Close-up of a woman scanning threat actors

Concealed & Dangerous: Unveil the Truth About Rootkits

 By Charles Joseph | Cybersecurity Advocate
 Last update: November 25, 2023

The idea of an attacker taking full control over your computer is a terrifying one.

They could steal your files, monitor your web browsing, use your system resources for their own purposes, or even erase everything on your computer.

And with the rise of rootkits, this scary scenario is becoming a reality for more and more people.

What Is a Rootkit?

A rootkit is one of the most dastardly subtypes of malware or malicious software.

Its name is a portmanteau of “root” — the term for the most critical, restricted parts of your operating system — and “kit” — the term for a suite of software.

And it certainly lives up to that name: it gives its creator remote access to your entire computer, including the parts most users never interact with… and the parts that, if tampered with, can do the most damage.

In other words, a rootkit is a type of sneaky software, usually malicious, designed to give unauthorized access to a computer or areas of its software.

Once installed, it permits the attacker to maintain command over the system without the user’s knowledge, hiding its existence or the existence of other harmful processes. Rootkits have the ability to interfere with software and data, including security features and system updates.

Root Access Defined

A root access

Normally, your computer’s root is locked down, accessible only to administrators or superusers. Ordinary user accounts can’t view or modify root files, a restriction that protects these crucial components from bad actors.

With root access, a user can use any resource, modify any file, and issue any command they please. All files, even the lowest-level system files and those that interact directly with the computer’s hardware are fully visible and editable.

Most people don’t need this level of control over their machines, so root access is typically reserved for system administrators, software developers, and other highly technical users.

But the prospect of having limitless access to every last bit of a device is like a siren song to cyber criminals. With remote root permissions, anything is possible — and with a rootkit, getting those permissions without your knowledge or consent is all too easy.

How Rootkits Spread

Rootkits spread much like any other type of malware, often taking advantage of vulnerabilities in human behavior, security holes in software and networks, or both.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

Social Engineering

Many rootkits spread via phishing or other social engineering attacks. Attackers manipulate your emotions to get you to download harmful files or perform other actions that allow the rootkit onto your computer.

They often use emails filled with harrowing legal threats, urgent financial claims, or exciting promises of riches and rewards. You’re told to download the file attached to the email, and in your heightened emotional state, you do so.

But the file isn’t the invoice, personal letter, or prize paperwork it claims to be. It’s actually a rootkit in disguise, and when you download the file, you initiate its installation.

Security Vulnerabilities


Thousands of new software and hardware vulnerabilities are discovered every day. Even the tiniest hole in the most innocuous program can be used by an attacker to wriggle into your device and plant a rootkit.

Though these vulnerabilities are usually patched once they’re made public, they could exist for days, weeks, or even years before they’re fixed. And until you install those patches, they don’t help you one bit.

Attackers actively search for these vulnerabilities, scanning networks for potential victims and silently loading them up with rootkits.

Infected Files and Websites

Other attackers take a more hands-off approach, leaving it up to you to download and install their malware. But they know how to hide their rootkits in such a way that it’s hard for you to resist.

They may attach a rootkit to a tempting download — a “free” version of Photoshop, perhaps, or a high-quality copy of a newly released movie.

Or they may infiltrate an illegal streaming site, masking the rootkit behind a “required” video plugin for your browser.

What Rootkits Can Do

Once a rootkit has found its way onto your computer, the possibilities for the attacker are nearly limitless.

Evade Detection and Install Other Malware

Generally, the primary purpose of a rootkit is to make it easier for other varieties of malware to work.

Rootkits contain components that render antivirus programs ineffective, blocking them from seeing or removing malware. Once the antivirus is disabled, the rootkit can then begin downloading and running other malware without the risk of detection.

And the rootkit has built-in protection for itself, too: antivirus software can’t scan the parts of the computer where the rootkit lurks. Even if it could, the rootkit is so adept at cloaking itself that any actions it performs look just like normal system behavior, rendering it virtually unstoppable.

This makes the rootkit a critical part of many malware attacks. It’s there to open the door for other malware, prevent it from being removed, and amplify its effects.

As we’re about to see, some of these effects can be truly horrific.

Monitor Your Activity and Keystrokes


Root access lets an attacker see absolutely everything you do on your computer. It’s possible for them to monitor your browsing history, look at your personal files or even watch your screen in real time.

Active input from the attacker isn’t required, either. Rootkits allow keyloggers and other malware to automatically send log files back to the attacker every day, including passwords and credit card numbers.

All of this happens invisibly, deep within your system, so you’re never any the wiser about it.

Turn Your Computer Into a Bot

Attackers often try to install rootkits on as many computers as possible, then connect them all into a “botnet”: an army of hijacked machines that can do the attacker’s bidding.

Botnets are used for DDoS attacks — targeted sieges that bombard a specific website with traffic, overwhelming it and causing it to go offline.

Rootkit botnets can also be used for bitcoin mining, consuming your system’s resources to generate cryptocurrency for the attacker. They may also be used as spam machines, stealing your contacts and sending them sketchy emails, often spreading the rootkit further via attachments.

Impersonate You and Steal Your Identity

With a rootkit, an attacker can use your computer remotely, making it look to everyone else as if you’re the one performing their actions.

This lets them turn you into their fall guy for their illicit activities: ordering drugs on the dark web, sending threatening messages to others, viewing illegal materials, and countless other things you don’t want to be associated with.

Some attackers go even further, trawling your hard drive for personal files like tax documents, bank statements, and private message logs. With these sensitive files in hand, the attacker can assume your identity, wreaking havoc that extends far beyond the digital realm into your personal safety and security.

Key Rootkit Takeaways

  • Rootkits are malicious programs that give an attacker remote access to and control over files, commands, and privileges that are normally highly restricted.
  • Rootkits may spread via infected downloads or attachments, or they may enter your computer via a software or network vulnerability.
  • A rootkit installs itself so deeply in your system that it can’t be detected by antivirus programs.
  • Rootkits cloak other malware, allowing attackers to steal your files, monitor your activities, and use your computer for illegal purposes.
  • Keylogging rootkits record keystrokes to gather sensitive data like passwords and credit card details.
  • Bootkits infect the master boot record to take over a system before it’s fully booted up, exemplified by the TDL-4 rootkit.
  • Backdoor rootkits create a hidden access point into a system, enabling continuous unauthorized access for an attacker.
  • Identifying and removing rootkits is difficult, reinforcing the importance of secure, up-to-date systems and reliable security solutions.

History of Rootkits

The earliest-known rootkit was created in 1990 by Lane Davis and Steven Dake. Targeting the Sun Microsystems SunOS UNIX platform, it was not created for malicious purposes but rather to test the limitations of the OS.

Nine years later, the first malicious rootkit was created: NTRootkit. Though intended as a cybersecurity training tool, it made its way onto Windows NT computers in the wild, where it logged keystrokes, stole passwords, and hid files.

In the early 2000s, hackers grew bolder with their use of rootkits. The 2004-2005 “Greek Watergate” attackers made use of a rootkit on the Vodafone Greece network, allowing them to wiretap over 100 members of the Greek government.

Before long, rootkits were being used in full-on cyberwarfare: the US and Israel’s Stuxnet rootkit, spotted in 2010, targeted Iranian nuclear facilities. And the Flame rootkit, which steals data from Middle Eastern governments, schools, and figureheads, is also believed to be a US government creation.

Rootkits by the Numbers

  • Rootkits comprise 8% of all malware in circulation
  • 77% of rootkit attacks are related to espionage, with 44% directed at government agencies
  • Hackers typically sell rootkits for between $45,000 and $100,000 on the dark web
  • 69% of rootkits are spread via phishing, while 62% exploit software vulnerabilities, and 31% rely on drive-by website vulnerabilities

Rootkit Examples

1. Keylogging Rootkit

A keylogging rootkit is a devious piece of software designed to detect and record each keystroke made on a user’s device. This data, consisting of everything you type, including personal messages, passwords, and credit card information, is gathered without the user’s knowledge.

The collected information is then promptly sent back to the cyber attacker. The attacker can use this data for identity theft, financial fraud, or other malicious activities. Because of its surreptitious nature, a keylogging rootkit can remain undetected for a significant amount of time, causing extensive damage before it is discovered and removed.

2. Bootkits

Bootkits are an advanced type of rootkit that specifically target the master boot record (MBR) of a computer. They function by taking control of a system even before the operating system fully boots up. This allows the malicious software to load itself onto the system disguised as a necessary part of the boot sequence.

A well-known example of a bootkit is the TDL-4. This influential rootkit had the ability to hide itself from typical detection methods. Plus, it could create a hidden storage area on the hard drive to store other malicious software also concealed from security processes. This made identifying and removing the rootkit an extremely difficult task.

3. Backdoor Rootkit

Backdoor rootkits are a type of software that, once installed on a device, opens a ‘backdoor’ for attackers. This backdoor serves as a hidden passage, allowing the attacker to gain unrestricted and continual access to the user’s system. They can potentially manipulate the device’s functionality, install additional malicious software, or even control the entire system, all possibly without the user’s knowledge.

An infamous example of a backdoor rootkit was the ‘Nemesis’ malware. Specializing in stealing financial data from large corporations, it made headlines for its ability to hide and persist in a system, even surviving complete operating system reinstalls. By insinuating itself at a deep level in the system’s infrastructure, it created long-term risks for infected devices.

Famous Rootkit Attacks

A rootkit attack

The Sony BMG Rootkit

In 2005, the Sony BMG record company sold CDs with DRM protection, intended to stop people from pirating music. The CDs included a program called XCP-Aurora, purportedly a music player application, that had to be installed to play the CD on a computer.

However, they also included a hidden rootkit that altered the system registry, preventing all other media players and CD rippers from accessing the tracks.

The rootkit itself also created a new vulnerability that malware developers immediately began exploiting. Sony released a patch to uninstall the rootkit, but that patch, too, created serious vulnerabilities, resulting in a CD recall and several multi-million dollar class-action lawsuits.

The ZeroAccess Rootkit

First spotted in 2011, the ZeroAccess rootkit is so insidious that it’s still in circulation despite multiple industry-wide attempts to neutralize it. Over 9 million computers have been infected by ZeroAccess, which assimilates victims into a botnet and disables their firewalls.

The botnet has two purposes: bitcoin mining and ad-click fraud, both of which have been extremely lucrative for the rootkit’s creators. It’s estimated that ZeroAccess bitcoin mining earns the attackers up to $2.7 million per year, while ad-click fraud may net them a profit of over $100,000 a day.

Rootkits as Fast as Possible (Video)

Related Questions

1. What might be an indication that a rootkit has infected my system?

Your system might be slower, running out of space, or have inexplicably changed settings. Also, factors like your antivirus software crashing can signal a rootkit’s presence.

2. How can I protect myself from rootkits?

Stay safe online, be wary of phishing attempts, keep your software updated, and use reliable security software, which can help guard against rootkits. The fewer security vulnerabilities your computer has, the tougher it is for a rootkit to infiltrate.

3. Can a rootkit survive a factory reset?

Some sophisticated rootkits, especially those infecting the firmware or BIOS, can survive a factory reset or even a full operating system reinstallation.

4. Are rootkits only a concern for computers?

No, rootkits exist for mobile devices, too. Therefore, it’s crucial to keep all your devices up-to-date and protected.

5. Are all rootkits malicious?

While technically, not all rootkits are malicious, most are associated with malware due to their intrusive capacity to monitor and control a system without authorization.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional