What is a Rootkit?

Written March 2021


Cybersecurity is an issue that many people find difficult to handle, thanks to the sheer range of threats the average system faces. Spyware, adware, ransomware, phishing attacks, data hacks and viruses: the threats are widely varied and, to make matters more confusing, they often overlap in manner, form and intent.

The key to effective cybersecurity lies in building as comprehensive a working knowledge of the system as possible. This can be achieved using techniques such as red teaming, Cyber Kill Chain analysis and penetration testing, which examine the system in detail and identify its weak spots, loopholes and security issues. In addition to a strong working understanding of the system itself, the best cybersecurity strategy is built on a foundation of knowledge about the ever-evolving nature of the threats it faces. Part of that foundation is understanding rootkits: what they are, how to spot one that has been deployed and how to protect your systems against them.

A rootkit is malicious software that enables an unauthorised individual to gain privileged access to a system and restricted areas. Although a rootkit can be non-malicious in nature, this piece will look at the kind of rootkit used by malicious actors to attack a system and gain a degree of control over said system. Rather than being a single entity in itself, like a virus, a rootkit may arrive on a system equipped with multiple tools such as anti-virus disablers, bots for DDoS attacks, key loggers, or spyware designed to steal information such as banking credentials.

The term rootkit is a compound of ‘root’, the name of the administrator account on Unix and Linux operating systems (the equivalent of the administrator account on Windows), and ‘kit’, the set of programmes that enable a malicious actor to obtain unauthorised access to the restricted areas of a system.

In essence, a rootkit is a form of malware, but of a particularly insidious nature in that it can remain hidden within a device for a prolonged period. During this time, cyber criminals can exercise a large degree of control over that device. Once in place, a rootkit can enable them to steal passwords and financial information, subvert or disable security software and even log the keys pressed on the keyboard, making it much easier to steal personal information.

Although a rootkit may bear some superficial resemblance to a virus, particularly in the ways and means cyber criminals use to place one within a system, it is not, strictly speaking, a virus. A virus is a piece of code that, once in place, sets about damaging the system or device by destroying data, corrupting system files and wasting resources. A virus will also use the device’s resources to duplicate itself and spread to other devices and systems on the same network. One of the key differences between the two is that a virus’s presence will usually become fairly apparent, whereas a rootkit attempts to affect the system or device in an undetected, stealthy manner.

Types of Rootkit

The term rootkit is an umbrella term that covers several different types of threat. Some of these include:

  • Hardware/firmware
    This type of rootkit is named after the part of the system in which it is installed. A rootkit of this kind could infect the hard drive’s firmware or the system BIOS (the name given to the firmware held on the device’s motherboard), and could also infect the router being used. Once in situ, it can intercept data as it is written to the disk.
  • Bootloader
    The bootloader is the component that loads the operating system every time a device is turned on. A bootloader rootkit targets this area of the device, replacing the genuine bootloader with a tampered one. Because it is loaded first, the rootkit is already active before the operating system has even started.
  • Memory rootkit
    This type hides within the RAM (Random Access Memory) of a device. Because it exists only in RAM, a memory rootkit vanishes once the system is rebooted. While it is resident, however, it can carry out the same kind of harmful activity as any other rootkit.
  • Application
    An application rootkit works by replacing legitimate application files on a device with rootkit files and, in some cases, altering the way the applications themselves work. Programmes likely to be infected in this way include Word and Notepad. Every time the programme concerned is run, the cyber criminal responsible for the rootkit gains access to the device. The threat posed by application rootkits is amplified because the programmes in question continue to run as normal after being infected, making the rootkit far more difficult to detect.
  • Kernel mode
    Kernel mode rootkits attack the core of a device’s operating system. Once there, the tools they carry can be used by cyber criminals to alter how the fundamentals of the operating system function, allowing them to access the device with ease and steal personal information undetected. Because they are likely to cause frequent system crashes, however, kernel mode rootkits are more likely than other types to alert technicians or users to their presence on a device.
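An application rootkit, as described above, swaps legitimate program files for its own. One of the simplest defensive controls against this is an integrity baseline: record a cryptographic digest of every file while the installation is known-good, store that record somewhere the rootkit cannot reach, and compare the live files against it later. The following Python script is an added example written for this article, not code from the original page or from any product it mentions; the directory layout, file names and contents in the demonstration are constructed for the example.

```python
"""Baseline-and-verify integrity check for application files.

Added example, not code from the original article: an application rootkit
replaces legitimate program files with its own. Recording a SHA-256 digest
of every file while the installation is known-good, and re-checking those
digests later, reveals files that were swapped, removed or dropped in.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    """Persist the baseline; in practice keep it off the monitored host."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    """Read a baseline written by save_baseline."""
    return json.loads(path.read_text())


def verify_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under `root` with a stored baseline.

    Returns the files whose digest changed, the baselined files now missing,
    and the files present now that were not in the baseline.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo_tamper_detection() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it.

    The directory, file names and contents are made up for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        store = Path(tmp) / "store"       # stands in for off-host storage
        (root / "bin").mkdir(parents=True)
        store.mkdir()
        (root / "bin" / "notepad.exe").write_bytes(b"legitimate notepad build")
        (root / "bin" / "word.exe").write_bytes(b"legitimate word build")
        save_baseline(build_baseline(root), store / "baseline.json")

        # Simulate an application rootkit: one binary swapped for a trojanised
        # copy, one component dropped in beside it, one legitimate file removed.
        (root / "bin" / "notepad.exe").write_bytes(b"trojanised notepad build")
        (root / "bin" / "helper.dll").write_bytes(b"dropped component")
        (root / "bin" / "word.exe").unlink()

        return verify_baseline(root, load_baseline(store / "baseline.json"))


if __name__ == "__main__":
    for category, paths in demo_tamper_detection().items():
        print(f"{category}: {paths}")
```

The check is only as trustworthy as the view of the disk it reads: a kernel mode rootkit can lie to the very file reads the script makes, so the same comparison is far stronger when the disk is examined from trusted boot media, and the stored baseline must itself be kept somewhere the compromised host cannot edit.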

Signs a rootkit is present on a device

Rootkits, by definition, are designed to act in a way that makes them difficult to detect. Unlike some viruses or types of malware such as adware, the presence of a rootkit won’t always be obvious, which is one of the aspects that makes them so dangerous. That said, in general terms, the possibility of a rootkit being present should be considered whenever a device shows signs of a drop in operational efficiency, and the following symptoms are amongst those that users should be looking out for:

  • The computer locking and failing to respond to input from peripherals such as a mouse or keyboard
  • Windows settings changing without permission, such as the taskbar being hidden from view or the screensaver changing
  • Web pages and other online activities running slowly, taking longer than normal to load or functioning intermittently

In general, a more advanced rootkit will function within a device without any overt indication of its presence. The last of these symptoms, the network slowing down, is harder for a rootkit to hide, however, because activities such as the device being co-opted into a spam relay or a DDoS attack generate additional traffic, which unavoidably and noticeably slows the device down.
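Because an advanced rootkit gives no overt sign of its presence, defenders look instead for inconsistencies between views of the system that the rootkit would have to falsify all at once. A rootkit that hides a process usually tampers with the directory listing of /proc that tools such as ps rely on, but rarely with every kernel interface that can reveal a PID. The Linux script below is an added example written for this article (not code from the original page or any product it mentions): it compares the /proc listing with a second, independent view obtained by probing each PID with a null signal, and reports PIDs that only the second view can see. The helper names, the default PID limit of 32768 and the sample inputs in the usage note are assumptions made for the example.

```python
"""Cross-view check for hidden processes on Linux.

Added example, not code from the original article. A rootkit that hides a
process usually tampers with one enumeration path (typically the directory
listing of /proc that ps and top rely on) but rarely with every kernel
interface that can reveal a PID. Comparing two independent views and
reporting PIDs present in one but absent from the other is a long-standing
detection technique.
"""
import os
from typing import Callable, Iterable, List, Optional, Set


def pids_from_proc_listing(proc: str = "/proc") -> Set[int]:
    """View 1: PIDs that appear when the /proc directory is listed."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def max_pid(proc: str = "/proc") -> int:
    """Upper bound for the probe; 32768 is an assumed fallback if unreadable."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def pids_from_signal_probe(limit: int) -> Set[int]:
    """View 2: PIDs that answer to a null signal, kill(pid, 0).

    Signal 0 is never delivered; the call only asks the kernel whether the
    PID exists. ProcessLookupError means it does not; PermissionError means
    it exists but belongs to another user, which still counts as a hit.
    """
    found: Set[int] = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def tgid_from_proc(pid: int, proc: str = "/proc") -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def hidden_pids(listed: Iterable[int], probed: Iterable[int],
                tgid_of: Callable[[int], Optional[int]] = tgid_from_proc) -> List[int]:
    """PIDs the probe found that the listing did not show.

    Edge case handled: kill(tid, 0) also succeeds for thread ids, which never
    appear in the top-level /proc listing. A candidate whose Tgid is a
    visible process is therefore a thread, not a hidden process, and is
    dropped; anything else (including a PID whose status file cannot be read
    at all) stays on the list.
    """
    visible = set(listed)
    suspects: List[int] = []
    for pid in sorted(set(probed) - visible):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in visible:
            continue
        suspects.append(pid)
    return suspects


def scan(repeats: int = 3) -> List[int]:
    """Take both views several times; report only persistently hidden PIDs.

    Processes that start or exit between the two views produce one-off
    differences; requiring a PID to be hidden on every pass filters them out.
    """
    limit = max_pid()
    persistent: Optional[Set[int]] = None
    for _ in range(repeats):
        found = set(hidden_pids(pids_from_proc_listing(), pids_from_signal_probe(limit)))
        persistent = found if persistent is None else persistent & found
    return sorted(persistent or set())


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects if suspects else "none found")
```

Run it as root: on a system mounted with the hidepid option, an unprivileged user cannot list other users' processes in /proc but still gets PermissionError from the probe, which would flag every foreign process as hidden. Probing up to a modern pid_max of several million PIDs takes a while in Python, and a rootkit that hooks kill() as well as the directory listing will defeat this particular pair of views, which is why production tools combine several independent views rather than two. With constructed inputs, `hidden_pids([1, 2, 3], [1, 2, 3, 4, 5, 6], tgid_of=lambda p: {4: 2, 5: 5}.get(p))` returns `[5, 6]`: PID 4 is a thread of visible process 2 and is dropped, PID 5 is a real process missing from the listing, and PID 6 has no readable status at all.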

How rootkits are installed

In most cases, a rootkit is installed on a device after a user clicks on a malicious link. This link could be part of a phishing email, a PDF, a social media post or a website, for example. This is why the advice never to click on or open a link from a source you don’t know and trust is so important.

How to deal with rootkits

As with any form of malware, the best way to deal with a rootkit is to take steps to ensure that your systems aren’t vulnerable to it in the first place. Chief amongst these is to avoid phishing attempts by exercising extreme caution when opening attachments or clicking on links in emails. The same caution applies to downloading software from anything other than fully authorised and reputable sources. Free software may seem tempting, but the actual price to pay might include a rootkit on your device. Another hugely important measure is to update your software whenever a fix, patch or update is released. Even the best software programmes contain vulnerabilities and weak spots that cyber criminals are only too happy to exploit. Although companies generally release fixes when a vulnerability becomes apparent, older, legacy software might no longer be supported. For this reason, as well as installing all of the updates supplied for your software, it’s important to replace older software with newer, more secure versions.

One of the best ways of protecting your devices from rootkits is to install the latest anti-virus and anti-malware technology. The most up-to-date iterations of this kind of protection use techniques such as anomaly detection based on machine learning and behavioural heuristics. In simple terms, this means that the anti-virus technology can identify a rootkit from its behaviour and, having detected the malware, prevent it from infecting the system.

Another key aspect of protecting your data, assets and business from any form of malware or malicious activity is a robust cyber security strategy. The core purpose of a solid cyber security strategy is to offer robust threat detection, provide sufficient protection and have a process in place should a cyber attack take place. Cyber security specialists are at the top of their game when it comes to the latest developments and tools, and are constantly evolving and advancing their processes to meet emerging threats, making them a vital component of your business’s safety and security.
