Antivirus Guide

What Is a Rootkit?

A rootkit is a tool that hackers use to gain remote control to your devices. Our security experts unpack rootkits and show how to stay safe from them.

All of our content is written by humans, not robots. Learn More
By
&
Aliza Vigderman
Gabe TurnerChief Editor
Last Updated May 15, 2024
By Aliza Vigderman & Gabe Turner on May 15, 2024

In the malware kingdom, there are many creatures that roam the land. There’s spyware, which is tough to check for. These gnarly critters compromise your digital security by allowing others to spy on you in some way. There’s also adware, computer worms, and ransomware attacks. For this article, we’ll be focusing on another type of malware called rootkit.

What is a rootkit? Put simply, rootkits are a type of malware that can give a bad actor control of your computer without your consent or knowledge.

Rootkits first came of age in attacks on Unix systems. The goal was to gain the maximum amount of privileges to execute commands at the root level, explaining the “root” of the name. The first Windows rootkit, NTRootkit, emerged in 1999. In later years, rootkits also began to be used on MacOS.

Today we’ll unpack what exactly a rootkit is, where you might encounter it, how it can impact you and your personal digital security, and how to protect yourself against it. We know that security is important to you, and as security experts we want you to walk away from this read having a full understanding of how to deal with this unique type of malware.

How Rootkits Work

A rootkit is an umbrella term describing the program or collection of malicious tools that a hacker uses to gain remote access to and control of a device like a computer. This opens the system up to viruses, ransomware, and other malware. One of the more dangerous aspects of rootkits is that they fly under the radar. They can even neutralize antivirus software.

Where do Hackers get rootkits?

Rootkits are typically bought and sold on the dark web. This is an underground virtual network that can’t be found via Google or other normal search engines. Within these spaces, a person can sell everything from Social Security numbers to Amazon Prime passwords, and can be reasonably assured they’ll stay under the radar. That’s why we use one of the best identity theft protection services with dark web monitoring to protect our information from being sold on black markets.

Did You Know: Rootkits don’t come cheap. On the dark web, a hacker can expect to pay between $45,000 to $100,000 for a [citaiton id=”1″]rootkit.[/citation]

Types of Rootkits

This type of malware comes in different forms. Here are some common types of rootkits, so you can be prepared if you come across them:

  1. Kernel rootkits: This type of rootkit is able to have the same privileges as an operating system at the kernel level. Kernels are essentially the core of a computer’s operating system, which means kernel rootkits give huge amounts of control over your personal computer.
  2. Application rootkits: In this type of rootkit, regular files get modified, allowing hackers to access your machine every time you run the application with those infected files. Typically, these rootkits cause a specific app to behave abnormally, which is an indicator of an application rootkit.
  3. Memory rootkits: As the name suggests, this type of rootkit gets cozy in your computer’s RAM, bogging your machine down and affecting the performance of your system. Usually, you can just restart your computer to deal with this type of rootkit.
  4. Bootloader rootkits: Also like its name implies, this type of rootkit gets going as soon as your computer boots up, ferrying malware onto your computer just as the operating system is getting going. Since Windows 8 released with Secure Boot, this type of rootkit has lost most of its punch.2

Some Hints That You Have a Rootkit Problem

Kind of like an insidious bug that lies dormant, signs that rootkits are infecting your system aren’t always overt. But as security experts, we’ve put together a few tried and true questions you should ask to see if a rootkit is influencing your system.

  • Is a certain application running slow, while others are running fine? This may be a sign that the bogged-down application is affected by an application rootkit.
  • Are you dealing with unexplained system crashes? This could be because a rootkit has affected your system’s bootloader, hard drive, or applications.
  • Is your antivirus software crashing or not working normally? This could be because a rootkit has taken hold.

>> See Also: What Is a Keylogger?

Famous Rootkit Attacks

With the amount of control that rootkit attacks provide to the perpetrator, it’s no surprise that there are tons of famous rootkit attacks. So, let’s dive into three of the most famous ones.

Pro Tip: Do you own a business and want to make sure it doesn’t end up on a list of famous rootkit attacks? Make sure to invest in the best business antivirus protection software to keep your company protected.

The DirtyMoe Rootkit

One of the more famous rootkit attacks happened in the first half of 2021, when cybercriminals attempted to spread the DirtyMoe rootkit and infected more than 100,000 computers, per cybersecurity firm Avast.3

SONY BMG Scandal

Then there’s the SONY BMG copy protection scandal of 2005. The company secretly installed specific software on millions of CDs in order to prevent piracy and track what certain buyers were up to. But this opened up the door for other malware to be introduced to Windows PCs.4

>> Learn More: Best Antivirus Protection Software for Windows PCs

Machiavelli Rootkit Attack

The Machiavelli rootkit attack is notable because it was the first rootkit attack on the Mac OS X operating systems back in 2009. The attack involved hidden kernel threads, which were used to influence the core systems of the computer. This is another example of why you should never assume the built-in antivirus on your Mac completely protects you from malware. So, Mac users, you’ll also need to remain vigilant and have a good antivirus program beyond the built-in one. Take a look at our guide to the Best Antivirus for Macs in 2024.

How to Protect Yourself Against Rootkit Attacks

We always emphasize keeping your system clean and clear of any and all malware, and this is especially important when it comes to rootkit attacks, which can really do a number on your system. The key is to be proactive by regularly and consistently using this advice.

Here are a few things you can do to protect yourself from rootkit attacks:

  1. Install a good antivirus software: When it comes to rootkits, it’s essential that you use a good antivirus program and keep it up-to-date. You should be regularly scanning your system. This will keep you protected from rootkit attacks.
Kaspersky Antivirus App Home Screen
Kaspersky Antivirus App Home Screen
  1. Be careful of phishing: Phishing is a lot more sophisticated these days, and those unwanted emails that land in your inbox often look like they’re from legitimate companies or someone you know or trust. So here’s our rule for recognizing phishing attempts: Check, double check, and even triple check that the message is coming from someone you know and trust. This also applies to text messages.

FYI: Nowadays, phishing has expanded beyond emails and phone calls. Modern phishing uses text messages as well. It’s called “Smishing.” Check out our guide to phishing text messages for tips on recognizing these scams.

  1. Get a good firewall: Firewalls work to scan devices for threats, but also do so across the entire network. Our favorite firewall software usually comes with antivirus software, so you can kill two birds with one stone.
  2. Have a VPN: Virtual Private Networks (VPNs) hide your device’s IP address and keep your web activity encrypted. This makes your devices less vulnerable to hacking. We even made a roundup of our top-rated VPNs to make it easier for you to find one that gives you the protection you need.
  3. Keep your software up-to-date: This is one we’d like to emphasize. Keeping your antivirus software up-to-date is great. But all of your applications should be updated regularly, too. It’s important to have your applications running with the best security fixes and measures.
NordVPN connected to United Arab Emirates
NordVPN connected to United Arab Emirates

A Recap on Rootkits

Rootkits have come a long way since they first appeared on Linux. The first rootkit for Windows appeared near the turn of the 21st century. A type of malware, rootkits can give a bad actor control of your computer without your consent or knowledge. They’re also intimidating because they can disable your antivirus software.

The key to avoiding rootkits is to be proactive, regularly scan your system using antivirus software, and keep all of your applications updated with the latest security features.

Rootkit Frequently Asked Questions

Before we part ways, here are some of the most frequently asked questions we’ve been getting about rootkits, and some of our answers:

  • What is a rootkit?

    A rootkit is a type of malware that can give a hacker access to your computer without your consent or knowledge. Rootkits can even affect antivirus software.

  • What can I do to stay safe?

    Make sure your antivirus software is up-to-date, avoid falling victim to phishing scams, and use a good firewall.

  • When was the first rootkit created?

    Rootkits emerged in the 1990s and were originally created to compromise Linux operating systems. Rootkits for Windows and macOS emerged later.

  • What types of rootkits are there?

    There are a number, including memory rootkits, kernel rootkits, and bootloader rootkits. Each manifests in a different way on your computer.

Citations
  1. CyberNews. (2021). Threat actors use costly rootkits to attack governments and research institutes.
    cybernews.com/news/threat-actors-use-costly-rootkits-to-attack-governments-and-research-institutes/#google_vignette

  2. HP. (2013). UEFI pre-boot guidelines and Microsoft® Windows® 8 UEFI Secure Bootfor HP Business PCs.
    h10032.www1.hp.com/ctg/Manual/c03857419.pdf

  3. Security Affairs. (2021). DIRTYMOE BOTNET INFECTED 100,000+ WINDOWS SYSTEMS IN H1 2021.
    securityaffairs.com/119230/malware/dirtymoe-botnet-growing.html

  4. The Register. (2021). Revealed: Remember the Sony rootkit rumpus? It was almost oh so much worse.
    theregister.com/2021/12/10/autorunning_away/