Rootkits

A rootkit is a collection of software designed to perform some very powerful and unique tasks on a target system. This software is designed to alter system files and utilities on a victim's system with the intention of changing the way the system behaves. Additionally, a rootkit quite commonly has the capability to hide itself from detection, which makes this type of malware quite dangerous. Normal operation of any computing system relies on trusting the basic OS utilities running on the computer. If a rootkit compromises any of these utilities, you can no longer trust the OS and must treat the whole computer as compromised.
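The paragraph above rests on one idea: once the utilities you use to inspect a system are themselves suspect, only a comparison against a known-good state tells you anything. The following added example (not from the original text) shows the defender's basic response, a hash baseline of trusted binaries that is taken while the system is clean and verified later. It uses a temporary directory with constructed stand-in files for `ls`, `ps` and a library so it runs offline; on a real host the roots would be `/bin`, `/sbin`, `/usr/bin` and `/lib`, and the baseline would be stored off the machine. The simulated replacement of `ps` keeps the file size identical, to show why a size or timestamp check alone is not enough.

```python
"""Baseline-and-verify integrity check for trusted OS utilities (added example).

A rootkit that swaps ls, ps or a shared library changes the bytes on disk; a
SHA-256 baseline taken from a known-good state exposes the swap even when size
and permissions are unchanged. Caveat: a kernel-mode rootkit that hooks read()
can feed this checker the original bytes, so verification of a suspect host
should be run from trusted boot media against the mounted disk.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and mode of every regular file under root.

    Symlinks are recorded by target rather than followed: a rootkit can leave
    the real binary untouched and simply point the link somewhere else.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.is_symlink():
            baseline[rel] = {"symlink": os.readlink(p)}
        elif p.is_file():
            st = p.stat()
            baseline[rel] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree to the baseline; every difference is reported."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ls").write_bytes(b"ls v1.0 original")
        original_ps = b"ps v1.0 original"
        (root / "bin" / "ps").write_bytes(original_ps)
        (root / "lib" / "libc.so.6").write_bytes(b"libc placeholder (constructed)")

        # Persist and reload through JSON, as a real tool keeping the baseline off-host would.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Simulated rootkit install: ps replaced by a same-length file (size check
        # would miss it), an extra binary dropped, and a library removed.
        trojaned_ps = b"ps v1.0 hooked!!"
        assert len(trojaned_ps) == len(original_ps)
        (root / "bin" / "ps").write_bytes(trojaned_ps)
        (root / "bin" / "lsof").write_bytes(b"dropped by attacker (constructed)")
        (root / "lib" / "libc.so.6").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken before the compromise and stored where the host cannot alter it; a baseline rebuilt on a suspect machine only proves the machine agrees with itself.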

A rootkit is beneficial to an attacker for a number of reasons, but the biggest benefit is the scope of access the attacker can gain. With a rootkit installed on a system, attackers gain root, or administrator, access to a system, which means that they now have the highest level of access possible on the target system. Once attackers have a rootkit installed, they effectively own the system and can get it to do whatever they want. In fact, a rootkit can be embedded into a system so deeply and with such high levels of access that even the system administrator will be unable to detect its presence. Having root access to a system allows an attacker to do any of the following:

  • Install a virus at any point—If the virus requires root-level access to modify system files or alter and corrupt data or files, a rootkit can provide the means to do so.

  • Place a Trojan on a system—Much like viruses, a Trojan may require root-level access, so a rootkit will provide the level of access needed to run these types of malware.

  • Launch a ransomware attack—A rootkit could easily allow ransomware to be installed and launched. Most users and administrators would not even know the malware was present until the ransom message pops up.

  • Install spyware to track activity—Spyware typically needs to be well placed and well hidden. A rootkit can provide a way to hide spyware, such as a keystroke logger, so it is undetectable even to those looking for it.

  • Hide the attack—A rootkit possesses the ability to alter the behavior of a system any way an attacker wants, so it can be used to hide evidence of an attack. A rootkit can be used to hide files and processes from view by altering system commands to prevent the display or detection of the attack.

  • Maintain access over the long term—If a rootkit can stay undetected, it is easy for an attacker to maintain access to the system. For an attacker, the challenge is to construct a rootkit to prevent detection by the owner of the system.

  • Monitor network traffic—A rootkit can install a network sniffer on a system to gain inside information about the activities on a network.

  • Block the logging of selected events—To prevent detection, a rootkit can alter the system to prevent the logging of activities related to a rootkit.

  • Redirect output—A rootkit can be configured to redirect output of commands and other activities to another system.
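Several of the capabilities listed above (hiding processes, hiding the attack, blocking logging) come down to one mechanism: the rootkit filters what a system command reports, while the kernel itself still knows the truth. Defenders exploit that gap with cross-view detection, comparing a listing the rootkit is likely to have hooked against a second view obtained a different way. The following added example (not from the original text) compares the process list visible as directories in `/proc` with the set of PIDs the kernel acknowledges through `kill(pid, 0)`, the same approach used by tools such as `unhide`. It is Linux-specific; the view functions are parameters so the logic can also be exercised with a constructed scenario, which `simulated_check` does.

```python
"""Cross-view detection of hidden processes on Linux (added example).

A user-mode rootkit that hooks readdir() in libc, or a kernel rootkit that
filters /proc, removes a process from directory listings. The kernel still
answers kill(pid, 0) for that process, so the two views disagree.
"""
import os
from typing import Callable, Optional, Set


def proc_listing() -> Set[int]:
    """PIDs according to the directory view of /proc (the view rootkits typically filter)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pid_max() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def pid_exists(pid: int) -> bool:
    """Signal 0 probes without delivering anything: ESRCH means no such process,
    EPERM means it exists but belongs to someone else."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def kill_probe(limit: Optional[int] = None) -> Set[int]:
    """Brute-force the PID space; at the default pid_max this takes a few seconds."""
    upper = limit or pid_max()
    return {pid for pid in range(1, upper + 1) if pid_exists(pid)}


def known_thread_ids() -> Set[int]:
    """TIDs of every visible process. kill(tid, 0) succeeds for non-leader
    threads, so without this every multithreaded program looks hidden."""
    tids: Set[int] = set()
    for pid in proc_listing():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            continue  # process exited while we were scanning
    return tids


def find_hidden_pids(
    listed_view: Callable[[], Set[int]] = proc_listing,
    probe_view: Callable[[], Set[int]] = kill_probe,
    exists: Callable[[int], bool] = pid_exists,
    thread_ids: Callable[[], Set[int]] = known_thread_ids,
) -> Set[int]:
    """PIDs the kernel acknowledges but the listing omits, confirmed twice.

    A process that started or exited between the two scans is a race, not a
    rootkit, so every candidate is re-checked before it is reported.
    """
    candidates = probe_view() - listed_view() - thread_ids()
    if not candidates:
        return set()
    listed_again = listed_view()
    threads_again = thread_ids()
    return {
        pid for pid in candidates
        if exists(pid) and pid not in listed_again and pid not in threads_again
    }


def simulated_check() -> Set[int]:
    """Constructed scenario: the kernel knows PIDs 1, 2, 700 and 4242; the hooked
    listing omits 4242; PID 700 has a thread 701; PID 999 exits mid-scan."""
    truth = {1, 2, 700, 4242}
    threads = {701}
    hooked_listing = lambda: truth - {4242}          # what a filtered /proc shows
    probe = lambda: truth | threads | {999}          # what kill(pid, 0) acknowledged
    exists = lambda pid: pid in truth or pid in threads  # 999 is gone by the re-check
    return find_hidden_pids(hooked_listing, probe, exists, lambda: threads)


if __name__ == "__main__":
    print("hidden PIDs:", sorted(find_hidden_pids()))
```

A non-empty result is a strong indicator, but not proof on its own; a kernel-mode rootkit that also hooks `kill()` defeats this particular pair of views, which is why practical detectors combine several independent views (procfs, syscall probes, scheduler statistics) and why the firmware and kernel types described below are the hardest to catch from inside the running OS.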

There are several different types of rootkits in use by attackers today. Each type has different capabilities and uses. Although not exhaustive, here is a basic list of rootkit types:

  • Application level—These rootkits operate in user mode and generally target APIs and libraries.

  • Kernel mode—Although more difficult to write and successfully install, kernel mode rootkits can replace both OS kernel components and device drivers. Operating in kernel mode, these rootkits have unrestricted access to a computer’s resources.

  • Bootkit—A specific type of kernel mode rootkit that infects or replaces boot records or sectors. These rootkits are loaded and active before the OS loads and can be used to bypass certain OS controls.

  • Hypervisor/VM escape—A virtual machine escape rootkit operates at the hypervisor level and can intercept requests and alter responses to the hosted OS. In a virtual environment, this type of rootkit is similar to a physical hardware/firmware rootkit. These types of rootkits can also compromise the separation between virtual machines running on a host.

  • Hardware/firmware—Any rootkit malware that is burned into a computer’s or device’s hardware or firmware. Most rootkits of this type are found in devices or computer system components, such as cards or storage devices. Firmware and hardware rootkits are extremely difficult to detect and eradicate because they live at such a low level.

Above all, a rootkit is an application and, as such, can be launched with a tool such as PsExec and run remotely on a target system. Of course, running a rootkit is one thing; obtaining one is quite another. Currently, many ways exist to get a rootkit, whether from a website or through a development tool designed to help nonprogrammers create basic rootkits.
