If you thought viruses and worms were scary, wait until you learn about malware that’s able to hide other malware. Just as you can work together with your security software in protecting your computer, pieces of malicious software can join forces, too, to carry out their nefarious purposes as rootkits.

What Is a Rootkit, and What Does It Do?

A rootkit is a type of software that allows a user to gain access (authorized or otherwise) to a computer and control its system resources. It basically acts as a backdoor that allows other software, often malicious, to enter the system. Whereas viruses and worms are known for their destructive properties and fast self-propagation methods, respectively, a rootkit is characterized by its advanced cloaking techniques to conceal its presence (along with other software) from the user and antivirus software.

The term “rootkit” stems from two words melded together: “root,” which refers to accounts with the highest privileges on a Linux or other Unix-like computer (just like administrator accounts on Windows), and “kit,” which implies a collection of tools.

Rootkits are not directly harmful, but they allow remote users to do whatever they please on affected computers. System administrators can use rootkits for legitimate purposes, such as monitoring employees, protecting intellectual properties and preventing accidents made by human error. Unfortunately, rootkits allow cyber criminals to steal personal and financial information, install malware and use computers as part of a botnet that circulates spam and participates in distributed denial-of-service (DDoS) attacks.

What Are Some Types and Examples of Rootkits?

One notable example is the malware called Hearse. Infecting computers since 2006, it is designed to steal usernames and passwords. Its rootkit component adds backdoor files that grant a remote user access to the computer. Its Trojan component waits for users to go online and enter log-in details to a website. It then sends the account information it has gathered to a server in Russia.

The techniques Hearse use to hide itself is similar to those of the notorious Sony BMG rootkit software, which is composed of the Extended Copy Protection rootkit and MediaMax CD-3. Exposed in late 2005, the software was intended to help Sony BMG (now known as Sony Music Entertainment) implement copy protection measures for its music CDs to prevent users from burning copies. However, the software garnered a bad reputation for its surreptitious installation behavior, being difficult to uninstall, and ability to report the user’s listening habits to the music company. Worse, it also introduced security holes that allowed unrelated malware to infect the computer. Sony was obligated to provide users a tool that would remove the rootkit software from their computers.

In 2015, the world’s largest personal computer manufacturer Lenovo was caught using rootkit-like software, known as the Lenovo Service Engine (LSE), to install bloatware on computers it sold. Attempts to uninstall the bloatware were futile since LSE would reinstall them on the next boot-up. Similar to the Sony fiasco, the LSE also made affected computers vulnerable to hacking. It forced Lenovo to roll out a tool to disable its functionality.

Rootkits can be persistent or non-persistent. The former means that a rootkit is capable of activating itself every time the computer boots up. The latter refers to a rootkit that resides in the memory and ceases to exist when the computer reboots. Rootkits can also be classified according to their mode of operation: user mode and kernel mode. User-mode rootkits intercept calls from the system API (application programming interface) and the kernel, and it replaces executables and system libraries with malicious counterparts. Kernel-mode rootkits hook themselves in the kernel (the nucleus of the operating system) and may modify components within the kernel. They’re harder to detect than user-mode rootkits.

How Does a Rootkit Infect Your Computer?

A rootkit may disguise itself as a genuine application (or an update of one) to fool the user into installing it. And as shown in the examples above, developers can inject malicious code into their software, which allows rootkits to come preinstalled on purchased computers. Vulnerabilities in web browsers may also allow online servers to get past the computer’s defenses and install a rootkit without the user’s awareness.

How Do You Detect and Remove Rootkits?

Rootkits, especially the kernel-mode variants, are quite hard to detect and remove. A computer may not even show symptoms that are indicative of a rootkit infection. And when it does, you won’t probably notice the signs and abnormalities because of their subtle, fleeting nature. These include random freezes, failure to respond to keyboard or mouse input, unauthorized changes to the Windows settings, and inexplicable increase in network traffic. Pay particular attention to that last behavior, because a rootkit may be hiding processes that are using your Internet connection to send spam or launch DDoS attack from your computer.

If you do suspect that your computer has a rootkit, you can try special detection and removal tools from multiple security vendors:

Should you succeed in removing the rootkit, run a full system scan using your main antivirus solution for any remaining threats that the rootkit may have allowed to enter your computer.

However, given the fact that a rootkit can allow a hacker to do anything he pleases, numerous changes may have been made to the computer. Failing to revert even just one of these changes could mean the rootkit still remains in the system and the hacker can easily regain control of the computer. In cases like these, the only solution is to reinstall the operating system from scratch. Should you choose this route, use the original media you used to install your operating system.

When dealing with rootkits, consider getting an advice from professional tech support.

How Can You Avoid Rootkits?

A rootkit installed in your computer poses a serious risk to your digital security. You should prevent its entry in the first place at all costs. Find and install a robust security software with excellent real-time protection. Replace the built-in firewall of your computer with a more comprehensive, third-party solution to stop unauthorized users from gaining control of your computer. Ensure that your antivirus, firewall, other applications and even the operating system itself have their latest updates installed. Follow the principle of least privilege by using a standard or limited account (instead of an administrator-level account) for your everyday computing activity.