The term rootkit is a portmanteau of “root,” referring (1) to the administrative account on Unix and Linux systems and (2) a “kit” or collection of software tools that provide administrator-level access. Typically, a rootkit is designated as a type of malware, but technically, rootkits are only a process used to deploy malware onto a target system.

Generally, a rootkit’s payload enables access to a system or piece of software that is normally restricted, and it does so while concealing itself or other malware from detection. However, rootkits are not always malicious, and some actually provide intended utility functions. Examples of non-hostile rootkits with utility functionality include emulation and security software, digital rights protection software, and anti-cheating software used in online video games.

Malicious rootkits, on the other hand, are extremely versatile. Depending on how and where they gain access to a system, as well as the malware they’re bundled with, rootkits may be able to manipulate and control system functions in a variety of ways. For example, some rootkits can monitor and record keystrokes, while others may steal sensitive information such as usernames, passwords, and banking credentials. Other rootkits, moreover, can even alter sensitive security settings at the kernel level, and control infected systems remotely.

How Rootkit(s) Work

Rootkits rely on a method called “modification”, and usually reserved for computer administrators to make changes in user accounts and security permissions. There are also a few different kinds of rootkits, and they can be classified by their location in the hierarchy of protected domains on a system.

User mode rootkits (sometimes referred to as application rootkits) rank lowest among rootkit threats. These rootkits typically run as a program during a system boot or are injected into a system once it has booted. They then operate by intercepting and altering the normal behavior of APIs.

Firmware or hardware rootkits target hardware, including hard drives, network routers, and system BIOSes. This classification of rootkits can steal saved data, or intercept it as it’s transmitted through a router.

Bootloader rootkits (sometimes called bookkits) run when a system starts. These rootkits execute when the operating system is loaded, and often replace the original bootloader on infected systems. These bootkits, moreover, often remain active in a system’s memory, even after the system restarts.

Memory Rootkits attempt to hide within a system’s RAM. Typically, these rootkits disappear when a system is restarted.

Kernel mode rootkits rank the highest on the hierarchy of rootkit threats, and are the most dangerous type of rootkit. Once deployed, they can gain unfettered access to modify data structures and make direct additions to the core of an operating system, making any malware payloads they deposit extremely difficult to detect.