IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What is a rootkit?

We look at this malicious tool and how to detect and remove it

"Rootkit" and a virus inside a warning triangle

Of all the viruses and malware out on the internet, perhaps the most dangerous of these is a rootkit. This is because of how much damage it can cause and how hard it is to find and remove.

Rootkits are bits of software created to hide on a system. They are dangerous because you may not even know one is on your system. This suits any hacker that uses them to control your computer.

In essence, rootkits are designed to maintain continued privileged access to a computer while actively hiding its presence. Initially an assortment of tools allowing administrator-level access to a computer or network, "root" refers to an admin account on Linux or Unix systems. The term "kit" refers to the software parts that execute the tools.

While rootkits were originally benign tools for admins to do things on computers, they are now associated with malware, such as Trojans, worms, and viruses, that need to hide their actions from users or anti-malware applications.

How do rootkits get onto a device? 

Rootkits normally comprise three components: the dropper, loader, and rootkit. 

The dropper is an executable that deploys the loader. This could be an attachment in a phishing email or an unusual download from a compromised website. 

Once activated by the dropper, the loader starts the rootkit, typically by causing a buffer overflow that loads the rootkit into memory.

The rootkit then modifies user account permissions and security — this is normally a process only granted by a computer administrator. Hackers wanting full control will modify such permissions to give themselves unlimited access so they can spy on users, steal data, or cause damage.

What types of rootkits are there?

Several kinds of rootkit can infect a victim’s system. Here’s a rundown on some of the main types.

Firmware rootkit 

This inserts code onto a device's firmware to create persistence in hardware, such as a system bios, hard drive, or network card. As they run on hardware, this enables hackers to monitor online activity and act as keyloggers and intercept data written to the disk.

Memory rootkits

These rootkits operate in memory only and decrease RAM performance while carrying out malicious processes in the background. Since they exist in RAM and don’t inject permanent code, memory rootkits disappear when the system is rebooted.

Bootloader rootkit

The bootloader is a small piece of code that usually loads your computer’s operating system. A bootloader rootkit can attack a computer and replace a legitimate bootloader with one containing a rootkit, meaning the rootkit is operational before the OS starts up. 

Modern operating systems, such as Windows 8 and 10, are largely immune to such rootkits as they use Secure Boot technology.

Kernel rootkits

These are designed to change how an operating system functions. They add their code to the core of the OS, known as the kernel. This is complex to do and if deployed incorrectly can have a noticeable effect on device performance. But they are difficult to detect as they have the same privileges as the operating system.

Application-level rootkits

These run on a victim computer by altering standard application files with rootkit files or changing applications behavior with patches or injected code. Criminals can use these to steal personal information.

Hypervisor or virtualized rootkit

A hypervisor rootkit can use hardware virtualization to deploy the hardware and the kernel acting as virtualized hardware. This allows it to intercept any communication between the hardware and the host operating system. 

User-mode rootkits

These replace executables and system libraries and modifies the behavior of application programming interfaces. These change security subsystems and give administrators bogus information about the device. 

These rootkits can also tap into system calls and filter output to conceal system processes, files, system drivers, block network ports, and system services. User-mode rootkits can stay on an infected computer by copying files on the hard drive and launching automatically with every system reboot.

What are some common rootkit families and examples?

Many rootkits have been developed over the years. Below are some of the more common ones.

  • NTRootKit: Hackers use this tool to get admin access to Windows NT/2K systems
  • HackerDefender: This is a user-mode rootkit that modifies several Windows and Native API functions to hide information from other applications.
  • ZeroAccess: Discovered in 2011, this is a kernel-mode rootkit. It can work on 32- and 64-bit Windows versions from a single installer. It downloads and installs malware on the infected machine to make it part of a botnet.
  • Necurs – This Is a kernel-mode rootkit designed to carry out unauthorized actions to take control of an operating system. In 2014, it was incorporated into the Gameover Zeus botnet as a protective mechanism to prevent users from removing malware from an infected machine.

How can you detect a rootkit?

It can be very difficult to detect a rootkit because it is designed to remain hidden from users, admins, and computers. But it is not impossible. 

Some tools can scan and detect rootkits. One drawback is that quite a few cannot detect all types of rootkits, especially those at the kernel level. So organizations suspecting a rootkit is running on a device may have to use scanners from multiple vendors.

Detection methods include behavioral-based methods (I.e. flag up any unusual behavior on a suspected device), signature scanning, and memory dump analysis.

How can you remove a rootkit on your device?

Removing a rootkit is a tedious process and requires special tools because this type of code can bury itself deep within the operating system and beyond down to the bare metal.

The first thing to do is find out if there is a rootkit on a system. A system process analyzer, such as Sysinternals' Process Explorer, can help figure out what is going on inside a computer and if anything is erroneous.

Several rootkit removers can make this job less tiresome. 

TDSSKiller from Kaspersky is fast and good at finding and removing TDSS and its variants. GMER is another application that detects and removes rootkits. 

There are also rootkit removal tools from Sophos and Malwarebytes that can scan a system for rootkits and remove them. 

Lastly, Sysinternals' RootkitRevealer works by looking at services running at the Windows API level and comparing them with raw data on a device’s hard drive.

Can you prevent a rootkit from infecting a system?

Prevention is always best, so if you believe your systems could be at risk from rootkit infections, regular scans with any of the above tools will help ease concerns.

Phishing emails are common delivery mediums for rootkits, so train staff to avoid opening emails from an unknown source.

Updating software is always a good strategy for preventing rootkit infection, as it closes off any vulnerabilities rootkits exploit to infect systems.

Lastly, monitor network traffic for unusual signs of data transfer. This can help in isolating network segments that could be under attack to prevent any attack from multiplying.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

'CryWiper' trojan disguises as ransomware, says Kaspersky
malware

'CryWiper' trojan disguises as ransomware, says Kaspersky

2 Dec 2022
Hyundai vulnerability allowed remote hacking of locks, engine
Security

Hyundai vulnerability allowed remote hacking of locks, engine

30 Nov 2022
Getting board-level buy-in for security strategy
Whitepaper

Getting board-level buy-in for security strategy

30 Nov 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

28 Nov 2022

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Why Japan finds it so hard to digitally transform
digital transformation

Why Japan finds it so hard to digitally transform

1 Dec 2022