A rootkit is a type of malware designed to give hackers access to and control over a target device. Although most rootkits affect the software and the operating system, some can also infect your computer’s hardware and firmware. Rootkits are adept at concealing their presence, but while they remain hidden, they are active.
Once they gain unauthorized access to computers, rootkits enable cybercriminals to steal personal data and financial information, install malware or use computers as part of a botnet to circulate spam and participate in DDoS (distributed denial of service) attacks.
The name “rootkit” derives from Unix and Linux operating systems, where the most privileged account admin is called the "root". The applications which allow unauthorized root or admin-level access to the device are known as the "kit".
A rootkit is software used by cybercriminals to gain control over a target computer or network. Rootkits can sometimes appear as a single piece of software but are often made up of a collection of tools that allow hackers administrator-level control over the target device.
Hackers install rootkits on target machines in a number of ways:
Rootkits operate near or within the kernel of the operating system, which gives them the ability to initiate commands to the computer. Anything which uses an operating system is a potential target for a rootkit – which, as the Internet of Things expands, may include items like your fridge or thermostat.
Rootkits can hide keyloggers, which capture your keystrokes without your consent. This makes it easy for cybercriminals to steal your personal information, such as credit card or online banking details. Rootkits can allow hackers to use your computer to launch DDoS attacks or send out spam emails. They can even disable or remove security software.
Some rootkits are used for legitimate purposes – for example, providing remote IT support or assisting law enforcement. Mostly though, they are used for malicious purposes. What makes rootkits so dangerous is the various forms of malware they can deliver, which can manipulate a computer’s operating system and provide remote users with admin access.
Hardware or firmware rootkits can affect your hard drive, your router, or your system’s BIOS, which is the software installed on a small memory chip in your computer’s motherboard. Instead of targeting your operating system, they target the firmware of your device to install malware which is difficult to detect. Because they affect hardware, they allow hackers to log your keystrokes as well as monitor online activity. Although less common than other types, hardware or firmware rootkits are a severe threat to online safety.
The bootloader mechanism is responsible for loading the operating system on a computer. Bootloader rootkits attack this system, replacing your computer’s legitimate bootloader with a hacked one. This activates the rootkit even before your computer’s operating system is fully loaded.
Memory rootkits hide in your computer’s random-access memory (RAM) and use your computer’s resources to carry out malicious activities in the background. Memory rootkits affect your computer’s RAM performance. Because they only live in your computer’s RAM and don’t inject permanent code, memory rootkits disappear as soon as you reboot the system – though sometimes further work is needed to get rid of them. Their short lifespan means they tend not to be perceived as a significant threat.
Application rootkits replace standard files in your computer with rootkit files and may even change the way standard applications work. These rootkits infect programs like Microsoft Office, Notepad, or Paint. Attackers can obtain access to your computer every time you run those programs. Because the infected programs still run normally, rootkit detection is difficult for users – but antivirus programs can detect them since they both operate on the application layer.
Kernel mode rootkits are among the most severe types of this threat as they target the very core of your operating system (i.e., the kernel level). Hackers use them not only to access the files on your computer but also to change the functionality of your operating system by adding their own code.
A virtual rootkit loads itself underneath the computer’s operating system. It then hosts the target operating systems as a virtual machine, which allows it to intercept hardware calls made by the original operating system. This type of rootkit does not have to modify the kernel to subvert the operating system and can be very difficult to detect.
One of the most notorious rootkits in history is Stuxnet, a malicious computer worm discovered in 2010 and believed to have been in development since 2005. Stuxnet caused substantial damage to the nuclear program of Iran. Although neither country admitted responsibility, it is widely believed to be a cyberweapon jointly created by the US and Israel in a collaborative effort known as the Olympic Games.
Other notable examples of rootkits include:
In 2012, cybersecurity experts discovered Flame, a rootkit primarily used for cyber espionage in the Middle East. Flame – also known as Flamer, sKyWIper, and Skywiper – affects a computer’s entire operating system, giving it the ability to monitor traffic, capture screenshots and audio, and log keystrokes from the device. The hackers behind Flame were not found, but research suggests they used 80 servers across three continents to access infected computers.
In 2012, Necurs emerged as a rootkit and was reportedly detected in 83,000 infections that year. Associated with elite cybercriminals in Eastern Europe, Necurs is considered to stand out due to its technical complexity and ability to evolve.
In 2011, cybersecurity experts discovered ZeroAccess, a kernel mode rootkit that infected more than 2 million computers around the world. Rather than directly affecting the functionality of the infected computer, this rootkit downloads and installs malware on the infected machine and makes it part of a worldwide botnet used by hackers to carry out cyberattacks. ZeroAccess is in active use today.
In 2008, the TDSS rootkit was detected for the first time. This is similar to bootloader rootkits because it loads and runs at the operating systems' early stages – making detection and removal a challenge.
Detecting the presence of a rootkit on a computer can be difficult, as this kind of malware is explicitly designed to stay hidden. Rootkits can also disable security software, which makes the task even harder. As a result, rootkit malware could remain on your computer for a long time causing significant damage.
Possible signs of rootkit malware include:
A large volume of Windows error messages or blue screens with white text (sometimes called “the blue screen of death”), while your computer constantly needs to reboot.
This might include unrecognized bookmarks or link redirection.
Your device may take a while to start and perform slowly or freeze often. It might also fail to respond to input from the mouse or keyboard.
Examples might include your screensaver changing, the taskbar hiding itself, or the incorrect date and time displaying – when you haven’t changed anything.
Web pages or network activities appear intermittent or don’t function properly because of excessive network traffic.
A rootkit scan is the best way to detect a rootkit infection, which your antivirus solution can initiate. If you suspect a rootkit virus, one way to detect the infection is to power down the computer and execute the scan from a known clean system.
Behavioral analysis is another method of rootkit detection. This means that instead of looking for the rootkit, you look for rootkit-like behaviors. Whereas targeted scans work well if you know the system is behaving oddly, a behavioral analysis may alert you to a rootkit before you realize you are under attack.
Removing a rootkit is a complex process and typically requires specialized tools, such as the TDSSKiller utility from Kaspersky, which can detect and remove the TDSS rootkit. Sometimes the only way to eliminate a well-hidden rootkit entirely is to erase your computer’s operating system and rebuild from scratch.
On Windows, removal typically involves running a scan. If there is a deep infection, the only way to remove the rootkit is by reinstalling Windows. It is better to do this via an external media device instead of using the built-in Windows installer. Some rootkits infect the BIOS, which will require a repair to fix. If you still have a rootkit after a repair, you may need to get a new PC.
On a Mac, keep up to date with new releases. Mac updates don't just add new features – they also remove malware, including rootkits. Apple has built-in security features to protect from malware. However, there are no known rootkit detectors on macOS, so if you suspect a rootkit on your device, you should reinstall macOS. Doing so removes most apps and rootkits on your machine. As above, if the rootkit has infected the BIOS, it will require a repair to fix – and if the rootkit remains, you may need to buy a new device.
Because rootkits can be dangerous and difficult to detect, it is important to stay vigilant when browsing the internet or downloading programs. Many of the same protective measures you take to avoid computer viruses also help to minimize the risk of rootkits:
Be proactive about securing your devices and install a comprehensive and advanced antivirus solution. Kaspersky Total Security provides full-scale protection from cyber threats and also allows you to run rootkit scans.
Ongoing software updates are essential for staying safe and preventing hackers from infecting you with malware. Keep all programs and your operating system up to date to avoid rootkit attacks that take advantage of vulnerabilities.
Phishing is a type of social engineering attack where scammers use email to trick users into providing them with their financial information or downloading malicious software, such as rootkits. To prevent rootkits from infiltrating your computer, avoid opening suspicious emails, especially if the sender is unfamiliar to you. If you are unsure if a link is trustworthy, don’t click on it.
Be careful when opening attachments and avoid opening attachments from people you don’t know to prevent rootkit from being installed on your computer. Download software from reputable sites only. Don't ignore your web browser's warnings when it tells you a website you are trying to visit is unsafe.
Behavioral issues could indicate that a rootkit is in operation. Stay alert to any unexpected changes and try to find out why these are happening.
Rootkits are one of the most challenging types of malware to find and remove. Because they are difficult to detect, prevention is often the best defense. To ensure continual protection, continue learning about the latest cybersecurity threats.