Search Learning Center for


AppSec, Threats 10.1k views

What is Rootkit

A rootkit is a software program, typically malicious, that provides privileged, root-level (i.e., administrative) access to a computer while concealing its presence on that machine. Simply put, it is a nasty type of malware that can severely impact your PC’s performance and also put your personal data at risk.

Once installed, a rootkit typically boots at the same time as the computer’s operating system, or after the boot process begins. There are, however, rootkits that can boot up before the target operating system, making them very difficult to detect.

Potential consequences of a rootkit include:

  1. Concealed malware – Rootkits allow attackers to install additional malware on infected computers. They hide malicious programs from users and any anti-virus software installed on a computer.
  2. Information theft – Malicious software installed with the aid of rootkits can be used to steal user passwords, credit card information, or other sensitive data without being detected.
  3. File deletion – Rootkits can delete operating system code or other files on a system.
  4. Eavesdropping – Hackers can use rootkits to eavesdrop on users and intercept their personal information.
  5. File execution – After subverting anti-malware software on a system, rootkits allow perpetrators to remotely execute other files on target computers.
  6. Remote access – Rootkits can alter system configuration settings, such as opening up backdoor TCP ports in firewall settings, or altering startup scripts. This grants attackers remote access, allowing them, for example, to use the computer in a botnet.

See how Imperva Web Application Firewall can help you with rootkit injection attacks.

Rootkit injection

There are a number of ways that a rootkit can stealthily be installed on your system. These include:


Users can unknowingly install rootkits that have been bundled with apparently trustworthy software. When the administrator gives permission to install the software, the rootkit also silently installs on the computer.

In 2005, Sony secretly bundled a rootkit with its Extended Copy Protection software, which came with millions of Sony CDs. The rootkit modified host operating systems and tried to prevent users from making copies of CDs. However, hackers were able to exploit vulnerabilities in Sony’s rootkit to gain malicious access to the affected systems.

Blended threat

A rootkit cannot infect target computers on its own. In order to spread a rootkit, attackers form a blended threat to exploit several different vulnerabilities and infiltrate a system. This is achieved by combining the rootkit with two other components—a dropper, and a loader.

Dropper – A dropper is a program or a file used to install a rootkit on a target computer. Droppers can be distributed in a number of ways, including through social engineering or a brute force attack, in which a perpetrator uses a program to repeatedly guess a system’s root username and password.

Loader – A loader is malicious code that launches after a user initiates the dropper program, either by opening or executing a file. The loader exploits vulnerabilities to ensure the rootkit loads together with the target system. For example, a kernel-level rootkit might use a loader that exploits a Linux vulnerability to replace operating system code with a rewritten Loadable Kernel Module.

Example of a two-stage kernel rootkit injection

Example of a two-stage kernel rootkit injection

Rootkit types

There are a number of types of rootkits that can be installed on a target system. Some examples include:

  1. User-mode or application rootkit – These are installed in a shared library and operate at the application layer, where they can modify application and API behavior. User-mode rootkits are relatively easy to detect because they operate at the same layer as anti-virus programs.
  2. Kernel-mode – These rootkits are implemented within an operating system’s kernel module, where they can control all system processes. In addition to being difficult to detect, kernel-mode rootkits can also impact the stability of the target system.
  3. Bootkits – These rootkits gain control of a target system by infecting its master boot record (MBR). Bootkits allow a malicious program to execute before the target operating system loads.
  4. Firmware rootkits – These rootkits gain access to the software that runs devices, such as routers, network cards, hard drives or system BIOS.
  5. Rootkit hypervisors – These rootkits exploit hardware virtualization features to gain control of a machine. This is done by bypassing the kernel and running the target operating system in a virtual machine. Hypervisors are almost impossible to detect and clean because they operate at a higher level than the operating system, and can intercept all hardware calls made by the target operating system.

Anti-rootkit measures

Protecting your systems from rootkits is a two-pronged process involving scanning for existing malware and preventing the installation of new programs.

Rootkit scanners

Scanners are programs designed to parse a system in order to weed out active rootkits.

While scanners can help detect and remove application-layer rootkits, they’re typically ineffective against those operating at the kernel, boot or firmware level. Scanners that can search for malicious code at the kernel level can only run when the rootkit is inactive. This means that a system has to be booted in safe mode with system processes stopped in order to be effective.

It’s because of these limitation that security experts recommend using several scanners and rootkit removers, as no individual tool can guarantee that a system is completely clean.

To fully secure your system from rootkits operating at the boot, firmware or hypervisor level, the only remedy is to backup data, then wipe the device and perform a clean install.

Preemptive blocking

Rootkit prevention is based on the idea that a rootkit can be delivered onto your system via both individual users and web facing assets (i.e., websites).

The first preventative measure is user education for everyone in your organization. This should involve instructions on how to detect malicious links and email attachments, as well as rules against downloading or opening files from unknown sources.

Users should also be trained to identify and avoid phishing attempts, in which malicious messages, websites or files surreptitiously appear to come from legitimate sources. This is especially important for users with administrative privileges.

Additional measures preventing rootkits include:

  1. Keeping software updated and patching known vulnerabilities in applications and operating systems.
  2. Running anti-virus and occasionally running anti-rootkit tools on sensitive machines.
  3. Behavioral-based detection, which analyzes system behavior to discover suspicious patterns of API calls or CPU usage, which may indicate a rootkit.
  4. Close examination of network logs from packet analyzers, firewalls, or other network tools to identify rootkits communicating with a remote control center.

Imperva Rootkit detection and removal

Imperva provides a number of solutions to block rootkit installation, as well as to detect existing rootkits that might have been installed prior to onboarding our services.

Web application firewall (WAF)

Imperva WAF acts as a gateway for incoming traffic to web applications and websites, using behavioral analysis to block rootkit injection attempts.

Backdoor protect

Imperva Backdoor Protect is a shell detection service that closely tracks incoming requests, helping to pinpoint and quarantine backdoor files so they can be safely removed.

Login protect

Login Protect is a two-factor authentication service. It prevents perpetrators from using stolen login credentials to obtain server access and install rootkits. With Login Protect, passwords alone no longer suffice for gaining administrative access to a system.