How to identify, prevent and remove rootkits in Windows 10

Rootkits are among the most difficult malware to detect and remove. Now, new variations are targeting Windows 10 systems. Use this advice to protect yourself from them.

Attackers use rootkits to hide malware on a device in a way that allows it to persist undetected over time, sometimes for years. During that time, it can steal data or resources, or surveil communications. Operating system-based rootkits are scary enough, but firmware rootkits are even more so. Both seek to persist, to stay hidden and to evade the processes and procedures meant to eradicate them.

Kernel or operating system rootkits were for many years a dangerous threat to computers. Then Microsoft made a major change in the operating system with Microsoft Vista in 2006: it required that vendors digitally sign drivers. This caused issues with printer drivers, but more importantly it forced malware writers to change their attack methods.

Kernel Patch Protection (KPP) required malware authors to overcome a digital signing requirement. This meant that only the most advanced attackers used rootkits as part of their payload. Rootkits went from being widely used to being seen in under 1 percent of malware output for many years.
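The driver-signing requirement described above is something a defender can check against on a running machine. The following PowerShell script is an added example, not code from the article or from Bitdefender: it enumerates the kernel drivers currently running, verifies the Authenticode signature of each driver file, and reports the signer. It assumes an elevated PowerShell session on Windows 10; the driver paths come from the running system, and the output file name is a constructed placeholder.

```powershell
# Added example (not from the article): list running kernel drivers and check each file's Authenticode signature.
# Assumes an elevated PowerShell session on Windows 10.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a filesystem path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose file cannot be found on disk is itself worth investigating.
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $sig.SignerCertificate.Subject  # who the certificate was issued to
    }
}

# Show everything, worst status first, then save the non-valid entries for follow-up.
$report | Sort-Object Status | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' } |
    Export-Csv -Path "$env:TEMP\driver-signatures.csv" -NoTypeInformation   # placeholder output path
```

Two caveats follow directly from the Zacinlo case: a status of `Valid` only means the file carries a signature that chains to a trusted root, so a driver signed by an unfamiliar vendor deserves the same scrutiny as an unsigned one, and a kernel-mode rootkit that is already loaded may hide its own service entry from the enumeration. Comparing this list against one taken from known-good media of the same build, or running the check from an offline boot, avoids trusting the possibly compromised system to report on itself.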

Zacinlo ad fraud makes Windows rootkits relevant again

Then in June 2018, the Zacinlo ad fraud operation came to light and made us once again worry about the risk of rootkits. As Bitdefender’s research pointed out, this rootkit-based malware has been in play for six years but only recently targeted the Windows 10 platform, with one key change: It used a digitally signed driver to bypass Windows 10 protections. Researchers found that 90 percent of the samples were running Windows 10.

