Most users are familiar with common threats such as viruses, worms, spyware and even phishing scams. But mention a rootkit, and many computer users may think you’re talking about a gardening product for fertilizing flowers or killing weeds. So, what is a rootkit?
What Is a Rootkit?
At the core of the term “rootkit” are two words — “root” and “kit”. Root refers to the all-powerful, “Administrator” account on Unix and Linux systems, and kit refers to a set of programs or utilities that allow someone to maintain root-level access to a computer.
However, one other aspect of a rootkit, beyond maintaining root-level access, is that its presence should be undetectable.
Why Use a Rootkit?
It allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user’s computer usage.
Is a Rootkit Malware?
That may be debatable. There are legitimate uses for rootkits by law enforcement, or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees’ or children’s computer systems. There are commercial products that are essentially rootkits which allow for such monitoring.
However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But while a rootkit may be installed on a system by a virus or Trojan of some sort, the rootkit itself is not really malware.
Detecting a Rootkit
Detecting a rootkit on your system is easier said than done. There are various ways to scan memory or file system areas or look for hooks into the system from rootkits, but few of them are automated tools, and those that are often focus on detecting and removing a specific rootkit. One complication is that a kernel-level rootkit controls the very system calls a scanner running on that system relies on, so it can feed the scanner a sanitized view; comparing two independent views of the same thing (for example, the process list as the system reports it against a direct probe of each process ID), or scanning the disk from trusted boot media, is more reliable than trusting any single view. Another method is simply to look for bizarre or strange behavior on the computer system; if suspicious things are going on, you might be compromised by a rootkit.
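The “look for hooks” idea above can be made concrete with a cross-view check. The script below is an added example written for this article, not code from the article itself or from any rootkit-detection product. It assumes a Linux system with /proc mounted; all function names are my own. It takes the process list two ways, by listing the /proc directory (the path ps and top use, and so the one a rootkit most often filters) and by directly probing every possible /proc/<pid> path, and reports any process that the direct probe finds but the listing omits. A process that starts or exits during the scan could look like a discrepancy, so the comparison only reports a PID that is missing from listings taken both before and after the probe, and then re-checks it once more.

```python
# Added example (not from the original article): cross-view detection of
# hidden processes on Linux. A rootkit that hides a process usually hooks one
# enumeration path (the directory listing of /proc) but not another (a direct
# stat of /proc/<pid>). Comparing the two views exposes PIDs that exist but
# are not listed. Assumes Linux /proc; function names are my own.
import os

PROC = "/proc"


def read_pid_max(default=32768):
    """Upper bound of PIDs the kernel hands out (assumes Linux /proc)."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default


def listed_pids():
    """View 1: PIDs the kernel reports via readdir() on /proc."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def pid_exists(pid):
    """Direct path lookup of /proc/<pid>; a hook on readdir() does not affect it."""
    return os.path.exists(f"{PROC}/{pid}")


def probed_pids(max_pid):
    """View 2: probe every candidate PID directly with stat() on /proc/<pid>."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def compare_views(listed_before, probed, listed_after):
    """Pure comparison logic: a PID counts as hidden only if the probe found it
    and it is absent from BOTH directory listings, one taken before the probe
    and one after. Requiring both drops processes that merely started or
    exited while the (slow) probe was running."""
    return sorted(probed - listed_before - listed_after)


def scan(max_pid=None):
    """Run the live cross-view check and return the confirmed suspicious PIDs."""
    max_pid = max_pid or read_pid_max()
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    candidates = compare_views(before, probed, after)
    # Re-confirm each candidate: it must still exist AND still be unlisted.
    current = listed_pids()
    return [pid for pid in candidates if pid_exists(pid) and pid not in current]


if __name__ == "__main__":
    suspicious = scan()
    if suspicious:
        print("PIDs present in /proc but hidden from its listing:", suspicious)
    else:
        print("No discrepancy between /proc listing and direct probes.")
```

The probe is O(pid_max) stat calls, so on a system with a large pid_max it takes several seconds; that is the price of not trusting the directory listing. A rootkit that hooks both readdir() and stat() consistently will defeat this check, which is exactly why the article’s advice to distrust any single view, and ultimately to rebuild, still stands.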
In the end, many security experts suggest a complete rebuild of a system compromised by a rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect files or processes associated with the rootkit, it is difficult to be 100 percent sure that you have in fact removed every piece of the rootkit. Peace of mind can be found by completely erasing the system and starting over.
Protecting Your System and Its Data from Rootkits
As mentioned above regarding detecting rootkits, there is no application to guard against 100 percent of all rootkits. It was also mentioned above that rootkits, while they may be used for malicious purposes at times, are not necessarily malware.
Many malicious rootkits manage to infiltrate computer systems and install themselves by propagating with a malware threat such as a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is updated and running, and that you don’t accept files from, or open email attachments from, unknown sources. You should also be careful when installing software and read carefully before agreeing to EULAs (end user license agreements), because some may state overtly that a rootkit of some sort will be installed.