
A rootkit is a software program that allows an attacker to gain control of your computer system while remaining undetected. The term rootkit is derived from "root", which refers to superuser administrative access, and "kit", which is the actual program or mechanism that performs the tasks.

There are many types of rootkits, programmed to perform various actions. Some variations have the capacity to capture and transmit sensitive data such as PINs, account passwords, and credit card numbers. Another troubling aspect is that many rootkits have been designed to replace or overwrite important parts of the operating system software, which may then be used to hide processes or programs that the attacker installs.

A rootkit is designed to seize control of an operating system at its core, usually by exploiting kernel-level vulnerabilities. It is common for a rootkit to attempt to erase the operating system's event logs in order to remove any evidence of its activities.

Many times rootkits act as Trojan Horses and masquerade as a useful program. Acting in this capacity, an attacker attempts to trick the target into installing and running the malicious software on their computer system. A rootkit may install a "back door" within the target system by replacing the login mechanism with a similarly acting but malicious sub-program that accepts a secret login combination, thereby allowing the attacker access to the host system, typically as the root user.
Rootkits have been discovered on numerous operating systems, including:

- Windows
- Mac OS
- Linux
- Solaris
A true rootkit cannot escalate an attacker's privileges before it runs on a system. Therefore, the first thing an attacker must do is install a penetration mechanism to enter the target system. Second, the actual rootkit payload must be installed by a user with admin privileges. This administrator is typically the attacker using a privilege escalation exploit, or an unwitting user who has been duped.

A system with a successfully installed rootkit is said to be "rooted".

Rootkits are hard to detect with common antivirus programs, therefore scanning with specialized software is necessary to uncover them. There are free rootkit scanners available, such as Microsoft's RootkitRevealer.

Unfortunately, the results of these scans can be a bit cryptic and require a lot of research and posting to forums to understand whether a rootkit is present. Many times the safest route, if you think that you have been rooted, is to reformat your drive and reinstall your software to a known-safe state.

Rootkits are quite powerful. And since they must be installed by an attacker with root-level access, it is worthwhile to have safeguards in place to prevent the attacker from getting root in the first place. Some precautions include:
- Using difficult-to-guess passwords
- Applying security patches
- Closing unused ports
These security measures are very helpful in preventing attackers from gaining root and installing rootkits; however, you are still not 100% safe. An attacker may still be able to find some unknown hole in your system and gain root.

Perhaps the best way to defend against rootkits is to use program integrity checkers. These integrity-checking tools create a cryptographically protected digital fingerprint of your critical files. You take a trusted baseline of your system while it is known to be clean, store it where an intruder cannot rewrite it (off the host or on read-only media), and later compare any suspect version of the system against that baseline to analyze what has changed.
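The baseline-and-compare idea above, as an added example that is not part of the original post and not the code of any particular integrity checker. It fingerprints every file under a directory with HMAC-SHA256 (a key kept off the host protects the stored fingerprints from being silently regenerated), then reports files that were modified, added, or removed. The directory tree, file contents, and key are constructed for the demo; on a real host the baseline must come from a known-clean state, and a kernel-level rootkit can lie to any user-space tool that reads files through it, so booting from trusted media for the check is the stronger approach.

```python
import hashlib
import hmac
import os
import tempfile

# Key that protects the fingerprints; in practice it is kept off the host
# (or the whole baseline lives on read-only media). Constructed demo value.
DEMO_KEY = b"example-baseline-key-kept-offline"

def fingerprint(path, key):
    """Keyed SHA-256 (HMAC) of a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def snapshot(root, key):
    """Map every file under root (as a relative path) to its fingerprint."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = fingerprint(full, key)
    return result

def compare(baseline, current):
    """Report which files changed, appeared, or vanished since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: a replaced 'login' program and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"genuine login program")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"genuine ls program")
        baseline = snapshot(root, DEMO_KEY)  # taken on the known-good system
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"login program with a back door")  # simulated tampering
        with open(os.path.join(root, "hidden.ko"), "wb") as f:
            f.write(b"dropped module")  # simulated new file
        return compare(baseline, snapshot(root, DEMO_KEY))
```

Running `demo()` returns one modified path (`bin/login`), one added file (`hidden.ko`), and nothing removed; `bin/ls` is untouched and so is not reported.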
