Rootkits are a class of malicious software (malware) which obscures the presence of an attacker on a compromised system. Rootkits often use the lowest levels of an operating system to obscure the presence of spyware, viruses or Trojans, and give the attacker some degree of control over the system through the interplay of different programs. Attackers enter the system through bugs and security gaps and can hide their presence with a rootkit without the user of the system noticing it. The rootkit, however, is only the part of the attack that serves as camouflage. It is not intended to prevent the actions of the legitimate user, but rather to ensure that the hacker’s attack is not detected, regardless of whether the attacker performs logins, processes changes, or copies files. Rootkits are also called camouflage viruses or Trojan horses.

General information

The term rootkit refers to a collection of tools and applications that allow access to a computer or network at the level of an administrator. Root refers to the admin account of Unix- and Linux-based operating systems, while kit denotes the components that implement it on the system.[1] Since Unix and Linux operating systems were based on a modular concept, individual components and commands were used for attacks in the 1990s. Unix commands like Ps (process status) and Password (password change) give the attacker, for example, an overview of all running processes and allow a password change if they have been modified accordingly. These classic rootkits are also referred to as application rootkits because they are based on the Unix and Linux program libraries and always focus on individual applications or system components.

In this way, an attacker selectively intervenes in the system and uses these elements in the system architecture for an exploit because the attack takes place on the lower layers of a system and the attacker impersonates the admin, rootkits remain mostly undetected, unless they can be tracked by specialized software. There are now rootkits for many different stationary and mobile operating systems, including Android and iOS. But not all rootkits are characterized by the intention of compromising a system and obscuring this infiltration. Within the scope of digital rights management, for example, there were cases where manufacturers used different rootkits to hide copy protection and copyright mechanisms from the user and to implement DRM mechanisms in the system. Official stress and security tests of computers, software, and networks can be implemented just as well with rootkits. However, the goal here is to find any security gaps and not their malicious exploitation.

How it works

Rootkits usually consist of several components, which carry out specific tasks and are adapted to the respective operating system. The following is a possible sequence:

  • A Trojan software gains access to a system to install the rootkit there. A cracker tries to get regular access to a system through spoofing, malware, or spyware and then secure the admin rights for the system. Rootkits can also be inserted into a system via e-mail attachments, traditional software, and site visits (drive by download).
  • A sniffer is used to tap into the network traffic and the system-critical access data gets selected. Tools such as keyloggers can also capture the keystrokes and mouse movements before inputs such as PIN or passwords get encrypted by the system.
  • With the access data gained that way, the cracker can create a backdoor and modify system files so that he remains undetected. He will have remote access to the operating system.  API calls and operating system functions get converted and reversed by the cracker for camouflage purposes, for example.
  • Depending on the purpose of the attack, the infiltrated computer can now be used for further actions. For example, for spamming, pharming, large-scale DDoS attacks or for storing sensitive data.

Types of rootkits

Rootkits are generally distinguished by which areas of a system they affect and how well they can hide.

  • Application rootkits: Application rootkits have access to system programs due to modified program files. Such rootkits can be identified relatively easily and are hardly ever used today.
  • Cache rootkits: Cache rootkits are only effective in the system memory. When the system is restarted, the memory and thus the rootkit is deleted.
  • User mode rootkits: These rootkits do not need access to the lower levels of the system. Instead, they run a .dll file that manipulates traffic through calling API functions. This is also referred to as DLL Hijacking or DLL Injection.
  • Kernel mode rootkits: Kernel rootkits replace code components of the system with manipulated files. The kernel is the inner core of the operating system with access to the hardware. Therefore, these rootkits are distinguished by rings (ring 0, ring 1, 2, 3), which refer to the various levels of the system. At the lowest level, profound changes in the system are possible. Kernel rootkits are also described as loadable kernel modules (LKMs) because such modifications are often realized by reloading the kernel modules.
  • Virtual machine based rootkits: Virtual machines simulate the presence of a physical processor. Most modern computers use virtual machines and processors for optimization in terms of multitasking and performance. Virtual machine based rootkits transport an operating system into a virtual environment so that the rootkit, along with the virtual environment, cannot be discovered at all or is difficult to detect.

Relevance to search engine optimization

In most cases, it is difficult to identify rootkits. Antivirus software, firewalls, and various detection tools can detect harmful software. But rootkits, as such, hide in the system and try to pretend to the user that they are part of the system. For this reason, detection tools (intrusion detection systems, IDS) have to be specially designed to track rootkits. This also means that the system can be cleaned only after uninstalling a rootkit. Rootkit detection tools are provided by many manufacturers. An incomplete selection:

  • Windows tool for removing malicious software
  • Rootkit Hunter for Mac
  • CHKrootKIT
  • Gmer

These scanners and analysis solutions can identify rootkits, but they do not always clean the infected system. The most effective remedy against rootkits is therefore a reinstallation of the operating system in safe mode. Under certain circumstances even the BIOS has to be cleaned up.

In addition, security experts recommend a degree of skepticism on the part of users, as well as current software. Email attachments, phishing attempts, and websites should not be clicked without a critical look at the authenticity of the offer and any protection and operating programs should be up-to-date. This is the only way to avoid bugs and security gaps which are utilized by rootkits to get into the system.


  1. Rootkit: What is a Rootkit? Accessed on 08/16/2016

Web Links


Related Articles