Friday 3 April 2020


Rootkit and Keyloggers


A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.

The highest privilege level on the Windows operating system is Administrator; on Linux it is called root. A rootkit is a set of software that can modify the kernel of the OS,


A rootkit works at the lowest level of the system, which makes it very difficult to detect. It is not visible in the taskbar or task list, because it does not run as a visible part of the operating system, and this also makes it difficult for antivirus software to detect.


Attackers always try to bundle the rootkit with other software they deliver. Even after you detect it, it can be impossible to remove, because the rootkit actively prevents its own removal.

Types of Rootkit:


User mode rootkit:

A user mode rootkit operates at the user level, the upper layer of the OS model. Since it works at that layer, it targets applications and files such as Word, Notepad, etc.

Kernel Mode Rootkit:

A kernel mode rootkit targets the core of the kernel. With it, an attacker can change registry settings and more on your computer. It is difficult to identify and deal with because it does not show up as a part of the OS, and it is difficult for antivirus software to detect.


Boot loader Rootkit:

This type of rootkit infects the boot sector of the computer: the MBR (Master Boot Record) or the VBR (Volume Boot Record). The MBR sits at the very beginning of partitioned mass storage devices such as fixed disks or removable drives.

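As an added defender-side example (not code from the original post), the Python script below parses a 512-byte MBR image, checks the 0x55AA boot signature and the partition table, and compares a SHA-256 of the bootstrap code area against a known-good baseline, which is how a silent change to the boot code would be spotted. The MBR image and the baseline hash are constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(bootstrap_fill: int = 0x90) -> bytes:
    """Constructed 512-byte MBR (not a real disk image): filler boot code, a made-up
    disk signature, one bootable Linux partition and the 0x55AA boot signature."""
    bootstrap = bytes([bootstrap_fill]) * BOOT_CODE_LEN
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"   # constructed value
    # status, CHS start, type (0x83 = Linux), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x83, b"\xfe\xff\xff", 2048, 1048576)
    table = entry + b"\x00" * 48                           # three unused entries
    return bootstrap + disk_signature + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature, hash the bootstrap code and list used partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:   # partition type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code hash equals the baseline recorded on a clean machine."""
    return parse_mbr(mbr)["code_sha256"] == baseline_sha256


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["code_sha256"]   # record this while the machine is known clean
    tampered = build_sample_mbr(0xCC)            # same partition table, different boot code
    print("partitions:", parse_mbr(good)["partitions"])
    print("clean image matches baseline:", boot_code_matches_baseline(good, baseline))
    print("tampered image matches baseline:", boot_code_matches_baseline(tampered, baseline))
```

On a real Linux system the first 512 bytes of the disk can be read with root privileges (for example from /dev/sda) and passed to parse_mbr; the baseline hash must be taken while the machine is known to be clean.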

Memory rootkit:

A memory rootkit lives in the RAM of your machine. It consumes memory, so other programs are left with very little memory in which to execute, and ultimately the machine becomes very slow.

Firmware rootkit:

To understand a firmware rootkit, we first need to understand firmware.
Firmware is a computer program that is "embedded" in a hardware device and is an essential part of that hardware. In computing, firmware is a specific class of software that provides the low-level control for a device's specific hardware. Firmware can either provide a standardized operating environment for more complex device software (allowing more hardware independence) or, for less complex devices, act as the device's complete operating system, performing all control, monitoring and data manipulation functions. So if someone compromises the firmware, the whole machine is affected.

Firmware rootkits affect routers, network cards, hard drives and the BIOS (Basic Input Output System). They are difficult to find and remove because firmware is not usually inspected for code integrity, and the rootkit takes advantage of that.


Virtual Rootkit

A rootkit designed for virtual machines is called a virtual rootkit.

How to remove Rootkit:

It is very difficult to remove a rootkit. Sometimes dedicated software is needed to remove it. Nowadays, advanced antivirus and anti-malware tools are also capable of removing rootkits.


Keyloggers


A keylogger is a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information. Whatever you type, it records; it even records the space bar and the backspace.

A keylogger can be either software or hardware.

Software keylogger:

A software keylogger works in the background and is difficult for a normal user to notice. While running in the background, it records everything. Software-based keyloggers are computer programs designed to work on the target computer's software.

Keyloggers have legitimate uses as well: many software products and operating systems use them for troubleshooting computers and networks. Even the Windows 10 OS uses keystroke logging to improve typing performance.

Hardware keylogger:

These are hardware devices independent of any software; one can be attached externally, like a pen drive, and will capture all the activity on the computer.

A hardware keylogger has two main parts:

Microcontroller: interprets the key inputs and processes them for storage.

Memory: uses non-volatile memory, such as flash memory, to store the data regardless of whether power is available.

How to protect your machine from these:

1. We can use anti-keylogger software to protect our machine. Such software works on signature-based or heuristic analysis.

2. We can set firewall rules to track what files are transferred from the computer and create rules to control those transfers accordingly.

3. These days we use advanced antivirus products (EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response)) which work on machine learning. Such tools can be very useful in protecting computers from rootkits and keyloggers.

Examples of keyloggers:

Revealer Keylogger Free

Ardamax Keylogger
