What is Rootkit?

Questions and answers about online security.

Rootkit is basically used to describe the process or mechanisms by which malware including viruses, Trojans and spyware attempt to hide themselves or their presence from antivirus tools, antispyware tools and/or system management tools.


The term Rootkit has been derived from the combination of two different words. First is "Root" which means that all powerful user (root) in the Unix and Linux world or administrator in the windows world.


Second is "kit" which means a set or pack of utilities that are used to perform some action on the computer. So effectively, rootkits are malicious pieces of software containing administrator or root level utilities that may have lethal consequences if installed on a system.


Rootkits are very hard to detect. But never the less, they can be removed through the use of sophisticated free or commercial anti-rootkit tools available in the market.


The method of infection follows that of the standard infection. An attacker would first exploit a known vulnerability on the system and then through that exploitation install rootkit at the administrator or root level.


Once done the rootkit functions can be invoked and could be made hidden from the user as well as the system management utilities which otherwise might stop the rootkit.


There are quite a few technologies that have come up to detect and eliminate rootkits. Some of these methods are behavior based methods, difference scanning, signature scanning, memory analysis, etc.