A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. While there have been legitimate uses for this type of software, such as to provide remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software, such as viruses, ransomware, keylogger programs or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by endpoint antivirus software.
Rootkits can be installed in a number of ways, including phishing attacks or social engineering tactics to trick users into giving the rootkit permission to be installed on the victim system, often giving remote cybercriminals administrator access to the system.
Once installed, a rootkit gives the remote actor access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits, but most antimalware programs today have the ability to scan for and remove rootkits hiding within a system.
How rootkits work
Since rootkits can't spread by themselves, they depend on clandestine methods to infect computers. Typically, they spread by hiding in software that may appear to be legitimate and could actually provide legitimate functions.
When users give a rootkit installer program permission to be installed on their system, the rootkit surreptitiously installs itself as well and conceals itself until a hacker activates it. A rootkit will contain malicious tools, including banking credential stealers, password stealers, keyloggers, antivirus disablers and bots for distributed denial-of-service attacks.
Rootkits are typically installed through the same common vectors as any malicious software, including by email phishing campaigns, executable malicious files, crafted malicious PDF files or Word documents, connecting to shared drives that have been compromised or downloading software infected with the rootkit from risky websites.
Symptoms of rootkit infection
One of the primary objectives of a rootkit is to avoid detection in order to remain installed and accessible on the victim system, so rootkit developers aim to keep their malware undetectable, which means there may not be many detectable symptoms that flag a rootkit infection.
One common symptom of a rootkit infection is that antimalware protection stops working. An antimalware application that just stops running indicates that there is an active rootkit infection.
Another symptom of a rootkit infection can be observed when Windows settings change independently, without any apparent action by the user. Other unusual behavior, such as background images changing or disappearing in the lock screen or pinned items changing on the taskbar, could also indicate a rootkit infection.
Finally, unusually slow performance or high CPU usage and browser redirects may also indicate the presence of a rootkit infection.
Types of rootkits
There are several different types of rootkits characterized by the way the rootkit infects, operates or persists on the target system.
A kernel mode rootkit is designed to change the functionality of an OS. This type of rootkit typically adds its own code -- and, sometimes, its own data structures -- to parts of the OS core, known as the kernel. Many kernel mode rootkits exploit the fact that OSes allow device drivers or loadable modules to execute with the same level of system privileges as the OS kernel, so the rootkits are packaged as device drivers or modules to avoid detection by antivirus software.
A user mode rootkit, also sometimes called an application rootkit, executes in the same way as an ordinary user program. User mode rootkits may be initialized like other ordinary programs during system startup, or they may be injected into the system by a dropper. The method depends on the OS. For example, a Windows rootkit typically focuses on manipulating the basic functionality of Windows dynamic link library files, but in a Unix system, an entire application may be completely replaced by the rootkit.
A bootkit, or bootloader rootkit, infects the master boot record of a hard drive or other storage device connected to the target system. Bootkits are able to subvert the boot process and maintain control over the system after booting and, as a result, have been used successfully to attack systems that use full disk encryption.
Firmware rootkits take advantage of software embedded in system firmware and install themselves in firmware images used by network cards, BIOSes, routers or other peripherals or devices.
Most types of rootkit infections can persist in systems for long periods of time, because they install themselves on permanent system storage devices, but memory rootkits load themselves into computer memory (RAM). Memory rootkits persist only until the system RAM is cleared, usually after the computer is restarted.
Rootkit detection and removal
Rootkits are designed to be difficult to detect and remove; rootkit developers attempt to hide their malware from users and administrators, as well as from many types of security products. Once a rootkit compromises a system, the potential for malicious activity is very high.
Typically, rootkit detection requires specific add-ons to antimalware packages or special-purpose antirootkit scanner software.
There are many rootkit detection tools suitable for power users or for IT professionals provided by antimalware vendors, which usually offer rootkit scanners or other rootkit detection tools to their customers. While free and paid third-party rootkit scanners are also available, care should be taken that any security scanning software is provided by a reputable publisher because threat actors have been known to package and distribute malware as security software.
Rootkit removal can be difficult, especially for rootkits that have been incorporated into OS kernels, into firmware or on storage device boot sectors. While some antirootkit software is able to detect, as well as remove, some rootkits, this type of malware can be difficult to remove entirely.
One approach to rootkit removal is to reinstall the OS, which, in many cases, will eliminate the infection. Removing bootloader rootkits may require using a clean system running a secure OS to access the infected storage device.
Rebooting a system infected with a memory rootkit will remove the infection, but further work may be required to eliminate the source of the infection, which may be linked to command and control networks with presence in the local network or on the public internet.