Table of Contents
    Home / Definitions / Rootkits
    Security 3 min read

    Rootkits are a collection of stealthy software that provide privileged access in an operating system while concealing their presence. Behaving as benign programs, they hide malware, keyloggers, password and credential stealers, and bots designed to infiltrate a computer or a network, allowing cybercriminals access to protected data and take over the system undetected.

    Rootkits can be installed through a USB or downloaded into a computer via social engineering tactics like phishing. Once installed, rootkits are unnoticeable and can block security tools like antivirus or anti-malware. A rootkit not only conceals its presence but also of malware, viruses, and other software payloads to work surreptitiously. They infect the system, create a backdoor entry, and provide hackers administration-level privileges to access a computer or network remotely without the owner s knowledge or consent.

    Uses of rootkits

    Rootkits can be a force for good such as combating piracy, enforcing digital rights management (DRM), uncovering and preventing cheating in online games, and recognizing attacks in a honeypot. But generally, rootkits are a platform for hackers to provide unauthorized access, hide malicious software programs, and turn the compromised operating system into a host to attack other computers in the network.

    Types of rootkits

    As soon as rootkits enter the system, they behave with escalating privileges and can act like a Trojan horse, obscuring their existence by subverting the security tools and altering the drivers and kernel modules of an operating system. They come in five variants:

    • User mode runs along with other applications as a user and operates at a Ring 3 level with limited access to the computer. But it can intercept, modify, alter the processes, and overwrite the memory of other applications.
    • Kernel mode is the most difficult to detect and remove as it behaves and runs at Ring 0 , sharing the same privileges with the administrator of an operating system.
    • Bootkits are a type of kernel mode rootkit, which infects a computer s startup code or boot sector to attack disk encryption.
    • Hypervisor exploits the virtualization features of hardware and intercepts communications between the operating system and hardware. It behaves like a virtual machine that hosts the operating system.
    • Firmware rootkits are hidden in the system BIOS of a device or platform firmware such as hard drive, RAM, network card, router, and card reader.

    Detection and removal

    Detecting rootkits can be difficult, especially if the operating system is already infected, subverted, and compromised by a kernel mode rootkit. But there are ways to detect rootkits, including using antivirus software, checking the system s integrity, tracking CPU usage and network traffic, signature scanning, and employing difference-based detection.

    Just as rootkits can be hard to unmask, they re also impossible to remove manually. But some rootkits can be detected and removed by antivirus or antimalware. The easiest way to get rid of rootkits is to reinstall the operating system and its applications.