Not all cyber threats are as easy to detect and remove as, say, Trojan horses. In fact, some are so devious that not even your cybersecurity software may be able to detect them. If your computer has suddenly become incredibly slow, if you’re always low on RAM even with just one browser tab open, or if the Blue Screen of Death has become a common occurrence, your PC may be infected with one such “invisible” threat – a rootkit.
Key takeaway: A rootkit is a piece of software or a collection of programs designed to give hackers access to and control over a target device. Although most rootkits affect the software and the operating system, some can also infect your computer’s hardware and firmware. Read on to learn about the main types of rootkits and the best ways to remove them.
Tip: Don’t let hackers get root access to your devices. Buy antivirus software and run a full scan today.
What is a Rootkit?
A rootkit is software used by hackers to gain complete control over a target computer or network. Although it can sometimes appear as a single piece of software, a rootkit more often comprises a collection of tools that allow hackers remote access to and administrator-level control over the target machine. While rootkits can be used for good (e.g. providing remote tech support), they are mostly used for malicious purposes. All have a backdoor that allows hackers to introduce changes to the system.
Even though they have been around for more than a quarter of a century in one form or another, the history of today’s rootkits can be traced back to the mid-1990s and the surge of UNIX rootkits and DOS stealth viruses. The first rootkits for Windows were detected at the turn of the century, with some of the most notable examples being Vanquish, which recorded the victims’ passwords, and FU, which worked in kernel mode and was used to modify the structure of the system rather than just the ways to access it.
Hackers can install rootkits on the target machine in many ways, but most of them involve a phishing attack or some other type of social engineering. This way, the owners unknowingly download and install malicious software on their machines and give the hackers control of almost all aspects of the operating system. In most cases, rootkits target applications that run in user mode, although some primarily target the core operating system components in kernel mode and even the computer’s firmware (e.g. BIOS).
Like they do with other pieces of legitimate software, rootkits are often programmed to disable or completely remove any antivirus or antimalware software that may be installed on the infected computer. This was a particularly big problem in the past when most antimalware programs were unable to detect, monitor, and/or stop a rootkit attack. Cybersecurity solutions have evolved since, so some of the best antivirus software tools nowadays can successfully detect and remove rootkits from the system.
There are several types of rootkits, each targeting a different part of your computer. As a rule, the closer to the core of your computer they are, the more severe and harder to detect these infections are. While those that affect the software on your computer are fairly common and easy to handle, those that target the drivers, the memory, as well as the operating system are much trickier.
The five most common types of rootkits include the following:
- User Mode Rootkits
User mode rootkits are the furthest from the core of your computer and affect only target the software on your PC. They are thus also much easier to detect and remove than any other rootkits. Commonly referred to as application rootkits, they replace the executable files of standard programs like Word, Excel, Paint, or Notepad. As such, each time you run the infected app’s .exe file, you will give the hackers access to your computer while still being able to use the program in question as you normally do.
- Kernel Mode Rootkits
Unlike application rootkits, kernel mode rootkits are among the most severe types of this threat as they target the very core of your operating system. Hackers use them not just to access the files on your computer but also to change the functionality of your operating system by adding their own code. While these rootkits can noticeably affect the performance of your system, they are still easier to identify and deal with than some other types of rootkits whose effects go beyond just the operating system.
- Bootloader Rootkits
As the name suggests, bootloader rootkits affect the Master Boot Record (MBR) and or the Volume Boot Record (VBR) of the system. Although they have a direct impact on the system, these rootkits attach themselves to boot records rather than files, which makes them difficult to detect and remove. What’s more, if one of these rootkits injects code into the MBR, it may damage your entire computer.
Thankfully, bootloader rootkits are facing extinction. With the release of Windows 8 and 10, most PCs now have the Secure Boot option, which is designed especially to protect against bootloader rootkits. However, machines running either a 32-bit or a 64-bit version of Windows 7 may still be at risk.
- Memory Rootkits
Memory rootkits hide in your computer’s random access memory (RAM) and eat up your computational resources to carry out a variety of malicious processes in the background. This means that memory rootkits will inevitably affect the performance of your computer’s RAM. Despite that, these rootkits are rarely perceived as a major threat, mostly because they have a very short lifespan. Because they inhibit the RAM and don’t inject permanent code, memory rootkits disappear as soon as you reboot the system.
- Firmware Rootkits
Although they are comparatively rarer than other types, firmware rootkits are a serious threat to your online safety. Rather than targeting your operating system, these rootkits target the firmware of your computer to install malware that even the finest antimalware programs might not be able to detect. Firmware rootkits can infect your hard drive, your router, or your system’s BIOS. Because they affect the hardware, they allow hackers not only to monitor your online activity but also to log your keystrokes.
Over the last 25 years, innumerable rootkits have left their mark on cybersecurity. A few of them were legitimate, like the one released by Sony in 2005 to improve copy protection of audio CDs or a similar one released by Lenovo in 2015 to install undeletable software on their new laptops. Most rootkits, however, were developed by unknown hackers with the goal of compromising the victims’ computers and obtaining their sensitive information for personal gain (mostly financial) of the hackers.
Some of the most notable examples of rootkits include the following:
- In 2008, organized crime rings from China and Pakistan infected hundreds of credit card swipers intended for the Western European market with firmware rootkits. The rootkits were programmed to record the victims’ credit card info and send it all directly to a server located in Pakistan. On the whole, the hackers behind this plot managed to steal at least 10 million pounds by cloning credit cards and withdrawing funds from the unsuspecting victims’ accounts.
- In 2011, cybersecurity experts discovered ZeroAccess, a kernel mode rootkit that went on to infect more than 2 million computers around the world. Rather than directly affecting the functionality of the infected computer, this rootkit silently downloads and installs malware on the infected machine and makes it part of a worldwide botnet used by hackers to carry out cyber attacks. Despite a few serious attempts to destroy it, ZeroAccess remains active to this day.
- In 2012, experts from Iran, Russia, and Hungary discovered Flame, a rootkit that was primarily used for cyber espionage in the Middle East. Affecting the whole of the computer’s operating system, Flame has the ability to monitor network traffic, capture screenshots and audio from the computer, and even log keyboard activity. Although the culprits are still unknown, research revealed that 80 servers across three continents were used to access the infected computers.
How to Remove a Rootkit
Several types of rootkits run at a higher level of privilege than most cybersecurity programs, which is why they may be very hard to detect. To scan your systems for rootkits, you need an advanced antimalware tool that has add-ons for rootkits. Thankfully, the best antivirus software tools all come with a built-in rootkit scanner and rootkit remover, allowing you to easily detect and remove these online threats.
If you suspect your system may be infected with a rootkit, you should look for one or more tell-tale signs of an infection. They usually involve slower performance and low RAM, incorrect time and date displayed in the bottom-right corner of your screen, as well as frequent occurrences of the so-called “Blue Screen of Death”. In addition to this, some or all of the functionality of your antivirus and/or antimalware program may be automatically disabled upon the first launch of the rootkit-infected software.
Although some rootkits can affect your hardware, all of them stem from a malicious software installation. As such, your best bet is to use only the best antivirus software that is equipped to offer real-time protection against all major threats, including viruses, malware, and rootkits. Make sure to run regular scans of your system and to update your virus definitions on a daily basis. To avoid bootloader rootkits, it is also recommended to update your current operating system to Windows 8 or above.
- CS Online
- Heimdal Security
- PC World
- The Register
- Wikipedia (1)
- Wikipedia (2)
- Wikipedia (3)
- ZD Net
Founder of SoftwareLab
Welcome. We started SoftwareLab in 2014 to help you find the best software at the best price.
We are proud and humbled to have helped millions of readers since then, and we hope you will find our work helpful. If we can improve our service to you, please let us know here.
Are you protected?
No matter how serious they are, all rootkit infections start with the installation of malicious software. Don’t put your computer and your data at risk.