
What are Rootkits?

  • Writer: Rolando Ramos
  • Nov 24
  • 3 min read

Updated: Dec 5


Threat Type: Rootkits


Category: Malware-Based Threat


Cyber Threat Indicators


A rootkit is a stealthy type of malicious software designed to provide continuous, privileged access to a computer system while actively hiding its presence from the user and security programs.


The name comes from the Unix/Linux term "root" (the highest-privileged administrative account) and "kit" (the collection of software tools). Rootkits do not initiate an attack; instead, they are used after an initial compromise to establish long-term, undetectable control.


Core Characteristics


The primary functions of a rootkit are stealth and persistence, achieved through manipulation of the host operating system.


Stealth (Concealment): This is the defining feature. Rootkits operate by modifying core operating system (OS) components to intercept and alter system calls. For example, when an antivirus program or the task manager asks the OS for a list of running processes or files, the rootkit intercepts the request and provides a manipulated list that omits its own malicious files and activities.
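As an added example (not code from the original post), the Linux check below compares two views of the process list: the /proc directory listing that ps and task managers build on, and direct probing of every PID with kill(pid, 0); a rootkit that filters only the listing leaves a gap between the two. It assumes a Linux host with procfs mounted at /proc, and the function names are my own.

```python
import os
PROC = "/proc"  # assumption: a Linux host with procfs mounted here

def pids_from_listing():
    # View 1: the numeric entries readdir() returns for /proc; ps and top build on this.
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def is_alive(pid):
    # Ask the kernel directly with signal 0 (nothing is delivered):
    # ESRCH means no such task; success or EPERM means a task with that id exists.
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def pids_from_probing():
    # View 2: probe every id up to pid_max instead of trusting the listing.
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    return {pid for pid in range(1, max_pid + 1) if is_alive(pid)}

def tgid_of(pid):
    # Thread-group id from /proc/<pid>/status, which stays reachable by path even
    # when unlisted; None when the entry cannot be read at all.
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            return int(next(l for l in fh if l.startswith("Tgid:")).split()[1])
    except (OSError, StopIteration):
        return None

def hidden_pids(listed_before, probed, listed_after, alive=is_alive, tgid=tgid_of):
    # Ids that answered the probe but appear in neither listing snapshot. The two
    # snapshots bracket the probe so a process that started mid-scan is not reported,
    # a re-probe drops one that has since exited, and an id whose Tgid differs from
    # itself is a thread (kill() answers for thread ids; readdir() rightly omits them).
    suspects = []
    for pid in sorted(probed - listed_before - listed_after):
        if not alive(pid) or (tgid(pid) not in (None, pid)):
            continue
        suspects.append(pid)
    return suspects

if __name__ == "__main__":
    before, probed, after = pids_from_listing(), pids_from_probing(), pids_from_listing()
    print("alive but absent from /proc listing:", hidden_pids(before, probed, after))
```

A kernel-mode rootkit that hooks both the directory listing and the kill() path hides from this comparison as well, which is why the classification below rates that class as the hardest to detect.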


Privileged Access: Rootkits typically operate at the highest privilege levels, such as the kernel level (Ring 0). This gives the attacker almost total control over the system, allowing them to disable security software, bypass authentication, and access sensitive data.


Persistence: They are designed to survive system reboots. This is achieved by embedding themselves in critical areas like the Master Boot Record (MBR), the boot sector, or even the device's firmware (like the BIOS/UEFI), ensuring they load before the operating system or security software can detect them.


Enabling Secondary Payloads: A rootkit's main purpose is to be an invisible container or loader. Once installed, it sets up a backdoor and often deploys other malware like keyloggers, ransomware, or bots for use in a botnet.


Common Examples and Tactics


Rootkits are often classified based on where they embed themselves in a system:


Kernel-Mode: Embeds in the core of the OS (the kernel). Privilege level: highest (Ring 0). Impact: extremely high; can change the OS code and logic itself. Detection: very difficult.


Bootkit: Embeds in the Master Boot Record (MBR) or UEFI firmware. Runs: before the OS loads. Impact: extremely persistent; loads at the very start of the boot process, bypassing most pre-boot checks.


User-Mode: Embeds in standard application libraries and APIs (e.g., DLLs). Privilege level: user (Ring 3). Impact: lower; runs alongside applications. Detection: easier to detect and remove than kernel-mode.


Firmware/Hardware: Embeds in hardware components such as the BIOS/UEFI, routers, or hard drive firmware. Runs: outside the OS. Impact: highly persistent and difficult to detect, as these areas are rarely scanned.


Common Deployment Tactics


Attackers typically use a multi-stage process:


Initial Access: The attacker gains a foothold, usually through methods like:


  • Phishing: Tricking a user into downloading an infected attachment.

  • Exploiting Vulnerabilities: Using a zero-day (unknown vulnerability) or unpatched flaw in software.

  • Malicious Downloads: Bundling the rootkit installer with cracked software or pirated media.


Privilege Escalation: The initial compromise may only grant standard user access. The attacker then uses a separate exploit to gain administrative or "root" privileges.


Rootkit Installation: The attacker installs the rootkit, which then buries itself deep in the system (e.g., as a fake system driver or by patching the kernel).


Payload Execution & Control: The rootkit hides the attacker's presence, allowing them to quietly run additional malicious software (the payload) for long-term activities like espionage, data exfiltration, or launching Distributed Denial-of-Service (DDoS) attacks.


---


VIIEGO, the human security agency: human security research and consulting in identity manipulation and fraud prevention, to decode human behavior and secure your identity.


www.viiego.com | Protect What's Yours.
