How Does Rootkit Work?

A rootkit is a collection of computer software, typically malicious, that is designed to grant an unauthorized user access to a computer or certain programs. Once a rootkit is installed, it is easy to mask its presence, so an attacker can maintain privileged access while remaining undetected. Etymologically, “root” refers to the targeted admin account, and “kit” refers to the software components that implement the tool.

Rootkits grant attackers full control over a system, which means they can modify existing software at will—particularly the software designed to detect its presence. As a result, rootkit detection is difficult since the software responsible for detecting it is often usurped or blinded by an attack. Typically, the only visible symptoms are slower-than-average system speeds and irregular network traffic. Unfortunately, with increasingly high-speed computers and high bandwidth networks, it can become easy for users or administrators to not notice the additional CPU or network activity.

How do rootkits work?

Rootkits work by using a process called modification—the changing of user account permissions and security. Usually this is a process only granted by a computer administrator. While modification is often used in computing to make positive changes that seek to improve systems, attackers wanting full control will use modification to grant themselves unlimited access so they can cause damage. Additionally, attackers tend to use clandestine methods of infection since rootkits are not designed to spread by themselves.

What’s more, an attacker can install a rootkit once they’ve obtained root or administrator access. Attackers can gain this access through the exploitation of known vulnerabilities, such as privilege escalation, or by obtaining private passwords via phishing. Alarmingly, this process can sometimes be automated.

Is rootkit a malware?

Technically speaking, rootkits are not malware themselves, but rather a process used to deploy malware on a target. However, the term does carry a negative connotation since it is so often referenced in relation to cyberattacks. The way rootkits work is ultimately similar to malware— they run without restrictions on a target computer, go undetected by security products and IT administrators, and work to steal something from the targeted computer. Clearly, rootkits threaten customer security, and must be prevented and addressed.

What are the types of rootkit?

There are different types of rootkits, and they are classified by the way they infect a targeted system. Here are the most commonly used ones:

  • Kernel mode rootkit: These are designed to change the functionality of an operating system by inserting malware onto the kernel—the central part of an operating system that controls operations between hardware and applications. Although kernel mode rootkits can be difficult to deploy because they cause systems to crash if the attacker’s code fails, they pose big threats since kernels have the highest levels of privileges within a system.
  • User mode rootkit: These rootkits are executed by acting as ordinary user programs. They are sometimes referred to as an application rootkit since they operate where applications typically run. They tend to be easier to deploy but often pose less damage than kernel rootkits.
  • Bootkits: These extend the abilities of traditional rootkits by infecting the master boot record—small programs that are activated during a system startup. This makes them more persistent forms of attacks since the bootkits will run when a system turns on after a defensive reset. What’s more, they will remain active in a system’s memory where IT teams do not regularly scan.
  • Firmware rootkits: These take advantage of software embedded in a system’s firmware—routers, network cards, hard drives—which can allow a rootkit to remain hidden for longer since these devices are not typically inspected for code integrity.

Why is a rootkit used?

Attackers will use rootkits for many purposes, but most commonly they will be utilized to improve stealth capabilities in malware. Increased stealth can ensure that malicious payloads remain undetected while they exfiltrate or destroy data from a network. It is also fairly common for rootkits to be used to help unauthorized users gain backdoor access into systems. Rootkits achieve this by subverting login mechanisms to accept secret login access for an attacker.

What’s more, rootkits can be deployed to compromise a computer so an attacker can use it as bot for a distributed-denial-of-service (DDoS) attack. In these cases, if a DDoS is detected and traced, it will lead the victim to the compromised computer instead of the attacker’s. These compromised computers are often referred to as “zombie computers” and in addition to being used in DDoS attacks, they can be deployed in click fraud efforts or spam distribution.

There are occasions where rootkits can be employed by administrators for good uses, but it is not quite as common. Occasionally, IT teams will run rootkits in a honeypot to detect attacks, to enhance their emulation and security software, or to improve device anti-theft protection. However, more often than not, rootkits will be used externally and against a system, so it’s important for managed services providers (MSPs) to know how to detect and defend their customers against them.

How to detect a rootkit 

Because there aren’t many commercial rootkit removal tools available that can locate and remove rootkits, the removal process can be complicated, sometimes even impossible. This is especially true in cases where the root resides in the kernel. Reinstallation of an operating system is sometimes the only viable solution to the problem. In the case of firmware rootkits, removal may require hardware replacement or specialized equipment.

One of the best methods MSPs can utilize for their customers is a rootkit scan. Rootkit scans must be operated by a separate clean system when an infected computer is powered down. The scan will look for signatures left by hackers and can identify if there has been any foul play on the network.

Additionally, a memory dump analysis can be an effective strategy in detecting rootkits, especially considering that bootkits latch onto a system’s memory to operate. If there is a rootkit in your customer’s network, it won’t be hidden if it is executing commands from memory, and MSPs will be able to see the instructions it is sending out.

Another reliable method of detecting rootkits is behavioral analysis. Rather than looking for a rootkit directly by searching memory or playing a game of cat and mouse with attack signatures, you can look for rootkit symptoms in a system—slow operating speeds, odd network traffic, or other common deviant patterns of behavior.

A highly advisable strategy MSPs can deploy in customers’ systems is the principle of least privilege (PoLP). This is when a system restricts every module on a network so it can only gain access to the information and resources that are necessary for its specific purpose. Not only does this ensure tighter security between the arms of a network, it also prevents unauthorized users from installing malicious software to network kernels, thereby preventing rootkits from breaking in.

Luckily, rootkit attacks are generally in decline as OS security systems continue to improve endpoint defenses and more CPUs utilize built-in kernel protection modes. But they still exist, and MSPs must know how to prevent rootkits and stop breaches that may be harming their customers’ IT infrastructures.

Read about other outsider threats that could impact your systems and networks in our Security Resource Center.

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

If this issue persists, please visit our Contact Sales page for local phone numbers.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site