What Is A Rootkit?

Date First Published: 9th May 2023

Topic: Cybersecurity

Subtopic: Threats To Systems, Data & Information

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 7/10

Learn more about what a rootkit is in this article.

A rootkit is a type of malware designed to give someone root or administrator-level access to a computer system without the user's permission or knowledge. Rootkits are designed to be difficult to spot and remove and allow a computer to be remotely controlled. This enables a hacker to do almost anything they want on a computer, including installing malware, disabling antivirus software, modifying files, changing system configurations, stealing sensitive information, sending junk mail, and more. Rootkits are dangerous to the security of a device and are one of the most serious types of malware, since a rootkit can modify anything that someone with root or administrator access can.

The word 'root' refers to root access to the computer, meaning the highest privileges and permissions on a computer system. The words 'root', 'superuser' and 'admin' are all names for a user account with administrative access to an operating system. The word 'kit' simply refers to the package of software tools that make up the rootkit.

Types Of Rootkits

There are five main types of rootkits, which include:

  • Kernel mode rootkit - These run with the highest operating system privileges. A kernel mode rootkit attacks a core component of a computer and gives a hacker complete control over the computer. Kernel rootkits can be difficult to detect and remove because they operate at the same security level as the operating system itself and compromise the whole operating system. Usually, the rootkit adds its own code to part of the operating system core. The kernel can be thought of as the nervous system of the operating system.
  • Bootkit - Also known as a bootloader rootkit, a bootkit takes control of a computer system while it is booting. It can infect startup code, such as the Master Boot Record (MBR), and can be used to attack full-disk encryption. Since the bootloader loads the operating system, a bootkit gains root access to the computer before the operating system is ready to use.
  • Firmware rootkit - This provides control over software embedded in system firmware. It uses device or platform firmware to create a persistent malware image in hardware, such as a router, network card, hard drive, or the system BIOS. These are difficult to detect because they hide themselves in firmware, where tools don't usually scan for malware.
  • Memory rootkit - These types of rootkits load themselves into the RAM and can slow computers down whilst gaining root access. However, they only persist until the RAM is cleared, usually when the computer is restarted, clearing the memory rootkit.
  • Application rootkit - This replaces or modifies ordinary application files with rootkit code, so the rootkit runs with the application's privileges each time an infected file is run. This type of rootkit is easier to detect because the modified files may behave in unexpected ways and can be identified by security tools that check file integrity.
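The kernel-mode entry above says such rootkits are hard to detect because they run at the same level as the operating system. One practical defensive technique is a cross-view check: take two independent views of "which processes exist" and report anything that shows up in the lower-level view but is missing from the view the rootkit is likely to filter. The script below is an added example written for this page, not code from the article; it is Linux-specific and assumes that listing /proc is the high-level view and that probing with kill(pid, 0) is the low-level view. The helper names (find_hidden_pids, visible_pids_from_proc) are this example's own.

```python
"""Cross-view detection of hidden processes on Linux (added example).

High-level view : numeric entries in /proc (plus each process's thread IDs).
Low-level view  : os.kill(pid, 0), which sends no signal but reports
                  whether the PID exists.
A PID that answers the probe yet is absent from /proc is a candidate for a
process hidden by a kernel-mode rootkit.
"""
import os
from typing import Callable, Iterable, Optional, Set


def visible_pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """High-level view: every PID (and thread ID) the /proc listing exposes."""
    ids: Set[int] = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        # kill(tid, 0) also succeeds for thread IDs, so threads must be part of
        # the visible view; otherwise every extra thread would look "hidden".
        task_dir = os.path.join(proc_root, name, "task")
        try:
            ids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return ids


def pid_exists_via_signal(pid: int) -> bool:
    """Low-level view. PermissionError means the PID exists but belongs to
    another user, so it still counts as present."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_pids(visible: Set[int],
                     probe: Callable[[int], bool],
                     candidates: Iterable[int],
                     refresh_visible: Optional[Callable[[], Set[int]]] = None
                     ) -> Set[int]:
    """Return PIDs that the probe says exist but the visible view omits.

    Processes legitimately start and exit between the two snapshots, so when
    refresh_visible is supplied each suspect is re-checked against a fresh
    visible view and must still answer the probe before it is reported.
    """
    suspects = {pid for pid in candidates if pid not in visible and probe(pid)}
    if refresh_visible is not None and suspects:
        fresh = refresh_visible()
        suspects = {pid for pid in suspects if pid not in fresh and probe(pid)}
    return suspects


def max_pid(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space, so every possible PID is probed."""
    with open(path) as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    hidden = find_hidden_pids(visible_pids_from_proc(), pid_exists_via_signal,
                              range(1, max_pid() + 1), visible_pids_from_proc)
    print("hidden PIDs:", sorted(hidden) or "none")
```

The two views are injected as parameters so the comparison logic can be exercised with constructed data; on a real host the re-check step matters, because a short-lived process that exits between the two listings would otherwise be reported as hidden.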

Is A Rootkit A Virus Or Malware?

A rootkit is a type of malware. It is not a virus because a virus is self-replicating, meaning that it copies itself to spread from one computer to another. A rootkit is not self-replicating since it requires users to manually download and install it to become infected. Rootkits don't spread by themselves. Therefore, it is incorrect to say 'rootkit virus'.

Signs Of A Rootkit

Most rootkits run silently on a computer; their goal is to remain undetected without any easily identifiable signs. A deeply installed rootkit will show few signs and may even bypass security software. However, the following six signs indicate that a computer may have been compromised by a rootkit.

  • Unrecognised access to online accounts by other people.
  • Unusually slow loading or booting times. Rootkits can infect the bootloader, hard drive and applications on a computer and cause it to slow down.
  • Computer constantly becoming unresponsive (e.g. the computer not responding to mouse or keyboard input for no apparent reason).
  • Antivirus programs failing to run or work. If an antivirus program malfunctions or deactivates with no apparent cause, this is a sign of a rootkit.
  • Hijacked email (e.g. contacts receiving spam because an attacker has accessed the user's email account).
  • Unexpected changes to operating system settings, the desktop background or the browser homepage made without the user's permission. This indicates an active rootkit infection.

How Do Rootkits Spread?

Rootkits spread through very similar methods to any type of malware, including:

  • Email attachments.
  • Peer-to-peer networks.
  • Executable files disguised as safe programs.
  • Compromised shared drives.
  • Removable media, like USB drives, CDs and SD cards.

Rootkits are often spread using deception techniques. For example, downloads from malicious websites and email attachments may claim to include a useful file, when the file actually installs a rootkit. In extreme cases, rootkits may require you to reinstall the operating system to remove all traces of the rootkit.

How To Prevent Rootkits?

Below are five steps you can take to prevent rootkit attacks:

  • Make sure that your computer has strong antivirus software installed with rootkit detection, to monitor for any attempts at unauthorised access to your system. Some antiviruses scan a computer for rootkits separately, before scanning the filesystem.
  • Keep your operating system up to date. Operating system updates are required to keep a computer protected from vulnerabilities and can patch security holes that enable unauthorised access using rootkits. It is difficult to use a rootkit to gain unauthorised access to most modern, fully patched systems. Using an outdated operating system will make your computer more vulnerable to attacks that gain unauthorised access, like rootkits.
  • Only download software from websites you absolutely trust. Never download software from random websites that you don't know. This is the most common way that computers catch malware. Sometimes, when you install software from an untrusted source, it may also include a rootkit installer.
  • Do not open unexpected email attachments from people you don't know. These are a common way of infecting computers with malware, including rootkits. Also, do not click on links in phishing email messages, as they may download malware onto your computer.
  • Monitor and filter network traffic. In addition to a strong antivirus, you should also use traffic filtering software to monitor and scan the traffic coming in and out of networks. This helps detect malware before it can infect computers.
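The application rootkit entry in the types list explains that this kind of rootkit replaces or patches ordinary program files, and the first prevention step above mentions security tools that scan for rootkits. The usual way a tool notices replaced files is a file-integrity baseline: hash every file on a known-good system, keep the baseline somewhere the host cannot alter it, and later compare. The following is an added example written for this page, not code from the article or from any particular product; it assumes SHA-256 as the hash and uses a small constructed directory tree (the file names and contents in demo() are made up) so it runs offline. Function names such as build_baseline and compare are this example's own.

```python
"""Minimal file-integrity baseline check (added example).

Mirrors what host integrity checkers do: hash a tree of files once on a
clean system, save the result, and later report files that were modified,
added or removed. Storing the baseline off the host (read-only media, a
remote server) matters, because a rootkit with root access can rewrite a
baseline that lives on the same disk.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, NamedTuple, Set


def sha256_of_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (path relative to root, with '/'
    separators) to its SHA-256. Symlinks are skipped, not followed."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


class Report(NamedTuple):
    modified: Set[str]   # present in both, hash differs
    added: Set[str]      # present now, absent from baseline
    removed: Set[str]    # in baseline, missing now

    def clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Report:
    modified = {p for p in baseline if p in current and baseline[p] != current[p]}
    return Report(modified, set(current) - set(baseline), set(baseline) - set(current))


def demo() -> Report:
    """Constructed scenario: baseline a small tree, then overwrite one file
    (as an application rootkit would), drop in a new file and delete another."""
    files = {"bin/ls": b"original ls binary", "bin/ps": b"original ps binary",
             "etc/hosts": b"127.0.0.1 localhost"}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline_file = os.path.join(store, "baseline.json")  # "off-host" copy
        save_baseline(build_baseline(root), baseline_file)

        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"ps binary with extra code patched in")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"unexpected new file")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    report = demo()
    print("modified:", sorted(report.modified))
    print("added:   ", sorted(report.added))
    print("removed: ", sorted(report.removed))
```

A real deployment would also record ownership, permissions and timestamps, and would run the comparison from a trusted environment (for example, booted from clean media), since a kernel-mode rootkit can lie to the scanner about file contents on the running system.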

A rootkit is one of the most difficult types of malware to remove, and rootkits are constantly being modified and updated to exploit new security holes. Therefore, it is much better to prevent a rootkit attack than to try to wipe one out after the fact.
