What is a rootkit and how to remove it

March 28, 2013

Rootkits have been around for nearly 20 years now, allowing attackers to get access to and steal data from users’ machines without being detected for long periods of time. The term is loosely applied to a subset of malware tools that are designed specifically to stay hidden on infected computers and enable the attacker to remotely control the PC. To help users understand what a rootkit is and how one operates, we have put together an explainer on this kind of malware and what to do if one infects your computer.


Rootkit Definition

Rootkit is a term applied to a type of malware that is designed to infect a target PC and allow an attacker to install a set of tools that grant him persistent remote access to the computer. The malware typically will be hidden deep within the operating system and will be designed to evade detection by anti-malware applications and other security tools. The rootkit may contain any number of malicious tools, such as a keystroke logger, a password stealer, a module for stealing credit card or online banking information, a bot for DDoS attacks or functionality that can disable security software. Rootkits typically act as a backdoor that gives the attacker the ability to connect remotely to the infected machine whenever he chooses and remove or install specific components. Some examples of Windows-based rootkits in active use today include TDSS, ZeroAccess, Alureon and Necurs.

Rootkit Variants

The two main types of rootkits are user-mode rootkits and kernel-mode rootkits. User-mode rootkits are designed to run in the same part of the computer’s operating system as applications. They execute their malicious behavior by hijacking application processes running on the machine or by overwriting the memory that an application uses. This is the more common of the two types. Kernel-mode rootkits run at the lowest level of the PC’s operating system and give the attacker the most powerful set of privileges on the computer. After the installation of a kernel-mode rootkit, an attacker would have complete control of the compromised computer and would have the ability to take any action on it he chose. Kernel-mode rootkits typically are more complex than user-mode rootkits and are therefore less common. This kind of rootkit is also more difficult to detect and remove.


There are a few less-common rootkit variants as well, such as bootkits, which are designed to modify the computer’s boot loader, the low-level software that runs before the operating system loads. In recent years, a new class of mobile rootkits has emerged to attack smartphones, specifically Android devices. These rootkits often are associated with a malicious application downloaded from a third-party app store or forum.

Method of Infection

Rootkits are installed through a variety of methods, but the most common infection vector is the exploitation of a vulnerability in the operating system or in an application running on the computer. Attackers target known and unknown vulnerabilities in the OS and applications and use exploit code to get a privileged position on the target machine. They then install the rootkit and set up components that allow remote access to the computer. The exploit code for a specific vulnerability may be hosted on a legitimate Web site that has been compromised. Another infection vector is infected USB drives. Attackers may leave USB drives with rootkits hidden on them in places where they’re likely to be found and picked up by victims, such as office buildings, coffee shops and conference centers. In some cases, the rootkit installation may still rely on security vulnerabilities, but in others, the malware may install as part of a seemingly legitimate application or file on the USB drive.


Detecting the presence of a rootkit on a computer can be difficult, as this kind of malware is designed to stay hidden and do its business in the background. There are utilities designed to look for known and unknown types of rootkits through various methods, including using signatures or a behavioral approach that tries to detect a rootkit by looking for known behavior patterns. Removing a rootkit is a complex process and typically requires the use of specialized tools, such as the TDSSKiller utility from Kaspersky Lab that can detect and remove the TDSS rootkit. In some cases, it may be necessary for the victim to reinstall the operating system if the computer is too damaged.
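One of the detection methods referred to above is cross-view comparison: a user-mode rootkit that hooks the process-listing API still has to leave its process alive, so the listing view is compared against a lower-level probe of every PID and any ID that answers the probe but is missing from the listing is flagged. The code below is an added example written for this page, not code from the article or from any named tool; it assumes Linux and Python 3, and the sample sets are constructed.

```python
import os

def listed_pids():
    """High-level view: the PIDs a directory listing of /proc reports."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def probed_pids(max_pid=None):
    """Low-level view: probe every PID with kill(pid, 0). ESRCH means no such
    process; EPERM means it exists but belongs to someone else."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def thread_ids(listed):
    """Thread IDs also answer kill(tid, 0); collect them from /proc/<pid>/task
    so ordinary threads are not reported as hidden processes."""
    tids = set()
    for pid in listed:
        try:
            tids |= {int(t) for t in os.listdir(f"/proc/{pid}/task")}
        except OSError:  # process exited between the two snapshots
            pass
    return tids

def cross_view_diff(listed, probed, ignore=frozenset()):
    """Return (hidden, vanished): PIDs only the probe sees, minus known-benign
    IDs, and PIDs only the listing sees (usually just exited processes)."""
    hidden = sorted(p for p in probed - listed if p not in ignore)
    return hidden, sorted(listed - probed)

# Constructed sample: a hooked listing API drops PID 4242; 1338 is a thread.
SAMPLE_LISTED = {1, 2, 100, 1337}
SAMPLE_PROBED = {1, 2, 100, 1337, 1338, 4242}

if __name__ == "__main__":
    print("sample:", cross_view_diff(SAMPLE_LISTED, SAMPLE_PROBED, {1338}))
    listed = listed_pids()
    benign = thread_ids(listed) | {os.getpid()}
    print("live:", cross_view_diff(listed, probed_pids(), benign))
```

A kernel-mode rootkit can hook the probe path as well, which is why the article notes that this class is harder to detect and why detectors combine several such views rather than trusting any single one.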