A rootkit is a software system that consists of a program or combination of several programs designed to hide or obscure the fact that a computer system has been compromised. Contrary to what its name implies a rootkit does not grant you administrator access as it requires prior access to execute and tamper with security files and processes.
A hacker may attempt to use a rootkit to replace vital system executables which may then be used to hide processes and files the hacker has installed along with the presence of the rootkit. A rootkit is intended to seize control of the operating system. Typically rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms.
Often they are Trojans as well thus fooling users into believing they are safe to run on their systems. Rootkits may also install a “backdoor” in a system by replacing the login mechanism with an executable that accepts a secret login combination which in turn allows an attacker to access the system regardless of changes to the actual accounts on the system.
Fundamentally, rootkits let an otherwise standard user perform tasks requiring admin rights, including but not limited to installing all sorts of software applications onto the targeted computer. Due to their stealthy nature, Rootkits are not only able to conceal their presence on the PC, but also draw a veil over any program installed with their help. These functionalities turn Rootkits into an effective means of smuggling malicious software into computer systems. The implications may vary from simple eavesdropping or monitoring to remote code execution and even ensnaring the host PC into a botnet.
Landing on the PC
While planting a Rootkit onto your PC may be child’s play for a hacker, the latter will have to acquire administrator rights if he/she wants actually to install the rootkit. To gain privileged access, the attacker will need to take advantage of existing software vulnerabilities. Should this fail to yield any results, he/she may try to take possession of your administrator password, either by launching a brute force attack or by deploying some social engineering tricks, say, phishing techniques. Should the attack bear fruit, the intruder will be able to manage your entire PC system. That includes breaking down all barriers to a Rootkit installation, too.
In spite of their secretive nature, Rootkits still leave a trail of footprints indicative of such an infection. So, whenever your system experiences
- anti-malware program crashes
- abnormally high network traffic in idle mode
- sudden changes in your OS settings or
- freezing USB input devices, there is ample room for concern for an ongoing Rootkit infection.
Once a Rootkit has infiltrated your PC, it is likely to remain firmly planted on it. Moreover, it has quite a good chance of lingering on for weeks, months, or even years on end because Rootkits are inherently hard to detect. They may be configured to target various parts of a computer system. While some may affect system memory, others could attack the firmware. Still others may reach as far as the kernel itself. Each Rootkit type requires a different detection technique and is subject to a different removal procedure. What is more, the Rootkit itself may — and most probably will — impede detection by subverting the anti-virus software designed to catch it (yes, Rootkits are capable of doing that). Last but not least, Rootkits can be configured to not only pave the way for backdoor attacks but also conceal the malware’s existence subsequently.
Rootkits’ dogged persistence and robust self-defense mechanisms may turn pretty much any removal attempt into a somewhat arduous task. Nevertheless, removing a Rootkit is possible, as long as you employ the right method. The table below outlines the three main Rootkit types and their corresponding removal methods:
|Rootkit Type||Removal Method|
|Memory Rootkits||Signature scan and memory dump analysis|
|Kernel Rootkits||New clean OS installation|
|Firmware Rootkits||Hardware replacement|
Memory-embedded Rootkits are best identifiable via the so-called memory dump — a process which examines the system’s memory contents for any system problems and errors. It provides a detailed snapshot of the computer’s state before any crashes or failures. Kernel Rootkits, on the other hand, get to the very heart of the operating system by modifying the kernel. As a result, they become an integral part of the OS, load in parallel with the OS during startup, and are fully capable of curbing any system call, process, or data that may expose them to the user. Finally, firmware-tailored Rootkits may go as far as damage your main hardware and peripheral equipment beyond repair, forcing you into shelling out good money on replacements.
Also, many anti-malware program vendors have already integrated specialized Rootkit scanners into their software solutions. For the time being, however, security researchers cling to the idea that the best way to neutralize a Rootkit infection is to install a clean OS image.
How Can You Detect Rootkits? Check for Rootkits with SpyHunter!
SpyHunter is a powerful malware remediation and protection tool designed to help provide users with in-depth system security analysis, detection and removal of a wide range of threats like Rootkits as well as a one-on-one tech support service.
There are currently 86 articles listed on rootkits.
|Name||Threat Level||Detection Count||Date|
|BackDoor-Spyeye!rootkit||February 15, 2010|
|BDS/ZAccess.AL||20 % (Normal)||0||October 25, 2012|
|BDS/ZAccess.V||20 % (Normal)||4,637||August 23, 2012|
|Crisis||20 % (Normal)||0||August 22, 2012|
|Facefish Backdoor||June 1, 2021|
|FontOnLake Malware||October 8, 2021|
|Gen.Rootkit||December 9, 2010|
|Generic Rootkit.ej||March 2, 2010|
|Generic Rootkit.g||60 % (Medium)||0||August 12, 2009|
|Hack Tool.HOC||October 1, 2010|
|iLOBleed Rootkit||December 31, 2021|
|LoJax||October 8, 2018|
|Mal/ZAccess-D||100 % (High)||1||December 12, 2011|
|MBR:Alureon-K [Rtk]||December 2, 2011|
|MBR:Alureon-L||100 % (High)||0||December 20, 2012|
|Mebroot||March 18, 2015|
|Moriya Rootkit||May 7, 2021|
|MosaicRegressor||October 6, 2020|
|NTOSKRNL-HOOK||July 22, 2009|
|Perkiler Malware Description||March 27, 2021|
|Phase Bot||80 % (High)||2||January 13, 2015|
|Podnuha!sd6||August 4, 2009|
|Rootkit TDSS.d||80 % (High)||2||August 23, 2011|
|Rootkit Win32.tdss.mbr||November 10, 2010|
|Rootkit.0access.H||20 % (Normal)||0||March 7, 2012|