Rootkits

Rootkits are stealthy malicious tools designed to hide malware, maintain privileged access, and evade detection by modifying operating system or firmware components.

What are rootkits?

Rootkits are a class of malicious software whose primary purpose is concealment. They enable attackers to hide the presence of malware, backdoors, or unauthorized access by altering low-level components of a system.

Unlike typical malware, rootkits focus less on direct damage and more on long-term stealth and control, often operating with elevated privileges.

Why rootkits matter

Rootkits are particularly dangerous because they:

  • Obscure malicious processes, files, and registry entries
  • Bypass or disable security controls
  • Allow attackers to maintain persistent, privileged access
  • Complicate forensic analysis and incident response
  • Can survive reboots and, in some cases, OS reinstallation

A compromised system with a rootkit cannot be trusted until fully rebuilt.

Common types of rootkits

Rootkits are classified by the level at which they operate:

1) User-mode rootkits

  • Operate at application level
  • Hook APIs to hide files, processes, or network connections
  • Easier to detect but still effective against basic defenses

2) Kernel-mode rootkits

  • Run with kernel-level privileges
  • Modify core OS components or drivers
  • Extremely difficult to detect without specialized tools

3) Bootkits

  • Infect the bootloader or early boot process
  • Execute before the operating system loads
  • Can bypass many endpoint protections

4) Firmware rootkits

  • Persist in BIOS/UEFI, network cards, or storage firmware
  • Survive OS reinstallations and disk replacement
  • Represent a worst-case persistence scenario

5) Hypervisor-level rootkits

  • Operate below the OS using virtualization
  • Control the system invisibly from a lower layer

How rootkits are installed

Rootkits are typically deployed after:

  • Privilege escalation to administrator or root level
  • Exploitation of kernel vulnerabilities
  • Installation of malicious drivers
  • Supply chain attacks affecting firmware or signed components

They are rarely the initial attack vector and usually follow a successful foothold.

Rootkits vs backdoors vs malware

These concepts are related but distinct:

  • Malware: umbrella term for malicious software
  • Backdoor: hidden access mechanism
  • Rootkit: stealth layer that hides malware and backdoors

In practice, attackers often combine all three.

Indicators of rootkit presence

Rootkits aim to remain invisible, but possible indicators include:

  • Inconsistent system behavior or crashes
  • Security tools unexpectedly disabled or blind
  • Discrepancies between OS-level and raw disk/network views
  • Unsigned or suspicious kernel drivers
  • Abnormal boot behavior

Detection often requires offline scanning or trusted boot environments.
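As an added example (not part of this glossary entry), the following Python script makes the "discrepancy between views" indicator concrete on a Linux host: it compares the directory listing of /proc, which a user-mode rootkit can filter by hooking readdir(), against direct path lookups of /proc/<pid>/status, which such a hook never sees. It assumes Linux procfs; a kernel-mode rootkit can falsify both views, so agreement is not proof of a clean system, only a disagreement is a lead.

```python
import os
from typing import Iterable, Optional, Set


def list_proc_pids(proc_root: str = "/proc") -> Set[int]:
    """View 1: process IDs as shown by a directory listing of /proc.
    A user-mode rootkit that hooks readdir() can drop entries from this view."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def parse_status_tgid(status_text: str) -> Optional[int]:
    """Extract the thread-group ID from the text of /proc/<id>/status.
    For a process, Tgid equals its own PID; for a thread it is the owning PID."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def probe_pids(max_pid: int, proc_root: str = "/proc") -> Set[int]:
    """View 2: open /proc/<n>/status by path for every candidate n.
    Path lookups bypass readdir(), so a listing-only hook does not affect them.
    Thread IDs also resolve under /proc, so only keep entries whose Tgid == n
    to avoid reporting every thread as a 'hidden process'."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc_root}/{pid}/status", "r") as fh:
                if parse_status_tgid(fh.read()) == pid:
                    found.add(pid)
        except OSError:  # no such process, or it exited mid-read
            continue
    return found


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Cross-view diff: PIDs reachable by path but absent from the listing."""
    return set(probed) - set(listed)


def read_pid_max(proc_root: str = "/proc") -> int:
    with open(f"{proc_root}/sys/kernel/pid_max") as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    # Take the listing before and after the probe so processes that start or
    # exit during the scan are not reported as discrepancies.
    listed = list_proc_pids()
    probed = probe_pids(read_pid_max())
    listed |= list_proc_pids()
    print("cross-view discrepancies:", sorted(hidden_pids(listed, probed)) or "none")
```

A non-empty result on a host you expect to be clean calls for the offline or trusted-boot analysis mentioned above rather than further live inspection, since the tools used for that inspection may themselves be hooked.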

How to defend against rootkits

Effective mitigation strategies include:

  • Secure Boot and hardware-backed boot integrity
  • Kernel-mode code signing enforcement
  • Regular patching of OS and firmware
  • EDR/XDR solutions with kernel visibility
  • Firmware integrity checks and attestation
  • Rebuilding systems from trusted media after confirmed infection

In many cases, full system reimaging is the only safe remediation.

Common misconceptions

  • "Antivirus will always detect rootkits"
  • "Reinstalling the OS removes all rootkits"
  • "Rootkits are only used in nation-state attacks"
  • "Cloud workloads cannot be affected by rootkit-like persistence"