Rootkit
Malware designed to grant privileged access while concealing its own existence.
Kernel Mode
The most privileged level of OS execution, where rootkits can intercept and manipulate core system functions.
Privilege Escalation
Gaining higher-level access rights than originally granted — a prerequisite for installing most rootkits.
Persistence
The ability to survive reboots and user logoffs and, for bootkits and firmware rootkits, even OS reinstallation.

What rootkits actually do

The name "rootkit" originates from Unix/Linux systems, where "root" is the superuser account with full system access. A rootkit provides that root-level access to an attacker while hiding it from everyone else. The hiding is what distinguishes rootkits from other malware — they actively subvert the tools used to detect them.

A rootkit can hide: files and directories, running processes, network connections, registry keys, and even its own memory allocations. When an antivirus scans for suspicious files, the rootkit intercepts the scan and returns falsified results. When a system administrator lists running processes, the rootkit's processes are absent from the list.

Types of rootkits

Rootkits are classified by where they embed themselves, from easiest to remove (user-mode) to nearly impossible (firmware):

  1. User-mode rootkits: Operate in the application layer (Ring 3). They hook API calls made by user-space programs to intercept and modify results. Easiest to detect, since they have no kernel access and a kernel-level scanner sees past them, but effective against standard antivirus and administration tools that rely on the same user-space APIs.
  2. Kernel-mode rootkits: Run at the OS kernel level (Ring 0), the same privilege level as the operating system itself. They can modify kernel data structures directly, for example removing their own process from the process list in memory. Very difficult to detect without specialised tools that bypass the compromised OS.
  3. Bootkits (bootloader rootkits): Infect the Master Boot Record (MBR) or Volume Boot Record on legacy BIOS systems, or the boot manager on the EFI System Partition on UEFI systems, so they load before the operating system itself. The OS starts inside an already-compromised environment. A bootkit survives an OS reinstall when the reinstall does not rewrite the boot code it infected; UEFI Secure Boot exists specifically to refuse unsigned boot-stage code.
  4. Hypervisor rootkits (virtual machine rootkits): Place the legitimate OS inside a virtual machine that the rootkit controls. The legitimate OS runs normally but is unaware it has been virtualised, giving the rootkit complete visibility and control. Extremely rare and sophisticated.
  5. Firmware rootkits: Embed into hardware firmware (BIOS/UEFI, hard drive firmware, network card firmware). Survive OS reinstallation, disk wiping, and even replacement of every component other than the one carrying the firmware. The only remediation is reflashing the firmware from a known-good image, or replacing the component, where that is possible at all.

How rootkits conceal themselves

The stealth mechanisms of rootkits are what make them so dangerous. Rootkits use several techniques to become invisible; DKOM, SSDT hooking and filter drivers require kernel mode, while IAT/EAT hooking is the user-mode equivalent:

  • DKOM (Direct Kernel Object Manipulation): Modifying kernel data structures directly in memory — for example, unlinking a process entry from the process list without using any OS API that could be monitored.
  • SSDT hooking: Replacing entries in the System Service Descriptor Table to redirect OS calls through the rootkit's own handler, which can filter results before returning them to the calling application.
  • IAT/EAT hooking: Modifying the import/export address tables of user-space processes so that calls to library functions (for example the directory- or process-enumeration APIs) are redirected into the rootkit's code before they reach the real libraries. This is the user-mode rootkit's main technique.
  • File system filter drivers: Installing a legitimate-looking driver that intercepts file system operations and hides specific files and directories at the driver level.

You cannot trust any software on an infected system. Once a kernel-mode rootkit is installed, every tool you run — antivirus, process viewer, file browser — is potentially feeding you falsified information. The only way to reliably assess a compromised system is to boot from trusted external media and examine the disk offline.
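A scaled-down model of SSDT hooking, added here as an illustration and not code from the original page: the dispatch table, the hook that filters a directory listing, and the pointer-integrity check an anti-rootkit tool runs against it. The table layout, service numbers and file names are constructed for the example; a real SSDT lives inside ntoskrnl and is indexed by the system-call number the user-mode stub passes in.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the System Service Descriptor Table: an array of
 * function pointers indexed by service number. Names, service numbers and
 * the sample directory are invented for this example. */
#define MAX_NAMES 16
typedef int (*query_dir_fn)(const char *dir, const char *out[], int max);

/* Constructed on-disk directory. The "$sys$" prefix mirrors the Sony BMG
 * XCP rootkit's hiding rule. */
static const char *disk_files[] = {
    "notes.txt", "$sys$aries.sys", "report.pdf", "$sys$DRMServer.exe"
};
#define DISK_FILE_COUNT ((int)(sizeof disk_files / sizeof disk_files[0]))

/* The genuine kernel service: enumerate the directory. */
static int nt_query_directory(const char *dir, const char *out[], int max) {
    int n = 0;
    (void)dir;                               /* single-directory model */
    for (int i = 0; i < DISK_FILE_COUNT && n < max; i++)
        out[n++] = disk_files[i];
    return n;
}

enum { SVC_QUERY_DIRECTORY = 0, SVC_COUNT };

/* Live table the dispatcher reads, plus a known-good copy recorded before
 * any third-party driver loaded (what an anti-rootkit tool compares against). */
static query_dir_fn ssdt[SVC_COUNT] = { nt_query_directory };
static const query_dir_fn ssdt_baseline[SVC_COUNT] = { nt_query_directory };

/* Every user-mode directory listing ends up here: a call through the table. */
static int syscall_dispatch(int svc, const char *dir, const char *out[], int max) {
    return ssdt[svc](dir, out, max);
}

/* ---- rootkit side ---- */
static query_dir_fn original_query_directory;    /* saved for call-through */
#define HIDE_PREFIX "$sys$"

/* The hook: call the real service, then drop every entry that matches the
 * prefix before the caller (Explorer, an AV scanner, cmd.exe) sees the list. */
static int hooked_query_directory(const char *dir, const char *out[], int max) {
    const char *all[MAX_NAMES];
    int n = original_query_directory(dir, all, MAX_NAMES), kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        if (strncmp(all[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;                        /* filtered out of the result */
        out[kept++] = all[i];
    }
    return kept;
}

static void install_ssdt_hook(void) {
    if (original_query_directory)            /* already installed */
        return;
    original_query_directory = ssdt[SVC_QUERY_DIRECTORY];
    ssdt[SVC_QUERY_DIRECTORY] = hooked_query_directory;
}

static void remove_ssdt_hook(void) {
    if (!original_query_directory)
        return;
    ssdt[SVC_QUERY_DIRECTORY] = original_query_directory;
    original_query_directory = NULL;
}

/* ---- detection side ---- */
/* A table entry that no longer matches the baseline points into someone
 * else's code. Returns the number of redirected entries. */
static int count_hooked_entries(void) {
    int hooked = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (ssdt[i] != ssdt_baseline[i])
            hooked++;
    return hooked;
}

/* What a user-mode "dir" call returns. */
static int list_directory(const char *out[], int max) {
    return syscall_dispatch(SVC_QUERY_DIRECTORY, "C:\\", out, max);
}

int main(void) {
    const char *names[MAX_NAMES];
    int n = list_directory(names, MAX_NAMES);
    printf("clean table: %d entries, %d hooked\n", n, count_hooked_entries());
    install_ssdt_hook();
    n = list_directory(names, MAX_NAMES);
    printf("hooked table: %d entries, %d hooked\n", n, count_hooked_entries());
    for (int i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    remove_ssdt_hook();
    return 0;
}
```

The two "$sys$" files vanish from every caller that goes through the table, which is exactly why a scanner running on the infected OS cannot find them, while the baseline comparison still flags the redirected entry because it does not ask the table what it contains, it asks where the pointers go. Real SSDT hooks worked this way on 32-bit Windows; on 64-bit Windows, Kernel Patch Protection (PatchGuard) bugchecks the machine when it finds the table modified, which is one reason kernel rootkits moved on to data-structure manipulation, filter drivers and firmware.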

Famous rootkits

Sony BMG (2005)
Music CDs carrying Sony's XCP copy protection installed a kernel-mode driver on Windows PCs to enforce DRM. The driver hooked system calls so that any file, process or registry key whose name began with "$sys$" became invisible, a cloak that malware authors promptly reused by giving their own files the same prefix. Shipped on roughly 22 million CDs; triggered a massive legal and PR crisis.
Stuxnet (2010)
The Stuxnet worm included a sophisticated rootkit component: Windows kernel drivers, signed with certificates stolen from Realtek and JMicron so that they would load, that hid its files, plus a PLC-level component that hid the malicious code changes it made to Siemens industrial controllers from the engineering software, so operators at Iran's nuclear facilities saw normal logic.
LoJax (2018)
Attributed to the Russian APT group Fancy Bear (APT28/Sednit) and documented by ESET in 2018, LoJax was the first publicly confirmed UEFI firmware rootkit found in a real attack. It writes itself into the SPI flash on the motherboard, so it survives OS reinstallation and disk replacement and is removed only by reflashing the firmware.

Detecting and removing rootkits

Detection requires stepping outside the compromised environment:

  • Integrity checking: Tools like Tripwire record a cryptographic baseline (hashes) of system files and report any file that changes unexpectedly. The baseline and the checker must be kept on read-only or offline media and run from trusted media; a hash check run under a rootkit that filters file reads is just another lied-to tool.
  • Cross-view detection: Comparing the same fact from two sources that a rootkit would have to subvert separately, for example the process list returned by the API versus a raw scan of memory for process objects, or the /proc listing versus brute-force probing of every PID. A process present in one view and absent from the other is being hidden.
  • Offline scanning: Boot from a trusted live CD/USB and scan the system disk. The rootkit's code is not running, so it cannot intercept the scan.
  • Firmware/UEFI scanning: Specialised tools (e.g., CHIPSEC) can dump the SPI flash and compare it against a known-good image from the vendor; on platforms with a TPM, measured boot records the firmware and boot-chain hashes, so an altered image changes the measurements.
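The DKOM bullet in the concealment section and the cross-view bullet above describe two sides of the same trick, so this one added example (mine, not code from the page) models both: process objects in a pool, threaded into a circular list, an unlink that hides one of them, and a raw scan of the pool that finds it again. The names are modelled on Windows (EPROCESS.ActiveProcessLinks, PsActiveProcessHead), but everything here is a constructed model, not kernel code.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the kernel's active-process list: a circular doubly
 * linked list threaded through each process object, in the style of
 * EPROCESS.ActiveProcessLinks. Illustration only, not kernel code. */
struct list_entry { struct list_entry *flink, *blink; };
struct process {
    int pid;
    int allocated;              /* 1 while the object lives in the "pool" */
    struct list_entry links;    /* threaded into the active-process list */
};

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))
#define ENTRY_TO_PROCESS(e) CONTAINING_RECORD(e, struct process, links)
#define POOL_SIZE 8
static struct process pool[POOL_SIZE];   /* stands in for kernel pool memory */
/* List head, like PsActiveProcessHead; an empty list points at itself. */
static struct list_entry active_list = { &active_list, &active_list };

/* Allocate a process object from the pool and link it at the list tail. */
static struct process *create_process(int pid) {
    for (int i = 0; i < POOL_SIZE; i++) {
        struct process *p = &pool[i];
        if (p->allocated)
            continue;
        p->pid = pid;
        p->allocated = 1;
        p->links.flink = &active_list;
        p->links.blink = active_list.blink;
        active_list.blink->flink = &p->links;
        active_list.blink = &p->links;
        return p;
    }
    return NULL;
}

/* API view: what a process viewer gets when the kernel walks the list. */
static int list_walk(int *pids, int max) {
    int n = 0;
    for (struct list_entry *e = active_list.flink; e != &active_list; e = e->flink) {
        if (n < max)
            pids[n] = ENTRY_TO_PROCESS(e)->pid;
        n++;
    }
    return n;
}

/* DKOM: splice the object out of the list without freeing it. The process
 * keeps running (the scheduler tracks threads, not this list); only enumeration
 * is lied to. The orphaned links point at themselves so a later unlink is harmless. */
static int dkom_hide(int pid) {
    for (struct list_entry *e = active_list.flink; e != &active_list; e = e->flink) {
        if (ENTRY_TO_PROCESS(e)->pid != pid)
            continue;
        e->blink->flink = e->flink;
        e->flink->blink = e->blink;
        e->flink = e->blink = e;
        return 1;
    }
    return 0;
}

/* Memory view: scan the pool for live objects instead of following links,
 * as a memory-forensics tool carves process structures out of a RAM image. */
static int pool_scan(int *pids, int max) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].allocated)
            continue;
        if (n < max)
            pids[n] = pool[i].pid;
        n++;
    }
    return n;
}

/* Cross-view: anything the scan finds that the walk does not is hidden. */
static int find_hidden(int *hidden, int max) {
    int walked[POOL_SIZE], scanned[POOL_SIZE], found = 0;
    int nw = list_walk(walked, POOL_SIZE);
    int ns = pool_scan(scanned, POOL_SIZE);
    for (int i = 0; i < ns; i++) {
        int j = 0;
        while (j < nw && walked[j] != scanned[i])
            j++;
        if (j == nw && found < max)          /* absent from the API view */
            hidden[found++] = scanned[i];
    }
    return found;
}

int main(void) {
    create_process(4); create_process(612); create_process(1337);
    dkom_hide(1337);                         /* the implant hides itself */
    int hidden[POOL_SIZE], n = find_hidden(hidden, POOL_SIZE);
    for (int i = 0; i < n; i++)
        printf("hidden pid %d\n", hidden[i]);
    return 0;
}
```

The trust argument is the point: list_walk trusts the kernel's own bookkeeping, which the rootkit edited, while pool_scan trusts only the bytes in memory. The same comparison is what a memory-forensics tool makes when it carves process objects out of a RAM image and diffs them against the walked list, and what Linux anti-rootkit tools do by probing every PID directly and diffing against the /proc listing.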

Removal of deep rootkits, especially kernel, bootkit and firmware variants, usually means a full rebuild from trusted media (and, for firmware variants, reflashing or replacing the affected component) rather than in-place removal. A machine that has hosted a kernel-mode rootkit cannot be trusted on the strength of an apparent clean-up.

Study advanced malware in CEH v13

CEH v13 covers rootkits, bootkits, and advanced persistent threats across dedicated malware analysis modules with real lab environments.

Explore CEH v13