What's happening to rootkits? Are they still a threat?

nsm0220
Thread author
Sep 9, 2013
btw what's happening to rootkits lately? Because I haven't seen any new ones lately
 
Deleted member 178

Rootkits are expensive and complicated to develop, and now many security solutions have strong outbound firewalls & proactive features that block all or parts of their features, since rootkits need to call home to fully take over the system. Also, the benefits a cyber-criminal will gain from one aren't worth its creation (unless for criminal organizations or govs/industrial spying) compared to ransomwares that generate hundreds of thousands of dollars.
 

Nico@FMA

May 11, 2013
btw what's happening to rootkits lately? Because I haven't seen any new ones lately

As Umbra said, rootkits are not growing on trees, and neither do they spawn out of thin air.
However the latest generation of rootkits are rarely detected, because people do not know about them and antivirus companies seem to have run out of steam for the moment in regards to tracking these rootkits.
Most of them are really well coded and very well hidden, as their origin is governmental/political and agency based; however hacker groups seem to create some nasties as well.
The very fact we do not see a spike in numbers is either a really good thing or a very bad one if you take into account what I just said.
If I look at our own clients then I can clearly see a very sharp rise in dedicated attacks where rootkits and specialized Trojans are being planted throughout our networks.
Obviously our clients and partners are very well protected, and if such an attack actually makes it, the damage is NIL as we can virtually directly stop an attacker in his tracks.
But fact is the techniques used are far more sophisticated than your average hacker club.
In fact some of these attacks are government sponsored (Asia, Middle East and yes even US sponsored), as we managed to trace some back.
The malware caught and used during these attacks was submitted to law enforcement and AV companies and the feedback was pretty straightforward.
Most of these malwares are from a different world compared to your average rootkit and trojan.
But enough about my work... what I was trying to point out is that what you do not see is just the calm before the storm; usually when a silence like this hits, a few future famous names make the news. (Remember Sasser? Blaster? Netsky? Nimda?) They were not rootkits but they were rootkit capable or did support rootkit injection after infection.
And the new generation of malwares really does differ from traditional malware, as some of the malwares could be a program that you are using every day, and it works great... nothing you notice. The thing is though that if you look within the program then suddenly you find out that your company is being plundered of technological secrets and small amounts of money and all data is intercepted... then the fun really starts as the hackers have got all the login details and so on... and really, traditional firewalls are just 1 minute of extra work for these hackers.

So not seeing rootkits usually means find a shelter, as the ##### is about to hit the fan.
On top of that these Trojans and rootkits are not being spread on a mass scale, purely for their own survival, but their creators plant them on major ISP relay and grid servers, knowing that sooner or later your router will make a connection to it, download new ISP router firmware and voila, another bot PC. (Just to name an example.)
And your local security software (even if you put all the AVs in the world on your PC) would not notice a damn thing about it.
 
Deleted member 178

Also you have to know that the "advanced" rootkits that Nvt talked about are mostly first made by agencies or corporations for spying purposes, and ask yourself:

If a government creates such powerful rootkits, will they try to bypass common home users' security solutions? Of course not! They will ask the local security vendors to whitelist them until they don't need them anymore, then the code goes into the wild.
 

Nico@FMA

May 11, 2013
Also let me point out that the antivirus industry is a multibillion industry; however if you take into account the whole security package, the whole ABC story, then it makes a multi-billion anti-malware industry look like pocket money.
If you take into account that there are dedicated malware marketplaces on the net where you can buy custom-made undetectable nasties for just a few hundred dollars up to several thousands of dollars, and you take into account that it would cost a company held hostage with this malware over a million to remove it, then it seems logical that the demand by an attacker to have them pay 100k is a bargain just to save their data.
And you have to realize that 1 dedicated rootkit attack might cost 250k to set up, but if successful an attacker can make millions off it.
Now if you are talking about government sponsored attacks the gains can be worth more than billions.
For example the ASA radar blueprint has been stolen using a dedicated hack (the F35, F22, Euro Typhoon, Gripen radar).
By the Chinese.
If they would need to research this technology then it would cost them hundreds of billions; now it's standard on all the J version attack aircraft, which saves them trillions.
Not to mention that they can make dedicated countermeasures against such technology.

You might think, what does that have to do with rootkits? Well, everything, as these attacks can steal your Hotmail or Gmail account just as easily as they can steal the blueprints to some really expensive and great technology.
And as I said earlier, if you can achieve this with a 10,000 dollar piece of code then you understand how big the market and demand is for such malware.

So not seeing them worries me tbh.
 

Nico@FMA

May 11, 2013
Also you have to know that the "advanced" rootkits that Nvt talked about are mostly first made by agencies or corporations for spying purposes, and ask yourself:

If a government creates such powerful rootkits, will they try to bypass common home users' security solutions? Of course not! They will ask the local security vendors to whitelist them until they don't need them anymore, then the code goes into the wild.

True, that is if the malware is governmental in terms of sponsor; however these hacking clubs, and I am talking about the more dedicated hacker clubs, have access to some really nasty malwares that would even trouble ANY government if hit.
I even venture to say that the lone wolf on the net is more capable than the government sponsored agency and cyber squad, as GOV oriented attacks do have a game plan and do not try to screw over the rest of the world; they just hit their target and are done with it.
And these lone wolves and small dedicated clubs do not give a damn if their malware is being spread... they just collect.
 

Deleted member 178

True, and those REAL hackers are not just script-kiddies looking for fun; they are highly skilled coders (often ex-professionals in the industry) going rogue and often recruited by criminal organizations.

To get back to the topic, I even feel that a new kind of rootkit is already/will soon be released.
 

Koroke San

Jan 22, 2014
Also you have to know that the "advanced" rootkits that Nvt talked about are mostly first made by agencies or corporations for spying purposes, and ask yourself:

If a government creates such powerful rootkits, will they try to bypass common home users' security solutions? Of course not! They will ask the local security vendors to whitelist them until they don't need them anymore, then the code goes into the wild.

+1 :D
 

Nico@FMA

May 11, 2013

Actually, to add to the quote, I forgot to mention that often industrial networks are very well protected, so directly hacking them might not always be an option.
Like I mentioned before, home users can play a vital role here to wear down the security of a company. Imagine a nation's KEY ISP provider; they have better security than their commercial counterparts and they are charged with critical network components of a nation.
Hacking those directly equals a phone call to a nation's secret service to tell them what you are up to.
So hackers go from the top down and hack weaker links, and a home user can provide a really good tool.
If you infect their routers or their PC with a bot based rootkit, then you can remotely attack the ISP network and wear it down.
I have seen attacks coming in from over 25k slave computers and hundreds of slave servers, and these computers were virtually all home users from different nations; the only few things they did have in common:
1: They have NO security or virtually none.
2: They have FAST internet and a weak ISP provider.
3: They are online virtually 24/7 and are infected.

So even though I do agree with Umbra, it is not entirely correct that real hackers pass by a home user.
And given the increase of security across the globe you will see more home users being targeted, just because they are so easy to hack, and if you slave them into a bot network they can potentially be the biggest danger to a targeted company next to the initial attack itself.
One of the things that does happen is that a company receives such an amount of data (DDoS) that they switch off vital key services to avoid data loss or reroute them to a dummy server (DDoS protection); however during shutting down or switching, the security level of that vital system is at its lowest, and this will last from 20 seconds up to 2 minutes.
While a hacker only needs 10 seconds to apply his rootkit during such an event.
They can pinpoint this event in real time.
That said, GOV sponsored attacks usually do not reach the public masses, but for all other hacking clubs and individuals the average home user is just another tool to use.
So the odds that a person is being targeted for infection with the aim to actually participate in a much larger attack are so much higher than that you are surfing and accidentally stumble upon rootkit X.

I do not have any statistics but I venture to say that 3 out of 10 users have been infected for exactly this reason at least once in the past 5 years.
Obviously this is just a guess, but taking into account other internet capable devices I think this problem will grow to proportions we have not seen yet.

Anyway, to get back to the topic: What happened with all the rootkits? Do a scan of ur PC... who knows what turns up. lol
 

Koroke San

Jan 22, 2014
ok +1 to u too cheers
 

Deleted member 178

Yes, mostly home users' infected computers are destined to be "zombies" in botnet attacks, and if the hacker can get some sensitive info (banking credentials, card numbers, etc...) at the same time, it is a bonus for him.
 

Deleted member 178

Thanks Nvt, your previous post reminded me about an infection found on Cisco routers; the malware monitored the traffic passing by the router and collected the data. In that case, there is no way you can get protected by any AVs since the malware is not on your machine nor on the server you try to reach; only by using encryption software may your data be secured.
 

Koroke San

Jan 22, 2014
Is backup affected if I encrypt my files & hard disk?
 

Nico@FMA

May 11, 2013

Because the infection Umbra mentioned is not physically on your PC, you can back up all you want, you can install 1000 AV programs and 300 Comodo firewalls and use the highest encryption of your hard drives possible; it will do you no good. Such an infection will capture your packets from the router from point A to B and intercept, read and if possible modify them.
And as Umbra mentioned, you can encrypt and tunnel your data, but often these infections are capable of intercepting the key packages as well.
So encryption will usually fail.
Resetting your router does not work most of the time; usually you will have to get the firmware off and totally replace it, as the backup factory defaults are 9 out of 10 times infected as well.
 

Koroke San

Jan 22, 2014
No, I'm just asking: if I encrypt my files in Windows 8.1 Pro with some 3rd party software, will backup affect them? Plus I don't put any sensitive data or information on my PC, thnx :D
 

Nico@FMA

May 11, 2013

Well, assuming that the rootkit/Trojan does ONLY monitor your data stream from point A to B and captures login, credit and such data, your local data will be pretty safe.
But if such malware is monitoring your data streams with the aim to download, install and inject code into, for example, your Windows Update stream (as it can capture and modify/inject code into a secure legit data stream), you can be infected with other malware.
And due to the fact such malware uses Windows Update, or even your antivirus update data link, it can penetrate your system beyond the reach of your conventional security options.

So I assume that the reply to your question would be: you might be secure and your data might be clean under the right conditions.
But I honestly cannot judge that, as I do not know what particular infection Umbra is talking about, because there are huge numbers of router injectors and tapping malwares out there, each one with their own abilities and payload / toolset.

That said, generally if it's just a packet sniffing malware you should be fine.
 

Koroke San

Jan 22, 2014
Well, I don't believe in online banking, & if I use online banking, I will use my other bank account with less than 20 dollars on it :D & when I feel like online shopping, I'll add an amount to it & do the shopping.
 

Deleted member 178

The infection I talked about was a malware (if my memory is good) that penetrated the routers provided by the ISP to relay data from its customers.
 
