
Rootkit

by Holly Landis
Rootkits are malicious software programs that can be installed on devices. Learn how to identify rootkits, the different types, and how to avoid them.

What is a rootkit?

A rootkit is a malicious software program that gives unauthorized users, like hackers and cybercriminals, access to a computer's root or administrative level while hiding its presence from verified users.

Once installed on a device, these software bundles are difficult to detect and can cause significant damage such as manipulating and stealing computer data. When a rootkit activates, hackers can take full control of a device from a remote location.

Data-centric security software is used to identify and prevent rootkits from gaining access to important files, although some even bypass these systems and turn them off without anyone else knowing. If this happens, rootkits can then install additional malware on devices, compromise privacy, and create permanent re-entry points.

Types of rootkit

Like most malware, rootkits can be unique each time they’re created, but security experts typically assign rootkits to one of six categories.

  • User-mode rootkits, the most common type, infect a system at the administrative level of a device to gain access to all parts of a computer. Most security software can detect this type, even when the infection loads upon starting the device.
  • Kernel-mode rootkits go one step beyond user-mode by compromising the entire operating system (OS). They can be incredibly difficult to remove and will likely evade any security software.
  • Hybrid rootkits combine user and kernel mode to infect multiple device levels. This makes them one of the most popular rootkits for cybercriminals.
  • Bootloader rootkits target the Master Boot Record (MBR). They load at the same time as the MBR, since they don’t actually live in the OS but deeper in the device. Most up-to-date computers now have a secure boot function that prevents these rootkits from working.
  • Virtual rootkits load underneath an operating system, then move the OS to a virtual machine, essentially duplicating the device’s data in real time. This makes them very difficult to detect as they’re not actually running on the original device but still have access to its information.
  • Hardware or firmware rootkits hide inside the device’s hardware or firmware and are triggered when the device is turned off. When the machine turns back on, the firmware reactivates them. Even if a rootkit is removed while the device is powered on, it can still access data, simply reloading each time the device is turned off and back on.

How rootkits are installed

Cybercriminals have the sophisticated technical skills to bundle and install malicious code on a device. They initially use a dropper to import a rootkit onto a computer, then trigger a loader to install the malware in its memory. A number of access points can enable this to happen, including:

  • Using other malware. If a device already has a virus or other malware installed, rootkits can access the computer via this vulnerable entry point. This is especially common in devices where the user isn’t aware that a piece of malware is already operating.
  • Working through trusted software and content files. Malicious code can be installed onto otherwise trustworthy software, apps, or files like PDFs, making it easy for users to download a rootkit accidentally.
  • Opening links in messaging tools or web apps. When users click on a link on a social media app or within a file, rootkits can easily download and infect a device. This is why it’s vital to know exactly what a link is and where it goes before taking any action.

How to detect a rootkit

Although rootkits can be hard to detect, certain signs suggest the malware is operating on a device. These signs might include:

  • Repeated software malfunctions. If regularly used software or applications begin to slow down, close on their own, or change settings without action from a user, this could indicate the presence of malware.
  • Whole system crashes. Bootloader rootkits often cause devices to turn off on their own in an attempt to restart and load the rootkit when the device powers on.
  • Spontaneous antivirus deactivation. Hackers know that antivirus software scans for rootkits, so they always try to install something that evades or disables it. If this software continually closes without user action or repeatedly fails to scan, it’s possible that a rootkit is installed on the device.
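The signs above are behavioural. A more direct check builds on the property the article opens with: a rootkit hides its presence from the users listing processes. The following is an added example, not code from the article, of a Linux cross-view check: it compares what a readdir of /proc shows with what direct PID probing via kill(pid, 0) reports, and treats thread IDs and processes that exit mid-scan as the known false positives. It assumes Linux with a readable /proc and /proc/sys/kernel/pid_max; a rootkit that hooks both views would still evade it.

```python
"""Cross-view hidden-process check for Linux (added example)."""
import os
import re

PROC = "/proc"

def listed_pids(proc_dir=PROC):
    """View 1: what a process lister sees, i.e. a readdir of /proc."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}

def probe(pid):
    """View 2: True if kill(pid, 0) says the PID exists, ours or not."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists but belongs to another user
    return True

def tgid_of(pid, proc_dir=PROC):
    """Thread-group id from /proc/<pid>/status, or None if unreadable.
    Thread IDs answer kill() too but are never listed in /proc, so a
    Tgid different from the PID marks a thread, not a hidden process."""
    try:
        with open(f"{proc_dir}/{pid}/status") as f:
            m = re.search(r"^Tgid:\s*(\d+)", f.read(), re.M)
        return int(m.group(1)) if m else None
    except OSError:
        return None

def hidden_pids(listed, probed, tgid_lookup):
    """Pure comparison of the two views (testable on constructed data):
    alive, absent from the listing, and not merely a thread of a listed
    process. An unreadable status is still suspicious, so None counts."""
    return {pid for pid in probed - listed if tgid_lookup(pid) in (None, pid)}

def scan(proc_dir=PROC):
    with open(f"{proc_dir}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    probed = {pid for pid in range(1, max_pid + 1) if probe(pid)}
    # Listing is taken after probing so processes born meanwhile are listed, not flagged.
    listed = listed_pids(proc_dir)
    suspects = hidden_pids(listed, probed, lambda p: tgid_of(p, proc_dir))
    # Re-probe to drop processes that simply exited between the two views.
    return {pid for pid in suspects if probe(pid)}

if __name__ == "__main__":
    print(sorted(scan()) or "no hidden PIDs found")
```

Run it as root so PermissionError is not the common case; probing the full pid_max range takes a few seconds on a large pid_max.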

Best practices for preventing rootkits

Proactively finding ways to avoid malware is the best way to stay protected while using a device. A number of steps can be taken to lower the risk of rootkit installation, such as:

  • Regularly scanning devices. Installing and running antivirus software on at least a monthly basis detects any possible threats to a device and identifies any potentially corrupted files. These tools often have built-in cleaners that automatically remove any malicious code.
  • Never clicking on unknown links in emails or messages. Phishing attempts are becoming more common and harder to avoid. Always take care when receiving unexpected emails or messages that contain links. If possible, verify the sender before opening a message.
  • Running software and application updates. Developers are constantly working on updates and fixes for various software platforms. It’s important to install the latest versions, as many updates contain patches for previous bugs that gave hackers access to a device.

Keep your digital devices updated and protected from malicious code by monitoring access points with attack surface management software.

Holly Landis

Holly Landis is a freelance writer for G2. She also specializes in being a digital marketing consultant, focusing in on-page SEO, copy, and content writing. She works with SMEs and creative businesses that want to be more intentional with their digital strategies and grow organically on channels they own. As a Brit now living in the USA, you'll usually find her drinking copious amounts of tea in her cherished Anne Boleyn mug while watching endless reruns of Parks and Rec.
