What is a rootkit?


Of all the malware on the internet, a rootkit is arguably the most dangerous, both because of the control it gives an attacker and because it is so hard to find and remove.

Rootkits are pieces of software built to hide on a system. They are dangerous precisely because you may not know one is present, which suits any attacker who uses one to keep control of your computer.

In essence, a rootkit is designed to maintain continued privileged access to a computer while actively hiding its presence. The name comes from Unix: "root" is the superuser (administrator) account on Linux and Unix systems, and the "kit" is the bundle of tools that gave an intruder root-level access and kept that access hidden.

Early Unix rootkits were simply trojaned copies of the standard administrator tools they replaced (ls, ps, netstat, login) so that an intruder's files, processes, and connections no longer showed up. Today the term is associated with malware, such as Trojans, worms, and viruses, that needs to hide its actions from users or anti-malware applications.

How do rootkits get onto a device?

A rootkit infection normally involves three components: a dropper, a loader, and the rootkit itself.

The dropper is the executable that gets the loader onto the machine. It might arrive as an attachment in a phishing email or as a download from a compromised website.

Once activated by the dropper, the loader installs the rootkit. It typically does this by exploiting a vulnerability, such as a buffer overflow in a privileged component, or by abusing a legitimate mechanism such as driver loading, so that the rootkit's code runs with elevated privileges.

The rootkit then alters account permissions and security settings, changes that normally require administrator rights. An attacker wanting full control uses this access to spy on users, steal data, or cause damage, while the rootkit hides the evidence.

What types of rootkits are there?

Several kinds of rootkit can infect a victim’s system. Here’s a rundown on some of the main types.

Firmware rootkit

A firmware rootkit plants code in a device's firmware, such as the system BIOS/UEFI, a hard drive controller, or a network card, to gain persistence below the operating system. Because it runs before the OS loads and survives an OS reinstall, it can monitor online activity, act as a keylogger, and intercept data written to the disk.

Memory rootkits

These rootkits live only in RAM, where they carry out malicious processes in the background and consume memory and CPU. Because they write no persistent code to disk, memory rootkits disappear when the system is rebooted, which also means evidence of them is lost unless memory is captured before the reboot.

Bootloader rootkit

The bootloader is a small piece of code that usually loads your computer’s operating system. A bootloader rootkit can attack a computer and replace a legitimate bootloader with one containing a rootkit, meaning the rootkit is operational before the OS starts up.

Systems with UEFI Secure Boot enabled (Windows 8 onwards supports it) make such rootkits much harder to install, because the firmware refuses to run a bootloader that is not signed by a trusted key. This is a mitigation rather than immunity: it only helps if Secure Boot is actually enabled and the firmware is not in setup mode, and it does nothing against a rootkit that has already compromised the firmware itself.
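Because Secure Boot only protects a machine when it is really enforcing, it is worth checking rather than assuming. The following is an added example (not code from the original article) that reads the SecureBoot and SetupMode variables UEFI firmware exposes through efivarfs on Linux. The variable names and the EFI_GLOBAL_VARIABLE GUID are the ones defined by the UEFI specification; the function names and the fake efivarfs directory used for offline testing are ours.

```python
"""Check whether UEFI Secure Boot is actually enforcing on a Linux host.

Added example, not from the original article. Reads the SecureBoot and
SetupMode variables via efivarfs. Assumes Linux booted under UEFI with
efivarfs mounted at /sys/firmware/efi/efivars; function names are ours.
"""
import os
import struct
import tempfile

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def read_efi_var(name, root=EFIVARS, guid=EFI_GLOBAL_VARIABLE_GUID):
    """Return (attributes, data) for an EFI variable, or None if unavailable.

    efivarfs presents each variable as one file: a 4-byte little-endian
    attribute mask followed by the variable's raw data.
    """
    path = os.path.join(root, f"{name}-{guid}")
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError:
        return None  # no UEFI, efivarfs not mounted, or variable absent
    if len(raw) < 4:
        return None
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def efi_flag(name, root=EFIVARS):
    """Read a one-byte boolean EFI variable; None when it cannot be read."""
    var = read_efi_var(name, root)
    if var is None or len(var[1]) < 1:
        return None
    return var[1][0] == 1


def secure_boot_state(root=EFIVARS):
    """True if Secure Boot is enforcing, False if not, None if undeterminable.

    SecureBoot == 1 alone is not enough: when SetupMode == 1 no platform
    key is installed and anyone can enroll their own signing keys, so an
    attacker's bootloader would still pass verification.
    """
    secure_boot = efi_flag("SecureBoot", root)
    setup_mode = efi_flag("SetupMode", root)
    if secure_boot is None or setup_mode is None:
        return None
    return secure_boot and not setup_mode


def build_fake_efivars(secure_boot, setup_mode):
    """Write a constructed efivarfs-style directory for offline testing.

    Attribute mask 6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, which is what
    firmware sets on these read-only variables; the value is one byte.
    """
    root = tempfile.mkdtemp(prefix="efivars-")
    for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
        path = os.path.join(root, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
        with open(path, "wb") as f:
            f.write(struct.pack("<I", 6) + bytes([value]))
    return root


if __name__ == "__main__":
    state = secure_boot_state()
    print({True: "Secure Boot: enforcing",
           False: "Secure Boot: NOT enforcing (disabled or in setup mode)",
           None: "Secure Boot: unknown (no efivarfs; legacy BIOS boot?)"}[state])
```

Run it on the host itself to report the live state; the constructed efivars directory exists only so the logic can be exercised on a machine without UEFI. A result of None deserves as much attention as False: a machine booting through legacy BIOS has no bootloader signature check at all.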

Kernel rootkits

These alter how the operating system itself works by loading their code into the core of the OS, the kernel, usually as a driver or loadable kernel module. This is complex to do, and if done incorrectly it can crash the machine or noticeably hurt performance. But once installed they are difficult to detect, because they run with the same privileges as the operating system and can lie to every tool that asks the kernel what is running.

Application-level rootkits

These modify legitimate programs on the victim's computer, either replacing standard application files with rootkit versions or changing application behavior with patches or injected code. Criminals use them to steal personal information from the applications users trust.

Hypervisor or virtualized rootkit

A hypervisor rootkit uses hardware virtualization support (Intel VT-x or AMD-V) to insert itself beneath the operating system, so that the original OS runs as a guest of a malicious hypervisor without being aware of it. This lets it intercept any communication between the hardware and the host operating system.

User-mode rootkits

These replace executables and system libraries and modify the behavior of application programming interfaces. By changing what the security subsystems report, they feed administrators bogus information about the device.

User-mode rootkits can also hook system calls and filter their output to conceal processes, files, drivers, network ports, and services. They persist by writing files to the hard drive and registering themselves to launch automatically with every system reboot.

What are some common rootkit families and examples?

Many rootkits have been developed over the years. Below are some of the more common ones.

  • NTRootKit: an early kernel-mode rootkit for Windows NT/2000 that attackers used to keep and conceal administrator-level access.
  • HackerDefender: a user-mode rootkit that hooks several Windows and Native API functions to hide files, processes, and registry entries from other applications.
  • ZeroAccess: discovered in 2011, a kernel-mode rootkit that works on both 32- and 64-bit Windows from a single installer. It downloads and installs further malware and makes the infected machine part of a botnet.
  • Necurs: a kernel-mode rootkit that gives an attacker control of the operating system and shields other malware. In 2014 it was bundled with the Gameover Zeus botnet as a protective mechanism to stop users removing the malware from an infected machine.

How can you detect a rootkit?

It can be very difficult to detect a rootkit because it is designed to remain hidden from users, administrators, and the security tools running on the computer. But it is not impossible.

Some tools can scan for and detect rootkits. The drawback is that no single scanner catches every type, particularly those at the kernel level, so organizations suspecting a rootkit is running on a device may have to use scanners from multiple vendors.

Detection methods include behavior-based detection (flagging unusual activity on a suspected device), signature scanning, memory dump analysis, and cross-view comparison, which checks the picture of the system the OS reports against a lower-level view that the rootkit may not have filtered. Because a kernel rootkit can lie to any scanner running on the infected OS, the most trustworthy checks are made from outside it: boot from known-good media, or pull the disk and a memory image for offline analysis.
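The cross-view idea is simple enough to script. The following is an added example, not code from the original article or from any tool it names, that applies it to the two hiding tricks described above: a user-mode rootkit filtering the /proc directory listing that ps reads, and a kernel rootkit unlinking itself from the module list that lsmod reads. It compares each of those high-level views with a lower-level one on Linux (a kill(pid, 0) probe of every PID, and the per-module directories in /sys/module). It assumes Linux with /proc and /sys mounted; all function names are ours.

```python
"""Cross-view detection of hidden processes and kernel modules on Linux.

Added example, not from the original article. Anything that exists only in
the lower-level view is a hiding candidate. Assumes Linux with /proc and
/sys mounted; all function names are ours.
"""
import os


def cross_view_diff(high_level_view, low_level_view):
    """Objects present in the low-level view but absent from the high-level one.

    Those are the hiding candidates. The reverse difference is usually
    benign (an object that went away between the two snapshots).
    """
    return set(low_level_view) - set(high_level_view)


def listed_pids():
    """PIDs and thread IDs visible through the /proc directory listing."""
    pids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pids.add(int(name))
        # Thread IDs also answer kill(tid, 0), so they must be part of the
        # high-level view or every multi-threaded process looks hidden.
        try:
            pids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listdir() calls
    return pids


def pid_exists(pid):
    """kill(pid, 0) as an existence test that never goes through /proc."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False  # ESRCH: nothing has this PID
    except PermissionError:
        return True   # EPERM: exists, but belongs to another user
    return True


def probed_pids(max_pid):
    """Every PID in 1..max_pid that the kernel says exists."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def find_hidden_pids(max_pid=None):
    """PIDs that answer kill() but never show up in the /proc listing.

    The listing is taken before the probe and again after re-checking the
    candidates, so a process created or ended during the sweep is dropped
    instead of being reported as hidden.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    candidates = cross_view_diff(listed_pids(), probed_pids(max_pid))
    confirmed = {pid for pid in candidates if pid_exists(pid)}
    return cross_view_diff(listed_pids(), confirmed)


def listed_modules():
    """Module names from /proc/modules, the list that lsmod prints."""
    with open("/proc/modules") as f:
        return {line.split()[0] for line in f if line.strip()}


def sysfs_modules():
    """Runtime-loaded modules that have a directory under /sys/module.

    Built-in code also gets a /sys/module/<name> entry when it exports
    parameters; only modules loaded at runtime carry an initstate file,
    so filter on that to avoid false positives.
    """
    return {name for name in os.listdir("/sys/module")
            if os.path.exists(os.path.join("/sys/module", name, "initstate"))}


def find_hidden_modules():
    """Modules present in sysfs but missing from the list /proc/modules shows."""
    if not (os.path.isfile("/proc/modules") and os.path.isdir("/sys/module")):
        return set()  # no module visibility at all, e.g. a minimal container
    return cross_view_diff(listed_modules(), sysfs_modules())


def sanity_check():
    """Both views must agree about this very process on a clean system."""
    me = os.getpid()
    return me in listed_pids() and pid_exists(me) and me not in find_hidden_pids(me + 1)


if __name__ == "__main__":
    print("hidden PIDs:", sorted(find_hidden_pids()) or "none")
    print("hidden kernel modules:", sorted(find_hidden_modules()) or "none")
```

A full sweep up to pid_max takes a few seconds in Python; that is the price of not trusting readdir(). The check only works when the rootkit filters one view and leaves the other alone, which is exactly why real tools combine several independent views and run several passes: a kernel rootkit that hooks both the directory listing and kill() consistently will pass this particular comparison, and a process that lives only during the sweep can still slip through as a one-off false positive.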

How can you remove a rootkit on your device?

Removing a rootkit is a tedious process and requires special tools, because this type of code can bury itself deep within the operating system and, in the worst case, below it in the firmware. For kernel-level or firmware rootkits the safest course is usually to rebuild the system from known-good media (and reflash the firmware where needed) rather than trust a cleanup tool's report that the machine is clean.

The first thing to do is establish whether there is a rootkit on the system at all. A process analyzer such as Sysinternals' Process Explorer can help you see what is going on inside a computer and whether anything looks out of place.

Several rootkit removers can make this job less tiresome.

TDSSKiller from Kaspersky is fast and effective at finding and removing the TDSS (TDL) family and its variants. GMER is another application that detects and removes rootkits.

There are also rootkit removal tools from Sophos and Malwarebytes that can scan a system for rootkits and remove them.

Lastly, Sysinternals' RootkitRevealer takes the cross-view approach: it compares the file system and registry as reported through the Windows API with the raw data read directly from the disk, and flags discrepancies. Note that it is an old tool written for 32-bit Windows XP and Server 2003, so it is of limited use on current 64-bit systems.

Can you prevent a rootkit from infecting a system?

Prevention is always better than cure. If you believe your systems could be at risk from rootkit infections, regular scans with the tools above will help, but a scan only finds what is already there, so combine it with the measures below.

Phishing emails are common delivery mediums for rootkits, so train staff to avoid opening emails from an unknown source.

Keeping software patched is always a good strategy for preventing rootkit infection, because it closes the vulnerabilities that droppers and loaders exploit to get the rootkit installed in the first place.

Lastly, monitor network traffic for unusual data transfers. Spotting them early lets you isolate the network segments that may be under attack before an infection spreads further.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.