What is a rootkit?

A rootkit is a program or a collection of malicious software tools that give a threat actor remote access to and control over a computer or other system. Although this type of software has some legitimate uses, such as providing remote end-user support, most rootkits open a backdoor on victims' systems to introduce malicious software -- including viruses, ransomware, keylogger programs or other types of malware -- or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by deactivating endpoint antimalware and antivirus software.

Rootkits, which can be purchased on the dark web, can be installed during phishing attacks or employed as a social engineering tactic to trick users into giving the rootkits permission to be installed on their systems, often giving remote cybercriminals administrator access to the system. Once installed, a rootkit gives the remote actor access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits, but today, most antimalware programs can scan for and remove rootkits hiding within a system.

Rootkits are among the nine types of malware
This diagram shows nine different types of malware, including rootkits.

How rootkits work

Since rootkits cannot spread by themselves, they depend on clandestine methods to infect computers. When unsuspecting users give rootkit installer programs permission to be installed on their systems, the rootkits install and conceal themselves until hackers activate them. Rootkits contain malicious tools, including banking credential stealers, password stealers, keyloggers, antivirus disablers and bots for distributed denial-of-service attacks.

Rootkits are installed through the same common vectors as any malicious software, including by email phishing campaigns, executable malicious files, crafted malicious PDF files or Microsoft Word documents, connecting to shared drives that have been compromised or downloading software infected with the rootkit from risky websites.

What can be compromised during a rootkit attack?

The following are some of the potential results of a rootkit attack:

  • Causes a malware infection. A rootkit can install malicious software on a computer, system or network that contains viruses, Trojans, worms, ransomware, spyware, adware and other deleterious software that compromise performance of the device or system or the privacy of its information.
  • Removes files. Rootkits install themselves through a backdoor into a system, network or device. This can happen during login or be the result of a vulnerability in security or OS software. Once in, the rootkit can automatically execute software that steals or deletes files.
  • Intercepts personal information. Rootkits known as payload rootkits often use keyloggers, which capture keystrokes without a user's consent. In other cases, these rootkits issue spam emails that install the rootkits when users open the emails. In both cases, the rootkit steals personal information, such as credit card numbers and online banking data, that is passed on to cybercriminals.
  • Steals sensitive data. By entering systems, networks and computers, rootkits can install malware that seeks sensitive and proprietary information, usually with the goal of monetizing that data or passing it to unauthorized sources. Keyloggers, screen scrapers, spyware, adware, backdoors and bots are all methods that rootkits use to steal sensitive data.
  • Changes system configurations. Once inside a system, network or computer, a rootkit can modify system configurations. It can establish a stealth mode that makes detection by standard security software difficult. Rootkits can also create a persistent state of presence that makes it difficult or impossible to shut them down, even with a system reboot. A rootkit can provide an attacker with ongoing access or change security authorization privileges to facilitate access.

Symptoms of rootkit infection

A primary goal of a rootkit is to avoid detection to remain installed and accessible on the victim's system. Although rootkit developers aim to keep their malware undetectable and there are not many easily identifiable symptoms that flag a rootkit infection, here are four indicators that a system has been compromised:

  1. Antimalware stops running. An antimalware application that just stops running indicates an active rootkit infection.
  2. Windows settings change by themselves. If Windows settings change without any apparent action by the user, the cause may be a rootkit infection. Other unusual behavior, such as background images changing or disappearing in the lock screen or pinned items changing on the taskbar, could also indicate a rootkit infection.
  3. Performance issues. Unusually slow performance or high central processing unit usage and browser redirects may also point to the presence of a rootkit infection.
  4. Computer lockups. These occur when users cannot access their computer or the computer fails to respond to input from a mouse or keyboard.

Types of rootkits

Rootkits are classified based on how they infect, operate or persist on the target system:

  • Kernel mode rootkit. This type of rootkit is designed to change the functionality of an OS. The rootkit typically adds its own code -- and, sometimes, its own data structures -- to parts of the OS core, known as the kernel. Many kernel mode rootkits exploit the fact that OSes allow device drivers or loadable modules to execute with the same level of system privileges as the OS kernel, so the rootkits are packaged as device drivers or modules to avoid detection by antivirus software.
  • User mode rootkit. Also known as an application rootkit, a user mode rootkit executes in the same way as an ordinary user program. User mode rootkits may be initialized like other ordinary programs during system startup, or they may be injected into the system by a dropper. The method depends on the OS. For example, a Windows rootkit typically focuses on manipulating the basic functionality of Windows dynamic link library files, but in a Unix system, the rootkit may replace an entire application.
  • Bootkit or bootloader rootkit. This type of rootkit infects the Master Boot Record of a hard drive or other storage device connected to the target system. Bootkits can subvert the boot process and maintain control over the system after booting and, as a result, have been used successfully to attack systems that use full disk encryption.
  • Firmware rootkit. This takes advantage of software embedded in system firmware and installs itself in firmware images used by network cards, basic input/output systems, routers, or other peripherals or devices.
  • Memory rootkit. Most types of rootkit infections can persist in systems for long periods because they install themselves on permanent system storage devices, but memory rootkits load themselves into computer memory or RAM. Memory rootkits persist only until the system RAM is cleared, usually after the computer is restarted.
  • Virtualized rootkit. These rootkits operate as malware that executes as a hypervisor controlling one or many virtual machines (VMs). Rootkits operate differently in a hypervisor-VM environment than they do on a physical machine. In a VM environment, the VMs controlled by the master hypervisor machine appear to function normally, without noticeable degradation to service or performance on the VMs that are linked to the hypervisor. This enables the rootkit to do its malicious work with less chance of being detected since all VMs linked to the hypervisor appear to be functioning normally.

Tips for preventing a rootkit attack

Although it is difficult to detect a rootkit attack, an organization can build its defense strategy in the following ways:

  • Use strong antivirus and antimalware software. Typically, rootkit detection requires specific add-ons to antimalware packages or special-purpose antirootkit scanner software.
  • Keep software up to date. Rootkit users continually probe OSes and other systems for security vulnerabilities. OS and system software vendors are aware of this, so whenever they discover vulnerabilities to their products, they immediately issue a security update to eliminate them. As a best practice, IT should immediately update software whenever a new release is issued.
  • Monitor the network. Network monitoring and observability software can alert IT immediately if there is an unusually high level of activity at any point along the network, if network nodes suddenly start going offline or if there is any other sign of network activity that can be construed as an anomaly.
  • Analyze behavior. Companies that develop strong security permission policies and continually monitor for compliance can reduce the threat of rootkits. For example, if a user who normally accesses a system during the daytime in San Jose, Calif., shows up suddenly as an active user in Europe during nighttime hours, a threat alert could be sent to IT for investigation.

Rootkit detection and removal

Once a rootkit compromises a system, the potential for malicious activity is high, but organizations can take steps to remediate a compromised system.

Rootkit removal can be difficult, especially for rootkits that have been incorporated into OS kernels, into firmware or on storage device boot sectors. While some antirootkit software can detect and remove some rootkits, this type of malware can be difficult to remove entirely.

One approach to rootkit removal is to reinstall the OS, which, in many cases, eliminates the infection. Removing bootloader rootkits may require using a clean system running a secure OS to access the infected storage device.

Rebooting a system infected with a memory rootkit removes the infection, but further work may be required to eliminate the source of the infection, which may be linked to command-and-control networks with presence in the local network or on the public internet.

Examples of rootkit attacks

Phishing and social engineering attacks. Rootkits can enter computers when users open spam emails and inadvertently download malicious software. Rootkits also use keyloggers that capture user login information. Once installed, a rootkit can give hackers access to sensitive user information and take control of computer OSes.

Application rootkit attacks. Rootkits can install themselves on commonly used applications, such as spreadsheet and word processing software. The hackers use application rootkits to gain access to users' information whenever they open the infected applications.

Network and internet of things (IoT) attacks. Significant security threats come in with IoT devices and edge computing that lack the security measures other systems and centralized computers have. Hackers find and exploit these vulnerabilities by inserting rootkits through edge points of entry. This can enable a rootkit to spread throughout a network, taking over computers and workstations and rendering them as zombie computers under outside control.

OS attacks. After entering a system, a kernel mode rootkit can attack the system's OS. The attack can include modifying the functionality of the OS, slowing system performance, and even accessing and deleting files. Kernel mode rootkits usually enter systems when a user inadvertently opens a malicious email or executes a download from an unreliable source.

Credit card swipe and scan attacks. Criminals have used rootkits to infect credit card swipers and scanners. The rootkits are programmed to record credit card information and to send the information to servers controlled by hackers. To prevent this, credit card companies have adopted chip-embedded cards, which are more impervious to attack.

Malware continues to become more sophisticated, creating a gap in current network defenses. Learn how to avert malware using a modern approach that provides protection against both known and unknown threats.

This was last updated in October 2021

Continue Reading About rootkit

Dig Deeper on Emerging cyberattacks and threats