In cybersecurity, the term rootkit refers to one of the most insidious and hard-to-detect threats. It's a set of malicious software tools designed to gain and maintain privileged access to a computer system, while hiding from both the user and security tools.

As the name suggests, "root" refers to the user with maximum privileges on Unix/Linux systems, while "kit" refers to the package of tools that make up the infection. A rootkit, then, is a set of tools that lets an attacker operate as an administrator, often without leaving obvious traces.

How a rootkit works

A rootkit can be installed in various ways: through an exploit, phishing, a software vulnerability, or as the payload of other malware. Once active, it works to hide its own presence and that of other malicious components, such as trojans, keyloggers or backdoors.

It can alter log files, hide processes, change the operating system's behavior, and even disable antivirus software. In some cases it can intercept system calls and manipulate how files are displayed, making its activity practically invisible.

Types of rootkits

There are several categories of rootkits, classified by their level of access and the type of system compromised:

  • User-level rootkits: operate as normal applications, but hide files and processes. Easier to detect.

  • Kernel-level rootkits: act at the core of the operating system, modifying kernel behavior. Much harder to detect and remove.

  • Firmware rootkits: infect the firmware of hardware devices (BIOS, UEFI, network cards), surviving even a full disk format.

  • Hypervisor rootkits: install below the operating system, simulating a virtual environment. Extremely sophisticated and rare.

  • Bootkit rootkits: activate at system startup, before the operating system loads.

Why they're dangerous

Rootkits are designed to last over time. Their ability to hide and to operate with elevated privileges makes them ideal tools for persistent attacks (APTs), data theft, industrial espionage, or sabotage. They can be used to remotely control a system, install other malware, or collect sensitive information.

How to detect and remove them

Signs of a rootkit infection can be hard to spot: unexplained slowdowns, anomalous system behavior, unauthorized changes. Until some time ago there were dedicated tools like GMER or MBAR (Malware Bytes Anti-Rootkit); today anti-rootkit capabilities are built into most major antivirus products, but a scan with a traditional tool is often not enough. Because of their nature, some rootkits can only be found through in-depth manual analysis. In Microsoft Windows, under "Virus & threat protection", Microsoft Defender Antivirus offers an offline scan that can help find viruses hiding in particularly effective ways.

Microsoft Windows 11 - Microsoft Defender offline scan tool.

How to defend against them

Prevention is key:

  • Keep your operating system and software up to date.

  • Use reliable antivirus and anti-rootkit tools.

  • Don't open suspicious attachments or links.

  • Disable unnecessary features (e.g. USB boot).

  • Run regular backups and keep offline copies.

Rootkits are a silent but devastating threat. Understanding how they work is the first step to avoiding them.