APPLICATION SECURITY

Knowledge Base

Search Our Knowledge Base

AppSec Knowledgebase Categories

Home

AppSec Knowledgebase

Understanding Rootkits: Detect, Prevent, and Secure Your Systems

Reading Time: 3 min(s)

Understanding Rootkits: Detect, Prevent, and Secure Your Systems

Rootkit, Scanners, Detection and Removal Software

Amid the concealed dangers of the online world, rootkits emerge as particularly harmful and stealthy threats. These programs are designed to hide deep within your system, evading detection while granting unauthorized users total control. Learn the critical details of rootkits, including their definition, mechanisms, impacts, and the proactive steps needed to defend against them. Whether you’re an IT professional or a general user, understanding rootkits is a critical step in safeguarding your systems.

What Is a Rootkit?

A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a connection of the two words “root” and “kit.” Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the Admin account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms, and viruses – that conceal their existence and actions from users and other system processes.

What Can a Rootkit Do?

A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller can remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.

State of Software Security 2023

Read the Report

Rootkit Detection

It is difficult to detect rootkits. No commercial products are available that can find and remove all known and unknown rootkits. However, there are various ways to look for a rootkit on an infected machine. Detection methods include behavioral-based methods (e.g., looking for strange behavior on a computer system), signature scanning, and memory dump analysis. Often, the only option to remove a rootkit is to completely rebuild the compromised system.

Rootkit Protection

Many rootkits penetrate computer systems by piggybacking with software you trust or with a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities.

This includes patches of your OS, applications and up-to-date virus definitions. Don’t accept files or open email file attachments from unknown sources. Be careful when installing software and carefully read the end-user license agreements.

Well-Known Rootkit Examples

  • Lane Davis and Steven Dake – wrote the earliest known rootkit in the early 1990s.
  • NTRootkit – one of the first malicious rootkits targeted at Windows OS.
  • HackerDefender – this early Trojan altered/augmented the OS at a very low level of function calls.
  • Machiavelli – the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates hidden system calls and kernel threads.
  • Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson’s AXE PBX.
  • Zeus, first identified in July 2007, is a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing.
  • Stuxnet – the first known rootkit for industrial control systems
  • Flame – a computer malware discovered in 2012 that attacks computers running Windows OS. It can record audio, screenshots, keyboard activity and network traffic.

Secure Coding Handbook

Get the Handbook

See More Veracode Security Solutions

Questions About Software Security?

Schedule a Demo