What is a rootkit? How can you protect your device?

Rootkits are the sneakiest, toughest-to-find kind of malicious software.

You see, most of the time, you’ll learn pretty quickly that your computer has malware. Although some kinds of malware need to be subtle, most actually announce their presence in some way or another. But not rootkits.

These sneaky pieces of software hide in the most remote parts of your computer, causing all sorts of trouble. Read on to find out more about them.

What is a rootkit?

The defining feature of rootkits is that they evade detection by masking themselves from the user and other software, including antivirus. Thus, the definition of a rootkit does not inherently specify what the malware actually does, only its strategy of hiding from users.

The term “rootkit” consists of two words: “root” (which, in this context, signifies the privileged account on Linux and Unix operating systems) and “kit” (the software components that implement the tool). While not inherently malicious, rootkits usually come bundled with various types of malware and grant the hacker access to your computer with administrative rights.

So, rootkits might provide a backdoor for criminals, steal your data (like passwords and credit card details) directly, or enroll your computer in a botnet. Regardless, a rootkit will make it difficult for you to discover and remove it.

Types of rootkits

Security specialists put rootkits into categories based on what level of access they compromise:

  • User mode rootkits run as normal processes, just like the applications that you might start yourself. User mode rootkits hide themselves with less sophisticated techniques. While they can sneak in more easily, they are also easier to detect and remove.
  • Kernel mode rootkits replace or inject code in system-level components of your computer’s operating system. As a result, these kinds of rootkits are far more advanced and can hide themselves more effectively. Removing a kernel mode rootkit from a running system is difficult or impossible.
  • Bootkits are a special type of rootkit that infects a computer’s Master Boot Record or UEFI code, which is some of the first software that runs after you press the power button. As a result, bootkits run underneath the operating system and cannot be removed without reformatting the hard drive.
  • Firmware or hardware rootkits compromise components like the Intel Management Engine coprocessor or your network card firmware. This type of rootkit is the hardest to install, but also the most difficult to remove. Sometimes, victims have to throw away and replace infected hardware.

How to detect rootkit malware

Detecting rootkits is often really hard - hackers design them to be as hard to find as possible. However, if you have a rootkit, it's probably not a never-before-seen variety. Criminals usually aim the most powerful, hard-to-find rootkits at targets like major companies, not individuals.

Some anti-malware software can scan for and remove rootkits just like other kinds of malware. That said, a plain antivirus scan might not be enough. In addition to searching your disk for malicious files, quality antivirus software also uses heuristics. To put it another way, it looks for behavior that’s out of the ordinary, potentially indicating an infection.

In addition to using antivirus software that includes heuristic features, you should also look out for symptoms of a malware infection. If your computer is suddenly slow or behaves strangely even after rebooting it, you could have malware, including rootkits.

Some specific anti-rootkit software also exists. This type of specialized anti-malware can be a great way to verify that you have a known rootkit on your computer if you already suspect it. However, you don’t need to have this software on your machine for preventative protection - regular antivirus is better for that.
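One concrete form of the “behavior that’s out of the ordinary” check is a cross-view comparison: ask for the process list the way a user tool would (the /proc directory listing, which a rootkit can filter) and then ask the kernel about every possible PID directly; anything the kernel admits exists but the listing omits deserves a closer look. The Python below is an added example, not code from the original article or any anti-rootkit product, and it assumes a Linux host with procfs mounted at /proc (the PROC constant and the 32768 default for pid_max are assumptions; real hosts should read /proc/sys/kernel/pid_max).

```python
import os
PROC = "/proc"  # assumed procfs mount point (Linux)

def listed_pids():
    # PIDs the way ps/top see them; empty set where procfs is absent.
    try:
        return {int(n) for n in os.listdir(PROC) if n.isdigit()}
    except OSError:
        return set()

def pid_exists(pid):
    # Signal 0 delivers nothing: ESRCH = no such task; success/EPERM = it exists.
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def thread_group_of(pid):
    # Tgid from /proc/<pid>/status, or None if unreadable. Non-leader threads
    # answer kill(tid, 0) but are never part of the /proc listing.
    try:
        with open(f"{PROC}/{pid}/status") as f:
            tgid = [line for line in f if line.startswith("Tgid:")]
    except OSError:
        return None
    return int(tgid[0].split()[1]) if tgid else None

def classify(pid, listed):
    # 'listed', 'thread', 'gone' (exited between the two views) or 'hidden'.
    if pid in listed:
        return "listed"
    tgid = thread_group_of(pid)
    if tgid is not None and tgid != pid:
        return "thread"
    if tgid == pid and pid in listed_pids():  # started after the first listing
        return "listed"
    if not pid_exists(pid):
        return "gone"
    return "hidden"

def cross_view_scan(pid_max=32768):  # read /proc/sys/kernel/pid_max on real hosts
    # Brute-force every id; report what the kernel admits but the listing hides.
    listed = listed_pids()
    if not listed:
        return None
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid_exists(pid) and classify(pid, listed) == "hidden")
```

A non-empty result is a lead, not proof: mount options such as hidepid or a stale listing can also produce it, so re-run the scan and compare with a second tool before concluding anything.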

How to protect your PC against rootkits

  • Be careful with unknown email attachments and websites. You see, these attack vectors are how most malware ends up on your computer. Don’t open attachments you aren’t expecting and never allow Office macros to run from unknown email attachments. Be careful with web-based advertisements that contain fake download links as well as any unexpected downloads.
  • Use a strong anti-malware solution with always-on scanning and heuristic features. Powerful antivirus software can often detect the installers and loaders for rootkits before they end up on your machine.
  • Stay on top of updates. Lots of malware, including kernel-mode rootkits, relies on security vulnerabilities to infiltrate your system. Therefore, by keeping your system up to date, you can make sure that many of these attacks won’t be successful.

Rootkit examples

With so many high-profile cases, rootkits are arguably the most famous type of malware, even if people don’t necessarily call them by that name. Here are a few of the biggest rootkit examples:

  • Stuxnet. Sometimes considered the first true cyberweapon, Stuxnet was a sophisticated malware attack used by the US and Israeli governments to destroy an Iranian nuclear facility. In addition to being a worm (it spread via vulnerabilities in Windows), Stuxnet hid from users, making it a rootkit. It arrived on victim computers through USB flash drives and then attacked programmable logic controllers, causing centrifuges used to separate nuclear materials to destroy themselves.
  • Sony BMG copy protection. In 2005, after years of falling music sales due to the rise of Napster and other music piracy systems, Sony BMG needed a solution. To make it harder to get music off of CDs onto computers, they used a series of programs to interfere with CD copying software. These programs hid themselves from users and the operating system, leading security researchers to classify them as rootkits.
  • 2008 credit card swiper attacks. This rootkit installed itself shortly after credit card chip and PIN devices left the factory in China. The Pakistani-Chinese organized crime ring that built the software received credit card details in Pakistan. Afterwards, the financial information was used to clone credit cards and drain victims’ bank accounts.
