Definitions
A rootkit (also spelled root-kit) is
- “[a] set of tools used by an attacker after gaining root-level access to a host to conceal the attacker's activities on the host and permit the attacker to maintain root-level access to the host through covert means.”
- “a type of malware that is designed to take control of a computer system, without authorization by the system's owners and legitimate managers.”
- “[a] piece of software that can be installed and hidden on the victim computer without the user's knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on the victim machine. Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor user actions, modify programs, or perform other functions on the targeted computer without being detected.”
- “enables privileged access to a computer while hiding its presence from the administrator by subverting standard operating system functionality.”
- “[m]alware installed on a compromised computer that allows a cyber operator to maintain privileged access to that computer and to conceal the cyber operator's activities there from other users of that or another computer.”
How it works
Rootkits range from crude replacements of the administrative utilities commonly used to inspect a running system (process, file and network listing tools) to sophisticated kernel-level patches that make protected malicious code invisible even to detectors that read kernel data structures directly.
The role of the rootkit is to conceal evidence of a compromise from the user, the operating system and other applications (e.g., anti-virus or anti-spyware products) designed to detect the malicious files that the malware has installed on the computer. Once a rootkit is installed, anti-virus and anti-spyware products running on the same host can no longer be trusted: they query the very OS interfaces (file, process and registry enumeration) that the rootkit subverts, so they report only what the rootkit lets them see. A rootkit is not, however, required to conceal malware effectively. Many types of malware disable or bypass the security measures installed on a computer without using a rootkit at all.
On some operating systems, such as versions of Unix and Linux, classic rootkits modify or replace dozens or hundreds of files, including system binaries. On other operating systems, such as Windows, rootkits may modify or replace files, or may reside in memory only and hook the OS's built-in system calls. Many of the changes a rootkit makes exist to hide the rootkit itself and its other changes, so it is very difficult both to determine that a rootkit is present and to identify what it altered. For example, a rootkit might suppress directory and process listing entries related to its own files. Rootkits are often used to install other attacker tools, such as backdoors and keystroke loggers, on a system. Examples of rootkits include LRK5, Knark, Adore, and Hacker Defender.
It has often been proposed that computers can be protected from malware by running them in a virtual machine. In an inversion of this scheme, a rootkit can itself virtualize the operating system and applications of a host computer: the original OS is moved into a virtual machine controlled by the rootkit, and the crimeware runs outside (beneath) that virtual machine, which makes detecting it from within the virtual machine extremely difficult. Hardware virtualization extensions in modern processors (Intel VT-x, AMD-V) make this attack practical.
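The two hiding techniques above (replacing system binaries, and filtering the listings that tools such as ps read) each have a practical counter-check. The following script is an added example, not code from the page or from any of the rootkits named in it. It shows a cross-view check for hidden processes (processes that answer to kill(pid, 0) but are missing from the /proc listing that ps relies on) and a hash-baseline check for replaced binaries. It assumes a Linux /proc layout; the baseline file path and the sample views and baseline digests are constructed for the example.

```python
"""Cross-view and integrity checks against rootkit concealment (added example).

1. cross_view_hidden(): a PID that exists according to kill(pid, 0) but is
   absent from every /proc listing taken around the probe is a candidate for a
   process hidden by a rootkit that filters readdir() on /proc.
2. integrity_diff(): files whose SHA-256 digest no longer matches a baseline
   recorded on a known-good system (the response to rootkits that replace
   system binaries).
"""
import hashlib
import json
import os
from pathlib import Path

# Hypothetical location of a baseline recorded on a known-good system.
BASELINE_FILE = Path("/var/lib/integrity/baseline.json")
WATCHED_BINARIES = ["/bin/ps", "/bin/ls", "/bin/netstat", "/bin/login"]


def list_proc_pids(proc="/proc"):
    """View 1: PIDs as /proc reports them via readdir(). This is what ps
    reads, and it is the view a readdir-filtering rootkit tampers with."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probe_pids(max_pid):
    """View 2: PIDs that exist according to kill(pid, 0). No /proc lookup is
    involved, so hiding from this view requires hooking a different path."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue            # ESRCH: no such process
        except PermissionError:
            found.add(pid)      # EPERM: exists, owned by another user
    return found


def cross_view_hidden(listings, probed):
    """PIDs present in the probe view but absent from *every* listing.

    Several listings are taken around the probe so that a process which
    starts or exits during the scan is not mistaken for a hidden one."""
    seen = set().union(*listings) if listings else set()
    return sorted(probed - seen)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_existing(paths):
    """Current digests of the watched files; missing files are left out so
    that integrity_diff() reports them as changed."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def integrity_diff(baseline, current):
    """Paths whose current digest differs from, or is missing relative to,
    the baseline (sorted for stable reporting)."""
    return sorted(p for p, digest in baseline.items() if current.get(p) != digest)


def main():
    pid_max_file = Path("/proc/sys/kernel/pid_max")
    pid_max = int(pid_max_file.read_text()) if pid_max_file.exists() else 32768
    before = list_proc_pids()
    probed = probe_pids(pid_max)
    after = list_proc_pids()
    print("PIDs hidden from /proc listing:", cross_view_hidden([before, after], probed))

    if BASELINE_FILE.exists():
        baseline = json.loads(BASELINE_FILE.read_text())
    else:
        # Constructed stand-in baseline: real use records digests on a clean system.
        baseline = hash_existing(WATCHED_BINARIES)
    print("binaries differing from baseline:",
          integrity_diff(baseline, hash_existing(WATCHED_BINARIES)))


if __name__ == "__main__":
    main()
```

Both checks only raise the bar: a kernel-level rootkit that hooks the syscall path used by kill() as well as readdir(), or one that serves the original file contents to read() while executing replaced code, defeats them, which is why an offline scan from trusted media remains the reliable integrity check. Hash comparison also needs the baseline stored somewhere the rootkit cannot rewrite.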
References
- NIST Special Publication 800-61, rev. 1.
- Beyond Voice: Mapping the Mobile Marketplace, at 38.
- Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage, at 117.
- Best Practices to Address Online and Mobile Threats, at 8.
- Tallinn Manual, at 214.
- The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, at 15.