Rootkits

Voor de Nederlandse versie van deze pagina klik hier.
For the Dutch version of this page click here.

What is a rootkit?

Malware authors use rootkits to hide malware on your PC.
Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove.
Malware hidden by rootkits often monitor, filter, and steal your data or abuse your computer’s resources, such as using your PC for bitcoin mining.

How do hackers use rootkits?

By using a rootkit, a hacker hopes to protect and maintain their hidden presence on your PC for as long as possible. A successful rootkit can potentially remain in place for years if it is undetected. All this time it will steal information and resources from your PC.

How do rootkits work?

Put simply, some of the things your PC does are intercepted by the rootkit. This means that after a rootkit is installed, you can’t trust any information that your PC reports about itself.

For example, if you were to ask your PC to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. In other words, rootkits are all about hiding things. They want to hide themselves on your PC, and they want to hide malicious activity on your PC.

How common are rootkits?

Many modern malware families use rootkits to try and avoid detection and removal, including:













How do I protect myself against rootkits?

Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place.

Help prevent a malware infection on your computer

Windows 10 and Windows 8.1 also have a number of built-in technologies to help protect you from rootkits:

Securing the Windows 8 boot process


What if I think I have a rootkit on my PC?

Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your PC, and your antimalware software isn’t detecting it, you might need an extra tool that lets you to boot to a known good or trusted environment.

In this case, use Windows Defender Offline.

Windows Defender Offline is a standalone tool that has the latest antimalware updates from Microsoft. It’s designed to be used on PC that aren't working correctly due to a possible malware infection.

What if I can’t remove a rootkit?

If the problem persists, we strongly recommend that you reinstall your operating system and your security software. You should then restore your data from backup.

My antivirus software detects and removes some malware, but then it comes back


Prevent malware from infecting your PC

Malware authors are always looking for new ways to infect your PC. Follow the simple tips below to stay protected and minimize threats to your data 














Enable Windows security features

Windows Defender Antivirus provides comprehensive protection through real-time detection and removal of malware using next-gen antimalware technologies. Windows Defender Antivirus uses the cloud, machine learning, and behavior analysis to rapidly respond to emerging threats.

For effective antimalware protection, enable Windows Defender Antivirus and keep it up-to-date with automatic Microsoft Updates

To enable next-gen protection:

  1. Search for Windows Defender Security Center to open the app.
  2. Go to Virus & threat protection.
  3. Make sure the switches for Cloud-delivered protection and Automatic sample submission are set to On.
Windows Defender Antivirus is built into Windows 10 and Windows 8.1. If your computer is running Windows 7 or earlier, you can download and use Microsoft Security Essentials (MSE).






For increased protection, Windows Defender Firewall blocks unwanted inbound network connections. It can also control which applications on your computer can initiate outbound connections and can warn of malware suddenly trying to establish a remote connection.

Read the articles below to learn how turn on Windows Defender Firewall:

Keep software up-to-date

Exploits typically abuse vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office. To protect your PC from exploits, always keep software up-to-date.
To keep Microsoft software up to date, ensure that automatic Microsoft Updates are enabled. Also, by upgrading to the latest version of Windows, you automatically benefit from a host of built-in security enhancements. 

Watch out for threats on email or instant messaging

Email and other messaging tools are a few of the most common ways your PC can get infected. Attachments or links on messages can open malware directly or can stealthily trigger a download. Some emails will instruct you to allow macros or other executable content—these instructions are designed to make it easier for malware to infect your computer.

To avoid threats that arrive via email or other messaging tools:
  • Learn to identify suspicious messages. Never open attachments or links in suspicious looking messages.
  • Exercise caution when dealing with messages received from unknown sources or received unexpectedly from known sources.
  • Use extreme caution when accepting file transfers.
  • Social engineering attacks often use email as a way of gaining access to your personal information. Emails that request personal information or require you to access third-party sites might be part of social engineering attacks. Always use caution when providing personal or credential information.
  • If you receive a notification from your bank or credit card company requiring immediate action, contact your bank or credit card company using contact information on their official website. Do not use links, email addresses, or phone numbers in the suspicious email.
  • Use an email service that provides protection against malicious attachments, links, and abusive senders. Microsoft Office 365 has built-in antimalware, link protection, and spam filtering, helping protect you from malware, phishing, and other email threats.











































What are suspicious messages?

Here are some characteristics that you can use to spot potentially harmful messages:
  • The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
  • The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails will not ask you to do this.
  • The message contains errors. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
  • The sender address does not match the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com.
  • There are multiple recipients in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
  • The greeting on the message itself does not personally address you. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.
  • URLs behind links do not match the link text. Try hovering over links to check if they point to a sensible URL. In some cases, malicious URLs are completely off and even point to completely unrelated domains.






















Surf the web safely

The web is filled with useful and helpful content that we use every day. While there are billions of helpful pages, the web also contains sites that have been intentionally set up for malicious purpose. Some legitimate sites also get compromised—they are modified by attackers to deliver malware and other malicious content.By visiting malicious or compromised sites, your PC can get infected with malware automatically or you can get tricked into downloading and installing malware. To avoid malware that are distributed through these websites:

Do not click links in suspicious messages you received in email or other messaging services. See the tips above about identifying suspicious messages.
Learn to spot spoofed or fake websites.
Avoid sites that are likely to contain malware.

How do I spot suspicious websites?

Check for the following characteristics to identify potentially harmful websites:

  • Check the URL in the address bar. The initial part or the domain should represent the company that owns the site you are visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If example.com is spelled examp1e.com, the site you are visiting is suspect.
  • Sites that contain adult or pirated content are common vectors for spreading malware. Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
  • Sites that aggressively open popups and display misleading buttons. Many of these sites trick users into accepting content through constant popups or mislabeled buttons. For example, some of these sites display media play buttons to trick users into downloading and installing infected media players.







To block malicious websites, use a modern web browser like Microsoft Edge, which uses Windows Defender SmartScreen to identify phishing and malware websites. Microsoft Edge also works with Windows Defender Antivirus to check downloads for malware.

For optimal protection while browsing websites, use Windows Defender Application Guard. Application Guard helps to isolate untrusted sites, protecting you while you browse the Internet. If you browse an untrusted site through either Microsoft Edge or Internet Explorer, Application Guard opens the site in a virtualized container that is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected and the attacker can't get to your data. Application Guard is available on enterprise editions of Windows 10 version 1709 or above.

If you encounter an unsafe site, click More […] > Send feedback on Microsoft Edge. You can also report unsafe sites directly to Microsoft.


Stay away from pirated material

Using pirated content is not only illegal, it can also expose your PC to malware. Sites that offer pirated software and media are also often used to distribute malware. Many illicit media download and streaming sites try to push infected media players and codecs packages. Some of these sites can automatically install malware to visiting computers.

Pirated software is often bundled with malware and other unwanted software, including intrusive browser plugins and adware.

To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as Windows 10 S, which ensures that only vetted apps from the Windows Store are installed.

Don't attach unfamiliar removable drives

Some types of malware can spread by copying themselves to USB flash drives or other removable drives. Also, there are malicious individuals that intentionally prepare and distribute infected drives—leaving these drives in public places to victimize unsuspecting individuals.

Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.


Use a non-administrator account

At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting your own privileges, you can prevent malware from making consequential changes to your computer.

By default, Windows uses User Account Control (UAC) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can simply override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.

To help ensure that your everyday activities do not result in malware infection and other potentially catastrophic changes, you can use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.

Whenever necessary, you can log in as an administrator to install apps or make configuration changes that require admin privileges.

Read about creating user accounts and giving administrator privileges


Other safety tips

To further ensure that your data is protected from malware as well as other threats, make sure you:

  • Backup your files. Follow the 3-2-1 rule: make 3 copies, store in at least 2 locations, with at least 1 offline copy. You can use OneDrive for reliable cloud-based copies that allow you to access your files from multiple devices and help you recover damaged or lost files, including files locked by ransomware.
  • Be wary when connecting to public hotspots, particularly those that do not require authentication.
  • Use strong passwords and enable multi-factor authentication.
  • Do not use untrusted devices to log on to email, social media, and corporate accounts.
  • Monitor and safeguard your family’s online computing experience.













What to do if you have a malware infection

Windows Defender Antivirus helps reduce the chances of infection and will automatically remove threats that it detects.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.

Windows Malicious Software Removal Tool 32-bit or 64-bit

Windows Malicious Software Removal Tool (MSRT) helps keep Windows computers free from prevalent malware. 
MSRT finds and removes threats and reverses the changes made by these threats. 
MSRT is generally released monthly as part of Windows Update or as a standalone tool available here for download. 
Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove.

Date: 02-07-2018


Source: The information 
above on this page is from the official Microsoft website