While the term rootkit may sound like a math solving rule or even a gardening tool, it’s neither of those things. A rootkit can be quite dangerous to the personal information on your device, and it usually serves cybercriminals. Here is a brief rootkit definition in computing terms — rootkits are a kind of malware that can give a threat actor control of your computer without your consent or knowledge.
What is a rootkit? Rootkit definition
The term rootkit is a combination of the words "root" and "kit." "Root," "admin," "superuser," and "system admin" are all interchangeable terms for a user account with full administrative privileges on an operating system. Meanwhile, "kit" means a package of software tools. So, a rootkit is a set of tools that gives someone the highest privileges in a system.
Rootkits are particularly dangerous because they are designed to hide their presence on your device. A threat actor who has gotten a rootkit onto your machine (often via phishing email) can remotely access and control it. Because they enable root-level access, rootkits can be used to do things like deactivate your antivirus software, spy on your activity, steal sensitive data, or execute other malware on the device.
Is rootkit a virus?
Contrary to popular perception, a rootkit is not a virus — it’s malware. Admittedly, that may sound confusing. A virus is just one type of malware, and while a virus only corrupts data, a rootkit is far more advanced. Thankfully, modern antivirus software that leverages cutting-edge security techniques such as behavioral heuristics can remediate different types of malware, from viruses and worms to ransomware, Trojans, and even some rootkits.
Why are rootkits so dangerous?
- They’re sneaky: Rootkit infections can spread through deceptive threat vectors like corrupt downloads, spam emails, and exploit kits. Some rootkits even rely on Trojans like Perkiler malware to breach a system’s security.
- They’re stealthy: Unlike other types of malware, a deeply concealed rootkit will not display many symptoms. It may even bypass your security software, making it challenging to remediate. Some rootkits can only be removed by formatting your storage drive and reinstalling your operating system.
- They’re capable: A few experts call rootkits the Swiss Army Knives of malware because they have multiple capabilities. Some rootkit tools can steal login credentials and financial data, disable security protocols, log keystrokes, and more. Other rootkits can allow a hacker to gain backdoor access to a system and drop more malware. With the right rootkit, a hacker can turn a system into a bot to form a botnet in order to start DDoS (Distributed Denial of Service) attacks against websites.
Types of rootkits
As soon as you turn on a computer, its bootloader loads the operating system. A bootloader rootkit infiltrates this mechanism, infecting your computer with the malware before the operating system is ready to use. Bootloader rootkits are less of a menace nowadays thanks to security features like Secure Boot.
Firmware is a type of software that provides rudimentary control over the piece of hardware it's written for. All types of devices, from mobile phones to washing machines, can have firmware. A firmware rootkit is challenging to find because it hides in firmware, where cybersecurity tools usually don’t look for malware.
Your operating system's kernel is a bit like its nervous system. It's a critical layer that assists with essential functions. A kernel rootkit can be catastrophic because it attacks a core component of your computer and gives a threat actor significant control over a system.
Memory rootkits reside in your computer's RAM and can slow down your machine while performing malicious tasks. You can usually clear a memory rootkit by restarting your computer, as a simple restart clears your machine’s memory of all processes.
An application rootkit may modify your regular files with rootkit code, giving the rootkit’s author access to your machine every time you run the infected files. However, this type of malware is easier to spot because files carrying such rootkits can behave atypically. In addition, your security tools have a better chance of identifying them.
What are rootkit attacks?
A rootkit attack is an attack where a threat actor uses a rootkit against your system. As mentioned above, rootkits can spread through infected downloads like mobile phone apps. More targeted rootkit attacks use social engineering like phishing emails as an attack vector.
Some sophisticated rootkit attacks are harder to execute. For example, a threat actor may need to use an infected drive to install a bootloader rootkit on your operating system.
How are rootkits detected and removed?
Rootkits aren’t easy to detect because of their secretive nature. In addition, some rootkits can bypass cybersecurity software. Still, there are some symptoms a rootkit may present:
#1 System crashes: A rootkit that infects your computer's bootloader, hard drive, BIOS, or applications may cause software conflicts that crash the system.
#2 Software malfunctions: Are you noticing slowdowns, mysterious settings changes, or web browser malfunctions? A rootkit can be responsible for such issues.
#3 Antivirus crash: Should your antivirus deactivate without cause, try an anti-rootkit scan to search for malware. Afterwards, reinstall your cybersecurity software.
How to stop rootkit malware from infecting your system
It's important to proactively protect your devices against all types of malware, and rootkit malware is a particularly serious type of threat. From our Malwarebytes Labs' article on how to prevent a rootkit attack on your computer or mobile device, here are steps you can take to stay safe:
- Scan your systems: Use an advanced threat scanner like the one in Malwarebytes Premium to regularly scan your devices for threats. Our article has even more in-depth advice on scanning for rootkits in various ways, but having regular malware scans is a good place to start.
- Be careful of phishing attempts: Be careful what you click on and download. Email phishing attacks have gotten very sophisticated, and a phishing attempt might look nearly identical to a legitimate email from someone you trust, like your bank or favorite retailer. Always check the sender's email address to be sure it's from a legitimate domain (e.g. a PayPal email comes from paypal.com), and if you have any concerns an email might be a phishing attempt, you can forward it to the purported sender for them to take a look. Be cautious of links that come via text message from unknown numbers as well.
- Update your software: Software updates sometimes come at inopportune times, when you're in the middle of something else, but software developers send them out for good reason. Many updates include security fixes for issues the developer has found, so you don't want to wait to put those in place. It's best to update your software whenever you get a notification to do so.
- Use advanced antivirus/anti-malware: Advanced antivirus and anti-malware protection like Malwarebytes Premium utilizes a number of different methods to detect and block threats from getting onto your devices. This is a key step to protecting against various threats and types of malware.