files in directories, omit the malicious shared library from the output of ldd (by intercepting execve and inspecting calls made with the LD_TRACE_LOADED_OBJECTS environment variable set to 1), and hide the network sockets associated with the malicious activity. To defeat traffic inspection, the functions of the libpcap library are hooked, reads of /proc/net/tcp are filtered, and extra bytecode is appended to any BPF program loaded into the kernel. These techniques conceal the backdoor from sniffers started on the same system later on.

Symbiote evasion techniques. Image: BlackBerry / Intezer.

Symbiote also evades file system activity monitors: instead of stealing confidential data at the file-opening level, it intercepts the reads that legitimate applications perform on those files (for instance, the replaced library functions let it capture a password as the user types it, or an access key as it is loaded from a file). For remote access, Symbiote hooks some Linux Pluggable Authentication Module (PAM) functions, which lets the attackers log in over SSH with credentials of their own. Privilege escalation is also built in: the attackers can obtain root privileges by setting the environment variable HTTP_SETTHIS.
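A defender-side check for the LD_PRELOAD injection described above, added here as an example (it is not Gridinsoft's, BlackBerry's or Intezer's code): it scans /proc for processes whose environment carries LD_PRELOAD, or which have a shared object mapped from outside the standard library directories. The sample environ and maps data are constructed, and TRUSTED_LIB_DIRS is an assumption about the host's layout.

```python
"""Scan a Linux /proc tree for signs of LD_PRELOAD-based userland rootkits.

Caveat: this script itself links libc, so a rootkit hooking open()/readdir()
can lie to it; for a trustworthy answer run it from a statically linked tool
or from rescue media. Example code, not the original article's.
"""
import os
import re

# Assumed set of directories that normally hold shared libraries on this host.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/\S+\.so(?:\.[0-9]+)*)$")

def preload_from_environ(environ: bytes):
    """Return the LD_PRELOAD value in a NUL-separated environ blob, or None."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def untrusted_shared_objects(maps_text: str):
    """Unique .so paths in a maps dump that live outside TRUSTED_LIB_DIRS."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and not m.group(1).startswith(TRUSTED_LIB_DIRS) and m.group(1) not in found:
            found.append(m.group(1))
    return found

def scan_proc(proc_root="/proc"):
    """Return (pid, ld_preload, untrusted_sos) for every suspicious process."""
    findings = []
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "environ"), "rb") as f:
                env = f.read()
            with open(os.path.join(base, "maps")) as f:
                maps = f.read()
        except OSError:
            continue  # kernel thread, vanished process, or no permission
        pre, odd = preload_from_environ(env), untrusted_shared_objects(maps)
        if pre or odd:
            findings.append((int(pid), pre, odd))
    return findings

# Constructed sample data (not taken from a real infection) for offline use.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/share/misc/libexample.so\0HOME=/root\0"
SAMPLE_MAPS = """\
7f0a0000-7f0a1000 r-xp 00000000 08:01 1234  /usr/lib/x86_64-linux-gnu/libc.so.6
7f0b0000-7f0b1000 r-xp 00000000 08:01 5678  /usr/share/misc/libexample.so
7f0b1000-7f0b2000 r--p 00001000 08:01 5678  /usr/share/misc/libexample.so
7f0c0000-7f0c1000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    for pid, pre, odd in scan_proc():
        print(f"pid {pid}: LD_PRELOAD={pre!r} untrusted .so={odd}")
```

Also check /etc/ld.so.preload by hand, since a library listed there is loaded into every process without any LD_PRELOAD variable appearing in the environment.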

The post SYMBIOTE Backdoor and Rootkit Dropper Revealed appeared first on Gridinsoft Blog.

How to Prevent a Rootkit Attack?
https://gridinsoft.com/blogs/how-to-prevent-a-rootkit-attack/
Mon, 02 May 2022 19:25:53 +0000

You may already have heard the term rootkit. The name comes from the Linux and Unix operating systems, where the most privileged administrator account is called "root", and the set of tools that gives a user admin-level or unauthorized root access to a device is the "kit".

Rootkits mostly infect operating systems and software, but they can also infect a computer's hardware and firmware. They are hard to detect because of how deeply they embed themselves in the system.

What is a Rootkit Attack?

With the help of rootkit malware, threat actors gain access to and control over the targeted device and then conduct further malicious activity. Once the rootkit is on the device it will either install other malware or steal personal data and financial information. Threat actors can also enlist the device into a botnet to conduct DDoS (distributed denial-of-service) attacks or send spam. Rootkits can exist as a single piece of software, but often they are made up of a collection of tools.

A rootkit operates near or within the kernel of the operating system, which gives threat actors the ability to issue commands to the computer directly. In this way, threat actors can install, for example, a keylogger to capture your keystrokes without your knowledge. A keylogger steals personal information such as online banking details or credit card numbers.

How Does a Rootkit Work?

Rootkits abuse the normal process of modification, in which a user changes account permissions and security settings. Usually only the computer's administrator is allowed to do this.

In computing, this type of modification is how legitimate and necessary changes are made to systems; threat actors take advantage of the same mechanism for their own ends.

But before they can install a rootkit, threat actors need to obtain administrator or root access. To do so they often exploit known vulnerabilities, obtain passwords via phishing, or escalate privileges. Sometimes the process is automated.

Popular Rootkit Attack Examples

This malware is a danger to anything that runs an operating system. Besides embedding itself deeply, it can also disable or remove security software.

Some rootkits are used for purely legitimate reasons; for example, IT specialists use them for remote support or to assist law enforcement. Far more often, though, threat actors use a rootkit for malicious purposes: to manipulate a computer's operating system and give remote users admin access. Attackers usually install rootkits in the following ways:

  • Infecting credit card swipes or scanners. Back in the day, cybercriminals used rootkits to infect scanners and credit card swipes in order to steal credit card information and send it to the criminals' server. To prevent such rootkit attacks, credit card companies adopted chip-embedded cards, which made credit cards more secure.
  • Infecting the OS. This type of attack usually occurs when a user downloads something from a suspicious source or opens an email with a malicious attachment. Upon activation, a kernel-mode rootkit enters the system and starts doing its job: it slows down system performance, modifies the functionality of the OS, and accesses or deletes files.
  • Infecting networks and IoT (Internet of Things) devices. Threat actors look for edge entry points among IoT devices where they can insert a rootkit. After insertion, the malware spreads further down the network, taking control of other computers and workstations. Because IoT devices and networks more often lack security measures, they are at greater risk of rootkit infection than centralized computers and systems.
  • Infecting applications. Whenever a user opens an infected application, such as spreadsheet or word processing software, the threat actors behind the rootkit get instant access to the user's information. This attack occurs when a user opens a suspicious email or clicks a suspicious link and thereby downloads a rootkit.

How to Detect Rootkit Attacks

Even though this kind of malware is hard to detect, since its very purpose is to stay hidden for as long as possible, some general signs of malware infection can point to its presence. Here are the important signs to watch for:

  1. Web pages don't work as they should. Web pages or network activity behave strangely because of excessive traffic.
  2. Windows settings have changed without your permission. Examples include an incorrect date and time, a taskbar that hides itself, or a changed screensaver.
  3. Your device has slowed down significantly. Sometimes the device doesn't respond to keyboard or mouse input; it often freezes or does things very slowly, and it takes a long time to start.
  4. Your web browser behaves unusually. An unknown bookmark appears in your browser, or links redirect to suspicious sites.
  5. Constant blue screens. Blue screens with white text (the "blue screen of death") appear often, each time forcing the computer to reboot.
  6. Your whole system behaves strangely. One of a rootkit's abilities is to manipulate your OS, so any strange and unusual behavior could be a sign of a rootkit.

How to Prevent Rootkit Attacks

A rootkit only works if you somehow launch it. Below are best-practice tips on how to prevent an infection:

  • Monitor your network traffic. Make it a habit to regularly monitor your network for malicious traffic. Network specialists can contain the effects of rootkit activity by isolating network segments, which prevents the attack from spreading.
  • Enable a next-gen antivirus. It goes without saying that in today's world a good antivirus solution is like a vaccine against numerous cyber threats. Keep it enabled and regularly scan the whole system.
  • Regularly update your software. Much software has known vulnerabilities, and vendors regularly release updates to patch them. If threat actors find no vulnerability, there is no exploit available to them.
  • Be careful with phishing emails. Phishing emails are the main medium threat actors use to target your device. They will try to trick you into clicking a malicious link or opening a suspicious attachment. The phishing email can be a fake Facebook request asking you to update your login credentials, an infected Word or Excel document, a photo, or an ordinary executable program.
  • Scan your system. Run a regular scan of your system to detect threats, and run one immediately if you notice anything unusual from the list above. The habit of regular scanning keeps your data secure and safe.

How to Remove a Rootkit

It is hard to detect a rootkit and remove it. Because of its hidden nature and stealthy way of operating, you have to spend a large amount of time to get rid of the malware completely.

Don't waste any time, as the rootkit may cause additional trouble, and the less of it you have the better. For example, the rootkit may have installed a backdoor, which you will also have to remove.

Try Gridinsoft Anti-Malware to help you remove the malware and deal with its consequences. Its interface is easy to navigate, which makes the cleanup one less thing to worry about.

The post How to Prevent a Rootkit Attack? appeared first on Gridinsoft Blog.
