Written by Anthony Freda
Updated on June 24, 2024

What is a rootkit?

A rootkit is an application that hides deep within your file system and gives someone else full access to your computer without you knowing. Rootkits hide in the lowest layers of the operating system, making them almost undetectable by common anti-malware scans.

This article contains :

    Where did the name and definition of “rootkit” come from? In Unix and Linux operating systems, the account with full privileges and unrestricted access (similar to the administrator account in Windows) is called the root. So, a kit that grants privileged access to a computer or mobile device is a rootkit. It lets someone control your device remotely without your knowledge.

    Rootkits allow hackers to get remote access to your computer, which they can use to take over your system and extract as much information as possible. Through a rootkit, a hacker can steal personal data and financial information, install malware, or connect your computer to a botnet to circulate spam or participate in DDoS (distributed denial-of-service) attacks.

    Is a rootkit a virus?

    A rootkit isn’t a virus, because a virus spreads copies of itself to cause damage to a system. A rootkit doesn’t replicate itself — it may steal your information and take control without ever intending to do damage.

    While a rootkit isn’t a virus, you can still rely on an antivirus app to help detect and block them. Install AVG AntiVirus FREE as your first line of defense against malicious rootkits and many other kinds of malicious threats.

    Is a rootkit malware?

    Yes, a rootkit is a type of malware (short for “malicious software”) that’s specifically designed to maintain privileged administrative access to a system. Rootkits are often used to carry out other malicious activities, such as stealing data, damaging your computer, demanding ransoms, or using up your resources.

    Other examples of malware include viruses, trojans, spyware, worms, and ransomware. Like these types of malware, rootkits often need to be removed manually.

    Where do rootkits come from and how do they propagate?

    Rootkits come from malicious files that you inadvertently download when you click on an infected file. These files contain hidden instructions that make changes to your computer. An infected file can modify your kernel — the deepest part of your operating system — and plant a rootkit there.

    How a rootkit infects your computer

    A rootkit usually infiltrates your OS as part of a combined threat that contains three distinct pieces of malicious code: a dropper, a loader, and the rootkit. Together, these components give a remote attacker access to your PC without your knowledge.

    Here’s a detailed look at how a rootkit makes it onto your computer:

    1. You click an infected link.
      The infected link may be in a strange email or on an infected website. Even if you don’t save the file, it gets stored in your temporary files and launches the dropper.

    2. A malicious script is embedded in the file.
      The dropper executes the malicious code that bypasses your security defenses.

    3. The script exploits your machine.
      The dropper activates the loader, then deletes itself. The loader works to insert the rootkit into the system — usually via buffer overflow, an execution method that involves overloading your computer with instructions so they go “out of bounds,” then making instructions overflow to specific locations.

    4. The script inserts malicious code in sensitive areas.
      A bit of the overflowed data “lands” in the critical areas of the operating system — the buffer overflow confuses the computer, causing it to change values in spots where it shouldn’t. This creates a back door for the final rootkit payload.

    5. The malicious code successfully grants remote access.
      The rootkit code runs administrator-level actions without going through the usual security checks, changing permissions and granting access to a remote user.

    An illustration showing how a hacker infects your computer with a dropper, a loader, and ultimately a rootkit.A hacker infects your computer with a dropper, a loader, and ultimately a rootkit.

    How a rootkit spreads

    Here are a few ways that rootkits commonly spread:

    • Suspicious links in phishing emails

    • A trojan or other piece of discreet malware

    • Corrupt software downloaded from an unofficial site

    • Malicious software piggybacking on legitimate downloads

    • Pirated media, such as movies, PDFs, ebooks, and more

    • Browser plugins or add-ons that are advertised to add features

    If you practice good digital hygiene when downloading and installing software or opening attachments, then a rootkit shouldn’t make it onto your computer. As usually, one of the best defenses you can have is common sense.

    How to detect rootkits

    Running a boot-time scan, such as the one in AVG’s rootkit scanner tool is an effective way to detect rootkits. These scans check for rootkits and other malware before the operating system fully loads. You may want to scan for a rootkit infection if you notice unusual system changes or unexplained increases in network traffic.

    Rootkits can sometimes evade detection, particularly by remaining invisible to basic, built-in anti-malware tools. This is because rootkits are designed to change the fundamental security functions built into your computer software.

    In this case, a memory dump analysis may also be needed. A memory dump is a snapshot of all the data your computer is currently using, and analyzing it can reveal behavior that shouldn’t be there, including signs of a rootkit.

    Rootkits are really good at hiding. So, sometimes you have to look for signs and then decide on a memory dump analysis accordingly.

    Here are some signs that you have a rootkit:

    • Frequent Windows error messages or blue screens of death

    • Constant prompts to reboot your PC

    • Unusual web browser behavior such as Google link redirection

    • Unrecognized bookmarks

    • Slow computer performance

    • Device freezes or strange behavior from your mouse or keyboard

    • Web page or network activity malfunctions due to excessive network traffic

    • Random Windows Settings changes without your permission

    Before you suspect rootkits and run unnecessary analyses, you should rule out a failing hard disk, a cluttered file system, or another malware infection. If you still run into issues, you may have a rootkit after all.

    How to remove a rootkit

    A specialized tool is usually needed to remove a rootkit. Since a rootkit compromises the OS itself, you shouldn’t rely on built-in security features to get the job done. You’ll need third-party security software with the ability to penetrate where the rootkit has taken hold.

    Antivirus software is based on “signatures,” known patterns of behavior that indicate malware. These are constantly being updated as new virus intelligence comes to light, so we recommend regular scans. Note that a rootkit scan usually takes longer than a regular malware scan and you won’t be able to use your computer while the scan is taking place.

    Here’s how to remove a rootkit from your PC:

    1. Install a trusted antivirus, such as AVG Antivirus FREE, which includes a rootkit scanner and removal tool.

    2. Run a boot-time scan to check for rootkits before the Windows operating system can load.

    3. Follow the on-screen instructions to start the rootkit removal process.

    If the antivirus can’t remove the rootkit completely, you can re-format your hard drive. This means deleting everything on the hard drive, so consider this a last resort, and make sure you back everything up beforehand. In very rare cases, a rootkit can stay in the BIOS no matter what you do. Consult an expert in this case.

    Types of rootkits

    Rootkit types differ based on how much system access they have, which system areas they affect, and how well they hide from detection. Here’s an overview of the common types of rootkits and how they differ from one another:

    Kernel mode rootkits

    Kernel mode rootkits operate at the core of an OS (kernel level) and cause frequent system crashes. This is often how Microsoft support personnel determine that a victim’s device has been infected with a rootkit.

    An attacker first exploits a user’s system by loading malware into the kernel, which then intercepts system calls or adds its own data, filtering any data returned by the malware that might trigger detection. Kernel-based malware can be used to cover tracks and conceal threats both within the kernel and in user-mode components alike.

    User-mode rootkits

    User-mode rootkits either start as a program in the normal manner during system startup, or get injected into the system through a dropper. They provide similar functionalities as kernel-mode rootkits, such as masking and disabling access to files, but operate at the user level. User mode rootkits are not as stealthy as kernel mode, but due to their simplicity of implementation, they’re more widespread.

    User-mode rootkits are popular in financial malware. Carberp, one of the most copied strains of financial malware due to its source code leaking online, was developed to steal banking credentials and sensitive data from victims. Be careful of spam emails claiming to be payment reminders or invoices.

    Hybrid rootkits

    Hybrid rootkits combine user-mode and kernel-mode characteristics. This approach is one of the most popular rootkits among hackers because of its high rate of success in penetrating computers.

    Bootloader rootkits

    Bootloader rootkits target the building blocks of your computer by infecting the master boot record, a fundamental part that instructs your computer how to load the OS.

    Firmware rootkits

    Firmware rootkits are a sophisticated type of malware that can hide in firmware — like a microprocessor or a router — when the computer is shut down. Then, when the computer restarts, the rootkit reinstalls itself.

    Virtual machine-based rootkits

    Virtual machine-based rootkits transport an operating system into a virtual environment so that the rootkit, along with the virtual environment, cannot be discovered at all or is extremely difficult to detect. A virtual machine-based rootkit (VMBR) loads itself underneath the existing OS, then runs the OS as a virtual machine. This way, a VMBR goes undetected unless special tools are used to look for it.

    Application rootkits

    An application rootkit modifies regular files and only activates when a certain application is run. As far as you’re aware, the app is still running normally. In the background, the rootkit has gained device permissions, allowing another person to do whatever they want on your computer.

    Memory rootkits

    Memory rootkits exist in the RAM, which is cleared every time you restart the computer. As such, these rootkits are only effective for a short time. However, they are just as good at hiding and just as capable of wreaking havoc. They can be used to suck up your resources and spread malware as part of a botnet.

    Rootkit examples

    Here are some common rootkit attack examples, from the birth of rootkit malware to today:

    • The first rootkit (1990): The first documented case of a rootkit was written by Stevens Dake and Lane Davis on behalf of Sun Microsystems for SunOS Unix OS.

    • Greek Watergate (2004–2005): A rootkit that infected Ericsson AXE telephone exchanges on the Greek Vodafone network, and was targeted at wiretapping the phones of Greek government officials and high-ranking civil servants.

    • Sony BGM copy protection rootkit (2005): Sony BMG secretly installed rootkits on millions of CDs to prevent buyers from burning copies of CDs and to inform the company about what these customers were up to. It also unintentionally opened the floodgates for other malware to infiltrate Windows PCs unseen.

    • Zeus (2007): Zeus is a credential-stealing Trojan horse — a rootkit that steals banking information by using man-in-the-browser keystroke-logging and form-grabbing.

    • NTRootkit (2008): One of the first malicious rootkits for Windows, there are different versions of NTRootkit that do different things. One type captures keystrokes, which helps hackers steal usernames and passwords to access sensitive services.

    • Machiavelli (2009): Machiavelli was the first rootkit to target Mac OS X, and it created hidden system calls and kernel threads.

    • Stuxnet (2010): Stuxnet was the first known rootkit targeting an industrial control system.

    • Flame (2012): Flame computer malware attacks Windows OS computers and can record keyboard activity, screenshots, audio, network traffic, and more.

    • LoJax (2018): LoJax is a firmware rootkit that can remain on a system even through a Windows reinstall and hard drive format.

    • Scranos (2019): This rootkit targets your personal information by extracting payment methods from your browser. Scranos also uses your computer’s resources to farm clicks, artificially generating view counts on YouTube videos as a way to earn money.

    • CosmicStrand (2022): This firmware rootkit is so hard to detect that cybersecurity experts aren’t sure how it made it onto computers in the first place. There may even be versions of CosmicStrand that haven’t been found yet. It has mainly been used against high-profile targets, not the average computer user.

    • BlackLotus (2022): First emerging in 2022, BlackLotus was able to get past fully-patched versions of Windows 11 and its Secure Boot feature.

    rootkit-02-ENA timeline of some of the most well-known rootkit attacks.

    How to protect yourself against rootkits

    You can help protect yourself against rootkits with strong antivirus software and by following website safety principles. Internet common sense is something you develop over time — until then, here are a few rules of thumb that can help you protect yourself against rootkits and other malicious threats:

    • Don’t open email attachments from unknown senders.

    • Don’t download unknown files or click suspicious links.

    • Ensure your system software is properly patched against known vulnerabilities by installing software updates when they become available.

    • Download and install new software carefully, making sure it's legitimate and that there are no red flags in the EULA (end-user license agreement).

    • Use external drives and thumb drives with caution, and don’t insert unknown drives.

    • Scan your system regularly to check for malware.

    • Only download apps and software from trusted sources, official websites, and licensed app stores.

    • Watch out for unusual changes in performance.

    Help block rootkits with AVG AntiVirus Free

    The strategies to help avoid rootkits are also sensible habits that will help you protect your digital life. You can mount an even stronger defense against rootkits by installing a robust antivirus like AVG AntiVirus FREE.

    AVG AntiVirus FREE scans for malware throughout on your system, from your browser to the roots of your operating system. What’s more, it’ll help you find and remove some of the most insidious and deeply embedded malware on your device — and of course it will provide powerful protection to help you avoid a rootkit infection in the first place.

    Block malware and prevent threats with AVG AntiVirus for Android

    Free install

    Get real-time threat protection for your iPhone with AVG Mobile Security

    Free install
    Anthony Freda