What Is a Rootkit?

Rootkit definition

Originally derived from the Unix and Linux operating systems, the word “root” referred to the administrative account on the system, while “kit” described the software that implements the tool. A rootkit now refers to a type of malicious software that gives continuous access to your device while remaining undetected. Rootkits open a door for other malware, like viruses and keyloggers, to infect your system.

Unlike many other types of malware, rootkits conceal their presence even while active, making them difficult to detect. Cybercriminals use rootkits to steal personal or financial information, install malware, and use your device to disperse spam.

Microsoft Defender

Stay safer online with one easy-to-use app<sup>1

1</sup>Microsoft 365 Personal or Family subscription required; app available as separate download

Learn more

How does a rootkit work

Similar to other types of malware, rootkits infect your computer system through various tactics, including email phishing, corrupted files, or downloaded software from unsafe websites. Once installed on a device, cybercriminals use rootkits to control the device without its owner noticing. Additional malware can be installed, like keylogging software to track what you type and steal your username and passwords.

A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.

How to find and remove a rootkit

Rootkits disguise their presence, even while active, making them difficult to detect and remove. Although there aren’t any security products that can find and delete all rootkits, there are ways to look for one on an infected device.

• Behavioral analysis is one of the most effective ways to find rootkits because of how well they conceal themselves. By looking for unusual behavior, like slow performance or unusual network traffic, you can spot a rootkit on your device.
• Signature scanning using antivirus software looks for signatures left by cyber criminals. You’ll need to use a separate, uninfected device to scan properly.
• Memory dump analysis looks at data from a memory dump to detect the past behavior of a rootkit. Although rootkits are challenging to spot as they’re wreaking havoc, you’ll typically be able to find a trace afterward.

How to prevent a rootkit attack

Because rootkits can be difficult to find and remove, preventing them from infecting your device is the best way to avoid security issues. General cyber hygiene best practices help prevent many types of malware, including rootkits.

• Avoid opening emails from unknown senders. Clicking on links or downloading files from unknown or suspicious email accounts opens the door to malware including rootkits.
• Update software regularly. Software updates typically include security patches that prevent viruses from reaching your device. Turning on automatic updates for all software applications makes your computer more secure.
• Install antivirus and malware software. Although most types of antivirus software won’t be able to detect rootkits, they can prevent them from infecting your device in the first place.

Like other types of malware, a rootkit causes serious damage by allowing cybercriminals to access your personal information and control your device. Taking note of unusual behavior on your device and maintaining good cyber hygiene will help protect you from becoming a victim of a security breach.