What is a rootkit?



It’s not a virus. It’s not a worm and it’s not a trojan. Nor is it spyware and – despite what imagery the name might evoke – it’s definitely not a piece of agricultural machinery. So then, what exactly is a rootkit?

While being closely associated with malware, rootkits are not inherently malicious. However, their ability to manipulate a computer’s operating system and provide remote users with administrator access has – unsurprisingly – made them popular tools among cybercriminals.

Read on to learn more about what rootkits are, find out how they work and what you can do to protect your system against this long-standing cyber threat.

The definition of a rootkit

The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that gives someone – with legitimate or malicious intentions – privileged access to a computer.

Because it is able to make changes at the most fundamental level, a rootkit is able to conceal itself, execute files, make changes to a system and track its use without the original owner even being aware of its presence.

Historically, rootkits were confined to the world of Unix and Linux, but eventually made their way over to the Windows operating system, starting with NTRootkit, a tool targeting Windows NT that was first spotted back in 1999. Since then, rootkits have rapidly grown in popularity on Windows and today are a common, stubborn blight on the digital world.

How do rootkits work?


Rootkits are unable to spread by themselves and instead rely on clandestine tactics to infect your computer. They typically disseminate by hiding themselves in devious software that may appear to be legitimate and could actually be functional. However, when you grant the software permission to be installed on your system, the rootkit quietly sneaks inside where it may lay dormant until the hacker activates it. Rootkits are notoriously difficult to detect and remove due to their ability to conceal themselves from users, administrators and many types of security products. Simply put, once a system is compromised with a rootkit, the potential for malicious activity is high.

Other common infection vectors include email phishing scams, downloads from dodgy websites and connecting to compromised shared drives. It’s important to note that rootkits don’t always require you to run an executable – sometimes something as simple as opening a malicious PDF or Word document is enough to unleash a rootkit.

There are four main types of rootkits:

1. Kernel rootkits

Kernel rootkits are engineered to change the functionality of your operating system. These types of rootkits usually add their own code (and sometimes their own data structures) to parts of the operating system core (known as the kernel). Creating an effective kernel rootkit is fairly complex and, if implemented incorrectly, can have a noticeable impact on system performance. The good news is that most kernel rootkits are easier to detect than other types for rootkits.

SmartService is an excellent example of a kernel rootkit. Rising to prominence mid way through 2017, SmartService prevents you from launching many antivirus products, thereby essentially acting as a bodyguard for adware and trojan infections that may already existing on the machine.

2. User mode rootkits

User mode rootkits are either started as a program in the normal manner during system startup, or injected into the system by a dropper. There are many possible methods and depend heavily on the operating system used. While Windows rootkits tend to focus on manipulating the basic functionality of Windows DLL files, in Unix systems it’s common for an entire application to be completely replaced.

User mode rootkits are very popular in financial malware these days. One of the most copied financial malware named Carberp includes this technique and also had its source codes leaked several years ago, so its user mode rootkit component has been recycled over and over again and can be found in many financial malware families to this day.

3. Bootloader rootkits

Bootloader rootkits or bootkits target the building blocks of your computer by infecting the Master Boot Record (a fundamental sector that instructs your computer how to load the operating system). These types of rootkits are particularly tricky to exterminate because, if the bootloader has injected code into the MBR, removing it could damage your computer.

Modern operating systems like Windows 8 and 10 have become almost completely immune to these types of rootkits due to the introduction of Secure Boot. As a result, bootkits are almost extinct. The most prominent bootkit family has to be the Alureon/TDL-4 family that was active from 2007 to 2012. During its lifetime the Alureon malware protected by its bootkit component managed to become the second most active botnet before its creators were arrested at the end of 2011.

4. Memory rootkits

These types of rootkits exist in your computer’s memory (RAM). Unlike other types of rootkits that may stow away on your computer for years and years without your knowledge, memory rootkits are lost when you reboot your computer due to the fact that the contents of your RAM resets on startup.

Although there are many different types of rootkits, most are designed with the same task in mind: eliminating traces of itself (or accompanying software) in the operating system. They can do this in any number of ways. For example, Windows has a built-in function responsible for listing the contents of folders. A rootkit could modify this basic function (API) so that the name of the file containing the rootkit is never displayed, which would make the file suddenly become invisible to the normal user. Through manipulation of other Windows APIs, not only files and folders can be hidden, but also active programs, open network communication ports that are being used, or registry keys. Of course, these are only a few of many camouflage measures used by rootkits.

Should rootkits be considered malware?


As we touched on earlier, rootkits are commonly used by malware distributors, but does that make them malicious in and of themselves?

In a word: No. Rootkits are not inherently dangerous. Their only purpose is to hide software and the traces left behind in the operating system. Whether or not the software being hidden is a legitimate or malicious program is another story.

There have been many examples of legitimate rootkits over the years, with one of the most famous cases being that of Sony BMG’s CD copy protection system. In 2005, Windows specialist Mark Russinovich discovered that simply using a Sony BMG CD protected with this system caused a piece of software to be automatically installed, without the approval of the user, which did not appear in the process list and could not be uninstalled (i.e. it hid itself from the user). This copy protection software was originally intended to prevent a music CD purchaser from reading the audio data in any manner and then possibly illegally redistributing it.

While they may have legitimate applications, it has to be said that cybercriminals are the ones who have benefited the most from leveraging the power of rootkits. Because rootkits can be used to hide running processes, files and storage folders, hackers often use them to conceal malicious software from users and make it more difficult for antivirus products to detect and remove the offending programs. Rootkits are also commonly used for keyloggers, as they can sit between your operating system and your computer’s hardware and keep tabs on every single key you press. In addition, hackers have used rootkits to create enormous botnets comprised of millions of machines, which they put to work harvesting cryptocurrency, launching massive DDoS attacks and carrying out other illegal campaigns on a huge scale.

How Emsisoft combats rootkits

Signature-reliant antivirus products struggle to detect rootkits. Many rootkits are more than capable of hiding from virus scanners and other disinfection systems, making it all but impossible for some antivirus software to analyze and deal with the corresponding signatures.

Thankfully, Emsisoft Anti-Malware operates on a different principle. Rather than relying on identifying a matching signature, Emsisoft Anti-Malware’s Behavior Blocker is able to recognize malicious attempts to gain access to relevant system functions and stop the offending program before it can make any changes to the system.

This innovative approach to fight rootkits and malware enables Emsisoft Anti-Malware to detect and block all types of digital attacks, including threats it has never encountered before.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have a great (malware-free) day!



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next