Rootkit Malware

Kurt Baker - November 8, 2023

What is rootkit malware?

Rootkit malware is a collection of software designed to give malicious actors persistent, privileged control of a computer, network or application. Once activated, the malicious program sets up a backdoor and may deliver additional malware, such as ransomware, bots, keyloggers or trojans. Rootkits may remain in place for years because they are hard to detect: they hide their own files, processes and registry entries, and many can blind or disable antivirus software and malware scanners.

Types of rootkits

Known rootkits can be classified into a few broad families, although there are many hybrids as well. The main families are:

Firmware rootkits

A firmware rootkit targets the software that runs particular hardware components, storing itself in firmware that executes during the boot process before the operating system starts. Firmware rootkits are especially stealthy because they persist through reinstallation of the operating system and, when the firmware lives on the motherboard rather than the disk, even through replacement of the disk.

The use of firmware rootkits has grown as technology has moved away from BIOS code fixed in read-only memory and toward firmware that can be rewritten in place, including remotely. Cloud computing systems that place multiple virtual machines on a single physical system are also vulnerable, since compromised host firmware sits beneath every guest running on that hardware.

Examples of firmware rootkits include:

  • UEFI rootkit
  • Cloaker
  • VGA rootkit

Kernel mode rootkits

A kernel mode rootkit is a sophisticated piece of malware that runs with the same privileges as the operating system kernel and can add new code to it or modify and delete existing kernel code and data structures. They are complicated to create, and a buggy kernel rootkit will heavily impact the target computer’s performance or crash it outright. On the bright side, a buggy kernel rootkit leaves a trail of breadcrumbs (crashes, hangs, corrupted kernel structures) that antivirus solutions and integrity checks will detect.

Examples of kernel mode rootkits include:

  • Spicy Hot Pot
  • FU
  • Knark
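A classic kernel-mode hiding technique, and the one FU (listed above) is known for on Windows, is Direct Kernel Object Manipulation (DKOM): unlink the process object from the list the kernel walks when it enumerates processes, while leaving the object allocated and scheduled. The example below is added here and is not code from FU or any other rootkit; it is a user-mode simulation with a toy process list (the `proc_t` type, pool, and names are all constructed for this example) that shows both the unlinking trick and the standard counter-measure, cross-view detection: enumerate processes two independent ways and flag anything one view reports and the other does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: user-mode simulation of DKOM process hiding and cross-view
 * detection. proc_t stands in for a kernel process object and the doubly
 * linked list for the list walked by process-enumeration APIs. Toy code,
 * not Windows internals. */

#define MAX_PROCS 8

typedef struct proc {
    unsigned pid;
    char name[16];
    struct proc *next;
    struct proc *prev;
} proc_t;

/* Pool of process objects, as if allocated by the kernel. Slot 0 is the list head. */
static proc_t pool[MAX_PROCS];
static proc_t *head = &pool[0];
static size_t nprocs = 0;

static void proc_list_reset(void) {
    memset(pool, 0, sizeof pool);
    head->next = head;
    head->prev = head;
    nprocs = 0;
}

/* Append a process to the list; returns its object or NULL if the pool is full. */
static proc_t *proc_create(unsigned pid, const char *name) {
    if (nprocs + 1 >= MAX_PROCS) return NULL;
    proc_t *p = &pool[++nprocs];
    p->pid = pid;
    snprintf(p->name, sizeof p->name, "%s", name);
    p->prev = head->prev;
    p->next = head;
    head->prev->next = p;
    head->prev = p;
    return p;
}

/* The rootkit's trick: unlink the object from the list but leave it allocated
 * and runnable. Its neighbours now point past it; pointing the object at
 * itself keeps later code that touches p->next/p->prev from hitting stale memory. */
static void dkom_hide(proc_t *p) {
    p->prev->next = p->next;
    p->next->prev = p->prev;
    p->next = p;
    p->prev = p;
}

/* View 1: what a list-walking API (think "task manager") reports. */
static size_t enumerate_via_list(unsigned *out, size_t cap) {
    size_t n = 0;
    for (proc_t *p = head->next; p != head && n < cap; p = p->next)
        out[n++] = p->pid;
    return n;
}

/* View 2: an enumeration that does not trust the list, here a scan of the
 * object pool for live entries. Real scanners search kernel memory for
 * object signatures in the same spirit. */
static size_t enumerate_via_scan(unsigned *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 1; i <= nprocs && n < cap; i++)
        if (pool[i].pid != 0) out[n++] = pool[i].pid;
    return n;
}

/* Cross-view detection: anything the scan finds but the list walk misses is
 * hidden. Writes the hidden pids to `hidden` and returns how many there are. */
static size_t find_hidden(unsigned *hidden, size_t cap) {
    unsigned listed[MAX_PROCS], scanned[MAX_PROCS];
    size_t nl = enumerate_via_list(listed, MAX_PROCS);
    size_t ns = enumerate_via_scan(scanned, MAX_PROCS);
    size_t nh = 0;
    for (size_t i = 0; i < ns; i++) {
        int seen = 0;
        for (size_t j = 0; j < nl; j++)
            if (listed[j] == scanned[i]) seen = 1;
        if (!seen && nh < cap) hidden[nh++] = scanned[i];
    }
    return nh;
}

int main(void) {
    proc_list_reset();
    proc_create(4, "System");                      /* constructed sample processes */
    proc_t *mal = proc_create(1337, "dropper.exe");
    proc_create(2048, "explorer.exe");

    dkom_hide(mal);

    unsigned hidden[MAX_PROCS];
    size_t nh = find_hidden(hidden, MAX_PROCS);
    for (size_t i = 0; i < nh; i++)
        printf("hidden process detected: pid %u\n", hidden[i]);
    return 0;
}
```

The point of the second view is that it must not share the data structure the rootkit tampered with; on a real system that means scanning memory for process objects, or comparing the kernel's list against the scheduler's thread lists or handle tables, rather than calling the same enumeration API twice.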

Bootloader rootkits

Bootloader rootkits (bootkits) execute before the operating system loads. They target the Master Boot Record (MBR), the first sector read and executed when a computer starts up, or the Volume Boot Record (VBR), which contains the code that loads the operating system or application from a partition. By attaching itself to one of these records, a bootloader rootkit lives outside the file system, does not appear in a standard file system view, and is difficult for an antivirus or rootkit remover to detect. On UEFI systems with Secure Boot enabled, unsigned boot code is refused, which is why classic MBR and VBR bootkits target legacy BIOS boot.

Examples of bootloader rootkits include:

  • Stoned Bootkit
  • Olmasco
  • Rovnix
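Because a bootkit lives in a sector rather than a file, the check that catches it is an integrity comparison of that sector against a known-good baseline, not a file scan. The example below is added here and is not part of the original article: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), compares the boot code and partition table against a baseline, and reports which region changed. The sectors it uses are constructed inline; the "infected" bytes are placeholders, not a real bootkit payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: MBR integrity check against a baseline captured from a clean
 * system. The sector contents below are constructed for this example only. */

#define SECTOR_SIZE 512
#define BOOT_CODE_LEN 446
#define PART_TABLE_OFF 446
#define PART_ENTRY_LEN 16

enum mbr_status {
    MBR_OK = 0,
    MBR_BAD_SIGNATURE = 1,     /* last two bytes are not 0x55 0xAA */
    MBR_BOOT_CODE_CHANGED = 2, /* boot code differs from the baseline */
    MBR_PARTITION_CHANGED = 4  /* partition table differs from the baseline */
};

/* Compare a freshly read MBR with the baseline. Returns a bitmask of mbr_status. */
static int mbr_check(const uint8_t *current, const uint8_t *baseline) {
    int status = MBR_OK;
    if (current[510] != 0x55 || current[511] != 0xAA)
        status |= MBR_BAD_SIGNATURE;
    if (memcmp(current, baseline, BOOT_CODE_LEN) != 0)
        status |= MBR_BOOT_CODE_CHANGED;
    if (memcmp(current + PART_TABLE_OFF, baseline + PART_TABLE_OFF,
               4 * PART_ENTRY_LEN) != 0)
        status |= MBR_PARTITION_CHANGED;
    return status;
}

/* Index of the first partition flagged bootable (status byte 0x80), or -1. */
static int mbr_active_partition(const uint8_t *mbr) {
    for (int i = 0; i < 4; i++)
        if (mbr[PART_TABLE_OFF + i * PART_ENTRY_LEN] == 0x80) return i;
    return -1;
}

/* Build a constructed "clean" MBR: stub boot code and one bootable NTFS partition. */
static void make_baseline(uint8_t *mbr) {
    memset(mbr, 0, SECTOR_SIZE);
    mbr[0] = 0xEB; mbr[1] = 0xFE;          /* 'jmp $' stand-in for real boot code */
    uint8_t *e = mbr + PART_TABLE_OFF;
    e[0] = 0x80;                            /* bootable */
    e[4] = 0x07;                            /* partition type: NTFS/exFAT */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;  /* LBA start 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00; /* 0x100000 sectors */
    mbr[510] = 0x55; mbr[511] = 0xAA;
}

/* Simulate what a bootkit leaves behind: the boot code is replaced so the
 * implant runs first and later chains to the original loader, while the
 * partition table and signature are left intact so the disk still boots. */
static void simulate_bootkit(uint8_t *mbr) {
    mbr[0] = 0xEA; mbr[1] = 0x00; mbr[2] = 0x7C;   /* constructed bytes, not a payload */
}

int main(void) {
    uint8_t baseline[SECTOR_SIZE], current[SECTOR_SIZE];
    make_baseline(baseline);
    memcpy(current, baseline, SECTOR_SIZE);
    printf("clean:    status=%d active=%d\n",
           mbr_check(current, baseline), mbr_active_partition(current));
    simulate_bootkit(current);
    printf("infected: status=%d active=%d\n",
           mbr_check(current, baseline), mbr_active_partition(current));
    return 0;
}
```

On a real machine the sector is read from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) and the baseline is captured from a known-clean state. A rootkit that filters disk reads can lie to a reader running inside the infected operating system, so the comparison is most trustworthy when run from boot media or a separate host.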

Virtualized rootkits

Unlike kernel mode rootkits, which load as part of the operating system, a virtualized rootkit loads before the operating system and then runs the original system as a guest under a thin hypervisor it controls, so the compromised operating system and everything inside it only ever sees hardware the rootkit mediates. Virtualized rootkits take hold deep in the computer and are extremely difficult, or even impossible, to remove from within the running system.

User Mode rootkits

User mode rootkits modify the behavior of application programming interfaces (APIs) in user space, typically by hooking the functions that applications call. They can display false information to administrators, intercept system calls, filter process output and take other actions to hide their presence. However, because user mode rootkits run as ordinary applications rather than inside the operating system or other critical processes, they leave breadcrumbs that trigger antivirus and rootkit remover alerts, and they are not as hard to remove as some other types of rootkit malware.

Examples of user mode rootkits include:

  • Vanquish
  • Hacker Defender
  • Aphex
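The hook-and-filter pattern described above can be shown with a toy import table. The example below is added here and is not code from Vanquish, Hacker Defender, Aphex or the page's author: an "application" calls a directory-listing API through a function-pointer slot (standing in for a PE import address table entry), the rootkit overwrites the slot with a wrapper that strips one file name from the result, and a checker detects the hook by comparing the slot against the address the function legitimately has. The API, the file names and `HIDDEN_NAME` are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example: import-table hooking as a user-mode rootkit does it, with a
 * toy function-pointer table in place of a real PE import address table. */

#define MAX_ENTRIES 8

/* A "directory listing" API: fills out[] with names and returns the count. */
typedef int (*list_dir_fn)(const char **out, int cap);

/* The genuine API, returning a constructed listing. */
static int list_dir_real(const char **out, int cap) {
    static const char *names[] = { "notepad.exe", "report.docx", "svch0st.sys", "readme.txt" };
    int n = 0;
    for (int i = 0; i < 4 && n < cap; i++) out[n++] = names[i];
    return n;
}

/* The application's import table: every call to list_dir goes through this
 * slot, just as a Windows program calls imported functions through its IAT. */
struct imports { list_dir_fn list_dir; };
static struct imports iat = { list_dir_real };

/* Rootkit side: the hook calls the real function, then drops the entry it
 * wants hidden before the caller ever sees the listing. */
static const char *HIDDEN_NAME = "svch0st.sys";   /* constructed name */

static int list_dir_hook(const char **out, int cap) {
    const char *tmp[MAX_ENTRIES];
    int n = list_dir_real(tmp, MAX_ENTRIES);
    int kept = 0;
    for (int i = 0; i < n && kept < cap; i++)
        if (strcmp(tmp[i], HIDDEN_NAME) != 0) out[kept++] = tmp[i];
    return kept;
}

/* Installing the hook is a single pointer write into the table. */
static void install_hook(void) { iat.list_dir = list_dir_hook; }
static void remove_hook(void)  { iat.list_dir = list_dir_real; }

/* What the application (or an administrator's file browser) sees. */
static int app_count_files(void) {
    const char *names[MAX_ENTRIES];
    return iat.list_dir(names, MAX_ENTRIES);
}

/* Detection: integrity-check the import table. A scanner that knows where each
 * imported function legitimately lives flags any slot that points elsewhere. */
static int iat_is_hooked(void) { return iat.list_dir != list_dir_real; }

int main(void) {
    printf("before hook: %d files visible, hooked=%d\n", app_count_files(), iat_is_hooked());
    install_hook();
    printf("after hook:  %d files visible, hooked=%d\n", app_count_files(), iat_is_hooked());
    remove_hook();
    return 0;
}
```

In a real process the slot is an entry in the loaded image's import address table and the expected value is the export address resolved from the DLL on disk; the same comparison, applied to the first bytes of each exported function against the on-disk copy, catches inline hooks as well. Because the hook lives in the process's own memory, a user mode rootkit cannot survive a scan performed from outside that process, which is why this class is the easiest to detect and remove.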

Memory rootkits

Memory rootkits load into RAM only, so they persist just until memory is cleared when the system is restarted. While active, their malicious activities consume the targeted system’s resources and degrade its performance. Because they leave no file on disk, finding them relies on memory analysis rather than file scanning.

Rootkit example: Spicy Hot Pot

CrowdStrike encountered an interesting use of a rootkit that hijacks browsers in order to change users’ homepages to a page controlled by the attacker. This is a different approach from typical browser hijackers, which use malicious executables or registry keys to change users’ homepages.

The rootkit

This malware, dubbed Spicy Hot Pot, uploads memory dumps from users’ systems to its operator’s servers and adds a local update capability that keeps the malware current. In an advancement from previous browser hijackers, Spicy Hot Pot incorporates another step to remain stealthy: it drops two kernel-mode drivers to disk, and these install themselves during the infection process.

These malicious drivers perform a number of functions. They can:

  • Hinder security software from intercepting their callback functions
  • Collect memory dumps created on the computer system from a specific directory
  • Enable the malicious actor to update the malware any way they wish
  • Intercept and modify user input and output requests
  • Intercept attempts by administrators to display the malicious files, rendering them effectively invisible, even to a rootkit scanner

Discovery

Spicy Hot Pot was exposed when the CrowdStrike Falcon® Complete team was alerted to a suspicious binary that was trying to run in a customer’s Windows 10 environment. Investigation revealed that the binary was bundled with a browser hijacking rootkit. This rootkit placed seven executables and two malicious drivers onto the customer system before it disabled the targeted machine’s hibernation mode. The kernel drivers dropped to disk were not visible to users because the rootkit prevented the malware files from being displayed.

Investigation

The CrowdStrike team recognized the rootkit was one that had been observed as early as 2019 and that had been spawning variants ever since. CrowdStrike was able to simulate the malware’s actions, and in the process discovered the presence of a variant that was more widespread than the rootkit under investigation. This variant had a creation timestamp dating back four years, which indicated that Spicy Hot Pot was based on an older cracking tool that had likely been repackaged and redistributed by its creator.

Of the nine files dropped by the Spicy Hot Pot rootkit, eight were signed by different signing certificates issued to a single entity. The certificates had been expired for anywhere from 10 years to one minute, but all had expired. Despite being expired, the drivers still installed successfully because of exceptions in Windows driver signature enforcement. A practitioner examining a suspect driver should therefore look at who the certificate was issued to and whether it has been revoked, not only at its validity dates.

The CrowdStrike team then searched a public repository of malware samples for the first signing certificate and found hundreds of unique malware samples related to Spicy Hot Pot. The implication was that the malware operator was comfortable continuing to use these certificates and was unlikely to stop any time soon.

Even though Spicy Hot Pot filters user input and output requests to hide its files, CrowdStrike Falcon® was able to use telemetry to expose the infection actions programmed into the malware, and Falcon Real Time Response (RTR) capability was able to locate the kernel drivers and dropped binaries present on the targeted system.

Remediation

Like other rootkits, Spicy Hot Pot’s kernel filter drivers cannot be stopped by a user. A malicious driver prevents removal of its registry keys, its services and the drivers themselves, so removing it remotely is a challenge. As is typical, removing rootkit malware often requires powering down the machine or booting it into safe mode, neither of which is practical for a remote responder whose access depends on the running system. However, CrowdStrike found a way to stop Spicy Hot Pot from running at startup, which made remote remediation possible.

Spicy Hot Pot places its malicious drivers in the WindowsApps folder. Renaming that folder made the filter drivers visible: the path the drivers’ service entries referenced no longer existed, so the drivers failed to load at the next start. At that point, the services and registry keys associated with the Spicy Hot Pot rootkit could be removed.

How to protect against rootkits

Rootkits spread in the same ways as any malware: email, USB drives, exploited vulnerabilities, and so on. Organizations should follow all the standard endpoint protection practices, such as security awareness training, vulnerability management programs and device control, to protect their endpoints. Those steps will stop some malware from penetrating the infrastructure, but they won’t stop all malware and they won’t help with remediation.

Most endpoint protection solutions focus on the local operating system and the applications that sit on top of it. Advances in this area, such as machine learning, endpoint detection and response, and behavioral analytics, have made it harder for cybercriminals to achieve their objectives. In response, malicious actors have shifted their attention to the computing layers beneath the operating system: the firmware that runs the hardware. Rootkit malware is on the rise.

The best protection from rootkit malware is an endpoint protection solution that uses advanced technologies such as artificial intelligence, telemetry and real-time response capabilities that can identify hard-to-detect rootkits and stop them before they execute. Another key feature is continuous, auditable monitoring of each endpoint’s BIOS to detect firmware-level tampering beneath the kernel, where a kernel-only scanner cannot see. With these capabilities, organizations will be able to stop attacks before they have a chance to activate and even to detect dormant threats sleeping in the depths of their computing layers.

GET TO KNOW THE AUTHOR

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.