Contact Us Today 01642 716680

Rootkit

Definition: A rootkit is a collection of malicious software tools that provide unauthorised root-level access to a computer or network, often while cloaking its existence and activities from users and system administrators.

A rootkit represents a significant threat as it can provide attackers with ongoing, privileged access to a system without detection. A rootkit is designed to hide the fact that an operating system has been compromised by concealing malicious software, making detection and removal particularly difficult. They can intercept and modify system calls, alter system files and processes, and hide their presence by manipulating the operating system’s functions.

Rootkits often enable the attacker to execute files, access logs, monitor user activity, and open backdoors to the system. They can be installed through phishing attacks, exploiting system vulnerabilities, or by an attacker who has already gained access to a system by some other means. Once installed, a rootkit can intercept hardware “calls” to the disk, and it can alter the return values of system calls to make it appear that the system is operating normally when it is, in fact, under attack.

Due to the stealthy nature of rootkits, they are often not detectable by standard antivirus software. More sophisticated methods, like behavioral-based detection, integrity scanning, signature scanning, and difference scanning (comparing against known good system files), are required to detect and remove rootkits. Furthermore, in some severe cases, the only reliable way to remove a rootkit is to reformat the system’s drives and reinstall the operating system.

The term “rootkit” originates from combining the word “root,” which is the traditional name for the privileged account on Unix and Unix-like operating systems, with the word “kit,” which refers to the software components that implement the tool.

Key Characteristics:

  • Grants unauthorised root-level access to the attacker
  • Hides its existence and malicious activities from users and system administrators
  • Difficult to detect and remove
  • Can modify system functions and intercept system calls

Examples:

  • Real-World Example: The Sony BMG copy protection rootkit scandal of 2005, where Sony BMG music CDs surreptitiously installed rootkit software on users’ computers to prevent illegal copying but also exposed users to serious security risks.
  • Hypothetical Scenario: An attacker employs a rootkit that infects a company’s server, hiding itself from system monitoring tools while allowing the attacker to exfiltrate sensitive data over a period of months without being detected.

Related Terms:

  • Backdoor: A method used by rootkits to gain access and control over a computer system or network.
  • Antivirus Software: Security applications that typically fail to detect rootkits due to the latter’s stealthy behaviour.
  • Privileged Access: The level of access rootkits aim for to execute their malicious intent.
  • System Call: The programmatic way in which a computer program requests a service from the kernel of the operating system, which can be intercepted by rootkits.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.

      Looking for reliable Penetration Testing? Use the contact form below and request a quote today.