
What is a Rootkit?

by Cybergal | Last Updated | January 25, 2022
Cyber Dictionary|CyberSecurity - Consumer|CyberSecurity - SMB

Rootkits first appeared in the early 1990s on Unix systems, and until the late 1990s they were almost exclusively a Unix/Linux phenomenon. The first Windows rootkit was spotted in the late 1990s, others followed, and rootkits have been a common but challenging cyber threat ever since.

What is a rootkit?

Historically, a rootkit was a set of tools that gave an intruder root (administrator-level) access to a computer or network and hid their presence on it. The name combines the two words “root” and “kit”: root is the superuser account on Linux and Unix systems, and the kit is the collection of programs that did the work.

Today the word has only a negative meaning. A rootkit is a stealthy and dangerous type of malware that gives an attacker access to a computer without the owner's knowledge. It is designed to stay on a computer or network undetected for an extended period of time, and unless the victim finds and removes it (or the criminal removes it themselves) it can remain resident indefinitely. Rootkits are often delivered alongside viruses, worms, and Trojans.

What do rootkits do?

Once a rootkit has taken hold of a computer, it controls the machine with administrator-level (root) privileges while staying out of sight. It can change anything an administrator can, and it typically uses that power to hide its own files, processes and network connections, to disable or blind security software, and to keep a back door open for the attacker.

Rootkit infection chain example


How are rootkits installed?

Rootkits cannot get onto a computer by themselves. They need help from other malware, typically referred to as droppers and loaders, and attackers bundle the three pieces together to form what is called a blended threat.

The dropper carries the rootkit onto the victim’s computer. When the victim runs the dropper, it starts the loader, and the loader installs the rootkit on the target system. Loaders frequently exploit a software vulnerability or abuse a privileged driver to obtain the kernel-level access needed to install and activate the rootkit in parts of memory that ordinary programs cannot touch.

How rootkits are installed

Getting the blended threat onto a machine is the attacker's main hurdle. Common delivery methods include phishing emails with malicious attachments, trojanized software downloads, drive-by exploitation of unpatched browsers and plugins, and abuse of stolen or weak administrator credentials.

What are the basic types of rootkits?

Security experts categorize rootkits based on where and how deeply they infect devices. Here they are:

Hardware or firmware rootkit

This type of rootkit lives outside the operating system, in the firmware of a component such as the hard drive, the network card or the motherboard's BIOS/UEFI (Basic Input/Output System), the code responsible for starting your system.

Firmware rootkits are notoriously hard to remove. Because firmware is stored in non-volatile memory, the rootkit survives a power-off and even a reinstall of the operating system, and it is reapplied every time the machine starts. If a rootkit scanner finds and deactivates the rootkit's components while the computer is running, the firmware copy simply puts them back at the next boot. The only real fix is to reflash the firmware from a trusted image or replace the affected hardware.

Bootkit or bootloader rootkit

When you turn on your computer, the bootloader loads your computer’s operating system. A bootkit replaces or patches the legitimate bootloader so that it runs before the OS and can tamper with the OS as it loads. UEFI Secure Boot, available since Windows 8 and used by Windows 10, refuses to run a bootloader that is not signed by a trusted key, which stops this class of rootkit as long as Secure Boot is actually enabled and the firmware's key database is intact.
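The practical check that follows from this is whether Secure Boot is really enforcing on a given machine. The script below is an added example, not code from the original article: on Linux it reads the SecureBoot and SetupMode variables that UEFI firmware exposes through efivarfs (the same variables `mokutil --sb-state` reports). It assumes efivarfs is mounted at the default path /sys/firmware/efi/efivars; the EFI_GLOBAL_VARIABLE GUID is the real one from the UEFI specification, and the byte strings used in the parsing functions are constructed for illustration.

```python
"""Check whether UEFI Secure Boot is enforcing (added example, Linux only)."""
import os
import struct
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (real value).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumed mount point of efivarfs (the default on most distributions).
EFIVARS = "/sys/firmware/efi/efivars"


def parse_efivar(raw: bytes) -> bytes:
    """efivarfs files start with a 4-byte little-endian attribute mask,
    followed by the variable's data. Return only the data part."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short: %r" % (raw,))
    (_attrs,) = struct.unpack("<I", raw[:4])
    return raw[4:]


def secure_boot_state(secureboot: bytes, setupmode: bytes) -> str:
    """Classify firmware state from the raw SecureBoot and SetupMode records.

    SecureBoot == 1 means the firmware verifies boot-loader signatures.
    SetupMode == 1 means the key database is open for writing, so a
    signature check cannot be trusted even if SecureBoot reads 1.
    """
    sb = parse_efivar(secureboot)
    sm = parse_efivar(setupmode)
    if not sb or not sm:
        return "unknown"
    if sm[0] == 1:
        return "setup-mode"      # keys not enrolled: nothing is enforced
    return "enabled" if sb[0] == 1 else "disabled"


def read_efivar(name: str) -> Optional[bytes]:
    """Read one variable under the global GUID; None if it does not exist."""
    path = os.path.join(EFIVARS, "%s-%s" % (name, EFI_GLOBAL_VARIABLE))
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def host_secure_boot_state() -> str:
    """Read the live variables. Returns 'no-uefi' on legacy BIOS boots or
    when efivarfs is not mounted, so callers can tell 'off' from 'absent'."""
    sb = read_efivar("SecureBoot")
    sm = read_efivar("SetupMode")
    if sb is None or sm is None:
        return "no-uefi"
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    # Constructed records: attributes 0x06 (BS|RT), then a one-byte value.
    print("constructed enabled :", secure_boot_state(b"\x06\x00\x00\x00\x01",
                                                      b"\x06\x00\x00\x00\x00"))
    print("this host           :", host_secure_boot_state())
```

Treat anything other than "enabled" as "bootkits are not blocked": "disabled" and "setup-mode" both mean an unsigned bootloader will run, and "no-uefi" means the machine boots through legacy BIOS, where Secure Boot does not exist at all.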

Memory rootkit

Memory rootkits live only in the computer’s RAM (Random Access Memory) and never write themselves to disk, which keeps them away from file-based scanners. They have a short lifespan: powering off the computer wipes them, and they only come back if the attacker re-infects the machine or some other component reinstalls them at the next boot.

User-mode rootkit

A user-mode rootkit runs in user space alongside ordinary applications, typically with administrator rights but without the kernel's privileges. It hides by intercepting the library functions and system-call wrappers that programs use to list files, processes, registry keys and network connections, and filtering its own artefacts out of the results. It usually adds itself to a startup location so that it runs again every time the computer boots.

Types of rootkits

Application rootkit

An application rootkit replaces or modifies standard system files and applications, for example a patched copy of the tool that lists files or processes, or a trojanized system library. The modified programs still appear to work normally, which makes the rootkit all the harder to spot.

Kernel-mode rootkit

A kernel-mode rootkit runs inside the operating system kernel at the highest privilege level, so it can alter anything on the machine, including what the kernel reports to anti-rootkit scanners. Its one weakness is fragility: a bug in code running in the kernel crashes the whole system, and unexplained crashes are sometimes the only visible sign of infection. A carefully written kernel rootkit, however, can stay hidden for a long time.

Hybrid rootkit

A hybrid rootkit blends user-mode and kernel-mode components. It gets the stability of a user-mode rootkit and the stealth of a kernel-mode rootkit, which is why this user/kernel combination is a favourite of cybercriminals.

Virtual rootkit

A virtual rootkit, or virtual machine-based rootkit (VMBR), installs itself as a thin hypervisor beneath the existing operating system. On the next boot it starts first and runs the original OS as a guest virtual machine under its control. Because the rootkit runs outside the guest, scanners running inside the OS have nothing to inspect, which makes it very difficult to detect.

How to detect rootkits

Rootkits are designed to stay hidden, which makes detecting them a real challenge and lets them do their dirty work unseen. Possible signs of a rootkit infection include unexplained crashes or blue screens, security software that has been disabled or refuses to update, settings that change on their own, unusual slowness, and network traffic the machine cannot account for. The more reliable approach is cross-view detection: compare what the running operating system reports (file listings, process lists, open ports) with the same information gathered a different way, for example from a lower-level API, from a scan of the disk while booted from clean media, or from the network side. Anything that shows up in one view but not the other is being hidden.
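The following is an added example, not code from the original article, and it serves both the user-mode rootkit description above and the cross-view detection idea. Part 1 mimics what a user-mode rootkit does: it wraps the directory-listing API the rest of the program calls and filters out the names it wants hidden. Real rootkits install such a wrapper with LD_PRELOAD on Linux or with import-table or inline hooks on Windows; here the wrapper is installed in-process by reassigning os.listdir, which is the same idea without a shared object. Part 2 is the detector: it lists the same directory through a second, unhooked path (os.scandir) and reports every name the hooked API omitted. The hidden-name prefix and the file names are constructed for the demonstration, and everything runs in a temporary directory.

```python
"""User-mode hiding and cross-view detection (added example)."""
import os
import tempfile
from typing import List, Set

# Constructed marker: the "rootkit" hides every name starting with this.
HIDDEN_PREFIX = "_rk_"

# Keep a reference to the real API before hooking, the same role
# dlsym(RTLD_NEXT, "readdir") plays in an LD_PRELOAD rootkit.
_real_listdir = os.listdir


def hooked_listdir(path: str = ".") -> List[str]:
    """Rootkit-style wrapper: call the real API, then drop hidden entries."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook() -> None:
    """Replace the high-level API every caller in this process uses."""
    os.listdir = hooked_listdir


def remove_hook() -> None:
    os.listdir = _real_listdir


def cross_view(path: str) -> Set[str]:
    """Cross-view check: compare the (possibly hooked) high-level view with a
    lower-level enumeration of the same directory. Names present below but
    missing above are being hidden from ordinary programs."""
    high_level = set(os.listdir(path))
    with os.scandir(path) as it:
        low_level = {entry.name for entry in it}
    return low_level - high_level


def demo(hooked: bool = True) -> Set[str]:
    """Create a directory with two 'rootkit' files and one normal file,
    optionally install the hook, and return what the cross-view reveals."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "_rk_payload.so", "_rk_config"):
            open(os.path.join(d, name), "w").close()
        if hooked:
            install_hook()
        try:
            return cross_view(d)
        finally:
            remove_hook()


if __name__ == "__main__":
    print("hidden by the hook:", sorted(demo(hooked=True)))
    print("clean system      :", sorted(demo(hooked=False)))
```

A clean system returns an empty set from cross_view; any non-empty result is worth investigating. The same comparison works for processes (a process list versus probing every PID directly) and for network ports (the local socket table versus a port scan from another host), which is how tools such as rkhunter and unhide find what a user-mode rootkit hides. A kernel-mode rootkit can falsify both views from inside the kernel, which is why the offline scan from clean boot media remains the stronger check.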

How to prevent rootkits

Rootkits are as dangerous as viruses but harder to find. The same strategies that keep out viruses and other malware keep out rootkits: keep the operating system and applications patched, do not run downloads or attachments from untrusted sources, work from a non-administrator account day to day, leave Secure Boot and driver signature enforcement switched on, and run reputable security software that includes a rootkit scanner.

Rootkits are one of the most elusive types of malware. They can linger in firmware, on disk and inside the operating system undetected and take their time wreaking havoc. Once a rootkit has done its damage, the only safe recovery is usually to wipe the machine and rebuild it from original installation media (and, for firmware rootkits, to reflash or replace the affected hardware). That is why prevention is the best defense.
