What does rootkit mean?

07 February 2019

Rootkits are a particularly pernicious family of malware. They are considered one of the most serious types of malware, as they give hackers high-level access to computers and networks, enabling them to steal data, spy or control systems remotely, while deliberately hiding their presence.

The rootkit’s purpose is to gain “root” access to a computer. By logging in as the root user, an attacker is free to perform almost any operation, undetected. The “kit” refers to software files that effectively implement the attack.

There are different types of rootkits, but generally speaking they target a computer’s core operating system, including the virtual machine monitor, the kernel, or even firmware. Because they operate at the same level as the operating system, a rootkit will typically give unrestricted access. 

Rootkits are typically installed by exploiting system vulnerabilities or security breaches. They can also be introduced through a Trojan, hidden inside file attachments distributed via email or downloaded from a website. Once installed, the rootkit gives an attacker backdoor access, enabling them to steal data, inject malware or change system configurations.


Why does it matter?

A rootkit is usually difficult to detect because it can deactivate anti-malware software, as well as hide traces of unauthorised access by modifying drivers or kernel modules. Once detected, rootkits are hard to remove - the only option may be to completely rebuild the compromised system.

Most operating systems and programmes seek to prevent unauthorised access via rootkits so it should be difficult to use a rootkit to gain access to modern systems. However, security researchers recently discovered the first known instance of a rootkit that targets the Windows Unified Extensible Firmware Interface (UEFI) boot system.

Research firm ESET says the rootkit, known as LoJax, is being used by Russian hackers Fancy Bear to carry out cyber-attacks. It is typically delivered via spear phishing emails. When opened, it runs code that hijacks a vulnerable driver, installing the rootkit in flash memory.

LoJax uses malware tools that can read and overwrite parts of the UEFI firmware’s flash memory. The malware embeds itself within the motherboard firmware of infected computers, enabling hackers to spy on the user and evade detection by the operating system or any antivirus tools. According to ESET, LoJax is capable of surviving the re-installation of the Windows operating system or even hard drive replacement.
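A firmware implant can only write itself into the SPI flash if the platform's BIOS write protection is not enforced, so the practical defender-side check is to read the protection registers and decide whether the BIOS region is actually locked. The following added example (not from the article, ESET or Absolute Software) implements that decision; it assumes the Intel PCH register layout used by tools such as chipsec (BIOS_CNTL bits BIOSWE, BLE and SMM_BWP; 32-bit PRx registers with base, limit and write-protect-enable fields in 4 KiB units), and the register values in the test are constructed sample data rather than a real dump.

```python
from dataclasses import dataclass

# BIOS_CNTL bit positions (assumed Intel PCH layout, as used by chipsec).
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


@dataclass(frozen=True)
class ProtectedRange:
    base: int            # first protected flash offset (inclusive)
    limit: int           # last protected flash offset (inclusive)
    write_protect: bool  # WPE bit: range is write-protected


def decode_pr(reg: int) -> ProtectedRange:
    """Decode one 32-bit PRx register: base = bits 12:0, limit = bits 28:16,
    both in 4 KiB units; WPE = bit 31 (assumed layout)."""
    base = (reg & 0x1FFF) << 12
    limit = (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool((reg >> 31) & 1))


def ranges_cover(ranges, start: int, end: int) -> bool:
    """True if the write-protected ranges cover [start, end] with no gap."""
    pos = start
    wp = sorted((r for r in ranges if r.write_protect), key=lambda r: r.base)
    for pr in wp:
        if pr.base > pos:      # a gap: an attacker could write here
            break
        pos = max(pos, pr.limit + 1)
        if pos > end:
            return True
    return pos > end


def bios_write_protected(bios_cntl: int, pr_regs, bios_start: int, bios_end: int):
    """Return (protected, reason). The BIOS region is treated as locked
    when BLE and SMM_BWP are both set (writes allowed only from SMM), or
    when write-protected PRx ranges cover the whole region."""
    if (bios_cntl & BLE) and (bios_cntl & SMM_BWP):
        return True, "BLE and SMM_BWP set: writes only from SMM"
    if ranges_cover([decode_pr(r) for r in pr_regs], bios_start, bios_end):
        return True, "protected ranges cover BIOS region"
    if bios_cntl & BIOSWE:
        return False, "BIOSWE set and no lock: flash writable from the OS"
    return False, "BLE/SMM_BWP not both set: BIOSWE can be re-enabled"
```

On a real machine the register values come from a flash-protection reader such as chipsec's bios_wp module; a result of False means an OS-level implant could rewrite the firmware, which is the precondition the article describes.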

Interestingly, the developers of LoJax borrowed code from legitimate commercial software. LoJax is a modified version of Absolute Software’s LoJack anti-theft software (also known as Computrace), which helps owners locate stolen laptops.

Download Cyber Decoder

For further information please contact Sarah Stephens, Head of Cyber on +44 (0)20 3394 0486