What are Rootkits?
A rootkit is a covert computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term “rootkit” combines the words “root” and “kit”: on Unix and Linux operating systems the most privileged administrative account is called “root”, and the applications that grant unauthorized root or admin-level access to a device are known as the “kit”. A rootkit may appear as a single piece of software but is often composed of several tools that together let cyberattackers obtain administrative-level control over the device. Cyberattackers may install rootkits through phishing, social engineering attacks, exploitation of vulnerabilities, or malware delivered by infected PDFs, pirated software, or malicious apps. Once installed, a rootkit lets cyberattackers issue commands to the computer; it can also hide keyloggers, turn the targeted computer into a participant in a DDoS attack or a source of spam emails, and disable or remove security software. Types of rootkits include:
- Hardware or firmware rootkit. Hardware or firmware rootkits target the firmware on a device to install malware that evades detection. Cyberattackers can then log keystrokes and monitor online activity.
- Bootloader rootkit. Bootloader rootkits attack the legitimate bootloader, the mechanism responsible for loading the operating system on a computer, by replacing it with a tampered one that activates before the operating system is fully loaded.
- Kernel mode rootkits. Cyberattackers use kernel mode rootkits to target the core of the operating system, the kernel, giving them access to the files on the computer and the ability to change how the operating system behaves.
- Application rootkits. Application rootkits replace standard files on the computer with rootkit files that infect programs such as Microsoft Office, Paint, or Notepad. The infected programs continue to run normally, so cyberattackers regain access to the computer every time one of them is launched, and end users may find the infection difficult to detect.
- Virtual rootkits. Virtual rootkits load themselves beneath the computer’s operating system and then host that operating system as a virtual machine, which lets them intercept hardware calls made by the original operating system.
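Application rootkits work by swapping legitimate program files for modified ones, so a defender's first line of detection is a file-integrity baseline: hash every monitored file while the system is known-good, store the hashes somewhere the attacker cannot edit, and periodically re-hash and compare. The script below is an added example written for this page, not code from the original article. It uses constructed temporary files named after the programs mentioned above (`office`, `notepad`, `paint`) rather than real system binaries, and the function names (`build_baseline`, `check_against_baseline`, `demo`) are assumptions of this example.

```python
"""
File-integrity baseline check: a defender-side way to notice the binary
replacement that application rootkits rely on.

Added example, not code from the original page. It assumes the baseline is
built on a clean system and stored out of the attacker's reach (read-only
media or a remote store). Paths here are constructed temporary files.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record path -> SHA-256 for every monitored file (run on a clean system)."""
    return {p: sha256_of_file(p) for p in paths}


def check_against_baseline(baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each monitored path as unchanged, modified, or missing."""
    result: Dict[str, List[str]] = {"unchanged": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            result["missing"].append(path)
        elif sha256_of_file(path) != expected:
            result["modified"].append(path)
        else:
            result["unchanged"].append(path)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a baseline, then simulate a replaced 'notepad' and a deleted 'paint'."""
    workdir = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        # Constructed stand-ins for the monitored program files.
        contents = {"office": b"office v1\n", "notepad": b"notepad v1\n", "paint": b"paint v1\n"}
        paths = {}
        for name, data in contents.items():
            p = os.path.join(workdir, name)
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p

        baseline = build_baseline(list(paths.values()))
        # In practice persist this where the attacker cannot modify it; kept inline here.
        baseline_json = json.dumps(baseline)

        # Simulate the tampering an application rootkit performs: one file
        # replaced with a modified copy, one file removed.
        with open(paths["notepad"], "wb") as f:
            f.write(b"notepad v1 + injected code\n")
        os.remove(paths["paint"])

        report = check_against_baseline(json.loads(baseline_json))
        # Report basenames so the output is readable and independent of the temp dir.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This check catches replacement at the application level; it does not defeat a kernel mode or firmware rootkit, which can intercept the read calls the hashing tool makes and return the original bytes. For those layers the comparison has to be made from outside the running system, for example by hashing the disk from trusted boot media or comparing against a measurement taken by firmware that the rootkit cannot control.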
The following are possible signs of a rootkit presence:
- Slow device performance
- Unusual web browser behavior
- Blue screen
- Windows settings change without permission
- Web pages not functioning properly
Prevent rootkits by using a comprehensive cybersecurity solution, keeping software up to date, staying alert to phishing techniques, downloading only from trusted sources, and watching the computer’s performance for any unexpected or unusual behavior.