The evolution of rootkits and why they're here to stay

Rootkits, those sneaky bits of software that lurk deep inside a system in order to give access to hackers, have been around since the late 1980s.

A new study from Positive Technologies takes a close look at how they have evolved in recent years and just how much of a threat they present.

Positive Technologies has carried out a large-scale study of rootkits used by hacker groups over the past decade, starting in 2011. The results show that in 44 percent of cases, cybercriminals used rootkits to attack government agencies. Slightly less frequently (38 percent), rootkits were used to attack research institutes. Experts link the choice of targets to the main motive of rootkit distributors, which is harvesting data.

The information handled by government and research organizations is of great value to cybercriminals. According to the study, the top five industries most attacked by rootkits include telecommunications (25 percent), manufacturing (19 percent), and financial institutions (19 percent). In addition, more than half (56 percent) are used by hackers to attack individuals. These are mainly targeted attacks as part of cyberespionage campaigns against high-ranking officials, diplomats, and employees of victim organizations.

"Rootkits, especially ones that operate in kernel mode, are very difficult to develop, so they are deployed either by sophisticated APT groups that have the skills to develop these tools, or by groups with the financial means to buy rootkits on the gray market," says Yana Yurakova, a security analyst at Positive Technologies. "Attackers of this caliber are mainly focused on cyberespionage and data harvesting. They can be either financially motivated criminals looking to steal large sums of money, or groups mining information and damaging the victim's infrastructure on behalf of a paymaster."

In 77 percent of cases, the rootkit families under investigation were used to harvest data, while around a third (31 percent) were motivated by financial gain, and just 15 percent of attacks sought to exploit the victim company's infrastructure to carry out subsequent attacks.

On dark web forums the cost of an off-the-shelf rootkit ranges from $45,000 to $100,000, depending on the operating mode, target OS, terms of use (for example, time limits on how long the malware can be rented), and additional features like remote access.

Rootkits are here to stay, too. The researchers believe they will continue to be developed and used by cybercriminals; in fact, Positive Technologies specialists have identified the emergence of new versions of rootkits, indicating that attackers are still inventing new techniques to bypass protection.

You can read more about the research on the Positive Technologies site.

© 1998-2024 BetaNews, Inc. All Rights Reserved.