Awful Things You Need to Know About Rootkits


For as long as cyber criminals have been cooking up malicious software to do stuff like stealing your precious data, the security industry has been thinking up creative names for their little schemes. Trojans, worms, ransomware, adware; you get the idea.

One of the most sinister forms of malware prevalent today is the dreaded rootkit. To the layman, this sounds like some kind of dental procedure, but an actual rootkit on your PC can be far more unpleasant. So what exactly are they? Why are they more dangerous than other types of computer infections? Great questions.

Like with the other threats to your system, the name rootkit reveals a lot. It's derived from the concept of root access in the UNIX operating system, which gives a user broad permissions to change files and settings. And while the means by which different rootkits gain access to usually off-limits parts of the computer differ, all rootkits serve the same general function: to conceal the presence of either themselves or another piece of malware.

Rootkits want to carry out their nefarious deeds on your system without you ever knowing, and it's because of this concealed behavior that they are often very difficult to remove. Many users found that out in the mid-2000s when they realized Sony had shipped music CDs with rootkits designed for, you guessed it, copy protection. These rootkits hid the DRM software, which limited what users could do with their optical drives, and they also caused serious system slowdowns and introduced a ton of security flaws that other malware authors used in their attacks. And when Sony finally released a removal tool after news of the rootkit went viral, all it did was cause even more issues.

So how do rootkits hide themselves? While some rootkits just inject themselves into your programs, somewhat like traditional computer viruses, the more dangerous forms run as part of your operating system's kernel. The kernel is the core part of your OS that allows your programs to communicate with your hardware through things like device drivers. Since drivers usually run in kernel mode, many rootkits disguise themselves as drivers, which is why you should only download drivers from trusted sources like the manufacturer's website, regardless of how desperately you want to get your fancy new graphics card working.

What makes kernel-mode rootkits so insidious is that they essentially appear to be part of the OS itself, meaning you can't really trust your antivirus program to detect them, or, for that matter, anything else your system says about itself.

If that weren't awful enough, other kinds of rootkits go even further than infecting your OS kernel. They do things like contaminating your hard drive's boot sector in order to break the encryption, or getting into your system's firmware, such as your motherboard or GPU BIOS. If that happens, not even completely reformatting your PC will help.

Well, that all sounds pretty darn horrible. If I don't even know I have a rootkit, how do I get rid of it? That, admittedly, is a challenge. Larger organizations have tried strategies like logging suspicious access requests through a firewall or dumping everything in a system's memory to look for malicious code, but these aren't the sorts of things a home user can easily do. Modern motherboards with a UEFI BIOS have some features to block rootkits, such as Secure Boot, but this solution has been criticized for keeping users from doing legitimate things like installing multiple operating systems.
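The "can't trust what the system says about itself" problem is exactly what cross-view detection attacks: take the process listing the OS hands to user space and compare it against a view that a listing hook cannot filter, such as asking the kernel about every possible PID directly. The Linux sketch below is an added example, not code from the original article or from any product it mentions; it assumes a Linux /proc filesystem and a ps binary, and any ID that the probe confirms but the listing omits is a candidate worth a second look.

```python
import os
import subprocess

def pids_from_proc():
    """View 1: every process and thread ID that /proc lists. A rootkit that hooks
    directory listing can filter entries out of exactly this view."""
    ids = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:  # threads answer kill() too, so gather them to avoid false positives
            ids.update(int(t) for t in os.listdir(f"/proc/{entry}/task"))
        except FileNotFoundError:
            pass  # process exited between the two listdir calls
    return ids

def pids_from_ps():
    """View 2: what the ps tool reports (also built on /proc, so only semi-independent)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def pids_by_probing(max_pid):
    """View 3: ask the kernel directly with kill(pid, 0). Success or EPERM both mean the
    ID exists; only ESRCH means it does not. A listing hook never sees this code path."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)  # exists, but belongs to another user
        except ProcessLookupError:
            pass
    return found

def cross_view_diff(listing_view, probe_view):
    """IDs the kernel confirms but the listing omits: candidates for a hidden process.
    Processes that exit between the two snapshots also land here, so re-check any hit."""
    return sorted(probe_view - listing_view)

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        limit = int(f.read())
    suspects = cross_view_diff(pids_from_proc() | pids_from_ps(), pids_by_probing(limit))
    print("hidden-process candidates:", suspects or "none")
```

Probing the full PID range takes a few seconds in Python; a persistent mismatch that survives a second run is the signal, a single transient one usually is not.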

So while some simpler rootkits can be detected and removed by your favorite anti-malware program, the best counter-strategy is to just be super careful about what you click and download.