What Are Rootkits?

A rootkit is a piece of code that has the capability to hide other applications. Rootkits are both common and rare—some types of rootkits, such as firmware rootkits, are very rare, while others are far more prevalent. Though not as common or as dangerous as adware or ransomware, rootkits can still cause a lot of trouble.

Rootkits can come in the form of individual applications or as a group of apps. If users do not deal with the threat early on, rootkits can effectively hide the presence of malware, spyware and adware, causing even further damage. Rootkits can also infect a target device and open up a backdoor that hackers can then exploit remotely to gain unauthorized access to the device. Rootkits can perform similar functions for applications as well.

Online users also need to know that advanced rootkits are very hard to detect, even with the most advanced security tools. Moreover, rootkits don’t go away easily if proper precautions have not been taken on the target device.

Rootkit Definition

The best antivirus programs in the world may be able to control rootkits, but other than that, this type of cybersecurity threat can be menacing.

What Is the Definition of Rootkits?

Etymologically, the term rootkit comes from two words: root and kit. Users familiar with the Linux operating system may already be familiar with the term “root.” Root is the account that gives Linux users privileged access. Windows users know root access by another term, which is “administrative privileges.”

The word “kit” is just a short form of “tool kit.” However, in the context of rootkits, the kit represents the application rootkits use to gain root or administrative access to the target device.

What Is the History of Rootkits?

Basic hacking techniques that alter the way a system works emerged in the 1980s. In the earliest stages of rootkit development, hackers refined techniques to harm computers through viruses and to alter system resources, such as memory and interrupt tables, to keep malware safe from antivirus products.

The earliest versions of rootkits that mainly targeted the Linux system were essentially a collection of backdoored commands. Once executed, the commands blocked the target device’s system administrator from detecting any malicious activity, file, shell or process. But since the modern internet was still nascent at the time, implementing such primitive forms of rootkits required significant effort. Moreover, the earliest rootkits provided forensic data that could harm the hacker who programmed the rootkit. Early rootkits required very specific knowledge about what tools the target system administrator was using.

Note:

As with all things on the internet, rootkits evolved very quickly. Rootkits started to use LD_PRELOAD to exploit the order of precedence in dynamic link libraries (DLLs). This allowed hackers to use rootkits to hijack system calls and alter how they behaved. As a result, hackers were again finding success in keeping malicious activities hidden from system administrators.

In recent times, hackers have managed to develop LKM (loadable kernel module) rootkits, which enable hackers to inject malicious kernel modules on the target device. Once that happens, hackers can control the target device and use that advantage to hide malicious activities, files, modules and processes.
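The LD_PRELOAD technique described above is still the cheapest way to interpose on libc calls such as readdir() or fopen() from user space, and the defender's counter-check is just as cheap. The script below is an added example written for this page, not code from the original article: it inspects /etc/ld.so.preload (normally absent or empty) and the LD_PRELOAD variable in each process's environment. The sample environ blob, the library path /tmp/.x/libhook.so and the TRUSTED_PREFIXES list are constructed assumptions.

```python
"""Checks for LD_PRELOAD-style userland hooking (added example, not from the article).

A preload library is loaded into every dynamically linked program ahead of libc,
so a function it exports (readdir, fopen, ...) shadows the real one and every
tool that relies on libc sees filtered results. Two cheap defender checks:
the system-wide list in /etc/ld.so.preload, which is normally absent or empty,
and the LD_PRELOAD variable in the environment of running processes.
"""
import os
from typing import Dict, List, Optional

# Directories where legitimately packaged shared libraries live (assumption;
# adjust to the distribution's layout).
TRUSTED_PREFIXES = ("/lib", "/usr/lib")

# Constructed sample inputs standing in for /proc/<pid>/environ and
# /etc/ld.so.preload on a host with a planted hook library.
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libhook.so\x00HOME=/root\x00"
SAMPLE_LD_SO_PRELOAD = "/tmp/.x/libhook.so\n"


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for record in blob.split(b"\x00"):
        key, sep, value = record.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_indicators(environ_blob: bytes, ld_so_preload: Optional[str]) -> List[str]:
    """Report every preload library seen, marking those outside TRUSTED_PREFIXES."""
    findings: List[str] = []
    env = parse_environ(environ_blob)
    # LD_PRELOAD separates entries with spaces or colons.
    for lib in env.get("LD_PRELOAD", "").replace(":", " ").split():
        flag = "" if lib.startswith(TRUSTED_PREFIXES) else " (outside trusted library paths)"
        findings.append(f"LD_PRELOAD={lib}{flag}")
    for line in (ld_so_preload or "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            flag = "" if line.startswith(TRUSTED_PREFIXES) else " (outside trusted library paths)"
            findings.append(f"/etc/ld.so.preload entry {line}{flag}")
    return findings


def scan_live_system() -> List[str]:
    """Apply both checks to the running host (Linux; reading other users' environ needs root)."""
    findings: List[str] = []
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            findings += preload_indicators(b"", fh.read())
    except OSError:
        pass  # absent is the normal, healthy state
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                blob = fh.read()
        except OSError:
            continue  # process exited or permission denied
        findings += [f"pid {name}: {f}" for f in preload_indicators(blob, None)]
    return findings


if __name__ == "__main__":
    for finding in scan_live_system() or ["no preload indicators found"]:
        print(finding)
```

Run it as root so every process's environ is readable. A library under /usr/lib is still reported, only without the flag, because a packaged path is not proof of legitimacy; the finding should be compared against the package manager's file list.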

However, the first cyber threat that could be considered a rootkit emerged in 1999 by the name of NTRootkit. Since the most popular operating system for desktop computers at the time was Windows NT, NTRootkit specifically targeted Windows NT users. The program was developed by Greg Hoglund, who worked as a security researcher and launched NTRootkit as a proof-of-concept. NTRootkit gave way to He4Hook, which could hide malicious files and became known as a kernel rootkit. He4Hook made way for Hacker Defender, which could hide files and operating system registry keys. Later, in the early-2000s, another rootkit known as Vanquish contained the ability to hide files, registry keys and even complete directories.

About 10 years later, in 2009, Mac computers were hit with their first rootkit. A year later, Stuxnet started to hit industrial computer systems—most notably, that of Sony Entertainment. Sony Entertainment is widely considered the front-runner of creating effective rootkits and deploying them successfully via targeted campaigns. Unlike hackers, though, Sony Entertainment did not create or launch rootkits to harm consumers.

Sony Entertainment created one of the earliest rootkits in 2005, dubbed Sony BMG Rootkit, aiming not to invade user privacy but to protect the company’s copyrights by blocking any process that tried to copy Sony-owned publications. Whenever computer users bought a Sony CD and played the CD on their computer, Sony installed a rootkit on that computer. The rootkit remained hidden in the background and monitored the user while accessing the Sony CD. The rootkit would jump into action as soon as the user tried to copy the contents of the Sony CD. Sony managed to keep the rootkit hidden for some time, but when the news finally broke, the company suffered reputational damage in the millions.

Another important figure in the history of rootkits is Joanna Rutkowska, a security researcher from Poland. In 2006, Rutkowska gave a talk on a new kind of rootkit called Blue Pill at a Black Hat hacker conference.

Then, in 2008, a trojan named Sinowal stole user credentials from infected devices with help from a rootkit module called Mebroot. The trojan used the rootkit to stay hidden while carrying out malicious activities.

Perhaps the most recent megacorporation involved in distributing rootkits is Lenovo. Lenovo machines came with rootkits installed for many years. Only in 2015 was the company caught in the act. Again, Lenovo didn’t necessarily have malicious intentions when installing rootkits on its machines. The main objective of using rootkits was to download specific software applications automatically and without the user’s permission.

How Are Rootkits Used?

Rootkits can be used in many different ways, including malicious and non-malicious uses. The most prominent purpose of rootkits is to infect a target device, steal personal information from the device and then send that data back to the hacker’s command-and-control infrastructure. On the other hand, users can put rootkits to good use and protect their systems. Still, the main purpose remains: to access a system in order to steal sensitive information.

Most of the time, hackers are able to bypass authentication systems and install a backdoor into the target network or device. Then, the hackers can access the target device via the backdoor at a later date.

Hackers and software companies are not the only entities using rootkits for various purposes. The end-user can also use a rootkit to perform activities that disable the Microsoft Product Activation feature found protecting most Microsoft products.

Another purpose of using rootkits is to cheat in multiplayer online games and keep the tools that enable cheating hidden from anti-cheat mechanisms.

With a few tweaks, rootkits can hide any number of files (which may or may not be illegal) present on a given device. Hackers can leverage this and store malicious files on the user’s device without the user knowing anything about it.

Rootkits are also useful to hide spyware, adware and keyloggers. Modern rootkits are strong enough to modify the way antivirus products work, thus rendering such software ineffective. Rootkits can disable antivirus features that flag rootkits and hide various predetermined operating system services and processes.

Sometimes, hackers are looking to use a system as the origin of another attack. In such cases, hackers would use a rootkit to compromise a device and then use the compromised device to launch an attack on the target device. This gives hackers a lot of cover against possible detection. Moreover, once hackers have stealthily compromised several devices via rootkits and otherwise, the compromised devices could potentially become a part of a botnet to launch a DDoS attack.

Not all uses of rootkits involve hackers gaining unauthorized access to a target device. Corporations can use rootkits to stop copyright violations by enforcing digital rights management (DRM) tools. Once some intellectual property has DRM protection, it’s more difficult for hackers to copy, alter or distribute the protected content. This has become very important as the internet has expanded into every industry since many products, such as movies, video games and applications, are available online. Without DRM, hackers would simply purchase one copy of a given product (sometimes not even that) and then distribute the product via torrent websites.

Rootkits can come in handy for law enforcement agencies and cybersecurity experts when there is a requirement to bait cybercriminals or detect hacker groups.

Since rootkits are very adept at detecting system activity and recording information on that activity, cybersecurity professionals can use rootkits to improve software security.

What Are the Types of Rootkits?

The types of rootkits are given below.

  1. Hardware or Firmware Rootkit
  2. Bootloader Rootkit
  3. Memory Rootkit
  4. Application Rootkit
  5. Kernel Mode Rootkits
  6. Virtual Rootkits

1. Hardware or Firmware Rootkit

The hardware or firmware rootkit, as the name implies, infects the target device’s BIOS or hard drive firmware, that is, the software stored on the motherboard’s firmware chip. Hardware or firmware rootkits can also target disks and routers. Once a hardware or firmware rootkit has infected a given device, the rootkit grants hackers unauthorized access to the device. Hackers can then monitor any data the user may write on the available disk.

Note:

Firmware rootkits are different from other types of rootkits because such rootkits can boot along with the infected device, making it tremendously difficult for antivirus products to detect and remove the firmware rootkit. The damages a firmware rootkit can cause are loss of privacy/data, malware infection, system shutdown and potential financial loss.

To remove a firmware rootkit, the user should reinstall the operating system and all applications. If that is not possible, the user should use a dedicated rootkit removal tool. But since firmware rootkits are difficult to get rid of, most rootkit removal tools won’t work. In that case, installing a new operating system is the only viable way forward.

If the firmware or hardware rootkit is particularly advanced, the rootkit may have infected the BIOS heavily. To remove such a rootkit, there are few options aside from repairing the BIOS. Sometimes even repairing won’t help, and in that case, the victim has to purchase a new machine.

For mobile platforms, users should back up all data and then perform a reset/restore action.

2. Bootloader Rootkit

A bootloader rootkit, sometimes known as a bootkit, can boot simultaneously with the operating system of the infected device. Bootloader rootkits’ main features are Master Boot Record (MBR) infection and Volume Boot Record (VBR) infection. In simpler terms, bootloader rootkits are able to attach to boot records so that even if the user views the standard file system, the rootkit would not appear there. Once that happens, the rootkit removal tool and/or antivirus software would have no chance of detecting the bootloader rootkit malware.

Note:

The bootloader rootkit is different from other rootkits because the target device is infected at the most basic level, which complicates the process of removing such rootkits. The main damage a bootloader rootkit causes is the corruption of boot records. Failing to take the necessary precautions before attempting to remove the bootloader rootkit may result in loss of data and other damage to the infected device.

To effectively remove the bootloader rootkit, the user may clean the infected device’s MBR. There are lots of boot repair tools available online. Wiping the MBR is also a must because sometimes, just repairing the MBR does not get rid of the bootloader rootkit. Creating a new partition and installing the operating system from a trusted, freshly created live CD is usually enough to remove the bootloader rootkit. For extra confirmation, the user can format the partitions as well.
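Because a bootkit hides from the running file system, the check has to look at the boot record itself. The script below is an added example written for this page, not code from the original article: it parses the 512-byte MBR layout (440 bytes of boot code, disk signature, four partition entries, 0x55AA signature) and compares a SHA-256 of the boot-code region against a baseline recorded from a known-clean install. The sector bytes, partition layout and the "tampered" variant are constructed; on a real host the baseline would be taken at install time and stored off the machine.

```python
"""Baseline check of a Master Boot Record (added example, not from the article).

A bootkit that lives in the MBR replaces the 440 bytes of boot code in the
first sector while leaving the partition table intact, so the disk still
boots and the file system looks untouched. Hashing the boot-code region
against a baseline taken from a known-clean install, and sanity-checking the
0x55AA signature and partition table, exposes that change without relying
on the (possibly hooked) running operating system. The sector bytes below
are constructed; the baseline would come from the clean install.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0-439: boot code; 440-445: disk signature + padding
PT_OFFSET = 446       # four 16-byte partition entries
SIG_OFFSET = 510      # 0x55 0xAA


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four classic partition entries, skipping empty slots."""
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, type_id = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba_start, sector_count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE}-byte sector, got {len(mbr)}"]
    if mbr[SIG_OFFSET:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    if sum(p.bootable for p in parse_partition_table(mbr)) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device, e.g. /dev/sda (needs root)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one bootable Linux partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + bytes(48)
    return code + disk_sig + table + b"\x55\xAA"


# Stand-ins for a clean sector (baseline) and the same sector after the start
# of the boot code was overwritten; the partition table is left untouched.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = b"\xeb\x3e" + CLEAN_MBR[2:]

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH) or "matches baseline")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

Run read_mbr() from a live CD rather than from the suspect operating system so that a hooked disk driver cannot serve a clean-looking sector. The same baseline approach applies to the VBR of each partition; only the offsets differ.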

3. Memory Rootkit

A memory rootkit infects a target device by hiding in the RAM. As a result, infected devices can experience a significant reduction in available memory and performance. That’s how memory rootkits are different from other rootkits.

Like kernel rootkits, memory rootkits can launch malicious processes hidden from the system administrator, hence consuming computing resources for nefarious purposes.

Apart from reduced resource availability, the damage memory rootkits can cause depends on the hacker’s objectives and the malicious processes launched in the background.

Pro Tip:

Because memory rootkits hide in RAM, any code injection resulting from memory rootkits is temporary. So, to remove memory rootkits, all the user has to do is restart the system.

Of course, if the hacker has used a particularly advanced memory rootkit, the user may need to use a dedicated rootkit scanner to get rid of the memory rootkit.

4. Application Rootkit

Application rootkits are the most easily understood, as such types of rootkits try to modify the files already present on the target device. Application rootkits can also change the behavior of certain applications.

The main feature of application rootkits is application targeting. An application rootkit targets commonly found applications on Windows machines, such as Paint, Notepad and Microsoft Office. Once a hacker contaminates a target device, each time the user launches the infected application, hackers gain the ability to access the device.

Note:

Application rootkits can be very damaging as the user typically is unable to detect any rootkits since the affected applications still run normally. Damages include loss of privacy, altered application behavior, exposure of sensitive data and reduced performance.

To remove application rootkits from the infected device, the user can try any reputable antivirus program. Modern antivirus software does not just work for viruses but also rootkits. Since application rootkits work at the application level, an antivirus product should pick up the threat and wipe the rootkit clean. Users may also use a dedicated rootkit remover to get the job done.
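Since an application rootkit works by replacing or patching programs that are already installed, and the patched program keeps running normally, the reliable way to notice the swap is a hash baseline taken while the system is known to be clean and re-checked later. The script below is an added example written for this page, not code from the original article; the file tree, file contents and the "tampering" steps are constructed inside a temporary directory purely to show the snapshot-and-compare flow.

```python
"""File-integrity baseline for application binaries (added example, not from the article).

An application rootkit replaces or patches programs that are already installed,
so the modified program still runs normally. A hash baseline taken when the
system is known to be clean, stored off the host, and re-checked later catches
the swap regardless of how normal the program looks. The files below are
created in a temporary directory purely to demonstrate the flow.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

Baseline = Dict[str, str]   # relative path -> sha256 hex digest


def hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Baseline:
    """Hash every regular file under root, keyed by path relative to root."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Classify differences between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: snapshot a tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/editor", b"original editor binary"),
                           ("bin/viewer", b"original viewer binary"),
                           ("readme.txt", b"docs")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Simulated tampering: one binary replaced, one library dropped in, one file deleted.
        with open(os.path.join(root, "bin/editor"), "wb") as fh:
            fh.write(b"replaced editor binary")
        with open(os.path.join(root, "bin/helper.so"), "wb") as fh:
            fh.write(b"planted library")
        os.remove(os.path.join(root, "readme.txt"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline itself must live somewhere the compromised host cannot rewrite (removable media, a remote store, or a signed file), and the comparison should be run from a live CD when a rootkit is suspected, since a hooked file system can otherwise serve the original bytes to the hashing tool while executing the replacement.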

5. Kernel Mode Rootkits

Kernel mode rootkits modify the kernel of an operating system by either injecting new code into the kernel or replacing the existing code. Kernel mode rootkits use device drivers to push the altered code when infecting Windows devices. On the Linux platform, kernel mode rootkits exploit loadable kernel modules.

Kernel mode rootkits can cause significant damage by making the system unstable through bugs introduced into the existing kernel code. Such rootkits can access the user’s computer at will, which impacts privacy and the security of sensitive information. The main purpose of using rootkits is to compromise the target device and steal personal information.

Since kernel mode rootkits gain root-equivalent operating system privileges, antivirus programs have a tough time detecting kernel mode rootkits. This also allows kernel mode rootkits to alter important operating system tasks and intercept normal processes. However, if the hacker gets greedy and introduces several bugs in the rootkit to reduce system performance to the maximum level, that can leave breadcrumbs for rootkit removal tools and even antivirus programs.
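A kernel rootkit that filters what the system reports (the hidden modules and processes mentioned in the history section and the intercepted tasks described above) still has to answer for those objects through other kernel interfaces, which is what cross-view detection exploits. The script below is an added example written for this page, not code from the original article: it compares the /proc directory listing, the view ps and top use, with a second view obtained by probing every possible PID through kill(pid, 0). Thread IDs answer to kill() as well, so candidates whose Tgid differs from their own ID are discarded. The sample views and thread-group table are constructed.

```python
"""Cross-view check for hidden processes (added example, not from the article).

A rootkit that filters the /proc directory listing hides a process from ps and
top, but the kernel still answers for that PID through other interfaces. Any
two views that a rootkit would have to hook separately can be compared; here
the directory listing of /proc is compared with kill(pid, 0) probing of every
possible PID. Thread IDs answer to kill() as well, so candidates whose Tgid
differs from their own ID are discarded to avoid false positives.
"""
import os
from typing import Callable, Iterable, Optional, Set

# Constructed sample views: PID 300 answers to probing but is absent from the
# listing; 101 is merely a thread of the listed process 100.
SAMPLE_LISTED = {1, 100, 200}
SAMPLE_PROBED = {1, 100, 101, 200, 300}
SAMPLE_TGIDS = {1: 1, 100: 100, 101: 100, 200: 200, 300: 300}


def hidden_entries(listed: Iterable[int], probed: Iterable[int],
                   tgid_of: Callable[[int], Optional[int]]) -> Set[int]:
    """PIDs present in the probed view but missing from the listed view.

    tgid_of returns the thread-group id for a PID, or None when it cannot be
    read; unreadable candidates are kept, since a rootkit may block that too.
    """
    hidden: Set[int] = set()
    for pid in set(probed) - set(listed):
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            hidden.add(pid)
    return hidden


def list_proc_pids() -> Set[int]:
    """View 1: what readdir() on /proc reports (the view ps and top rely on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid: int) -> Set[int]:
    """View 2: signal 0 delivers nothing but makes the kernel say whether the PID exists."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue           # ESRCH: no such process
        except PermissionError:
            pass               # EPERM: exists, owned by someone else
        alive.add(pid)
    return alive


def tgid_from_proc(pid: int) -> Optional[int]:
    """Read the Tgid field of /proc/<pid>/status; None if the file is unreadable."""
    try:
        with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def scan_live_system() -> Set[int]:
    """Run the comparison on this host (Linux only)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    except OSError:
        max_pid = 32768
    # Listing on both sides of the probe reduces (but does not eliminate) noise
    # from processes that start or exit while probing is in progress.
    before = list_proc_pids()
    probed = probe_pids(max_pid)
    after = list_proc_pids()
    return hidden_entries(before | after, probed, tgid_from_proc)


if __name__ == "__main__":
    print("hidden PIDs:", sorted(scan_live_system()) or "none")
```

A PID reported by scan_live_system() should be confirmed from a second, independent view (for example the listing under /proc/<pid>/task, or a memory image examined offline) before being treated as a rootkit indicator, because short-lived processes can still slip between the two listings.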

To remove kernel mode rootkits, users can try any reputable rootkit scanner. The best rootkit scanners are able to detect rootkits in the kernel. Removing the kernel rootkit is very difficult and requires advanced technical expertise. Generally speaking, the user will have to shut down the operating system infected with the kernel mode rootkit and then use another operating system to modify the infected file system.

Auditing system files and then repairing rooted components requires significant effort and resources. Hence, the most efficient way to remove kernel mode rootkits (or any given rootkit for that matter) is to simply reinstall the operating system.

6. Virtual Rootkits

Virtual rootkits can compromise the target device by loading right underneath the device’s operating system. As the name suggests, virtual rootkits create virtual machines that load before the actual operating system. This primary feature allows hackers to compromise the target device in full. Once in control, hackers steal user information and launch other malicious processes.

Virtual rootkits are very damaging because they operate at a higher privilege level than the compromised device’s operating system. Hence, antivirus programs and rootkit removal tools have a hard time detecting virtual rootkits.

Pro Tip:

As always, the best way to remove virtual rootkits is to install the operating system again and reinstall all the applications.

What Are Some Examples of Rootkits?

An important case of rootkit infection is the 2008 incident where hackers from Pakistan and China managed to use firmware rootkits to compromise hundreds of credit card swipers. These compromised credit card swiping machines went straight to Western Europe and allowed hackers to monitor and record the credit card information of anyone who used the compromised devices to make a payment.

Once the potential victim swiped, the information went straight to a server in Pakistan. Using the stolen information, hackers managed to steal around $14 million by first cloning the compromised credit cards and then emptying the victims’ accounts.

Another case from 2012 involved security researchers discovering a rootkit called Flame, which malicious actors used to spy on targets based in the Middle East. The Flame rootkit could monitor all network traffic and control the infected device’s operating system as well. At one point, malicious actors used over 80 servers to illegally access information on compromised devices.

Similar examples include Zeus, a rootkit designed to steal financial information, and Hacker Defender, which modified operating systems.

1. Stuxnet

Stuxnet was a computer worm born from the collaborative efforts of Israel and the United States. Though technically considered a computer worm, Stuxnet had three major components. One of those components was a rootkit that hid all the malicious activities performed by other Stuxnet components. The main feature of Stuxnet was its singular focus on industrial control devices, or programmable logic controllers (PLCs), which Israel and the U.S. used to damage Iran’s nuclear program.

The primary difference between Stuxnet and other rootkits at the time was that Stuxnet could cause real-world damage. Since Stuxnet could infect PLCs and other industrial control systems (ICS), any industry that used modern automation techniques was at risk.

Stuxnet was mainly spread via a malicious USB drive. The damage Stuxnet caused included centrifuge valve manipulation. Stuxnet essentially allowed malicious actors to damage various settings in Iran’s enrichment facility equipment, which ended up damaging the entire nuclear facility.

Pro Tip:

To remove Stuxnet from an infected device, the user should use a dedicated rootkit removal application. The tool will scan the infected device completely and then allow users to delete Stuxnet if a sample is found. Since each anti-rootkit or antivirus program has a unique way of detecting and deleting rootkits like Stuxnet, consult the currently installed antivirus products’ support guides to learn how to proceed forward.

2. Flame

Flame was another rootkit that infected computers running on the Windows operating system and recorded network traffic, audio content and keyboard strokes. Flame could also take screenshots.

The difference between Flame and other normal rootkits was that Flame was extraordinarily modular. Hackers could add any number of modules to make the rootkit carry out different malicious activities. Flame created backdoors in the target devices and could also propagate independently via the present network.

The primary way Flame contaminates a network or target device is via a malicious USB thumb drive. Flame can also use other weaknesses, such as shared printer spool and file-sharing permissions. However, Flame doesn’t actually start spreading without instructions from hackers.

How much damage Flame can cause varies. Once Flame gains access to a target device, it all depends on the hacker’s aim and objectives. More modules would mean more ways Flame can cause damage to the compromised device. Some security researchers believe Flame may go from a rootkit that enables cyber espionage to one that enables cybersabotage. In theory, though, Flame can cause massive damage to hundreds of devices by using up to 80 command and control servers.

Pro Tip:

To detect and delete Flame, users can use any quality antivirus application. Users are also advised to update and upgrade all available security tools on the infected device. Users can also go the manual route, but that takes a lot of effort, time and education.

3. Necurs

Necurs is a botnet that uses specialized rootkits to infect devices and take control of computer systems, all while hiding the infection. Necurs’ main feature is the ability to stay hidden and keep things moving so the owner of the infected device is unable to take the required action in time. This key feature has allowed Necurs to become the biggest botnet active in cyberspace today.

The difference between Necurs and other rootkits is that Necurs can bring other malicious techniques to increase damage output. Hackers have used Necurs to spread ransomware to thousands of vulnerable machines. Necurs also spreads financial malware upon infecting a target device.

The main way Necurs creates a botnet is with zombie computers. These are already-compromised devices that can serve the botnet to carry out malicious activities. Once Necurs infects a device via the Necurs rootkit, the device becomes part of the botnet. At that point, hackers are free to use the compromised device as desired.

The Necurs botnet has caused sizable damage as hackers have used the rootkit to launch DDoS attacks, phishing campaigns and spam. In total, Necurs has infected over 6 million devices so far and has caused millions of dollars in damage to companies and individuals.

Since Necurs provides protection to malware to further compromise the target device, security products may find Necurs hard to remove. That said, many reputable anti-malware and antivirus security products now offer protection against Necurs and have the ability to completely remove the rootkit from the infected device. So, all users have to do to remove Necurs from an infected device is install a good antivirus product, update the software to the latest version and run a scan. Once the Necurs rootkit is found, users should delete those items and then restart the machine.

Pro Tip:

Users who want to remove Necurs manually should first take the device offline, then boot from a live USB and use an anti-rootkit tool to remove any malware while the rootkit has not had a chance to load.

4. ZeroAccess

ZeroAccess is a kernel mode rootkit that can infect vulnerable devices with malware. ZeroAccess is different from other types of rootkits because this rootkit doesn’t necessarily affect the normal behavior of the operating system on the infected device. Instead, ZeroAccess downloads malware on the infected device and then launches the malware to transform the vulnerable target device into a member of a botnet. Hackers can then launch a variety of different cyberattacks using the botnet, similar to how Necurs works.

The difference between ZeroAccess and many other rootkits is that ZeroAccess can turn off antivirus products after compromising a target device. ZeroAccess does this by shutting down antivirus processes and services and altering the access control list. That allows ZeroAccess to inflict significant damage, depending on the end objectives. Since ZeroAccess can download malware on the compromised target device as well, the rootkit can hijack search engine results and user traffic to show custom advertisements and carry out redirections to phishing sites.

ZeroAccess has infected close to 2 million vulnerable devices and caused massive loss of privacy and computing resources. ZeroAccess has also been shown to mine cryptocurrency via the compromised devices.

The easiest way to delete ZeroAccess is to download a reputable rootkit removal tool and then run the tool to scan the infected disks. Good anti-rootkit tools are able to repair the infected files in a best-case scenario. Otherwise, there’s always the option of deleting infected files. Once the rootkit removal tool is finished deleting infected files, the user should restart the machine and update all security tools, including the antivirus product, on the infected system.

5. TDSS

TDSS is a malicious rootkit that specializes in stealing personal data. In terms of function, the TDSS rootkit works similarly to a trojan. The main feature of TDSS is the rootkit’s unique design, which allows TDSS to quickly infect the target device, download malware and then run that malware. Another feature is TDSS’s persistence. This rootkit is notoriously hard to detect and remove, even for the best anti-malware tools.

TDSS differs from other rootkits in its evolution from a simple rootkit into multi-component malware consisting of a rootkit component, a .DLL file and a dropper. All of these components help TDSS become a type of rootkit that can escape security tools with ease and stay hidden while downloading malware on the target device.

Depending on the version, TDSS is able to infect the boot sector. Because of that, TDSS can load malicious scripts before the operating system fully loads. This makes the job of removing TDSS from an infected device fairly difficult, though the task is not impossible.

TDSS’s persistence features are the reason why this rootkit has high damage potential. TDSS can not only infect the MBR but also write itself to unused areas of the attached hard drive, where security tools can’t detect it. Hackers use TDSS to download other malware on the infected system, change DNS results, bypass security tools, carry out click fraud and show users malicious ads.

Depending on the attached malware, TDSS can be used to carry out many other types of cyberattacks. For example, the latest version of TDSS can alter registry entries of the operating system and disable system services. When that happens, the user cannot use the majority of basic system functions.

Pro Tip:

The easiest way to delete TDSS is to install a reputable antivirus product on the infected system, update the program, run a scan, quarantine the infected items and restart the device.

A manual approach would involve the user going to the Device Manager on a Windows device and turning off all Non-Plug and Play (Non-PnP) drivers present on the list. Then, the user should delete those entries. Many anti-rootkit tools can remove TDSS trojan core files, but users can independently delete TDSS core files, which are .dll and .sys files in System32\drivers and/or System32. The user should remove any item that looks suspicious.

Finally, the autorun.inf file and any RECYCLER\*.com files must be removed from the root of the drive (for example, C: or D:) where TDSS was found. Then, the infected device should be restarted.

What Are the Statistics about Rootkits?

Some notable statistics about rootkits are given below.

  • According to Bullguard, rootkits make up around 8% of all malware-reported infections. Among the most common types of rootkits are Alureon and Cutwail, followed by Rustock, making up 50%, 20%, and 10% of all rootkit infections.
  • Rootkit attacks affect millions of consumers and businesses each year as hackers use rootkits as a part of a larger malware or botnet attack. The number of rootkit attacks is likely to increase in the future as more businesses try going digital. By some estimates, more than 50% of companies worldwide have altered their business models to include remote work and a boosted digital presence, thus creating more opportunities for hackers to use rootkits to compromise target devices and launch broader malware attacks.
  • Varonis states that, along with spear-phishing and DDoS attacks, rootkit attacks are among the most common types of cyberattacks.
  • The damage caused to companies and individuals amounts to millions of dollars per year. A successful rootkit attack can grant an average hacking group around $17,000.

Which Devices Can Rootkits Infect?

The devices rootkits can infect are given below.

  • Desktop Computers: Desktop computers running on the Windows operating system can get infected with rootkits. The effects of rootkits can include deletion of files, stolen information, malware installation, spyware, remote command execution and remote access.
  • iPhones: Apple devices such as iPhones and iPads can also get infected with rootkits, but the chances of that happening are lower compared to Windows machines and Android smartphones. Once an iOS device is infected, hackers gain access to certain functions that allow extra malware to be downloaded/installed over the internet. Rootkits are effective at hiding malicious applications from administrators and end-users. Depending on the type of malware the rootkit installs on the iOS device—and the objectives of the hacking team behind the rootkit attack—iPhone users may see slower performance, changes in the normal behavior of certain applications, and even customized ads via web browsers like Safari and Chrome.
  • macOS: Apple macOS devices are also not immune from rootkit attacks, which often exploit malicious USB drives or the network the target device has connected to. The effects of rootkits on macOS devices are the same as Windows or iOS devices. More specifically, the effects will depend on how many other types of malware the hacker has attached with the rootkit attack or what kind of malware the rootkit attack can download from the internet to install on the target device. Generally, though, rootkits will make macOS devices slower and buggy. Most rootkits can modify the behavior of the target device’s apps and operating system. Rootkits may also lead to stolen/lost data and exposure to other types of malware threats, such as ransomware and phishing attacks.
  • Android: The Android operating system is vulnerable to rootkits. In fact, Android is more vulnerable to rootkits than the iOS operating system because of how permissions work on Android. Once a device running on the Android operating system gets infected, hackers can perform a range of malicious activities, each of which would result in a different symptom of a rootkit infection. Since the number of users carrying out financial transactions on Android systems is increasing, so is the potential damage of rootkits. Rootkits can steal financial information on Android systems more frequently than other devices due to lax Google Play Store policies that allow malicious apps to slip through the vetting process. Depending on the type of rootkit and the additional malware attached, hackers may record all keyboard activity on the infected Android device, thereby accessing all communications made on the device. Another effect of rootkits on Android is the collection of personal and sensitive information. Once gaining access to such data, hackers can easily carry out identity theft operations.
    • FireStick: Users of FireStick devices can also experience these rootkit effects since FireStick uses a proprietary version of vanilla Android that carries the same vulnerabilities.
  • Router: Certain rootkits, such as hardware or firmware rootkits, are able to infect routers as well. The effects of rootkits infecting routers include loss of privacy as hackers can monitor all data that leaves the infected device and the responses the device gets from various websites. Moreover, with a sophisticated hardware rootkit, hackers may also record all user keystrokes for a long period of time, which may provide personal and financial information.

Are Rootkits Illegal?


Rootkits may or may not be illegal depending on who uses rootkits and for what purpose. Hackers use rootkits to infect targeted devices and then either steal personal information from the infected device or make the device part of a botnet. Botnets can be used to launch DDoS attacks and cause damage. Both of the aforementioned activities are illicit and thus illegal in many countries.

However, legitimate companies like Sony have also used rootkits in the past to stop people from pirating content. Some law enforcement agencies have sought to legalize rootkits so copyright holder groups can stop piracy more effectively.

In the end, it all comes down to use. Just because law enforcement agencies or a giant corporation uses rootkits to conceal any symptoms of a compromised device does not mean using rootkits is legal. The end result is what matters the most: If a rootkit is stealing data, spying on a user or organization, or launching DDoS attacks via the compromised device, then there is a good chance the rootkit is illegal.

On the other hand, law enforcement agencies or copyright-holder groups using rootkits to stop illegal activities may or may not be acting legally, depending on the interpretation of the judge and the applicable law.

Generally speaking, though, all countries have made it illegal to collect user data or gain access to a user’s computer without prior knowledge or consent.

What Are the Laws Regarding Rootkits?

While there are no laws specifically addressing rootkits, many other laws are designed to protect user privacy from any form of software that may collect data without consent.

The U.K.’s Computer Misuse Act prohibits accessing someone’s computer without proper authorization and consent. Since all rootkits perform the basic function of gaining unauthorized access to the target device without the user’s permission, the act applies to all rootkits.

Similarly, the U.S. Computer Fraud and Abuse Act prohibits entities from accessing a user’s computer either without authorization or by exceeding the access they were authorized to have. Some U.S. states have passed laws regarding malware, spyware and adware, which also cover rootkits.


The U.S. also has the Internet Spyware Prevention Act, which deals with developers that distribute spyware. Rootkits can be treated as spyware, since hackers can monitor user data once a system is infected via the rootkit. Texas has its own 2005 spyware law blocking companies from compromising devices and monitoring users’ activities.

The U.S. Consumer Protection Against Computer Spyware Act of 2005 is another law that protects users against online deception and illegal data collection. Violating the law can result in fines of up to $100,000 per violation.

Section 5(a) of the U.S. Federal Trade Commission Act, 15 USC 45(a) also protects consumers against companies trying to install software that creates security risks without their consent.

How to Protect Yourself from Rootkits

The methods to protect users against rootkits are given below.

  • Limit failed login attempts.
  • Use antivirus programs on every machine connected to the internet.
  • Keep the operating system and any software installed up-to-date.
  • Install security patches as soon as possible.
  • Read up on the latest forms of online scams and fraud schemes.
  • Use a password manager to create strong passwords for all accounts, including the operating system.
  • Avoid using an administrator account all the time.
  • Install ad-blockers while surfing the internet, especially on untrustworthy websites.
  • Advanced users can set the motherboard’s BIOS/firmware write-protect jumper, where the board provides one, to block rootkits that try to overwrite the system BIOS.
  • Run regular scans.
  • Increase awareness about how rootkits work and how computers are infected.
  • Exercise all preventative measures against rootkits.
  • Stop reusing passwords.
  • Do not open an email attachment from untrustworthy or new sources.
  • Disable Office macros in documents received from unknown or unexpected email messages.
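Several items on the checklist above can be verified on a Windows machine without changing anything. The following read-only audit script is an added example and is not part of the original article; it assumes an elevated PowerShell prompt on a host with Microsoft Defender, and the Office registry path it reads (the 16.0 branch used by Office 2016/Microsoft 365) is an assumption that may be absent if no macro policy has been set.

```powershell
# Added example (not from the article): read-only audit of checklist items on Windows.
# Run from an elevated PowerShell prompt; nothing here modifies settings.

# 1. Is this session running with administrator rights? (Checklist: avoid using
#    an administrator account all the time.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current session is elevated (admin): $isAdmin"

# 2. Account lockout threshold. "Never" means failed logins are not limited at all.
#    (Checklist: limit failed login attempts.)
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
Write-Host "Lockout policy: $($lockoutLine.Line.Trim())"

# 3. Microsoft Defender status and signature age.
#    (Checklist: use antivirus, run regular scans.)
$status = Get-MpComputerStatus
Write-Host ("Real-time protection enabled : {0}" -f $status.RealTimeProtectionEnabled)
Write-Host ("Signatures last updated      : {0}" -f $status.AntivirusSignatureLastUpdated)
Write-Host ("Last full scan ended         : {0}" -f $status.FullScanEndTime)

# 4. Pending Windows updates via the Windows Update COM API.
#    (Checklist: keep the OS up-to-date, install patches promptly.)
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
Write-Host "Pending updates: $($pending.Count)"
foreach ($u in $pending) { Write-Host "  - $($u.Title)" }

# 5. Word macro policy. VBAWarnings: 1 = enable all (weakest), 2 = disable with
#    notification (Office default), 3 = disable except digitally signed, 4 = disable all.
#    Assumed path: the 16.0 branch; the key is absent when no policy is configured.
$macroKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$vba = (Get-ItemProperty -Path $macroKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
if ($null -eq $vba) {
    Write-Host "Word macro policy: not set (Office default: disable with notification)"
} else {
    Write-Host "Word macro policy (VBAWarnings): $vba"
}
```

Each section maps back to one bullet of the checklist, so a flagged line points directly at the setting to change; the script deliberately reports rather than remediates, because changing lockout and macro policies is better done through Group Policy where an organization manages it.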

What to Do If You Become a Rootkits Victim

The best actions to take in a rootkit attack are listed below.

  • Report the incident to the relevant authorities and to the responsible personnel in the IT department.
  • Disconnect the infected device from the internet and the local network.
  • Run a scan if possible.
  • Check the results of the scan.
  • Restart the infected device.
  • Reinstall Windows.
  • Reinstall all applications.
  • If the rootkit is a hardware rootkit, the user may need to replace the hardware depending on the extent of the damage.
  • Mac users should update all applications.
  • Create a backup of all important files and folders.
  • Monitor the infected device’s behavior.
  • Close any account that may have been affected by the rootkit.
  • Enable fraud alerts on any bank accounts or financial services involved.
  • Regularly check credit reports.

How to Remove Rootkits?

The steps on how to remove rootkits are given below.

  • For a basic-level start, use Microsoft Defender to run a scan and then check the results. Delete any problematic items found. If the device is unable to connect to the internet (because of the rootkit, or because the user has disabled network access to stop the spread of the rootkit and other malware), Windows Defender also offers an offline scan.
    • To get started, open the Windows Defender Security Center by clicking the Windows logo icon in the bottom-left corner of the screen and using the search function to find the security center. Then go to the “advanced scans” section, enable the Windows Defender offline scan feature and restart the infected device. The system reboots into Windows PE mode, before the rootkit has a chance to load, and works on repairing and cleaning the infected device.
  • Since many rootkits can bypass Windows Defender, users should get a better third-party rootkit removal tool or antivirus product. Top antivirus products can remove rootkits even from deep within the operating system, so make sure the antivirus product under consideration offers a boot-time scan, which is critical for removing advanced rootkits. Once the third-party antivirus product is installed, run a scan, study the results and delete as necessary. An even better approach is to back up all critical data, wipe the infected device and then install the operating system again, along with all required applications. This is especially important for hypervisor-level, firmware and boot rootkits. Formatting the entire hard drive is also very important to remove all remnants of rootkits.
  • Another method is to get help from an online forum or a computer expert to determine whether a rootkit is truly present on the device. If a rootkit infection is found, users should reinstall the operating system and reinstall all applications only from the relevant official websites. Users who have made a habit of taking regular backups have a clear advantage here: a backup can be used to roll the infected system back to a point before the rootkit infection. If the user restores the system from a backup, an antivirus product should still be used to watch for re-infection. Along with that, users should change all system passwords, as well as the master passcode of the password manager.
  • BIOS, firmware and/or UEFI rootkits are a different breed of stubborn rootkits that only stay away when users religiously keep systems up-to-date as soon as updates, patches and new versions are made available by the developers. Using the Secure Boot feature provides more protection against such rootkits: Secure Boot keeps computers away from rootkit infection by running only boot code that is signed and trusted. Users who want to confirm this feature is on should go to the Start Menu and search for System Information. In the new window, scroll down to find the “Secure Boot State” item. Its value should be “On” rather than “Off.”
  • For IoT devices, the easiest way to remove a rootkit is to update or reinstall the firmware. Resetting IoT devices to factory default settings can also help. And as mentioned before, changing the passwords of all possibly infected accounts is mandatory. Also, keep all firmware files, Windows Live USB files and ISO files of various Linux systems on an external drive, so that if a rootkit infection occurs, the user can install a new operating system quickly.
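The Defender scan, the review of its results, the offline scan and the Secure Boot check described above can all be driven from PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell prompt on a Windows 10/11 host with the built-in Defender module, and the `-OfflineScan` switch is the script’s own parameter, added so that the reboot the offline scan triggers is opt-in.

```powershell
# Added example (not from the article): Defender scan, detection review and
# Secure Boot check from an elevated PowerShell prompt.
# Usage: .\rootkit-check.ps1            (full scan, no reboot)
#        .\rootkit-check.ps1 -OfflineScan  (also schedules the offline scan, which reboots)
param([switch]$OfflineScan)

# Secure Boot state: the same value System Information shows as "Secure Boot State".
# Confirm-SecureBootUEFI throws on legacy-BIOS/CSM machines, so report that case.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled: $secureBoot"
    if (-not $secureBoot) {
        Write-Host "  Secure Boot is off: enable it in UEFI firmware settings to block unsigned boot code."
    }
} catch {
    Write-Host "Secure Boot not available (firmware is booting in legacy BIOS/CSM mode)."
}

# Refresh signatures first; a rootkit may have blocked automatic updates.
Update-MpSignature

# Full scan of the running system. This is the "run a scan and check the results" step.
Start-MpScan -ScanType FullScan

# Review what Defender flagged. Get-MpThreat lists threats by name and severity;
# Get-MpThreatDetection gives the detection time and the files involved.
Write-Host "`nThreats known to Defender on this machine:"
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive | Format-Table -AutoSize

Write-Host "Detection details:"
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, DomainUser, Resources |
    Format-List

# Offline scan: Defender reboots into Windows PE and scans before the installed
# OS (and any kernel-level rootkit it hosts) is loaded. Opt-in because it restarts the PC.
if ($OfflineScan) {
    Write-Host "Starting Microsoft Defender Offline scan; the machine will restart now."
    Start-MpWDOScan
}
```

Run the full scan first and read the detection list; if it is empty but the machine still shows the symptoms described earlier in the article, the offline scan is the next step, since it inspects the disk from outside the possibly compromised operating system.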

What Are the Best Rootkit Removal Tools?

The best rootkit removal tools are given below.


What Are the Other Threats?

Other threats online users have to face are given below.

Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.