What is a Rootkit?

A rootkit is a collection of malicious software tools that gives attackers administrator-level access to an endpoint. In addition, most rootkits are designed to hide themselves so that they are difficult to detect.

Rootkits are so-called because they are software “kits” that allow attackers to operate as if they were the root user on an infected system. On Linux and other Unix-like operating systems, root is the name of the account that has full access rights. (To be clear, rootkits aren’t only a risk for Linux; they can also affect Windows, macOS, and virtually any other type of operating system, even if the admin- or superuser-level accounts on the system are not called root.)

Keep moving forward for a guide to rootkits, how they work, different types of rootkits, and how to prevent rootkit attacks.

How do Rootkits work?

As we explain below in the section on rootkit techniques, there are various means by which attackers can install rootkits on a system, and rootkits may operate in several different parts of the system.

However, all rootkits work in the same basic way, using the following process:

• Attackers gain access to a system (by, for example, exploiting a software vulnerability) in a way that allows them to install malware.
• The malware circumvents standard access controls to give attackers the ability to perform the same activities as the root or administrator user.
• The rootkit software obscures its presence by modifying binaries and processes so that they do not appear malicious.

Once this process is complete, attackers can use the rootkits to perform actions like exfiltrating sensitive data from the infected endpoint, taking control of applications and using the endpoint to run illicit software, like cryptominers.

Rootkits vs. Trojans and Backdoors

Rootkits are a kind of malware, but there are other types of malware – such as the malware associated with trojans and backdoors – that are distinct from rootkits.

Rootkits are different from trojans because trojans are any type of software that gives attackers access to at least part of a system. In most cases, the level of access that trojans provide to attackers is limited; a trojan might allow attackers to view sensitive data, for instance, but not run commands as the administrative user. In contrast, rootkits provide complete, administrator-level access.

Along similar lines, rootkits are different from backdoors because a backdoor is any malware that enables unauthorized access to a system, not necessarily the administrator-level access provided by a rootkit.

It’s worth noting that there is ambiguity surrounding the terms trojan and backdoor; they are both generic terms that could refer to a wide range of malware types and attack techniques. Arguably, rootkits could be described as a type of trojan as well as a type of backdoor, but there are many other types of trojans and backdoors.

Rootkit techniques

Rootkits can be broken into categories based on how they operate.

Kernel-Mode Rootkits

Kernel-level rootkits operate in what’s known as kernel space. That means they run as programs controlled directly by the kernel, and they have the same level of access to the operating system as kernel processes. Since the kernel is the core program inside an operating system that controls all other operations, running in kernel mode means that rootkits can easily access any other resources on the system.

User-Mode Rootkits

User-mode rootkits run in userspace or userland, which is the same part of the operating system where standard applications are hosted. Instead of taking control of the system from the level of the kernel, user-mode rootkits typically exploit other types of vulnerabilities in the operating system (such as weaknesses within access control systems) that allow them to gain administrator-level access even though they are not actually running with kernel-level privileges.

Bootkits

A bootkit is a rootkit that is installed in the boot record of an endpoint. When the system boots, the rootkit is loaded. That means that the rootkit has control over all aspects of the system from close to the very start of each system session.

An advantage of this approach for attackers is that loading the rootkit during boot makes it easy to hide the rootkit, because software that is designed to detect rootkits may not be operational until after the system has fully booted, so it can’t detect bootkits that are loaded earlier. Bootkits also usually hide in boot records rather than on standard file system partitions, which also makes them harder to detect in some cases.

Hypervisor-Based Rootkits

Hypervisor-based rootkits operate within hypervisors, which is software that starts and manages virtual machines. From the hypervisor, rootkits can control operations and access resources inside virtual machines.

This type of rootkit only works with virtual machines, not bare-metal servers. But since many workloads today are virtualized, hypervisor-based rootkits have become a major risk.

Rootkit Attack prevention and mitigation

Once a rootkit has infected a system, it can begin causing harm immediately, and it may be difficult to detect until significant damage has occurred. That’s why it’s important to try to prevent attackers from installing rootkits in the first place, and to take steps to mitigate the impact of rootkits in the event they are installed.

The most important step toward rootkit prevention is ensuring that software is up-to-date and scanning it for vulnerabilities. Because attackers often exploit vulnerabilities in operating systems or applications to install rootkits, keeping systems free of vulnerabilities will prevent most rootkit attacks.

Blocking unnecessary network ports can also help to prevent rootkits by making it harder for attackers to find and exploit vulnerabilities over the network. So can following the principle of least privilege when configuring user accounts, since attackers could take advantage of excess privileges in user accounts they control to install rootkit software.

As for mitigating rootkits, segmenting resources from each other is a useful technique because it minimizes the extent of the resources that rootkit attackers can access in the event that they take control of a system. You can enforce segmentation at the network level, which reduces the risk that a rootkit attack against one endpoint can spread to other endpoints. In addition, dividing physical servers into virtual machines and using each virtual machine for a different workload helps to provide workload segmentation and reduce the risk that a rootkit installed on one virtual machine can impact workloads hosted on other virtual machines. (That said, a hypervisor-based rootkit might be able to infect all virtual machines under this scenario.)

Rootkit Detection and Response

In addition to taking steps to prevent rootkit installation and mitigate the scope of rootkit attacks, organizations should ensure they are actively searching for rootkits that may be lurking on their systems. Although rootkits are designed to evade detection, some techniques are available for identifying rootkits:

• File integrity monitoring: Changes to files could indicate a rootkit attack, especially if the changes involve binaries (such as those that run low-level operating system programs or boot record data) that would not normally change. By monitoring files continuously for unusual changes, you may be able to detect rootkit attacks.
• Process monitoring: Unusual process activity, such as unexpected process forking or renaming, could also be indicative of a rootkit attack.
• Performance changes: In some cases, rootkits might lead to performance changes on a system, such as longer booting times or slower response rates. If you notice changes like these and you can’t attribute them to other sources, you might have a rootkit.
• Memory inspection: Analyzing data stored in system memory can reveal some rootkits, especially if the rootkits store data in ways that are linked to rootkit activity.

Tools like Sysdig Inspect, an open source solution for scanning systems for security risks and unusual changes, can help to automate the process of detecting rootkits, among other types of risks.

Removing and Recovering from Rootkits

If you detect a rootkit, your first step should be to remove it. Since it may be difficult to detect all components of a rootkit, the best way to remove rootkits is to wipe the infected system entirely and either rebuild it from scratch or (if you have backups) restore it to a prior state that you determine to be rootkit-free. However, it may be possible in some cases to remove rootkits by simply deleting the binaries that they use to operate, assuming you have high confidence in where those binaries are.

You should also, of course, make sure you know how the rootkit was installed in the first place and that you address the vulnerabilities that enabled the rootkit attack. Otherwise, attackers might just reinstall the rootkit after you remove it.

Finally, analyze files, user accounts, applications, and other resources on a previously infected system to look for changes that the rootkit might have made. You want to make sure that no data was deleted or modified, for instance, and that attackers didn’t use the rootkit to install other malware that is not part of the rootkit itself and may linger on your system after the rootkit has been removed.

Conclusion

Given the extensive access that they provide to attackers, rootkits are one of the most dangerous types of attacks that can occur on modern systems. They are also constantly evolving as attackers devise new ways of deploying and hiding rootkit software.

Fortunately, it’s possible to erect strong defenses against rootkits by ensuring that systems and the software running on them are free from vulnerabilities. Techniques like segmentation can also reduce the risk of rootkit attacks, and comprehensive system scans can detect many types of rootkits so that you can contain the damage once a breach has already occurred.