Security

How Does Rootkit Work?

By SolarWinds MSP
10 July, 2019

A rootkit is a collection of computer software, typically malicious, that is designed to grant an unauthorized user access to a computer or certain programs. Once a rootkit is installed, it is easy to mask its presence, so an attacker can maintain privileged access while remaining undetected. Etymologically, “root” refers to the targeted admin account, and “kit” refers to the software components that implement the tool. 

Rootkits grant attackers full control over a system, which means they can modify existing software at will, particularly the software designed to detect their presence. As a result, rootkit detection is difficult, since the software responsible for detecting the rootkit is often usurped or blinded by the attack. Typically, the only visible symptoms are slower-than-average system speeds and irregular network traffic. Unfortunately, with increasingly high-speed computers and high-bandwidth networks, it is easy for users or administrators not to notice the additional CPU or network activity.

How do rootkits work?

Rootkits work through a process called modification: changing user account permissions and security settings, which is normally something only a computer administrator is allowed to do. Modification is often used legitimately to make positive changes that improve systems, but attackers wanting full control use it to grant themselves unlimited access so they can cause damage. Additionally, because rootkits are not designed to spread by themselves, attackers tend to use clandestine methods of infection.

An attacker can install a rootkit once they have obtained root or administrator access. Attackers can gain this access by exploiting known vulnerabilities, such as privilege escalation flaws, or by obtaining passwords through phishing. Alarmingly, this process can sometimes be automated.

Is a rootkit malware?

Technically speaking, rootkits are not malware themselves, but rather a process used to deploy malware on a target. However, the term carries a negative connotation since it is so often referenced in relation to cyberattacks. The way rootkits work is ultimately similar to malware: they run without restrictions on a target computer, go undetected by security products and IT administrators, and work to steal something from the targeted computer. Clearly, rootkits threaten customer security and must be prevented and addressed.


What are the types of rootkit?

There are different types of rootkits, and they are classified by the way they infect a targeted system. Here are the most commonly used ones:

  • Kernel mode rootkit: These are designed to change the functionality of an operating system by inserting malware into the kernel, the central part of an operating system that controls operations between hardware and applications. Although kernel mode rootkits can be difficult to deploy because they cause systems to crash if the attacker’s code fails, they pose big threats since the kernel has the highest level of privilege within a system.
  • User mode rootkit: These rootkits execute as ordinary user programs. They are sometimes referred to as application rootkits since they operate where applications typically run. They tend to be easier to deploy but often cause less damage than kernel rootkits.
  • Bootkits: These extend the abilities of traditional rootkits by infecting the master boot record, the small program that runs during system startup. This makes them a more persistent form of attack, since the bootkit runs whenever the system turns on, even after a defensive reset. What’s more, they remain active in a system’s memory, where IT teams do not regularly scan.
  • Firmware rootkits: These take advantage of software embedded in a system’s firmware (routers, network cards, hard drives), which can allow a rootkit to remain hidden for longer since these devices are not typically inspected for code integrity.

Why is a rootkit used?

Attackers will use rootkits for many purposes, but most commonly they will be utilized to improve stealth capabilities in malware. Increased stealth can ensure that malicious payloads remain undetected while they exfiltrate or destroy data from a network. It is also fairly common for rootkits to be used to help unauthorized users gain backdoor access into systems. Rootkits achieve this by subverting login mechanisms to accept secret login access for an attacker.  

What’s more, rootkits can be deployed to compromise a computer so an attacker can use it as a bot for a distributed denial-of-service (DDoS) attack. In these cases, if a DDoS is detected and traced, it will lead the victim to the compromised computer instead of the attacker’s. These compromised computers are often referred to as “zombie computers” and, in addition to being used in DDoS attacks, they can be deployed in click fraud efforts or spam distribution.

There are occasions where rootkits can be employed by administrators for good uses, but it is not quite as common. Occasionally, IT teams will run rootkits in a honeypot to detect attacks, to enhance their emulation and security software, or to improve device anti-theft protection. However, more often than not, rootkits will be used externally and against a system, so it’s important for managed services providers (MSPs) to know how to detect and defend their customers against them.

How to detect a rootkit 

Because there aren’t many commercial rootkit removal tools available that can locate and remove rootkits, the removal process can be complicated, sometimes even impossible. This is especially true in cases where the rootkit resides in the kernel. Reinstallation of the operating system is sometimes the only viable solution to the problem. In the case of firmware rootkits, removal may require hardware replacement or specialized equipment.

One of the best methods MSPs can use for their customers is a rootkit scan. A rootkit scan must be run from a separate, clean system while the infected computer is powered down, so the rootkit is not running and cannot interfere with the scan. The scan looks for signatures left by hackers and can identify whether there has been any foul play on the network.
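As an added illustration (not code from SolarWinds or from the original post), here is the core of such an offline scan in Python: hash every file on the suspect disk and compare the result against a manifest taken from a known-clean build of the same OS, reporting files that were modified, removed, or added. The directory layout, file names and the tampering in `demo()` are constructed for the example; a real scan would mount the suspect disk read-only on the clean system and point `verify_tree` at that mount.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the baseline manifest was produced from a known-clean copy of the
# same OS build and stored off the suspect machine, and the suspect disk is
# mounted read-only from a clean system, so nothing on it executes during the scan.


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record the hash of every regular file under root, keyed by POSIX path relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify_tree(root, manifest):
    """Compare a mounted (offline) tree against the baseline manifest.

    'modified' = same path, different content (e.g. a replaced system binary)
    'missing'  = a baseline file that is gone
    'added'    = a file not in the baseline (dropped tools, loaders, etc.)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario (toy files, not real system binaries): baseline a small
    bin/ tree, simulate a user-mode rootkit replacing ps, deleting netstat and
    dropping a new file, then rescan against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "bin"
        tree.mkdir()
        for name in ("ls", "ps", "netstat"):
            (tree / name).write_bytes(b"original " + name.encode())
        manifest = build_manifest(tmp)          # taken while the tree is clean
        (tree / "ps").write_bytes(b"trojaned ps")   # replaced binary
        (tree / "netstat").unlink()                 # removed tool
        (tree / "newtool").write_bytes(b"dropped")  # unexpected addition
        return verify_tree(tmp, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the system that produced it and the place it was stored: keep it on the clean scanning host (or signed on removable media), never on the machine being examined, and regenerate it for each OS build or patch level so legitimate updates do not show up as tampering.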

Additionally, a memory dump analysis can be an effective strategy in detecting rootkits, especially considering that bootkits latch onto a system’s memory to operate. If there is a rootkit in your customer’s network, it won’t be hidden if it is executing commands from memory, and MSPs will be able to see the instructions it is sending out. 
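The principle that memory-analysis tools lean on is cross-view detection: take two independent views of the same thing and treat any disagreement as suspicious. The following added Python example (not from the original post) applies it to the live process list on Linux, comparing a directory listing of `/proc` (what `ps` relies on) with what the kernel answers when asked about each PID directly via `kill(pid, 0)`; a process present in the second view but absent from the first is either short-lived or hidden. The `/proc` layout, the `Tgid` field in `/proc/<pid>/status` and the `kill` semantics are Linux-specific assumptions. A kernel-mode rootkit that falsifies both views defeats a live check like this, which is why the page recommends scanning from a separate clean system.

```python
import os

# Assumptions: Linux with a standard procfs; run as root for full coverage.
# Thread IDs also answer kill(tid, 0) but are not listed at the top of /proc,
# so they are filtered out by checking Tgid in /proc/<id>/status.


def pids_from_listing(proc="/proc"):
    """View 1: PIDs present in a directory listing of /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_probe(max_pid=None):
    """View 2: PIDs that exist according to kill(pid, 0).
    EPERM (PermissionError) still means the process exists."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def tgid_from_procfs(pid):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def cross_view_diff(listed, probed, tgid_of):
    """PIDs the kernel confirms but the listing omits.

    A thread (Tgid != pid) is expected to be absent from the listing and is
    skipped. Anything else is either a process that exited between the two
    views (re-run to confirm) or a process something is hiding."""
    hidden = []
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            continue
        hidden.append(pid)
    return hidden


def scan():
    """Take both views twice and report only PIDs flagged on both passes,
    which removes processes that simply started or exited mid-scan."""
    first = cross_view_diff(pids_from_listing(), pids_from_probe(), tgid_from_procfs)
    second = cross_view_diff(pids_from_listing(), pids_from_probe(), tgid_from_procfs)
    return sorted(set(first) & set(second))


if __name__ == "__main__":
    print("suspicious PIDs:", scan())
```

Probing every PID up to `pid_max` (several million on current kernels) takes a few seconds, which is acceptable for an on-demand check. An empty result is not proof of a clean system; it only means the two views agreed.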

Another reliable method of detecting rootkits is behavioral analysis. Rather than looking for a rootkit directly by searching memory or playing a game of cat and mouse with attack signatures, you can look for rootkit symptoms in a system—slow operating speeds, odd network traffic, or other common deviant patterns of behavior.  
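“Odd network traffic” can be turned into a concrete behavioral check. The added Python example below (not from the original post) looks for beaconing: a hidden component that phones home on a timer produces outbound connections with near-identical spacing, so the coefficient of variation of the gaps between connections to a given destination sits close to zero, while human-driven traffic is bursty. The connection records and both destination addresses (RFC 5737 documentation ranges) are constructed for the example; in practice the input would be firewall or flow-log records.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connections as (unix_time_seconds, destination).
# 198.51.100.7 is contacted every ~60 s with small jitter (a beacon pattern);
# 203.0.113.10 is contacted at irregular, human-looking times.
SAMPLE_CONNECTIONS = [
    (0, "198.51.100.7"), (59, "198.51.100.7"), (120, "198.51.100.7"),
    (180, "198.51.100.7"), (238, "198.51.100.7"), (300, "198.51.100.7"),
    (360, "198.51.100.7"), (419, "198.51.100.7"), (480, "198.51.100.7"),
    (540, "198.51.100.7"),
    (0, "203.0.113.10"), (5, "203.0.113.10"), (7, "203.0.113.10"),
    (90, "203.0.113.10"), (95, "203.0.113.10"), (400, "203.0.113.10"),
    (402, "203.0.113.10"), (1000, "203.0.113.10"),
]


def timestamps_by_destination(connections):
    """Group connection times per destination, sorted ascending."""
    grouped = defaultdict(list)
    for ts, dst in connections:
        grouped[dst].append(ts)
    return {dst: sorted(ts) for dst, ts in grouped.items()}


def regularity(timestamps):
    """Coefficient of variation (stddev / mean) of the gaps between successive
    connections. Near 0 means metronomic spacing; None if too few events."""
    if len(timestamps) < 4:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(connections, min_events=6, max_cv=0.15):
    """Destinations contacted at least min_events times whose gap CV is at most
    max_cv. Returns {destination: cv rounded to 3 places}."""
    flagged = {}
    for dst, ts in timestamps_by_destination(connections).items():
        cv = regularity(ts)
        if cv is not None and len(ts) >= min_events and cv <= max_cv:
            flagged[dst] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    print(find_beacons(SAMPLE_CONNECTIONS))
```

Legitimate software also polls on timers (update checks, monitoring agents), so the output is a list of destinations to review against an allow list rather than a verdict; the thresholds `min_events` and `max_cv` are starting points to tune against a customer’s own baseline.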

A highly advisable strategy MSPs can deploy in customers’ systems is the principle of least privilege (PoLP). This is when a system restricts every module on a network so it can only gain access to the information and resources that are necessary for its specific purpose. Not only does this ensure tighter security between the arms of a network, it also prevents unauthorized users from installing malicious software to network kernels, thereby preventing rootkits from breaking in. 

Luckily, rootkit attacks are generally in decline as OS security systems continue to improve endpoint defenses and more CPUs utilize built-in kernel protection modes. But they still exist, and MSPs must know how to prevent rootkits and stop breaches that may be harming their customers’ IT infrastructures. 

Read about other outsider threats that could impact your systems and networks in our Security Resource Center.
