{"id":2069,"date":"2013-06-13T10:27:38","date_gmt":"2013-06-13T14:27:38","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=2069"},"modified":"2025-07-18T11:44:40","modified_gmt":"2025-07-18T15:44:40","slug":"fight-rootkits","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/fight-rootkits\/2069\/","title":{"rendered":"How to Fight Rootkits"},"content":{"rendered":"<p>Security professionals and enthusiasts are aware of <a href=\"eugene.kaspersky.com:2011:11:16:rooting-out-rootkits\" target=\"_blank\" rel=\"noopener\">rootkits<\/a>, but general audiences typically don\u2019t know about this kind of malware, which is specifically designed to hide itself and its activity in an infected system. This threat is well worth public awareness, as there\u2019s a high chance that you will encounter this malware in the future. Cybercriminals are constantly developing new methods to steal your data and actively sell these methods to each other.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2013\/06\/06050548\/rootkit_title.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2070\" alt=\"rootkit_title\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2013\/06\/06050548\/rootkit_title.jpg\" width=\"640\" height=\"420\"><\/a><\/p>\n<p>The ability to hide itself allows this type of malware to live on the victim\u2019s system for months and sometimes even years, letting a hacker use the computer for any purpose. Even if a computer doesn\u2019t contain any valuable information, which is unlikely, it could still be used for <a href=\"http:\/\/www.securelist.com\/en\/blog\/208194210\/\" target=\"_blank\" rel=\"noopener nofollow\">producing digital currency (bitcoins)<\/a>, sending spam and participating in DDoS attacks. 
Rootkit functionality allows hackers to hide malicious activity not only from built-in OS monitoring tools, but from antivirus and firewall sensors as well. That\u2019s why we suggest checking whether your antivirus or internet security suite has an anti-rootkit function and how effective it is.<\/p>\n<div class=\"pullquote\">The ability to hide itself allows this type of malware to live on the victim\u2019s system for months and sometimes even years, letting a hacker use the computer for any purpose.<\/div>\n<p>What makes a <a href=\"https:\/\/www.kaspersky.com\/blog\/rootkit\/\" target=\"_blank\" rel=\"noopener nofollow\">rootkit<\/a> invisible? It\u2019s not that complicated to explain: the malware integrates its code deep into the operating system and intercepts standard requests such as reading a file or obtaining the list of running processes. The rootkit processes such requests and removes any mention of files, processes and other traces related to its activity. Other techniques are used as well \u2013 e.g. a rootkit can inject code into a legitimate process and use that process\u2019s memory to do its dirty work. That allows a rootkit to remain invisible to less <a href=\"https:\/\/www.kaspersky.com\/kaspersky_internet_security\" target=\"_blank\" rel=\"noopener nofollow\">advanced antivirus solutions<\/a>, which work at the level of high-level OS requests and don\u2019t dive deeper into the OS or low-level hardware structures. If an antivirus does manage to detect a rootkit, the malware may try to deactivate the protection and delete critical antivirus components. Some of the craftier rootkits even use a live-bait technique \u2013 creating a special file meant to be detected by an antivirus. As soon as the antivirus software accesses that file, the rootkit tries to shut the antivirus down and prevent it from running again.<\/p>\n<p>How can you stop this mess? 
First of all, to detect any suspicious activity, your antivirus must <b>monitor critical system files at a low level<\/b>, catching malware that tries to modify the hard drive. It\u2019s possible to find new rootkits that are still unknown to your antivirus just by comparing computer activity as seen at the OS level with the results of low-level monitoring. Secondly, it\u2019s crucial to have sufficient <b>antivirus self-protection<\/b> so malware cannot deactivate your product. And last, but not least, an antivirus has to remove 100% of rootkit components, even those injected into critical files of the OS. It\u2019s impossible to solve this problem just by deleting those files, as that would render the OS nonfunctional; instead, your antivirus has to clean them without affecting their original functionality.<\/p>\n<p>So make sure your protection meets these requirements before saying \u201cI know what a rootkit is and I am sure that my <a href=\"https:\/\/www.kaspersky.com\/kaspersky_internet_security\" target=\"_blank\" rel=\"noopener nofollow\">antivirus solution efficiently protects<\/a> me from this threat.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security professionals and enthusiasts are aware of rootkits, but general audiences typically don\u2019t know about this kind of malware, which is specifically designed to hide itself and its activity 
in<\/p>\n","protected":false},"author":345,"featured_media":2071,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[189,36,344],"class_list":{"0":"post-2069","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-data-security","9":"tag-malware-2","10":"tag-online-protection"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fight-rootkits\/2069\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fight-rootkits\/2069\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fight-rootkits\/2069\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fight-rootkits\/2069\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fight-rootkits\/2069\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fight-rootkits\/2069\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fight-rootkits\/2069\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/data-security\/","name":"data 
security"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/345"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2069"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2069\/revisions"}],"predecessor-version":[{"id":32802,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2069\/revisions\/32802"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/2071"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}