Rootkit

Published Aug 11, 2023

A rootkit is a program, or a collection of software tools, that covertly gives an attacker remote, privileged access to a targeted computer or system. The term “rootkit” comes from Unix-based operating systems, such as Linux, where the most privileged account is called “root”. The tools that provide unauthorized access to the device at the root or administrator level make up the “kit”.

Malicious Effects of Rootkit

Rootkits are built to hide: they can conceal themselves within files, registry settings, or processes while stealing user information. A rootkit opens a backdoor on the victim’s system through which further malicious software is introduced, including viruses, ransomware, keyloggers, other malware, and tooling the attacker can turn against the surrounding network. Rootkits also try to keep that malware from being detected by disabling endpoint antimalware and antivirus software. While most rootkits target software and the operating system, some can also infiltrate a computer’s hardware and firmware.

Types of Rootkit

Rootkits fall into different categories based on where they operate and how long they persist on a system. The following are the most well-known types, but there are more variations:

  • Kernel mode rootkit: Runs with kernel privileges, manipulates critical system files, and can inject malicious code into the operating system’s kernel data structures.
  • User mode rootkit: Also known as an “application rootkit”, it replaces standard system files with rootkit files and may alter the way standard programs work.
  • Firmware rootkit: Lives in device firmware, such as a router’s firmware or the system BIOS.
  • Bootloader rootkit: Also known as a “bootkit”, it replaces the legitimate bootloader with a corrupted version, compromising the computer’s boot process.
  • Memory rootkit: Conceals itself in the computer’s Random Access Memory (RAM) and abuses system resources to execute malicious activity unnoticed in the background. Because a memory rootkit resides only in RAM and writes no malicious code to disk, it disappears as soon as the system is rebooted.

Rootkit Installation Methods

Rootkits are delivered through the same channels as any other malicious software: email phishing campaigns, malicious executable files, malvertising, removable media such as USB drives, crafted malicious documents such as Microsoft Word files, connecting to shared drives that have been compromised, or downloading software infected with the rootkit from untrustworthy websites.

Probable Rootkit Symptoms

Identifying a rootkit without specialized tools is difficult, since many kinds of malware show similar destructive behavior. However, certain situations may indicate that a rootkit is present on the system. Some examples:

  • Difficulty detecting anything with standard tools.
  • Unexplained network activity.
  • Unusual system behavior.
  • Slow performance.
  • Security software that has been disabled.
  • Unexpected system modifications.
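One concrete way to look for the process hiding described above, added here as an example and not part of the original entry: compare two views of the same process table. The first is the `/proc` directory listing (what `ps` relies on); the second is the set of PIDs that answer `kill(pid, 0)`. A rootkit that filters only the directory listing leaves a gap between the two. The example assumes Linux; a kernel-mode rootkit that hooks both paths will not show up in it.

```python
import os

PROC = "/proc"  # Linux procfs; assumption: this script runs on Linux


def pids_from_listing(proc_root=PROC):
    """View 1: PIDs present in the /proc directory listing (what ps relies on)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_probe(max_pid=None):
    """View 2: PIDs that exist according to kill(pid, 0), which a rootkit
    that only filters directory listings does not affect."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0 checks existence, sends nothing
        except ProcessLookupError:   # ESRCH: no such process
            continue
        except PermissionError:      # EPERM: exists but belongs to another user
            pass
        alive.add(pid)
    return alive


def is_thread(pid, proc_root=PROC):
    """Thread IDs also answer kill(tid, 0) but are never listed at the top of
    /proc, so they must be excluded or every multithreaded process looks hidden.
    A thread's /proc/<tid>/status is reachable by path and reports a Tgid that
    differs from the tid. A missing status file is NOT treated as a thread:
    something that exists but cannot be opened by path is worth reporting."""
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except FileNotFoundError:
        pass
    return False


def hidden_pids(listed, probed, thread_check=is_thread):
    """PIDs alive by probing, absent from the listing, and not merely threads."""
    return sorted(pid for pid in probed - listed if not thread_check(pid))


if __name__ == "__main__":
    suspicious = hidden_pids(pids_from_listing(), pids_from_probe())
    print("hidden process candidates:", suspicious or "none")
```

Processes that start between the two snapshots appear as false positives, so repeat the check and only investigate PIDs that persist across runs.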

Rootkit Prevention

Precautions can be taken to keep a rootkit from infiltrating the system. A few of these measures include:

  • Keep the system and software updated.
  • Run security scans regularly.
  • Avoid clicking on suspicious links.
  • Refrain from installing unknown software from unreliable sources.
