Rootkit attacks are considered by many server administrators to be one of the worst pieces of malware that can exist on a dedicated server. Many web hosting providers will simply reload the Operating System in order to “resolve” such a hopeless issue. Rootkits simply are extremely difficult to detect and completely get rid of. Prevent a rootkit from getting on a dedicated server is the best defense.
What makes rootkit attacks so serious an issue is that it obtains root level access. This provides privileged access to a server resulting in control of every aspect of a server. This means that the malware can execute administrator level tasks and at the same time remain undetected.
Rootkit attacks control 100%
This malware is similar to viruses and trojans, but rootkits have complete access to a server. It enables a hacker to even delete and stop services as well as attack other servers and services and cause various other types of network abuse such as spamming, port scanning, DoS etc. It therefore and without surprise is the most popular with hackers and cybercriminals of all sorts around the globe. Security software also has a very difficult time detecting rootkit attacks. It does not act malicious or have ominous patterns and traits like other unwanted software such as viruses, malware, and trojans etc.
Rootkits working as a background process can log all activity that happens on a dedicated server. One such feature is key-stroke logging which leads to sensitive e-commerce data, user-names and passwords. This can also include work habits to impersonate employees and possibly even gain access to other vital systems outside that particular dedicated server. This is also one technique in which rootkits end up on a dedicated server in the first place. Any existing vulnerabilities and security holes mean possible access for a rootkit. Discarded thumb drives can cause an office worker to get curious and simply check and see what is on it, or what appears are genuine office colleague email communication can have attachments with the rootkit inside.
A server administrator noticing odd server behavior is a warning sign. This leads them to believe a possible rootkit infection. Such signs may be sluggish and slow loading or network speeds or settings being changed for no apparent reason. Task managers may be able to help in determining what is currently running on the system. Unfortunately, since rootkits are so easily disguised as part of the Operating System this can easily be impossible to find in such a simple and quick way. In many cases, however, two options remain;
running special diagnostic routines that came with the OS
simply reinstalling the entire OS which means losing all data.
Trying to get rid of a rootkit can be beyond the scope of many inexperienced server administrators. Many dedicated server providers can assist in such a scenario but can also be beyond their scope. Each provider will be different in their abilities to assist in rootkit removal. The most certain course of action to ensure the rootkit is completely removed is to simply perform a fresh OS reinstall. Backing up data may be the most difficult since backing up data may very likely end up copying the rootkit along with the important data. External software protected backups may help in this regard.
Prevention is key
The best solution is the best defenses available in security software/hardware and keeping them up to date. Only install and run the mainstream software. In addition, keep it up to date and available from trustworthy sources. One example is the Apple app store which is tested and verified by Apple (although some bad apps using XcodeGhost have slipped through.) Prevention is the best course of action but rootkit attacks can happen to almost any business. Leaving your, or someone else’s guard down for a minute during a busy workday, can result in downloading unknown malware. This then rapidly spreads, especially in a networked business environment. The more passwords in a business environment the better. Keeping software and security updated and noticing unusual server activity should be a daily task.