What is a rootkit?
A rootkit is usually (though not always) a type of malware designed to give control of a device or its software to someone else, like a hacker. A rootkit can mask its presence from the device’s owner, even while it’s actively running. It can be difficult—if not impossible—to repair a device, whether a computer, phone, or tablet, once a malicious rootkit is installed.
The word rootkit is a combination of the terms “root” (synonymous with administrator or system administrator) and “kit” (jargon for a set of software tools). Thus, rootkit means a set of software tools that provides remote administrator access. Once a rootkit installer gains administrator access, the person (or group or bot) who installed it can do anything they want within the device. This includes accessing files, installing or altering programs, or even attacking other systems. The rootkit creates a “backdoor” that remains open for ongoing use by its installer.
What are rootkits used for?
Occasionally, rootkits are installed for legitimate purposes, especially in today’s reality of remote work. A system rootkit can give an organization’s IT staff access to remote computers as an easy way to provide support for updating programs, troubleshooting issues, etc. A rootkit can also be a security feature, if it allows IT staff to remotely access a lost or stolen device, and erase any sensitive data before it falls into the wrong hands.
Most rootkits, however, are malware. They can be used in many ways, including to:
- Steal data from secured storage
- Install ransomware
- Place a keylogger, and thus steal login credentials or other sensitive data
- Turn a computer into a bot for a botnet
- Disable other software like antivirus and anti-malware programs
With rootkit access, a hacker can install more malware later. Rootkits can be designed to infiltrate at various levels, each with its own point of infection and differing capabilities for a hacker:
- An application rootkit infects the software files of applications, and provides the hacker access to your computer whenever you’re using the infected program
- A kernel-mode rootkit targets the core of your operating system, giving the hacker access to all your files, and even the ability to alter the functionality of your device
- A firmware or hardware rootkit infects the firmware of a hardware component, such as your hard drive, where it survives an operating system reinstall; this makes it particularly good for installing keyloggers, and difficult to detect
- Other varieties include bootloader rootkits, memory rootkits, and virtual rootkits
How does a rootkit get onto my computer?
Typically, a rootkit gets onto a computer through a social engineering ploy that tricks an individual into installing or “updating” software. Rootkit programming may also be deployed when someone opens an infected attachment, or installs a third-party browser extension or unsafe phone app.
Some rootkit packages take advantage of security vulnerabilities. They can also be spread among devices sharing a network. For example, a hacker can take advantage of the lower levels of security often found on internet of things (IoT) devices. The hacker could hack into smart devices, install the rootkit malware, then let the rootkit spread itself to other, more secure devices (like computers on the same network as the infected smart device).
How to tell if a rootkit is on a device
Antivirus software may or may not detect a rootkit installation, in part because a rootkit gives the hacker the ability to deactivate antivirus tools (and their corresponding detection mechanisms). The success of antivirus software depends on a number of factors, including the infection level and sophistication of the rootkit, and the quality of the antivirus software. Where possible, look for antivirus software that specifically includes rootkit detection.
Since antivirus software can’t be relied upon to find all rootkits, the best way to detect possible infection is through simple observation. You may notice your system becoming unresponsive or crashing more often, or generally having slower performance. You might realize your antivirus software hasn’t run in a while, that your internet connection is erratic, or that your user interface settings have been changed. Any of these symptoms can indicate that programs you didn’t initiate are running and using resources (memory, bandwidth); in these cases, a rootkit may be the cause.
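The symptoms above point at a general principle: a rootkit hides a process from one view of the system, but the kernel still has to run that process, so a second, independent view can disagree with the first. The script below is an added example for Linux (not code from this page or from Brave) of that "cross-view" check: it compares the process IDs listed in /proc, which is what ps and top read, against the PIDs the kernel admits exist when probed with kill(pid, 0), a signal number that delivers nothing. A PID that answers the probe but is missing from the listing is a candidate hidden process. The sample sets at the bottom are constructed for illustration; the live check runs only when the file is executed directly.

```python
"""Cross-view check for hidden processes on Linux (added example).

View 1: numeric entries of /proc, the same listing ps and top rely on.
View 2: a brute-force kill(pid, 0) probe, which asks the kernel whether a
        PID exists without delivering a signal.
A rootkit that filters the /proc directory listing removes a PID from
view 1, but kill() still reports the process as present in view 2.
"""
import os
import sys


def pids_from_proc(proc_root="/proc"):
    """View 1: PIDs that appear as numeric directory names under proc_root."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return set()
    return {int(name) for name in entries if name.isdigit()}


def tids_from_proc(proc_root="/proc"):
    """Thread IDs of every listed process, from /proc/<pid>/task.
    kill(tid, 0) succeeds for a thread ID too, so thread IDs must be treated
    as 'listed' or every multi-threaded program looks like a hidden process."""
    tids = set()
    for pid in pids_from_proc(proc_root):
        try:
            names = os.listdir(f"{proc_root}/{pid}/task")
        except OSError:
            continue  # process exited between the two listdir calls
        tids.update(int(t) for t in names if t.isdigit())
    return tids


def still_alive(pid):
    """True if the kernel says pid exists. ESRCH (ProcessLookupError) means
    no such process; EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_from_signal_probe(max_pid=None):
    """View 2: every PID from 1 to max_pid that answers a signal-0 probe.
    Reads the kernel's pid_max by default; large values take a few seconds."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read().strip())
        except OSError:
            max_pid = 32768
    return {pid for pid in range(1, max_pid + 1) if still_alive(pid)}


def hidden_pids(listed, probed, recheck=None):
    """PIDs present in the probe view but absent from the listed view.
    recheck(pid) -> bool, when given, re-confirms each suspect so a process
    that simply exited between the two snapshots is not reported."""
    suspects = set(probed) - set(listed)
    if recheck is not None:
        suspects = {pid for pid in suspects if recheck(pid)}
    return sorted(suspects)


# Constructed sample views, not captured from a real host: PID 4242 answers
# the probe but is absent from the /proc listing, so it is reported.
SAMPLE_LISTED = {1, 2, 150, 731, 1200}
SAMPLE_PROBED = {1, 2, 150, 731, 1200, 4242}

if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        raise SystemExit("this check relies on Linux /proc and kill() semantics")
    listed = pids_from_proc() | tids_from_proc()
    probed = pids_from_signal_probe()
    # Second listing so a process started during the probe is not flagged.
    listed |= pids_from_proc() | tids_from_proc()
    found = hidden_pids(listed, probed, recheck=still_alive)
    if found:
        print("PIDs reachable by signal but missing from /proc:", found)
    else:
        print(f"no hidden PIDs found ({len(probed)} live PIDs checked)")
```

Run it as root to avoid EPERM noise being the only signal you see, and expect an empty result on a clean host; a non-empty result is a lead to investigate from offline media, not a verdict, since a kernel-mode rootkit can also tamper with the probe path itself.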
Removing a rootkit
Rootkits can be hard to get rid of, some types more than others. Some removal methods include:
- An application rootkit is sometimes still detectable by antivirus software, and can be removed by reinstalling a clean version of the infected software
- A memory rootkit can be removed by rebooting the device, which clears the device’s memory
- Kernel-mode rootkits (which reside at the level of the device operating system itself) can only be removed by reinstalling the OS
- A firmware rootkit can even mean replacing hardware
What can I do to protect against rootkits?
Because it can be so difficult to remove a rootkit, it’s very important to keep rootkits out of your devices. There are several things you can do to protect yourself, including:
- Use an antivirus software that includes a rootkit scan.
- Keep all software (including your antivirus) updated, which can help prevent malware like rootkits from being installed in the first place. This is especially important for your operating system, which will often let you know when it needs to be updated.
- Avoid phishing and other scams; if you click a link, check that the website address is correct (e.g. “example.com” and not “exampel.com”), and that your browser address bar has “https://” or a lock icon. The Brave browser automatically upgrades connections to the more secure HTTPS.
- Enable Safe Browsing in your Web browser. All major browsers, including Brave, support this feature, which can warn you if you’re about to visit a known phishing site where malware might lurk.
- On mobile devices, only install apps from the official app store. On desktop or laptop devices, only install apps and extensions from the official store, or from reputable companies.
- Update default passwords that come with smart devices. A device with the factory default password is easy to hack into and install malware like rootkits.
- If you think a smart device is performing poorly and may be infected, run a factory reset.