by Tony Bradley, CISSP-ISSAP
Updated August 31, 2017
Most users are familiar with common threats such as viruses, worms, spyware and even phishing scams. But mention a rootkit, and many
computer users may think you’re talking about a gardening product to fertilize your flowers or kill the weeds. So, what is a rootkit?
What Is A Rootkit?
At the core of the term “rootkit” are two words: “root” and “kit”. Root refers to the all-powerful “Administrator” account on Unix and
Linux systems, and kit refers to a set of programs or utilities that allow someone to maintain root-level access to a computer.
However, one other aspect of a rootkit, beyond maintaining root-level access, is that the presence of the rootkit should be undetectable.
Why Use A Rootkit?
A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer
system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on
the target machine, as well as accessing log files or monitoring activity to covertly spy on the user’s computer usage.
Is A Rootkit Malware?
That may be debatable. There are legitimate uses for rootkits by law enforcement, or even by parents or employers wishing to retain remote
command and control and/or the ability to monitor activity on their employees’ or children’s computer systems. Products such as eBlaster or
Spector Pro are essentially rootkits that allow for such monitoring.
However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and
monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit
itself is not really malware.
Detecting A Rootkit
Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf product to magically find and remove all of the
rootkits of the world like there is for viruses or spyware.
There are various ways to scan memory or file system areas, or to look for the hooks a rootkit places into the system, but few of these are automated
tools, and those that are often focus on detecting and removing a specific rootkit. Another method is just to look for bizarre or strange behavior on
the computer system. If there are suspicious things going on, you might be compromised by a rootkit. Of course, you might also just need to
clean up your system using tips from a book like Degunking Windows.
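One concrete form of the “look for hooks into the system” approach mentioned above is a cross-view check: gather the same information through two different kernel paths and compare the results. A rootkit that hooks the directory listing of /proc can hide a process from ps and ls, but the kill() system call never touches /proc, so probing every PID with kill(pid, 0) produces a second view that the same hook does not affect. The script below is an added example written for this page, not code from the article or from any product it names; the function names (diff_views, listed_pids, probed_pids, suspicious_pids), the 65536 PID cap and the two-round filtering are this example’s own assumptions, and the sample PID lists are constructed.

```python
import os

# Constructed sample data (not from the article): a /proc directory listing
# and a brute-force probe of the same PID range, where PID 1337 has been
# hidden from the listing the way a readdir/getdents hook would hide it.
SAMPLE_LISTED = [1, 2, 400, 512]
SAMPLE_PROBED = [1, 2, 400, 512, 1337]


def diff_views(listed, probed):
    """Return PIDs found by the direct probe but absent from the listing."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    """View 1: PIDs as reported by a directory listing of /proc (getdents)."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def _is_thread(pid):
    """True if /proc/<pid>/status says this ID is a thread of another process.

    kill(tid, 0) succeeds for thread IDs as well, so without this filter every
    extra thread on the box would be reported as a hidden process. If the
    status file cannot be read (vanished, or hidden by a rootkit), the PID is
    kept in the probe view, which is exactly the case we want to surface.
    """
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def probed_pids(max_pid):
    """View 2: PIDs found by probing each number with kill(pid, 0).

    ProcessLookupError means no such process; PermissionError means the
    process exists but belongs to another user, so it still counts as found.
    """
    found = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not _is_thread(pid):
            found.append(pid)
    return found


def suspicious_pids(max_pid=65536, rounds=2):
    """Compare the two views `rounds` times and keep only PIDs hidden in every
    round, so processes that merely started or exited between the two
    snapshots are not reported as hidden."""
    if not os.path.isdir("/proc"):
        raise RuntimeError("this check needs a Linux-style /proc filesystem")
    hidden = None
    for _ in range(rounds):
        once = set(diff_views(listed_pids(), probed_pids(max_pid)))
        hidden = once if hidden is None else hidden & once
    return sorted(hidden)


if __name__ == "__main__":
    print("constructed sample, hidden PIDs:", diff_views(SAMPLE_LISTED, SAMPLE_PROBED))
    print("live check, hidden PIDs:", suspicious_pids())
```

A non-empty result from suspicious_pids() is a lead, not a verdict: PID namespaces, containers and a pid_max above the cap can all produce differences that have nothing to do with a rootkit, and a kernel-mode rootkit that also hooks the kill path will defeat this particular pair of views. That is why the article’s advice to rebuild a suspect system still stands once a hidden process is confirmed.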
In the end, many security experts suggest a complete rebuild of a system compromised by a rootkit or suspected of being compromised by a rootkit.
The reason is, even if you detect files or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact removed every
piece of the rootkit. Peace of mind can be found by completely erasing the system and starting over.
Protecting Your System And Its Data From Rootkits
As mentioned above regarding detecting rootkits, there is no packaged application to guard against rootkits.
It was also mentioned above that rootkits, while they may be used for malicious purposes at times, are not necessarily malware.
Many malicious rootkits manage to infiltrate computer systems and install themselves by propagating with a malware threat such as a virus.
You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is updated
and running, and that you don’t accept files from, or open email attachments from, unknown sources. You should also be careful when
installing software and read carefully before agreeing to EULAs (end user license agreements), because some may state overtly that a
rootkit of some sort will be installed.
Editor’s Note: This article was updated on September 30th, 2016 by Andy O’Donnell