How to Protect Against Rootkit Malware Kernel-Level Attacks
For security purposes, anything users bring into an enterprise digital environment that has access to the system kernel must be free from malicious code or software.
For security purposes, it should go without saying that anything users bring into an enterprise digital environment, such as software drivers that have access to the system kernel, must be free from malicious code or software. Everything should be vetted and approved by an IT administrator.
The Windows security model is based on securable objects. Each component of the operating system must ensure the security of the objects for which it is responsible. Drivers must safeguard the security of their devices and of the computers to which they are connected.
A rootkit attack can be the most devastating malware attack an organization can experience. A rootkit that uses a driver to gain access to a computer's operating system and kernel can cause extreme damage. It can remain undetected within a system for long periods, watching everything the user does. Rootkits are dangerous not only because of the damage they can inflict, but also because they are almost impossible to detect and remove. A rootkit is designed to protect a malicious program delivered by a threat actor, acting as a sort of invisibility cloak. Rootkit malware can steal data and take over a system for malicious purposes, all while remaining undetected. In most cases, the only way to completely remove a rootkit is to wipe the operating system and rebuild the machine from the ground up.
Rootkit malware can be dealt with using specialized anti-rootkit software that detects, prevents, and removes it. For instance, the RevBits Endpoint Security module includes unique anti-rootkit threat detection, prevention, and removal capabilities. To remove known and unknown rootkit malware, it identifies suspicious callback processes, hooks, registry keys, and modified files. RevBits' patented anti-rootkit capabilities protect computer systems and data by detecting, blocking, and removing malicious drivers.
Rootkit May Be the Next Big Wave of Malware Attacks
While it is very difficult to create a rootkit, both non-state and state-sponsored threat actors are becoming highly sophisticated. Many are even taking advantage of Malware-as-a-Service, through which future versions of a rootkit could be made available. The advantage of Malware-as-a-Service for bad actors is that they don't need the large resources or the highly skilled capabilities required to create and launch an attack themselves.
Software drivers are becoming common attack vectors. Drivers are the bridge between the hardware, software, and data on a computer or network. Cyberattacks using drivers are an easy way for bad actors to gain system-level privileges and remotely execute malicious code in otherwise inaccessible parts of the OS, such as the kernel. One approach to securing the Windows operating system is to prevent new drivers from loading and accessing the Windows OS and kernel space. Unfortunately, Windows documentation doesn't provide a solution for this. Solving this problem requires a system and method that selectively blocks unwanted drivers from being loaded and executed in the kernel.
Malicious Windows drivers that are loaded and executed within the kernel can completely disarm antivirus security products, rendering them useless. There is no inherent method in Windows to fully prevent drivers, signed or not, from being loaded into the operating system kernel layer. Of course, this opens up opportunities for hackers to find ways of bypassing driver signature enforcement: they can use stolen code signing certificates to sign malicious drivers, or find other ways of getting around driver signing enforcement within the Windows OS kernel space.
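As an added defender-side example, not code from the article or from RevBits, the PowerShell audit below enumerates the running kernel-mode drivers, checks each one's Authenticode signature, and flags any driver whose SHA-256 is not on an administrator-maintained allowlist. The allowlist path and format and the Resolve-DriverPath helper are assumptions made here; it is meant to run in an elevated PowerShell 5.1 or later session on Windows.

```powershell
# Added audit script (not from the article or from RevBits): list every running
# kernel-mode driver, verify its Authenticode signature, and flag any driver whose
# SHA-256 is not on an administrator-maintained allowlist.
# Assumptions: elevated PowerShell 5.1+ on Windows; the allowlist path is a
# placeholder to replace with your own.

$AllowListPath = 'C:\ProgramData\DriverAudit\allowed-drivers.txt'   # placeholder

# Allowlist format (assumed here): one SHA-256 hex digest per line, one per vetted driver file.
$allowed = @{}
if (Test-Path -LiteralPath $AllowListPath) {
    Get-Content -LiteralPath $AllowListPath |
        Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' } |
        ForEach-Object { $allowed[$_.ToUpperInvariant()] = $true }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be NT-style (\??\C:\..., \SystemRoot\...) or quoted.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

$findings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries with no image on disk
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            Allowed   = $allowed.ContainsKey($hash)
            SHA256    = $hash
        }
    }

# The allowlist is the primary control: a driver signed with a stolen certificate
# still reports Valid, so signature status alone cannot decide allow/deny.
$flagged = $findings | Where-Object { -not $_.Allowed -or $_.SigStatus -ne 'Valid' }
$flagged | Sort-Object Name | Format-Table Name, SigStatus, Signer, Path -AutoSize
```

On PowerShell versions before 5.1, catalog-signed inbox drivers can report NotSigned, which is one more reason the allowlist, not the signature status, is the deciding check.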
Anti-Rootkit Software Detects, Blocks, and Removes Rootkit Malware
In the recent case where Microsoft signed a malicious Netfilter driver for a gaming application, there was nothing a signature-based or behavior-based antivirus product could do. There needs to be a system and process in place that enables an administrator to decide which drivers and applications are permitted access to kernel space. Anti-rootkit software such as RevBits includes patented capabilities that can catch and block drivers in memory before they access kernel space. This allows administrators to decide which drivers are allowed, and which are denied, access to the kernel. RevBits holds a U.S. patent for detecting and blocking signed and unsigned drivers attempting to access the kernel-level OS. The anti-rootkit software detects and alerts on known and unknown malicious rootkits using unique modeling techniques, and removes them through its callback capabilities, whether they are signed by Microsoft or any other CA.
The RevBits Endpoint Security module is part of the RevBits Cyber Intelligence Platform (CIP), a unified security platform that automates and integrates a suite of security modules that detect, alert, respond, and intelligently analyze layered security data across the IT and security stack. All security data is coalesced and presented within the RevBits unified dashboard for rapid forensics and mitigation.
Published at DZone with permission of Neal Hesterberg. See the original article here.