{"id":3624,"date":"2011-11-02T12:35:32","date_gmt":"2011-11-02T12:35:32","guid":{"rendered":"https:\/\/www.techopedia.com\/definition\/rootkit\/"},"modified":"2023-10-16T13:11:15","modified_gmt":"2023-10-16T13:11:15","slug":"rootkit","status":"publish","type":"definition","link":"https:\/\/www.techopedia.com\/definition\/4088\/rootkit","title":{"rendered":"Rootkit"},"content":{"rendered":"

What is a Rootkit?<\/span><\/h2>\n

A rootkit is malware<\/a> used by hackers<\/a> to gain access to, and control over, a target computer<\/a>.\u00a0Typically, they impact operating systems<\/a>; however, in rare instances, a rootkit can infiltrate a manufacturing plant, becoming embedded in brand-new computers during their production.<\/p>\n

In simpler terms, a rootkit is a threat actor<\/a>\u2019s backdoor into your network<\/a>.<\/p>\n

Techopedia Explains<\/h3>\n

In Unix<\/a>, Linux<\/a>, and other Unix-like operating systems such as macOS, the “root<\/a>” is the superuser<\/a> with administrative privileges<\/a>. The \u201ckit\u201d part refers to the collection of software<\/a> tools the threat actor uses to obtain root privileges, create a backdoor, and hide it from the operating system.<\/p>\n

Although the first rootkits were created to attack Unix computers in the 1990s, today they are used to compromise systems running any of the common operating systems, including Windows<\/a>, macOS<\/a>, Linux, and Chrome OS<\/a>.<\/p>\n

How are Rootkits Installed?<\/span><\/h2>\n

The threat actors may use phishing<\/a> campaigns or other social engineering<\/a> methods to get the rootkit installed. Infections from websites<\/a> are also common, exploiting weaknesses in unpatched browsers.<\/p>\n

USB<\/a> drops are also a common method of attack. A selection of USB memory sticks laced with malicious software<\/a> is placed in different locations where the staff of the target company will find them at lunchtime.<\/p>\n

After lunch, of course, they plug the USB key into their computer to see if they can identify the owner. And that\u2019s all it takes \u2013 infection initiated.<\/p>\n

A typical rootkit infection process will start with a dropper<\/a>. This is a small program that installs the loader<\/a>. The loader might be contained within the dropper, but more often now, it is downloaded by the dropper. The loader then takes over and downloads<\/a> the rootkit, which will be a selection of sophisticated, malicious programs.<\/p>\n

Of course, a human can install a rootkit locally if they \u2013 or an accomplice \u2013 have physical access to the network. They can install a rootkit remotely if they have managed to compromise the network from the outside.<\/p>\n

Much rarer, and yet they have been seen in the wild, are instances where the threat actors manage to compromise the “golden image<\/a>” used to manufacture computers. This means the brand-new computer has the dropper installed, fresh from the factory.<\/p>\n

Why are Rootkits so Effective?<\/span><\/h2>\n

Great efforts are taken by the threat actors to ensure rootkits can avoid detection by anti-malware<\/a> and anti-virus<\/a> endpoint protection<\/a> suites. Also, rootkits are notoriously difficult to remove, with some rootkits able to persist inside the infected computer even after formatting \u2013 or physically replacing \u2013 the hard drive<\/a>.<\/p>\n

They can hide the dropper within the BIOS<\/a> or the UEFI<\/a>, meaning the machine will reinfect itself once it is reinitialized.<\/p>\n

Because rootkits integrate with the operating system so closely that they appear to be legitimate components of it, and because they run with unlimited administrative privileges, nothing stands in their way. They can do what they like on the compromised machine.<\/p>\n

The more times you hack<\/a> into a network, the more chance there is you will be detected. But that\u2019s not the case if you have a private, undetectable backdoor. And that\u2019s what a rootkit provides. A secret way in, with unlimited superuser powers.<\/p>\n

Rootkits may remove anti-virus software, make themselves “invisible” to it, or prevent it from cleaning the infected files<\/a>. They are a very sophisticated attack.<\/p>\n

Rootkits can:<\/p>\n