
How to identify, prevent and remove rootkits in Windows 10

Feb 15, 2019 (9 min read)
Topics: Malware, Network Security, Security

Rootkits are among the most difficult malware to detect and remove. Now, new variations are targeting Windows 10 systems. Use this advice to protect yourself from them.

Attackers use rootkits to hide malware on a device in a way that allows it to persist undetected over time, sometimes for years. During that time it can steal data or resources, or surveil communications. Operating system-based rootkits are scary enough, but firmware rootkits are even more so. Both are built to persist, stay hidden and evade the processes and procedures meant to eradicate them.

Kernel or operating system rootkits were for many years a dangerous threat to Windows computers. Then Microsoft made a major change with Windows Vista in 2006: 64-bit editions required kernel-mode drivers to be digitally signed before they would load. This caused problems with some printer and other device drivers, but more importantly it forced malware writers to change their attack methods.

Kernel Patch Protection (KPP, better known as PatchGuard) blocks the modifications to kernel structures that classic rootkits relied on, and driver signature enforcement means a malicious kernel driver cannot load without a valid signature. Overcoming both takes real resources, so only the most advanced attackers kept rootkits in their payloads. Rootkits went from being widely used to appearing in under 1 percent of malware output for many years.

Zacinlo ad fraud makes Windows rootkits relevant again

Then in June 2018 the Zacinlo ad fraud operation came to light and made us worry about rootkits again. As Bitdefender's research pointed out, this rootkit-based malware had been in play for six years but had only recently targeted the Windows 10 platform, with one key change: it used a digitally signed driver to get past Windows 10's driver signature enforcement. Researchers found that 90 percent of the infected machines were running Windows 10.

Rootkits, by definition, go out of their way to survive basic cleaning of an operating system, and shipping the rootkit as a validly signed kernel driver meant that is exactly what Zacinlo could do on Windows 10. Bitdefender lists these Zacinlo components:

  • A rootkit driver that protects itself as well as its other components. It can stop processes deemed dangerous to the functionality of the adware while also protecting the adware from being stopped or deleted.
  • Man-in-the-browser capabilities that intercept and decrypt SSL communications. This allows the adware to inject custom JavaScript code into web pages visited by the user.

Zacinlo's rootkit component is highly configurable and stores all of its configuration data encrypted inside the Windows Registry, according to Bitdefender. During Windows shutdown, the rootkit rewrites itself from memory to disk under a different name and updates its registry key, so an antivirus signature tied to a fixed file name or path never finds the same artifact twice. This is how it evades detection by normal antivirus techniques.

How to detect rootkit malware in Windows 10

Often the best way to determine whether a machine is infected by a rootkit is to review the outbound TCP/IP traffic from the suspect device rather than trust what the device says about itself: a rootkit can hide its files, processes and drivers from the operating system it has subverted, but its command-and-control and exfiltration traffic still has to cross the network. If you have a large network with a standalone egress filtering firewall, you have a key tool at your disposal: it shows exactly what your workstations and network devices are connecting to.

Your first goal is to review the firewall's reporting and confirm it will show what you need to see in case of an attack. If you only see IP addresses in the firewall logs, add user or device authentication data so that tracking a connection back to a machine and a person is easier.

Figure: Review your current firewall logging reports (screenshot: Microsoft)

Ideally, you have a logging solution that alerts you to unusual traffic or allows you to block firewall traffic from geographic locations. As the attackers aim to be silent and not alert you to their activities, you may need to investigate implementing a formal log management (LM) and security information and event management (SIEM) system. Firewall and event log files are often rolled off the system quickly. To do forensic investigations or comply with regulations, you may need to implement a storage mechanism for logging.

In a home or small business setting, check to see if you can identify traffic in the firewall logs of your ISP’s modem, or your personal firewall/router if you have such a device. Export these log files into a database parser program that can filter and sort the traffic.
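The kind of filtering and sorting described above, as an added example that is not code from the article: a PowerShell script that parses the Windows Firewall log (pfirewall.log, W3C format), summarises outbound destinations, and flags any that are not in a baseline you maintain. The baseline entries and the sample log lines are constructed for this example; the real log path is the default Windows one, and logging of allowed connections has to be switched on first, as shown in the comment.

```powershell
# Added example, not code from the article: parse the Windows Firewall log
# (W3C format) and summarise outbound destinations, flagging any that are not
# in a baseline you maintain. The baseline and the sample log lines are
# constructed assumptions; build your own baseline from a known-clean week of logs.

$LogPath = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'

# Allowed connections are not logged by default. Turn logging on (elevated prompt):
#   Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767

# Constructed sample in pfirewall.log format, used only if the real log is absent.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-02-15 10:01:02 ALLOW TCP 192.168.1.20 13.107.4.50 51234 443 0 - 0 0 0 - - - SEND
2019-02-15 10:01:05 ALLOW TCP 192.168.1.20 13.107.4.50 51235 443 0 - 0 0 0 - - - SEND
2019-02-15 10:03:11 ALLOW TCP 192.168.1.20 203.0.113.77 51301 8443 0 - 0 0 0 - - - SEND
2019-02-15 10:03:41 ALLOW TCP 192.168.1.20 203.0.113.77 51302 8443 0 - 0 0 0 - - - SEND
2019-02-15 10:04:02 ALLOW UDP 192.168.1.20 198.51.100.9 51400 53 0 - - - - - - - SEND
2019-02-15 10:04:09 ALLOW TCP 198.51.100.9 192.168.1.20 443 51236 0 - 0 0 0 - - - RECEIVE
2019-02-15 10:05:00 DROP TCP 192.168.1.20 203.0.113.77 51303 4444 0 - 0 0 0 - - - SEND
'@

# Destinations you expect to see (assumed values for this example).
$Baseline = @{ '13.107.4.50:443' = 'Windows Update'; '198.51.100.9:53' = 'DNS resolver' }

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if (-not $line.Trim() -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        if ($null -eq $fields -or $values.Count -lt $fields.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-OutboundSummary {
    param([string[]]$Lines, [hashtable]$Known)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.path -eq 'SEND' } |                      # outbound only
        Group-Object { '{0}:{1}' -f $_.'dst-ip', $_.'dst-port' } |
        ForEach-Object {
            $key = $_.Name
            [pscustomobject]@{
                Destination = $key
                Protocol    = $_.Group[0].protocol
                Allowed     = @($_.Group | Where-Object action -eq 'ALLOW').Count
                Dropped     = @($_.Group | Where-Object action -eq 'DROP').Count
                FirstSeen   = ($_.Group | ForEach-Object { '{0} {1}' -f $_.date, $_.time } | Sort-Object)[0]
                Baseline    = if ($Known.ContainsKey($key)) { $Known[$key] } else { 'UNKNOWN' }
            }
        } |
        Sort-Object @{ Expression = { $_.Baseline -eq 'UNKNOWN' }; Descending = $true },
                    @{ Expression = 'Allowed'; Descending = $true }
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog -split "`r?`n" }
Get-OutboundSummary -Lines $lines -Known $Baseline | Format-Table -AutoSize

# The firewall log carries no process name, so pair any UNKNOWN destination that
# is still connected with its owning process while the connection is live.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(10\.|192\.168\.|127\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    } | Format-Table -AutoSize
```

On the constructed sample the unknown destination 203.0.113.77 rises to the top with two allowed connections on port 8443 and one dropped attempt on port 4444, which is the shape of a beacon worth chasing. The live-connection join at the end is deliberately a second, independent view: if the firewall log shows traffic that `Get-NetTCPConnection` on the host cannot see, the host is hiding something from you, which is itself a rootkit indicator.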

A system that is misbehaving is often the first indicator that a rootkit is installed. Excessive CPU or internet bandwidth usage is a common sign. A Windows 10 machine generates more internet activity than prior operating systems because of Windows Update and telemetry traffic, but you should still be able to tell when the machine is not behaving normally.

If your router does not give you good visibility into what your systems are doing, it's time to upgrade. Some personal routers include subscription services that scan for vulnerabilities and report when devices attempt to contact other internet addresses. Log in to your router now and review what logging it offers and whether it can be adjusted and customized.

Figure: Netgear router with customization options in logging (screenshot: Netgear)

How to prevent a rootkit malware attack

You have many ways to prevent rootkit malware from installing on your systems. One is stricter control over which code is allowed to run. Windows 10 in S mode, for example, allows only applications from the Microsoft Store to be installed. Windows Defender Application Control, the code integrity part of Device Guard, is available with a Windows 10 Enterprise license and lets you define which drivers and applications may load; paired with hypervisor-protected code integrity (memory integrity), the enforcement runs in a hypervisor-isolated region that a kernel-mode rootkit cannot patch.
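A check of the enforcement state a signed-driver rootkit has to get past, added here as an example and not code from the article or from Bitdefender's analysis. The first function reads the boot flags that disable signature checking, the Device Guard status from the Win32_DeviceGuard CIM class, and reports them; the second verifies the Authenticode signature of every running kernel driver. It assumes an elevated PowerShell session on Windows 10 and that you will compare its output against a known-good inventory from a freshly imaged machine.

```powershell
# Added example, not code from the article or from Bitdefender's analysis:
# report the kernel code-integrity settings a signed-driver rootkit has to get
# past, then list running kernel drivers whose signature does not verify.
# Run from an elevated PowerShell (bcdedit and the DeviceGuard class need admin rights).

function Get-CodeIntegrityPosture {
    $bcd = (& bcdedit /enum '{current}' 2>$null) -join "`n"
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Either boot flag lets unsigned drivers load; a dropper can set them and reboot.
        TestSigningOn      = [bool]($bcd -match '(?m)^testsigning\s+Yes')
        IntegrityChecksOff = [bool]($bcd -match '(?m)^nointegritychecks\s+Yes')
        # VirtualizationBasedSecurityStatus: 2 = running. SecurityServicesRunning
        # contains 2 when HVCI (memory integrity) is enforcing kernel code integrity.
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning        = (@($dg.SecurityServicesRunning) -contains 2)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
        KernelCIPolicy     = @('Off', 'Audit', 'Enforced')[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot         # \SystemRoot\... -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-RunningDriverSignatures {
    Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # Running with no file on disk is worth a look on its own.
            [pscustomobject]@{ Service = $_.Name; Path = $path; Status = 'FileMissing'; Signer = $null; Flag = 'REVIEW' }
            return
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Service = $_.Name
            Path    = $path
            Status  = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject
            Flag    = if ($sig.Status -eq 'Valid') { '' } else { 'REVIEW' }
        }
    } | Sort-Object Flag, Service -Descending
}

Get-CodeIntegrityPosture | Format-List
Get-RunningDriverSignatures | Format-Table Flag, Service, Status, Signer -AutoSize
```

Two caveats a practitioner should keep in mind. First, Zacinlo's driver was validly signed, so a "Valid" status is not a clean bill of health: the signer column is what to scrutinise, and on Windows 10 most third-party drivers are cross-signed by Microsoft's hardware publisher certificate, so a Microsoft signer does not mean a Microsoft driver. Diff the Service, Path and Signer columns against a baseline inventory rather than eyeballing them. Second, the driver list comes from the kernel you are questioning; a rootkit that hides its own service will not appear here, which is why the network-side view in the detection section matters.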

Put processes in place that let end users notify the help desk or security team when they believe a rootkit is on their machine, so that an appropriate investigation can be undertaken. Often a well-informed user is key to determining whether a machine has been infected. If you are an IT admin, make sure you train your users to spot and report rootkit symptoms.

Even basic security awareness training will help prevent rootkits. The NIST Guide to Malware Incident Prevention and Handling for Desktops and Laptops (SP 800-83) lists the following policies as key to protecting systems. Users should not:

  • Open suspicious emails or email attachments or click on hyperlinks from unknown or known senders, or visit websites that are likely to contain malicious content
  • Click on suspicious web browser popup windows
  • Open files with extensions that are likely to be associated with malware (e.g., .bat, .com, .exe, .pif or .vbs)
  • Disable malware security control mechanisms (e.g., antivirus software, content filtering software, reputation software or personal firewall)
  • Use administrator-level accounts for regular host operation
  • Download or execute applications from untrusted sources

How to remove rootkit malware

To clean up rootkits, you have several options. You can launch a Windows Defender Offline scan from inside Windows 10: open Windows Defender Security Center, go to Virus & threat protection, open the advanced scan options and select the Windows Defender Offline scan radio button. Once you reboot, the machine starts a clean Windows PE environment instead of the installed operating system and scans the disk from there, so a rootkit that hides itself from the running kernel is not in control while the scan runs.

Figure: Windows Defender Offline scan (screenshot: Microsoft)

Additional tools, such as those from Malwarebytes and Kaspersky, perform similar tasks. If a scan raises suspicion of a rootkit infection, treat it as a security incident: take the suspected device off the network and the internet immediately, and preserve what you can before rebooting or cleaning.
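The steps above scripted so they happen in a fixed order, as an added example rather than the article's own procedure: capture volatile state before the offline scan reboots the machine, refresh Defender signatures while the network is still up, isolate the host, then hand off to Windows Defender Offline with the `Start-MpWDOScan` cmdlet. The evidence folder name is an assumption; the cmdlets are the standard Defender, NetTCPIP and NetAdapter ones and need an elevated session.

```powershell
# Added example, not from the article: scripted triage once a scan flags a
# possible rootkit. Order matters: volatile state first (the offline scan
# reboots), signatures next (needs network), then isolate, then scan.
# The evidence folder name is an assumption. Run from an elevated PowerShell.

$Evidence = Join-Path $env:USERPROFILE ('rootkit-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

function Save-VolatileState {
    param([string]$Dir)
    # Anything a rootkit hides from the running OS is missing here too; keep this
    # snapshot to compare against what the offline scan reports afterwards.
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv (Join-Path $Dir 'tcp-connections.csv') -NoTypeInformation
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
        Export-Csv (Join-Path $Dir 'processes.csv') -NoTypeInformation
    Get-CimInstance Win32_SystemDriver |
        Select-Object Name, State, StartMode, PathName |
        Export-Csv (Join-Path $Dir 'drivers.csv') -NoTypeInformation
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
        Export-Csv (Join-Path $Dir 'scheduled-tasks.csv') -NoTypeInformation
    # Autostart registry keys: a rootkit's user-mode components commonly live here.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) { Get-ItemProperty $key | Out-File (Join-Path $Dir 'run-keys.txt') -Append }
    }
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Export-Csv (Join-Path $Dir 'defender-detections.csv') -NoTypeInformation
    # Hash the evidence files so you can prove later that they were not altered.
    $hashes = Get-ChildItem -Path $Dir -File | Get-FileHash -Algorithm SHA256
    $hashes | Export-Csv (Join-Path $Dir 'hashes.csv') -NoTypeInformation
}

Save-VolatileState -Dir $Evidence
Update-MpSignature                       # needs network, so do it before isolating
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false   # persists across reboot; undo with Enable-NetAdapter
Write-Host "Evidence saved to $Evidence; copy it to removable media before the reboot."
Start-MpWDOScan                          # reboots into Windows Defender Offline
```

The evidence files live on the suspect disk until you copy them off, so move them to removable media before `Start-MpWDOScan` reboots the machine, and remember that the adapters stay disabled after the scan until you run `Enable-NetAdapter`.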

If you are still unsure if your system has a rootkit, several helpful forums can walk you through the process of analysis and detection. The BleepingComputer forums are an excellent venue to assist in the evaluation of a system. Another helpful venue for Windows 10 computers is the TenForums site.

Once you determine your system is infected, completely rebuild the computer from original installation media. Alternatively, if you have a full backup, roll the system back to before the incident occurred and monitor it for signs of re-infection. As part of the clean-up routine, reset the passwords of every account used on the system and change the master password of your password manager at the same time.

Firmware rootkits require a different approach

Rootkits embedded in a device's firmware are harder to recover from and clean up. Unified Extensible Firmware Interface (UEFI) rootkits are among the scariest of this type. In September 2018, ESET documented LoJax, the first UEFI rootkit found in the wild, and attributed it to APT28. The rootkit was written into the SPI (Serial Peripheral Interface) flash chip that holds the system firmware. That gave it persistence across both reinstallation of the operating system and replacement of the hard drive.

To protect yourself from BIOS, UEFI or other firmware rootkits, keep your systems' firmware up to date and check that Secure Boot is on. Secure Boot has been around for many years and is designed to protect the preboot process by ensuring that only code signed by a trusted key can run during boot. It is not a complete answer on its own: it verifies signatures on boot components, but it does not stop an attacker with administrator rights from writing to an SPI flash chip whose write-protection is misconfigured, which is why vendor firmware updates and the platform's flash protections matter too. To determine whether your Windows 10 system is currently running with Secure Boot, open the Start menu, type "System Information", and in the resulting window scroll down to Secure Boot State. If it says On, your system is already running in this protected mode.

Figure: Determine your Secure Boot state (screenshot: Microsoft)

Several projects on GitHub collect resources to help you determine whether your firmware is current. Make updating system BIOS and firmware part of your computer security process. If you do not have a tool from the hardware vendor that checks for and installs firmware updates, install one; HP, for example, provides HP Support Assistant.
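The Secure Boot and firmware-currency checks from the last two paragraphs in one PowerShell function, added as an example and not code from the article. It reads Secure Boot state with `Confirm-SecureBootUEFI`, boot mode from the `firmware_type` environment variable, and the firmware version and release date from Win32_BIOS; the 365-day age threshold is an assumption you should replace with whatever your vendor's release cadence justifies. It needs an elevated prompt, and on a legacy-BIOS machine `Confirm-SecureBootUEFI` throws, which the function treats as "unsupported".

```powershell
# Added example, not from the article: report Secure Boot state, boot mode and
# firmware version/date, and flag firmware older than a threshold you choose.
# The 365-day default is an assumption. Confirm-SecureBootUEFI needs an elevated
# prompt and throws on legacy-BIOS systems; that case is handled as Unsupported.

function Get-FirmwarePosture {
    param([int]$MaxAgeDays = 365)

    $secureBoot = $null                       # $null = not UEFI or cmdlet unsupported
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $bios = Get-CimInstance Win32_BIOS        # ReleaseDate arrives as a DateTime
    $age  = if ($bios.ReleaseDate) { (New-TimeSpan -Start $bios.ReleaseDate -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        BootMode         = $env:firmware_type # 'UEFI' or 'Legacy'
        SecureBoot       = if ($null -eq $secureBoot) { 'Unsupported' } elseif ($secureBoot) { 'On' } else { 'Off' }
        Manufacturer     = $bios.Manufacturer
        FirmwareVersion  = $bios.SMBIOSBIOSVersion
        FirmwareReleased = $bios.ReleaseDate
        FirmwareAgeDays  = $age
        # Anything but "UEFI with Secure Boot on and recent firmware" deserves a look.
        NeedsAttention   = ($secureBoot -ne $true) -or ($null -eq $age) -or ($age -gt $MaxAgeDays)
    }
}

Get-FirmwarePosture | Format-List
```

An old release date does not by itself mean you are behind, since a vendor may simply not have shipped anything newer; treat NeedsAttention as a prompt to compare FirmwareVersion against the vendor's download page, not as a verdict. Secure Boot reporting Off on a UEFI machine that you configured with it on is the finding that should stop you in your tracks.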

Remember that rootkits are not just for Windows devices. They can be introduced into internet of things (IoT) devices as well. If you suspect a device has been compromised, reset it to factory defaults, then make sure it is running the latest firmware. Last but not least, reset the password of the account associated with the device.

If you are hit by a rootkit, the best way to recover is to fully reinstall the operating system and reflash the firmware from the vendor's image. Reset account passwords as needed. Prevention is obviously easier than the cure, but you can recover as long as you retain the ability to reinstall the operating system and applications.

Start now by downloading a clean Windows 10 ISO and storing it on a flash drive, and make sure your key applications and license keys are backed up or stored offsite where they can be reached should an infection occur.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
