Threat Research & Response Blog
Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active to begin with, if the computer is already infected by a rootkit, things get more interesting. Antimalware technologies must use sophisticated techniques to scan for, detect, and finally remove a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.
Of all infections reported from client machines, low-level rootkits represent about 7% of infections.
Of course, measuring the prevalence of rootkits is not entirely straightforward; by definition rootkits do everything they can to remain unseen. When we added some additional checks to our default scheduled scan to look for files that are hidden from Windows API calls, some threats that had appeared relatively benign suddenly revealed that they had moved to using a rootkit to try to avoid detection:
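The check described above is a cross-view comparison: enumerate a directory once through the Windows API (the view a rootkit's hook can filter) and once through a lower-level path that the hook does not see, then treat anything that only the low-level view lists as a candidate hidden file. The following is an added example, not code from the original post or from the antimalware client it describes; the paths, sizes, the simulated hook's filtering rule (dropping names that start with `rk_`) and the transient temp file are all constructed, and the second pass exists to show why a single diff is not enough.

```python
"""Added example (not code from the original post): a cross-view check for
files hidden from the Windows API, run over constructed directory listings.
One view is what a file-enumeration API returns (the view a rootkit's hook
filters); the other is a lower-level enumeration that bypasses the hook.
Anything the low-level view lists that the API view omits is a candidate
hidden file.  Paths, sizes and the hook's filtering rule are constructed."""

# Constructed on-disk contents: path -> size in bytes
DISK = {
    r"C:\Windows\System32\drivers\ndis.sys": 512_000,
    r"C:\Windows\System32\drivers\rk_filter.sys": 40_960,  # constructed hidden driver
    r"C:\Windows\Temp\rk_config.dat": 1_024,               # constructed hidden data file
    r"C:\Users\alice\report.docx": 20_480,
}
TRANSIENT = r"C:\Windows\Temp\tmp1234.tmp"  # short-lived file, see disk_state()
HIDDEN_PREFIX = "rk_"  # assumed filtering rule of the simulated hook


def disk_state(pass_no, include_transient):
    """Return the true disk contents for enumeration pass `pass_no`.
    The constructed transient file exists only during the first pass."""
    view = dict(DISK)
    if include_transient and pass_no == 1:
        view[TRANSIENT] = 16
    return view


def simulate_api_hook(listing, hidden_prefix):
    """Model a rootkit's filtered API enumeration: every entry whose file name
    starts with the rootkit's prefix is dropped before the caller sees it."""
    return {
        path: size for path, size in listing.items()
        if not path.rsplit("\\", 1)[-1].lower().startswith(hidden_prefix)
    }


def api_view(pass_no):
    """What a Windows API enumeration returns: hooked, and taken a moment
    before the raw enumeration (so it never sees the transient file)."""
    return simulate_api_hook(disk_state(pass_no, include_transient=False), HIDDEN_PREFIX)


def raw_view(pass_no):
    """What a low-level enumeration (e.g. parsing the file system directly)
    returns: unfiltered, and taken a moment after the API view."""
    return disk_state(pass_no, include_transient=True)


def cross_view_diff(api_listing, raw_listing):
    """Paths present in the raw view but missing from the API view."""
    return sorted(path for path in raw_listing if path not in api_listing)


def confirm_hidden(passes=2):
    """Repeat the cross-view diff and keep only paths hidden in every pass.
    A file created or deleted between the two enumerations of a single pass
    shows up as a difference once; a file hidden by a hook shows up every time."""
    confirmed = None
    for pass_no in range(1, passes + 1):
        hidden = set(cross_view_diff(api_view(pass_no), raw_view(pass_no)))
        confirmed = hidden if confirmed is None else confirmed & hidden
    return sorted(confirmed)


if __name__ == "__main__":
    print("single pass:", cross_view_diff(api_view(1), raw_view(1)))
    print("confirmed:  ", confirm_hidden())
```

The single-pass diff flags three paths, one of them the temp file that simply appeared between the two enumerations; the two-pass confirmation keeps only the two entries the hook removes every time. A real scanner obtains the raw view by reading the volume's own structures rather than from a constructed dictionary, and the same repeat-and-intersect step is what keeps its false-positive rate down on busy systems.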
In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports:
You can learn more about these top families in the Malware Encyclopedia:
This list includes threats that tried to run and were blocked by real-time protection. If we look at threats that had files detected as being actively hidden on disk from Windows, we get a somewhat different picture.
Rootkits tend to hide their malicious binaries on disk in predetermined locations. Here are the most popular locations we see hidden rootkit binaries living on the hard disk:
Windows may not show anything unusual in these locations, but a more thorough antirootkit scan can shine a light on the hidden rootkit threats and take appropriate action.
In terms of the type of file being hidden on users' computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising.
Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel.
Here's a sample of report volume showing computers that have had their Windows kernel altered, across a recent consecutive 10-day period:
That's about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide. If the kernel is already hooked by a "legitimate" program, the rootkit can hook at the next level, making it more difficult to trace the hook chain to the malicious code.
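To make the kernel check and the hook-chain problem concrete, here is an added example that is not code from the original post or from the antimalware client it describes. It diffs an in-memory copy of a kernel text section against its on-disk reference, maps each modified range to the export it falls in, and follows the inline jump hooks it finds hop by hop, so that a hook placed by a "legitimate" driver and a second hook the rootkit placed on top of it are both reported. The address map, module names (`ntoskrnl.exe`, `legitfilter.sys`, `rootkit.sys`), symbol table and filler bytes are all constructed for a toy address space and do not describe any real Windows build; the model also simplifies by hooking the driver's handler at its entry, whereas a real second-level hook may land anywhere in the handler.

```python
"""Added example (not code from the original post): a simplified kernel
code-integrity check.  It diffs the in-memory copy of a kernel text section
against the on-disk reference image, maps each modified range to the exported
function it falls in, and then follows the chain of inline 'jmp' hooks it
finds until control lands in a module that is not the kernel.  The address
map, module names, symbol table and byte patterns are all constructed for
this toy address space and do not describe any real Windows build."""
import struct

# Constructed address map: module name -> (start, end, filler byte standing in for code)
MODULES = {
    "ntoskrnl.exe":    (0x1000, 0x1100, 0x90),  # the kernel text section we verify
    "legitfilter.sys": (0x2000, 0x2100, 0xCC),  # a 'legitimate' driver that hooks the kernel
    "rootkit.sys":     (0x3000, 0x3100, 0xAA),  # the hidden driver at the end of the chain
}
KERNEL_BASE = 0x1000
# Constructed export table for the kernel section: symbol -> address
KERNEL_SYMBOLS = {"NtQueryDirectoryFile": 0x1000, "NtEnumerateKey": 0x1040}


def module_for(addr):
    """Name the module whose range contains addr."""
    for name, (lo, hi, _fill) in MODULES.items():
        if lo <= addr < hi:
            return name
    return "<unmapped>"


def symbol_for(addr):
    """Nearest exported kernel symbol at or before addr."""
    _, name = max((a, n) for n, a in KERNEL_SYMBOLS.items() if a <= addr)
    return name


def write_jmp(mem, src, dst):
    """Plant an x86 'E9 rel32' near jump at src that transfers control to dst."""
    mem[src:src + 5] = b"\xe9" + struct.pack("<i", dst - (src + 5))


def decode_jmp(mem, addr):
    """Target of an E9 rel32 jump at addr, or None if the bytes there are not a jump."""
    if mem[addr] != 0xE9:
        return None
    return addr + 5 + struct.unpack_from("<i", mem, addr + 1)[0]


def build_memory():
    """Construct the toy address space and plant a two-level hook:
    NtQueryDirectoryFile -> legitfilter.sys handler -> rootkit.sys handler."""
    mem = bytearray(0x4000)
    for lo, hi, fill in MODULES.values():
        mem[lo:hi] = bytes([fill]) * (hi - lo)
    disk_kernel = bytes(mem[KERNEL_BASE:KERNEL_BASE + 0x100])  # pristine on-disk reference
    write_jmp(mem, 0x1000, 0x2010)  # legitimate driver detours the kernel function
    write_jmp(mem, 0x2010, 0x3020)  # rootkit detours the driver's handler, one level up
    return mem, disk_kernel


def diff_ranges(live, reference):
    """(start, end) offsets where live bytes differ from the reference image."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(live, reference)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(reference)))
    return ranges


def trace_hook_chain(mem, addr, max_hops=16):
    """Follow jumps from addr and return [(address, module), ...] for each hop.
    A bounded hop count and a visited set stop the trace on loops."""
    chain, seen = [(addr, module_for(addr))], {addr}
    for _ in range(max_hops):
        target = decode_jmp(mem, addr)
        if target is None or target in seen:
            break
        seen.add(target)
        chain.append((target, module_for(target)))
        addr = target
    return chain


def scan_kernel(mem, disk_kernel):
    """Report every hooked kernel export with the full chain of modules that
    now sit between it and its final handler."""
    live = bytes(mem[KERNEL_BASE:KERNEL_BASE + len(disk_kernel)])
    report = {}
    for start, _end in diff_ranges(live, disk_kernel):
        addr = KERNEL_BASE + start
        report[symbol_for(addr)] = trace_hook_chain(mem, addr)
    return report


if __name__ == "__main__":
    for symbol, chain in scan_kernel(*build_memory()).items():
        print(symbol, " -> ".join(f"{m}@{a:#x}" for a, m in chain))
```

On the constructed memory the scan reports one modified export, `NtQueryDirectoryFile`, and a three-hop chain ending in `rootkit.sys`; had the tracer stopped at the first hop, it would have attributed the hook to the legitimate filter driver and missed the rootkit entirely, which is exactly the difficulty the paragraph above describes. The bounded hop count and visited set matter in practice, since a detour that loops back on itself would otherwise hang the scanner.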
As Joe pointed out in his recent post on the 64-bit malware landscape, running 64-bit Windows offers even more protection for customers. For the rootkit space, the difference between 64-bit and 32-bit is even more pronounced.
In fact, it's likely that an even smaller percentage of the reported rootkit threats from 64-bit computers were actually able to successfully become active and hide anything. Enforced driver signing and features such as Kernel Patch Protection make 64-bit Windows a much more hostile environment for rootkits.
We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys. Regardless, here are a couple of tips to avoid getting hit by a rootkit: