What Is a Rootkit and How Do You Detect One?

By Fortra's Digital Defense

Rootkits – When Bad Turns to Ugly

Few words strike more fear into the heart of IT administrators than rootkit. Once a rootkit has been discovered, it’s usually a strong indicator that one or more systems on a network have been compromised and that any data stored on those systems is now suspect or, even worse, has been captured by the rootkit attacker to be released “into the wild” of the Internet using Pastebin or similar anonymous data-posting sites. But before you become too alarmed, let’s delve a little deeper into what a rootkit is, how systems become infected with rootkits, and what you can do to prevent rootkit infection.


What Is A Rootkit?

According to TechTarget, a rootkit is:

“A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. While there have been legitimate uses for this type of software, such as to provide remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software, such as viruses, ransomware, keylogger programs or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by endpoint antivirus software.”

As the definition above shows, the term rootkit can mean a number of things. A rootkit can enable an attacker to do numerous malicious things, from logging keystrokes to capture passwords and other sensitive information, all the way to giving the attacker full control over a system. Rootkits can install other malicious programs on your operating system that disable anti-virus/anti-malware software, take screenshots while the user has certain programs open, and even let the attacker infect other processes that the compromised operating system has privileged access to and then “pivot” off that host to attack other, uninfected systems.


Types of Rootkits

Rootkits can contain a wide range of tools that allow a hacker to steal your passwords, making it easy for them to steal your credit card and bank account information. Rootkits range from low-level firmware attacks to high-privilege operations. Rootkits also give hackers the ability to disable security software and to track the keys tapped on your keyboard. Because rootkits hijack security software, they are hard to detect. This makes a rootkit more likely to live on your computer for a long period of time, causing long-term damage.

There are five common types of rootkits:


  • Hardware or Firmware Rootkits: This malware type can infect your computer’s hard drive or its system BIOS. It can also infect your router and intercept data written to your disk.
  • Bootloader Rootkit: This attack replaces your system’s bootloader with a hacked version, so the rootkit can be activated before your operating system is even running.
  • Memory Rootkit: This malware lives in a computer’s random access memory (RAM). Fortunately, these rootkits persist only in RAM and are gone once you reboot the system.
  • User Mode Rootkits: These rootkits can infect computer programs such as Word, Paint, Notepad, and more. Every time such a program is run, the hackers gain privileged access to the computer. The program itself still runs normally, which makes this type tough to detect.
  • Kernel Mode Rootkits: The computer’s operating system is the target of a kernel mode rootkit. Kernel mode rootkits can change how the operating system functions, giving them low-level access to issue commands. This makes it easy for hackers to steal data and personal information.



How Do You Detect a Rootkit?

It can be difficult to detect and remove rootkits. There is not a wide variety of commercially available products that can completely find and remove rootkits on a system. However, there are various ways users can look for a rootkit on an infected machine. These include:

  • Behavioral-based methods: Search for strange behavior that could point to a rootkit on your computer, such as slow operating speeds, odd network traffic, or other behavior patterns that are not normal for your machine.
  • Memory dump analysis: This is an effective way to detect rootkits that are hiding in a system’s memory. By analyzing the data from the memory dump, you should be able to locate the rootkit.
  • Signature scanning: Rootkit scans look for signatures left by hackers and identify whether there is any foul play on the network. They should be run from a separate, clean computer while the infected one is powered off.


How Do Systems Become Infected with Rootkits?

Computer systems can become infected with rootkits in a variety of ways. One of the most common is visiting a malicious website that exploits another vulnerability resident on the user’s computer and installs the rootkit. It can also happen if the user attaches an infected USB thumb drive or other media to the system, which exploits a known or unknown vulnerability and infects the system with the rootkit. Viruses and other malware play a part in the rootkit scenario as well: such malware often carries commands to download the rootkit from a remote source and install it on the user’s system.


From Humble Beginnings Comes a Nightmare

Years ago, before there was commercial software such as Microsoft Remote Desktop or even WebEx, computer scientists created their own rootkits as a means of controlling remote systems and working on items they could not work on locally. Fast forward to just a few years ago and you’ll find that rootkits were adopted by the hacking underground for more nefarious actions. Once rootkits were weaponized, the game was over. Unpatched computers around the globe became targets for rootkits overnight, and thus the use of rootkits for nefarious purposes was born.


Can I Stop a Rootkit From Infecting Me?

Yes, you can!

There are basic steps that every user can learn to protect themselves from becoming infected with a rootkit. Here are some rootkit detection and prevention examples.

  • Keep your system patched against vulnerabilities and threats. Pay close attention to advisories from software and hardware manufacturers and apply what they release to address issues as soon as possible. This helps ensure that the rootkit attacker won’t have an easy way to infect your device(s). Remember, though, that keeping your system up-to-date includes not only the operating systems you use but also the web browser, office automation software (word processing, spreadsheet, presentation) and other applications that may have patches available to protect you from rootkit infection.
  • Keep your anti-virus and anti-malware software up-to-date. This is one of the most crucial things you can do to ensure that a rootkit is not installed on your system. If your anti-virus and anti-malware software is not up to date, there is a chance that you’ll become infected with a rootkit that could even disable your protection mechanisms and take over your computer for nefarious use.
  • Be mindful of the websites that you visit. Many “bad” sites are set up to look for weaknesses in the user’s web browser and use them as an entryway to infect the user. Thankfully, many modern browsers (Microsoft Edge, Google Chrome, and Mozilla Firefox) have the resources to alert users when they travel to a site that is known to be bad. They do this by crowd-sourcing information about websites that may be hazardous to visit and making that information available to all users of the browser: an alert page warns the user that the site is known to be bad and that if they visit it they do so at their own risk.
  • On the application development side, make sure that your applications are tested for security issues before they go into a production setting. Primarily you want to be looking for SQL injection and buffer overflow issues. You can use penetration testing, automated code review, or both to detect and remove these issues before the application goes into production. These types of vulnerabilities could allow an attacker to compromise the system with administrator or “root” privileges, install a rootkit on it, and turn it into a system that could infect the computers of users who utilize the application for business or personal use.
  • Be cautious of the software that you download and install on your computer. Over time there have been many software packages that were compromised and had a rootkit added to them, so when you install the backdoored software you’re also installing the rootkit along with it. Always download from known-good application stores such as the Apple App Store and Google Play or from reputable sources that the Internet community as a whole feels confident in. While this is still not 100% protection, it goes a long way toward ensuring that your system does not become infected with a rootkit from compromised apps or other types of software. If you can, always check the MD5 or SHA256 sum to make sure what you downloaded has the same hash value as what the creator publishes on their website. If it doesn’t have the same value, DON’T INSTALL IT! It has potentially been tampered with. Even better, look for a PGP/GPG signature for the application on the creator’s website so you can validate the signing key used when the application was published.
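As an added illustration of the checksum step above (example code written for this page, not code from the original post or from Digital Defense), this Python script parses a publisher’s SHA256SUMS-style list and verifies a download against it. The file name and file contents are constructed, and the hash algorithm is just a hashlib parameter so the same routine covers the MD5 case.

```python
import hashlib
import hmac
import os
import tempfile

def parse_checksum_file(text):
    """Parse '<hexdigest>  <filename>' lines, the format sha256sum/md5sum write.
    A leading '*' (binary-mode marker) on the filename is dropped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def file_digest(path, algo="sha256"):
    """Hash the file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_text, algo="sha256"):
    """True only if the file's digest matches the published entry for its basename.
    A missing entry is a failure, not a pass; compare_digest avoids timing leaks."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed example: a good download, then a one-byte-tampered copy."""
    # sha256("abc") is the standard test vector; the filename tool.bin is made up.
    sums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool.bin\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        ok = verify_download(path, sums)
        with open(path, "wb") as f:
            f.write(b"abd")  # altered in transit or on a compromised mirror
        tampered = verify_download(path, sums)
    return ok, tampered  # (True, False)
```

A hash match only proves the file equals what the publisher listed; if the checksum list itself came from the same possibly compromised site, the PGP/GPG signature check the post mentions is what ties it back to the publisher.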


What Can I Do If I Become Infected with a Rootkit?

So, say you’ve taken all of the precautions outlined in this article and you still become infected with a rootkit. What can you do? First off, all is not lost. Many times there are “clean up” tools made by anti-virus and anti-malware vendors that you can use to rid your system of the rootkit and its associated tool sets.

That said, there is always a chance that the “clean up” tool will not catch every rootkit. Why? Because, just like viruses and other types of malware, rootkits are always evolving so that they can circumvent the protection measures that users put in place on their computers.


So, what do you do at this point?

If you want to be absolutely sure that your system is “clean” and that the rootkit has been removed, then you will more than likely need to “scratch” the computer and wipe the drive of all of its contents. At this point you’ll need to reinstall the operating system and all of the applications that used to reside on the platform. Oh, and the files that you had on the system: consider them suspect as well, since some attackers use rootkits to implant other types of malware into files such as Word documents, spreadsheets and even presentations. So remember, if you re-import those files back onto your computer, you may inadvertently re-infect the system and then you’re back to square one.

If all else fails, call in a professional who deals with rootkits and similar issues so that they can guide you through the recovery process. Will it cost money? Yes. However, you’re also buying yourself peace of mind: when you use your computer, or, in a business setting, one of your users does, at least you know that the system is safe to use and won’t start the infection process all over again.


In Closing

While rootkits can be difficult to detect and can inflict damage on personal and commercial computers, it doesn’t have to be the end of the world. There are ways to manage systems to lower your risk and, in the case of infection, a myriad of ways to recover from rootkits. By putting the basic practices outlined in this post in place, you can reduce your risk and still use your computer without fear of compromise.




About Digital Defense

Our SaaS platform supports Fortra Vulnerability Management, Web Application Scanning, and Active Threat Sweep that together provide:

  • Asset discovery and tracking
  • OS and web application risk assessment
  • Targeted malware threat assessment
  • Machine learning features that leverage threat intelligence
  • Agentless & agent-based scanning
  • Penetration testing for networks, mobile applications, and web applications
  • Compliance management: one of the world’s longest-tenured PCI Approved Scanning Vendors

Our SaaS platform virtually eliminates false-positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality.

About the Author

Our Vulnerability Research Team consists of credentialed (Security+, Network+, CISSP) cybersecurity experts with decades of combined experience in research, analysis, and the discovery of unknown vulnerabilities. 
