Everything You Need to Know About Rootkits and How to Protect Yourself

Written by AVG Signal Team
Published on January 30, 2020

What is a Rootkit?

A rootkit is an application (or set of applications) that conceals its presence, or the presence of another application, such as adware or spyware, on a device. Rootkits hide by working in the lower layers of the operating system, for example by redirecting (hooking) API functions or using undocumented OS functions, so that the OS’s own tools and common anti-malware software no longer report the hidden files, processes or network connections.


    Where does the term “rootkit” come from? In Unix and Linux operating systems (OS), the all-powerful administrator account with full privileges and unrestricted access (similar to the Administrator account in Windows) is called “root”. A “kit” is a set of tools; here, the software that gives someone unauthorized root-level access to the device and its restricted areas.

    Put the two together and you get “rootkit”: a program that gives someone (with legitimate or malicious intent) privileged access to a computer or mobile device. This person can now control the device remotely without the owner’s knowledge or consent.

    Unfortunately, rootkits are often designed to create unauthorized access to computers, allowing cybercriminals to steal personal data and financial information, install malware, or use computers as part of a botnet to circulate spam and participate in DDoS (distributed denial-of-service) attacks.

    Imagine a burglar who wants to break in and steal from your home. They dress in black to blend into the darkness and move quietly to remain undetected. But unlike the thief who takes something and then leaves, a rootkit sticks around in your computer, robbing it of data or manipulating what’s inside over time.

    Is a rootkit a virus?

    A rootkit is not a virus, per se. A computer virus is a program or piece of code that replicates itself, copying its code into other files or programs and spreading to other computers without the user’s consent, and that typically also causes damage, such as corrupting system files, wasting resources or destroying data. Self-replication is the defining trait of a virus.

    Unlike viruses, rootkits are not necessarily harmful in themselves; a rootkit is a concealment mechanism. What’s dangerous is the malware a rootkit hides, which can manipulate a computer’s OS and give remote users admin access. This makes rootkits popular tools among cybercriminals, and it’s why they now have such a bad rep.

    Installing AVG AntiVirus FREE is your best first line of defense against malicious rootkits and many other kinds of threats. Scan your devices to detect and remove rootkits from the source, and stay protected from any future malware with AVG — all for free.

    Is a rootkit malware?

    A rootkit is closely associated with malware (short for “malicious software”), a program designed to infiltrate and steal data, damage devices, demand ransom, and do various other illegal activities. Malware encompasses viruses, Trojans, spyware, worms, ransomware, and numerous other types of software.

    In practice, a modern rootkit is the part of a malware package that hides the rest of it, covering up the malware’s harmful activity.

    How to recognize a rootkit

    By design, rootkits are difficult to detect. They’re good at camouflage, which makes rootkit detection very tedious. Even commercially available products and seemingly benign third-party apps can have rootkit-based functionality. A rootkit can disguise activities and information from an OS, preventing its bad behavior from being exposed.

    Rootkit’s my name, hiding’s the game.

    How? Once a rootkit is installed, it typically loads when the computer’s OS boots or shortly after the boot process begins, so it is already running before you open any program. Some rootkits load before the target operating system itself (see bootloader and firmware rootkits below); these are even harder to detect, because the OS and any security software running on it start up under the rootkit’s control.

    Image: A Blue Screen of Death can be a sign that a malicious rootkit is embedded in your computer. (Image source: https://en.wikipedia.org)

    Signs of rootkit malware?

    Here are some telltale signs of a malicious rootkit at play – told as film and TV show titles:

    • Kiss of (Blue Screen) Death: frequent Windows error messages or blue screens with white text, and a computer that constantly needs to reboot.

    • Stranger Things: unusual web browser behavior, such as search result links redirecting to sites you didn’t ask for, or bookmarks you don’t recognize.

    • Failure to Launch: slow computer performance, or a device that freezes or fails to respond to any input from the mouse or keyboard.

    • The Social Network: web pages load intermittently or network activity misbehaves because the machine is generating traffic you didn’t ask for, for example as part of a botnet.

    • Out of Sight: settings in Windows change without permission. Examples of this could be the screensaver changing or the taskbar hiding itself.

    How to remove a rootkit

    Finding and removing rootkits isn’t an exact science, since they can be installed in many ways. Even reinstalling the OS may not be enough: a rootkit that lives in the boot sector or in firmware can survive a disk wipe. The good news: an antivirus tool with a rootkit scanner like AVG’s will go a long way toward keeping malware away. Our anti-rootkit technology, included in AVG AntiVirus FREE, detects, prevents, and removes rootkits and other forms of malicious software.

    Where do rootkits come from and how do they propagate?

    There are a few common ways cybercriminals can get a rootkit on your computer. One is exploiting a vulnerability (a weakness in software or an OS that hasn’t been updated) to install the rootkit without any action on your part. Another is through malicious links, which can be sent by email, social networking, or as part of a phishing scam. Malware can also be bundled with other files, such as infected PDFs, pirated media, or apps obtained from suspicious third-party stores.

    A common way to distribute malicious rootkits is through documents (such as PDFs) attached to emails or instant messages, or by sending an infected link.

    So when they say to never trust a stranger, they mean that you should never open links or documents from anyone you don’t know over email or any messaging app. Never install a “special plugin” (pretending to be legitimate) to correctly view a webpage or launch a file either.

    Unlike viruses and worms, rootkits don’t spread or multiply on their own. Usually, rootkits are just one component of what is called a blended or combined threat, which consists of three snippets of code: a dropper, loader, and rootkit.

    Here’s how it works:

    Activating a dropper typically requires human intervention, such as clicking a malicious link. The dropper launches a loader program and then deletes itself. The loader installs the rootkit, often by exploiting a vulnerability such as a buffer overflow (writing more data into a fixed-size memory buffer than it can hold, so the excess overwrites adjacent memory and lets the attacker run code of their choosing), to get the rootkit into the computer’s memory with elevated privileges. The rootkit then creates a backdoor that allows bad actors (cybercriminals, not Nicolas Cage) to modify system files and remain undetected by the user and by basic antivirus software.

    Now they have remote access to the OS and can use the infiltrated computer for spamming, pharming, large-scale DDoS attacks, or for stealing sensitive data.

    Types of rootkits

    Rootkits can be persistent or non-persistent. The former means that a rootkit is capable of activating itself every time the computer boots up. The latter refers to a rootkit that resides in the memory and ceases to exist when the computer reboots.

    Rootkits can be identified by which areas of a system they affect and how well they can hide.

    Kernel mode rootkits

    Kernel mode rootkits operate at the core of an OS (kernel level). A bug in kernel code brings down the whole system, so a badly written kernel mode rootkit can cause frequent crashes; recurring unexplained crashes are one of the clues Microsoft support personnel use when deciding whether a victim’s device may be infected with a rootkit.

    An attacker first exploits a user’s system to load malicious code into the kernel. That code then intercepts system calls, such as the ones that list files, processes or registry keys, and filters the results before they are returned, removing anything that might reveal the malware. Kernel-based malware can be used to cover tracks and conceal threats both within the kernel and in user-mode components alike. Sneaky!

    User Mode rootkits

    User mode rootkits run as ordinary programs, either launched in the normal manner during system startup or injected into running processes by a dropper. They provide similar functionalities to kernel mode rootkits, such as hiding files and blocking access to them, but they do so by hooking API functions inside user-level processes rather than in the kernel. User mode rootkits are not as stealthy as kernel mode ones, since a scanner that queries the kernel directly can see past them, but because they are much simpler to implement, they’re much more widespread.
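The hooking described in the kernel mode and user mode sections above, and the cross-view check that anti-rootkit scanners use to catch it, as an added example. This is not AVG’s code and not a real rootkit: the “rootkit” here swaps out Python’s `os.listdir` for a filtering wrapper, the way a real user mode rootkit overwrites a function pointer in a process’s import table, and the detector reads the same directory through a second, lower-level path (`os.scandir`, which does not pass through the hooked function) and reports every name the high-level view failed to show. The hidden-name prefix and the file names are constructed for the demo.

```python
"""Cross-view detection of a user-mode rootkit that hooks a directory-listing API.

Added example (not AVG's code). The 'rootkit' replaces os.listdir with a filter
that drops names starting with HIDDEN_PREFIX (an assumed marker chosen for this
demo). The detector compares that hooked, high-level view with a lower-level view
obtained through os.scandir and returns the discrepancies.
"""
import os
import tempfile

HIDDEN_PREFIX = "$hidden$"       # assumed marker: the rootkit hides anything starting with it
_original_listdir = os.listdir   # kept so the hook can call through and can be uninstalled


def _hooked_listdir(path="."):
    """Rootkit-style hook: call the real API, then scrub the rootkit's own entries."""
    return [name for name in _original_listdir(path) if not name.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Simulate the rootkit patching the API in place (like an import-table hook)."""
    os.listdir = _hooked_listdir


def remove_hook():
    """Restore the genuine API."""
    os.listdir = _original_listdir


def high_level_view(path):
    """What a normal program (or a naive scanner) sees: whatever os.listdir points to now."""
    return set(os.listdir(path))


def low_level_view(path):
    """Second view through a different code path that the hook did not cover."""
    with os.scandir(path) as entries:
        return {entry.name for entry in entries}


def cross_view_scan(path):
    """Names present in the low-level view but missing from the high-level one."""
    return sorted(low_level_view(path) - high_level_view(path))


def demo():
    """Plant sample files, install the hook, and return what each view reports."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample files: two ordinary ones and two the rootkit wants hidden.
        for name in ("notes.txt", "report.pdf", "$hidden$driver.sys", "$hidden$config.dat"):
            open(os.path.join(workdir, name), "w").close()
        install_hook()
        try:
            visible = sorted(high_level_view(workdir))
            hidden = cross_view_scan(workdir)
        finally:
            remove_hook()  # always restore the real API before the directory is cleaned up
    return visible, hidden


if __name__ == "__main__":
    shown, concealed = demo()
    print("visible through hooked API:", shown)
    print("hidden entries found by cross-view scan:", concealed)
```

The caveat a practitioner will want: this works because the hook covers only one API. A kernel mode rootkit filters below both views, which is why serious scanners compare the OS’s answers against raw on-disk structures, or scan from outside the running OS altogether (for example by booting from clean media).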

    User mode rootkits are popular in financial malware. Carberp, one of the most-copied strains of financial malware, was developed to steal banking credentials and sensitive data from victims. So be careful of spam emails claiming to be payment reminders or invoices!

    Hybrid rootkits

    Hybrid rootkits combine user-mode and kernel-mode components: the user-mode part is easy to write and update, while the kernel-mode part supplies the stealth. This approach is one of the most popular among hackers because of its high rate of success in penetrating computers.

    Bootloader rootkits

    Bootloader rootkits (also called bootkits) target the building blocks of your computer by infecting the Master Boot Record (MBR), the first sector of the disk, whose boot code the computer runs to start loading the OS. Because a bootkit runs before the operating system, it can tamper with the OS as it loads. On newer machines that boot with UEFI instead of a BIOS, the equivalent target is the EFI bootloader, and the Secure Boot feature exists to check the bootloader’s signature before it is allowed to run.
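What the Master Boot Record actually contains, and the baseline comparison a defender can run against it, as an added example (not AVG’s code). The MBR is 512 bytes: 446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the signature 0x55 0xAA. A bootkit usually leaves the partition table alone, so the disk still boots, and replaces or patches the boot code. The checker below parses the sector, hashes the boot code and compares it with a baseline hash that is assumed to have been recorded while the machine was known clean. The sample sectors are constructed in the code, not read from a real disk.

```python
"""Check a Master Boot Record (MBR) against a known-good baseline.

Added example (not AVG's code). Layout of the 512-byte sector:
  bytes 0-445   boot code (what a bootkit patches)
  bytes 446-509 partition table, four 16-byte entries
  bytes 510-511 boot signature 0x55 0xAA
The baseline hash is assumed to come from a clean install; the sample
sectors below are constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIG_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of one MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIG_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> dict:
    """Parse the MBR and flag boot code that differs from the clean baseline."""
    info = parse_mbr(mbr)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_boot_code_sha256
    return info


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code padded to 446 bytes, one bootable
    NTFS-type (0x07) partition at LBA 2048 spanning 204800 sectors, and the signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (3 * 16)
    return code + table + BOOT_SIGNATURE


def demo():
    """Baseline a 'clean' sector, then check it and a 'bootkit-patched' copy of it."""
    clean = make_sample_mbr(b"CLEAN-BOOT-CODE")          # placeholder bytes, not real x86 code
    baseline = hashlib.sha256(clean[:BOOT_CODE_LEN]).hexdigest()
    # The bootkit keeps the partition table intact (so the disk still boots) but swaps the code.
    patched = make_sample_mbr(b"BOOTKIT-LOADER-STUB")    # placeholder bytes
    return check_mbr(clean, baseline), check_mbr(patched, baseline)


if __name__ == "__main__":
    for label, result in zip(("clean", "patched"), demo()):
        state = "MODIFIED" if result["boot_code_modified"] else "ok"
        print(f"{label}: boot code {state}, partitions {result['partitions']}")
```

On a real Linux machine the sector is read with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (as root), and the baseline hash must be stored somewhere the suspect machine cannot alter. The same idea extends to firmware: the check is only as good as the trust you can place in the baseline and in the tool doing the reading, which is exactly what a rootkit running below the OS undermines.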

    Firmware rootkits

    Firmware rootkits live in a device’s firmware, such as a PC’s BIOS/UEFI, a hard drive, a network card or a router, rather than on the OS disk. Firmware survives both a shutdown and a disk wipe, so when the computer restarts, the rootkit can reinstall itself into the operating system.

    Virtual machine-based rootkits

    Virtual machine-based rootkits move the installed operating system into a virtual environment so that the rootkit, along with the virtual environment it controls, cannot be discovered at all or is extremely difficult to detect. A virtual machine-based rootkit (VMBR) loads itself underneath the existing OS, then runs that OS as a virtual machine on top of itself. Nothing inside the guest OS can see the layer below it, so a VMBR could go undetected unless special tools are used to look for it. Round and round it goes.

    Image: Sony BMG’s infamous rootkit became a cultural phenomenon as a punchline in comic strips like Foxtrot. (Image source: https://hyperbear.blogspot.com)

    Infamous rootkits in history

    • The first documented rootkit was written by Steven Dake and Lane Davis in 1990 on behalf of Sun Microsystems for the SunOS Unix OS.

    • In 2005, when CDs were still a thing, Sony BMG Music Entertainment shipped copy-protection software on millions of music CDs that secretly installed a rootkit on buyers’ Windows PCs, to keep them from burning copies of the discs and to report back to the company on what these customers were up to. The rootkit, which antivirus and anti-spyware tools of the time did not detect, also let other malware hide behind its cloaking and infiltrate Windows PCs unseen. It became a cultural phenomenon as a punchline in comic strips like Foxtrot and a custom t-shirt logo.

    • NTRootkit (1999) One of the first malicious rootkits for Windows NT. Different versions do different things; one captures keystrokes, which lets hackers find out data like usernames and passwords for accessing certain services.

    • Machiavelli (2009) First rootkit targeting Mac OS X. It creates hidden system calls and kernel threads.

    • Greek Watergate (2004-2005). A rootkit developed for Ericsson AXE telephone exchanges on the Greek Vodafone network, targeted at wiretapping the phones of members of the Greek government.

    • Zeus (2007) Zeus is a credential-stealing Trojan horse — a rootkit that steals banking information by using man-in-the-browser keystroke-logging and form-grabbing.

    • Stuxnet (2010) The first known rootkit targeting an industrial control system.

    • Flame (2012) This computer malware attacks Windows OS computers and can record keyboard activity, screenshots, audio, network traffic, and more.

    Here’s a crazy story: winning $16.5 million can cause quite a stir, right? It’s another thing when the security chief of the Multi-State Lottery Association fixed the lottery. Eddie Tipton confessed to creating a simple program (a rootkit) called Quantum Vision Random Number Generator, partly copied from an internet source, that led to countless fraudulent lotto winnings claimed by him, his friends, family, and even strangers he met. It was as simple as inserting a thumb drive into the computer in the room where lotto numbers are drawn. It took a decade and a computer science-savvy detective to catch the thief.

    How to protect yourself against rootkits

    Although rootkits are sneaky and insidious, there are still ways to prevent them. Many of the strategies to avoid rootkits are also sensible computing habits that will protect you against all kinds of threats:

    • Don’t open email attachments from unknown senders 

    • Don’t download unknown files

    • Ensure your system is properly patched against known vulnerabilities

    • Install software with vigilance, making sure it is legitimate and that there are no red flags in the EULA (end user license agreement)

    • Use external drives and thumb drives with caution

    In addition to the common sense tips above, you can mount an even stronger defense against rootkits by installing a robust antivirus. Though some antivirus software isn’t strong enough to detect them, AVG AntiVirus FREE will find and remove even the most insidious and deeply embedded malicious rootkits — for the low, low price of free.
