What Is a Rootkit?
A rootkit is a type of malware that has gained access to the most privileged levels of a compromised victim's computer operating system (OS). The term rootkit comes from the name given to the most privileged Linux and Unix user account, the "root" user. On Windows-based systems, this account is called the "administrator" account or "admin" account, and in fact, rootkits exist for all OS platforms.
Stealth is the tactic that rootkits are primarily known for. Because rootkits can execute code with the highest level privileges of a computer system, they can modify the OS's kernel such that the rootkit becomes virtually impossible to detect. Once the rootkit has modified the kernel, it can conceal its presence and operations from other root/admin users. Most rootkits also seek to maintain persistence on the victim host. To do this, they modify the kernel to ensure their malicious code can execute even after rebooting the computer.
Because each OS platform has a different architecture, the mechanisms used by various rootkits differ. However, the fundamental tactics remain the same: conceal all evidence of the system's compromise and maintain persistent control for the attacker to achieve secondary goals.
How Rootkits Works
The core of a computer's OS is known as a kernel. The kernel facilitates communication between the OS and hardware and performs the OS's most fundamental tasks. Modern x86 CPU architecture supports four privilege levels known as rings, the most privileged being ring 0, the kernel ring. The kernel ring privilege level is technically reserved for the system itself, but a root user can modify a kernel's files to change how the system level operates. This is how rootkits achieve a high degree of stealth. A rootkit can even hide its presence and processes from other root users.
Rootkits accomplish stealth by modifying the underlying OS to perform tasks such as:
- Intercepting any system function calls and modifying how they work
- Hiding its running processes and files so they are not displayed in terminal commands and applications that display running processes or files
- Preserving the timestamps of any modified files to make them appear as though they have not been modified
- Maintaining the original copies of OS system files to display when a user attempts to inspect them
- Scrubbing system logs to remove any entries related to its activity
- Disabling security products while making it appear as though they are working normally
- Hiding established network connections to other attacker-controlled systems
Post-infection, a rootkit's secondary objectives are similar to other forms of malware and may include:
- Installing additional stealer malware to steal passwords or authentication keys stored on the computer
- Exfiltrating sensitive information such as proprietary intellectual property or business information
- Encrypting files and demanding money for decryption keys in a ransomware attack
- Monitoring network activity to map the internal network environment
- Causing a system outage to disrupt business operations in a denial-of-service (DOS) attack
- Join other infected computer systems to act as a botnet
- Impact operational technology (OT) systems such as industrial control systems (ICS) or SCADA control systems
How Rootkits Infect Systems
A rootkit can initially infect a computer system like any other form of malware, including attack vectors such as social engineering and phishing attacks, trojanized software applications, vulnerabilities in exposed services, or via a malicious insider. To accomplish its ultimate goal of stealth, a rootkit must also attain the highest-level privileges on the system.
Some initial attack vectors result in attackers attaining only user-level privileges, dramatically restricting their execution permissions on the infected system. In these cases, attackers seeking to install a rootkit will further exploit the system to escalate their privileges. If an attacker can attain root-level privileges, they can modify how the computer's OS functions at the most fundamental level to conceal the rootkit's presence, gain persistence on the system even after it is rebooted, and pursue secondary attack objectives.