We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about site visitors.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Cookie
    language
  • Duration
    1 anno
  • Description

    This cookie is used to store the user's language preference.

  • Cookie
    post_viewed_
  • Duration
    1 ora
  • Description

    This cookie prevents a single visit to an article from being counted multiple times when the page is refreshed.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Cookie
    _ga_*
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to count visitors to the page

  • Cookie
    _ga
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to calculate visitor, session, and campaign data and track site usage for site analytic reporting. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Threats

Rootkit: what they are, how to detect them, and how to remove them 

Protect your system from unauthorized access and hidden threats 

They are installed in the firmware of a device

28 March 2025

Table of contents

  • What are rootkits and how do they work
  • How rootkits spread 
  • How to detect a rootkit 
  • How to remove a rootkit from your system 

Rootkits represent one of the most insidious cyber threats, capable of granting criminal hackers remote control of a PC or smartphone without the user’s knowledge. They are software tools designed to gain administrator privileges on a system, enabling the execution of illicit activities, from intercepting data to installing more dangerous malware.

Due to their stealthy nature, rootkits are difficult to detect and often go undetected by common antivirus software. In this guide we will explore in detail what they are, how they spread, what signs may indicate their presence, and what strategies to take to eliminate them and protect your systems.

What are rootkits and how do they work 

Rootkits are an advanced type of malware designed to grant an attacker hidden control over an information system. The term rootkit comes from the combination of root (the highest-privileged user in Unix/Linux systems) and kit (a set of tools). 

Once installed, a rootkit can be used for multiple malicious purposes, including: 

  • Performing hidden operations
    A hacker can spy on user activity, intercept passwords, and record keystrokes. 
  • Hiding other malware
    Rootkits are often designed to conceal the presence of viruses, trojans, or spyware. 
  • Disabling security tools
    Many rootkits can disable antivirus, firewalls, and other protection software. 
  • Creating secret access points
    They can install backdoors, allowing remote access to cybercriminals without the victim’s knowledge. 
  • Modifying the operating system
    Advanced rootkits alter system files and processes, making them extremely difficult to remove. 

Once installed, a rootkit operates silently, avoiding detection and maintaining long-term control over the compromised infrastructure. This makes it particularly dangerous, as the victim may not notice its presence for months or even years.

Types of rootkits 

Rootkits are classified based on how deeply they integrate into the system. The deeper their control, the harder they are to detect and remove. 

1. User-mode rootkits 

These rootkits operate at the software level, modifying processes and system files without altering the core of the operating system. They are easier to detect than kernel-mode rootkits, but still pose a significant threat. 

Example
HackerDefender, a well-known Windows rootkit, hides files, processes, and registry keys. 

2. Kernel-mode rootkits 

This category is much more dangerous because rootkits operate directly in the operating system kernel, gaining high administrative privileges. Being running at such a deep level, they can alter system behavior and hide themselves extremely effectively.

Example
Rustock, a rootkit designed to turn infected PCs into spam-distributing botnets. 

3. Firmware rootkits 

These rootkits install themselves directly in the firmware of a device, such as BIOS, UEFI, network cards, or routers. They survive disk formatting and can reactivate even after reinstalling the operating system. 

Example
LoJax, the first publicly known UEFI rootkit, was designed to infect Windows firmware. 

4. Virtual rootkits 

These rootkits create a hidden virtual environment where the victim’s operating system runs without their awareness. This method makes detection even harder, as the rootkit operates outside the primary OS. 

Example
SubVirt, developed in Microsoft and University of Michigan labs, demonstrated the potential of virtual rootkits. 

5. Mobile rootkits 

Even smartphones are not immune to rootkits. Android and iOS devices can be compromised by malware that hides in the system and allows hackers to intercept calls, messages, and sensitive data.

Example
DroidKungFu, an Android rootkit that exploits system vulnerabilities to gain root access and control the device. 

How rootkits avoid detection 

Rootkits are designed to evade detection and employ various techniques to remain hidden: 

  • Modifying system processes
    They hide their own files and processes from Task Manager or monitoring tools. 
  • Altering the registry
    They modify registry keys to prevent their removal. 
  • Intercepting system calls
    They manipulate OS responses to disguise their presence. 
  • Disabling security tools
    Many rootkits shut down or disable antivirus and firewall programs. 

These features make rootkits extremely difficult to identify, requiring specialized tools for detection and removal. 

The evolution of rootkits: from early versions to modern threats 

Rootkits are not a recent threat. Their history dates back to the 1990s, when the first tools were developed to gain unauthorized access to Unix systems. 

  • 1990s
    Early rootkits were relatively simple and were used to modify system files and gain remote access to Unix computers. 
  • 2000s
    Rootkits began appearing on Windows, with threats like HackerDefender and Sony BMG Rootkit, which secretly embedded DRM software in music CDs. 
  • 2010-2020s
    The emergence of firmware rootkits made them more sophisticated and harder to remove, such as LoJax and MoonBounce
  • Future
    With advancements in Artificial Intelligence, rootkits may become even more elusive, adapting to new security measures in real time. 

How rootkits spread 

Rootkits can infiltrate computer systems through multiple attack vectors, often exploiting existing vulnerabilities or using social engineering to trick users into unknowingly installing them.

Since their primary goal is to stay hidden and operate stealthily, their distribution techniques are designed for maximum persistence and minimal detectability

1. Malicious software downloads and drive-by downloads 

One of the most common ways rootkits spread is through the unintentional installation of infected software. This can happen through: 

  • Counterfeit programs
    Rootkits are embedded in seemingly legitimate software, often distributed through unofficial websites. 
  • Pirated software and cracks
    Many illegal software versions contain malware, including rootkits, granting attackers continuous access to the victim’s device. 
  • Fake software updates
    Some rootkits disguise themselves as security or system updates to trick users into installing them. 
  • Drive-by downloads
    Simply visiting a compromised website can trigger an automatic rootkit download and execution without the user’s knowledge. 

Example
In 2005, Sony BMG was involved in a major scandal when it was discovered that some of its music CDs secretly installed a rootkit on Windows PCs, making them vulnerable to external attacks. 

2. Malicious email attachments and phishing 

Phishing remains one of the most effective methods for spreading malware, including rootkits. Hackers send fraudulent emails that trick victims into: 

  • Opening infected attachments
    Word, PDF, or ZIP files containing malicious code that installs the rootkit. 
  • Clicking on malicious links
    URLs redirect users to compromised websites that automatically download the rootkit. 
  • Enabling infected macros
    Some rootkits activate through VBA macros embedded in Office documents, deceiving users into granting administrative permissions. 

Example
The Zacinlo rootkit, spread through phishing campaigns, was hidden inside legitimate-looking software and only activated after a system reboot, making it extremely difficult to detect. 

3. Infected USB devices and external storage media 

Rootkits can also spread via USB flash drives, external hard drives, and memory cards. This method is particularly effective in corporate environments, where employees may unknowingly connect compromised devices to their workstations. 

  • AutoRun.inf exploitation
    Some rootkits leverage Windows AutoRun features to install themselves automatically. 
  • BadUSB attacks
    Hackers modify USB firmware, making it act like a keyboard or another input device, executing malicious commands without user consent. 
  • Disguised files
    A rootkit may be embedded in seemingly harmless files, such as images or PDF documents, which execute malware upon opening. 

Example
Stuxnet, a notorious computer worm, used a combination of Windows exploits and infected USB drives to spread across industrial systems, notably targeting Iranian nuclear facilities. 

4. Operating system and software vulnerabilities 

Many rootkits exploit security flaws in operating systems and software to install themselves without requiring user interaction. This method is particularly dangerous because it allows silent malware installation, often without the user noticing. 

Commonly exploited vulnerabilities: 

  • Bugs in the operating system kernel
    Some rootkits operate at the kernel level, exploiting system vulnerabilities to obtain administrator privileges
  • Peripheral device drivers
    Printers, network cards, and other peripherals may contain flaws that allow remote code execution. 
  • Unpatched security gaps
    Outdated software and operating systems are prime targets for hackers leveraging known exploits to install rootkits. 

Example
The Necurs rootkit exploited a Windows vulnerability to embed itself in the kernel, allowing it to persist even after a system reboot. 

5. Browser and plugin exploits 

Many rootkits spread by exploiting vulnerabilities in web browsers and their plugins, such as Flash, Java, or PDF Reader. These attacks typically occur through: 

  • Compromised websites
    Hackers inject malicious code into webpages to exploit browser flaws and install rootkits. 
  • Automatic exploit downloads
    Certain websites leverage browser vulnerabilities to silently download and install malware. 
  • Malicious online ads (Malvertising)
    Infected banner ads can redirect users to rootkit distribution sites. 

Example
The FinFisher rootkit, known for being used in surveillance operations, spread by exploiting browser vulnerabilities to infect victim devices. 

6. Compromised software updates 

Hackers can infiltrate the update servers of legitimate software providers, distributing rootkits within official updates. This technique is particularly deceptive, as victims install the rootkit unknowingly, trusting the software vendor. 

Example
In 2017, the CCleaner incident saw a popular PC cleaning software update compromised with a rootkit, affecting over 2 million devices worldwide. 

Complete reinstallation of the operating system

How to detect a rootkit 

Rootkits are among the most insidious cyber security threats. They are designed to stay hidden and operate stealthily, making them extremely difficult to detect. Because they can manipulate processes, system files, and security tools, they often evade standard antivirus scans

However, advanced methods can help identify them, including symptom analysis, specialized tools, and forensic detection techniques. 

1. Signs that may indicate a rootkit infection 

Before resorting to advanced detection tools, it is useful to pay attention to unusual system behavior, which may suggest a rootkit infection. Some common symptoms include:

Sudden slowdowns and performance drops 

An infected PC or smartphone may become noticeably slower for no apparent reason, as the rootkit consumes system resources to run hidden processes. 

Example
A rootkit may intercept network connections, secretly transmitting data to a remote hacker, slowing down internet speed. 

Unexplained system malfunctions 

  • The computer reboots or shuts down unexpectedly;
  • System files or settings change without user intervention;
  • The mouse or keyboard behaves strangely or responds irregularly. 

Example
Some rootkits disable antivirus and firewall software, preventing users from reactivating them. 

Unknown processes or suspicious activity 

If Task Manager (Windows) or Activity Monitor (macOS) displays unusual or unknown processes, it could be a sign of an active rootkit

Example
Some rootkits imitate system process names to avoid suspicion (e.g., svch0st.exe instead of svchost.exe). 

Altered or deleted system logs 

Advanced rootkits can delete or modify system logs to erase traces of their activity. If log files become inaccessible or corrupted, it could indicate an infection. 

Example
If Windows Event Viewer logs or Linux system logs show gaps in recorded activity or have been erased, this is a red flag. 

Network connection issues 

  • Frequent internet disconnections;
  • Unusually high network traffic without an apparent reason;
  • Active connections to unknown servers or suspicious IP addresses. 

Example
A rootkit can turn an infected PC into part of a botnet, sending spam or participating in DDoS attacks without the user’s knowledge. 

2. Advanced tools to detect rootkits 

Since rootkits are designed to evade standard antivirus detection, specialized anti-rootkit scanners are required. These tools analyze system files, memory, and the kernel to detect hidden malware. 

Tools for Windows 

  • GMER
    One of the most effective tools for detecting kernel-mode rootkits. Scans running processes and detects anomalies in the system registry. 
  • Malwarebytes anti-rootkit
    Efficient at eliminating user-mode and kernel-mode rootkits
  • Microsoft Defender Offline
    Performs an in-depth scan before Windows starts, detecting rootkits hidden within system files. 

Tools for Linux 

  • Chkrootkit
    Scans system files and running processes to detect known rootkits. 
  • Rkhunter (Rootkit Hunter)
    Advanced scanner that analyzes libraries, binaries, and system settings for anomalies. 
  • Lynis
    Security auditing tool that can detect suspicious rootkit-related activities. 

Tools for macOS 

  • KnockKnock
    Identifies persistent applications that could be rootkits. 
  • ESET Rootkit Detector
    Detects suspicious modifications in macOS system files. 

Tip: To improve the effectiveness of rootkit detection, run these tools in Safe Mode, which prevents rootkits from actively hiding themselves. 

3. Advanced rootkit detection techniques 

In addition to using dedicated software, cybersecurity professionals use advanced techniques to identify highly sophisticated rootkits. 

Compare online and offline scans 

Since many rootkits modify the system’s display of running processes, an effective strategy is to compare scan results from different environments: 

  • From a running system
    Using tools like Task Manager or Process Explorer. 
  • From an external or offline system
    Booting the PC from a Live CD/USB Linux (e.g., Ubuntu) and comparing system files. 

If some processes only appear when the system is running normally, it could indicate a hidden rootkit

Analyzing system log files 

Examining system logs can reveal manipulation attempts by a rootkit. On Windows, it is useful to check:

  • Event Viewer
    Look for suspicious errors or unauthorized access attempts. 
  • PowerShell command: 
    (Get-EventLog -LogName System) to analyze the system logs  

On Linux, logs are located in /var/log/. Use this command to check for rootkit-related activity: 

bash 

grep -i "rootkit" /var/log/syslog

Warning: If log files are missing or inaccessible, a rootkit may be actively erasing its tracks. 

Monitoring network activity 

Tools like Wireshark or Netstat can detect suspicious network traffic initiated by a rootkit communicating with remote servers. 

Example command for Windows to check active connections: 

powershell 

netstat -ano | findstr :80

If unknown IP addresses or persistent outbound connections appear, a rootkit could be operating in the background. 

Checking the Master Boot Record (MBR)

Some rootkits take up residence in the system bootloader, executing themselves before the operating system even boots up. To check for anomalies:

On Windows, run these commands in Command Prompt (Admin)

powershell 

bootrec /scanos 

bootrec /fixmbr

On Linux, check the boot sector with: 

bash 

sudo dd if=/dev/sda bs=512 count=1 | hexdump -C

If unexpected modifications appear, the system may be infected with an MBR rootkit

The activation of malware

How to remove a rootkit from your system 

Rootkits are among the most difficult types of malware to remove, as they are designed to hide deep within the system and resist standard removal attempts.

Some modify system files, disable antivirus software, alter the bootloader, or even infect the device’s firmware, making a simple antivirus scan ineffective. 

To safely eliminate a rootkit, a methodical approach is necessary, combining specialized tools, system recovery techniques, and, in extreme cases, a full OS reinstallation. 

1. Identify the type of rootkit before removal 

Before proceeding with removal, it is essential to determine where the rootkit is located and what type it is. The elimination strategy varies depending on its classification: 

  • User-mode rootkit
    Easier to detect and remove, as they operate like normal processes. 
  • Kernel-mode rootkit
    Much more difficult to remove, as they operate at the level of the operating system kernel.
  • Firmware rootkit
    These are highly persistent, surviving disk formatting and requiring a BIOS/UEFI update. 
  • Bootkit (MBR rootkit)
    Infects the Master Boot Record (MBR) and can prevent the system from booting. 

If you’re unsure which type of rootkit is present, use tools like GMER, Kaspersky TDSSKiller, or Rkhunter to detect the malware’s location. 

2. Boot into Safe Mode 

Many rootkits do not activate in Safe Mode, making detection and removal easier. 

How to start Windows in Safe Mode 

  1. Press Win + R, type msconfig, and press Enter;
  2. Navigate to the Boot options tab and select Safe boot with Network;
  3. Restart the system. 

How to start Linux in recovery mode 

  1. Restart the system and access the GRUB menu;
  2. Select Advanced Options for Ubuntu and choose Recovery Mode;
  3. Open the terminal and run rootkit scans: (sudo chkrootkit or sudo rkhunter -c)

Once in Safe Mode, run antivirus or anti-rootkit tools to scan the system. 

3. Use specialized anti-rootkit tools 

Traditional antivirus programs often fail to detect rootkits, so dedicated software is necessary. 

Best rootkit removal tools for Windows 

  • GMER
    Detects and removes kernel-mode rootkits. 
  • Malwarebytes anti-rootkit
    Identifies and eliminates user-mode and kernel-mode rootkits. 
  • Microsoft defender offline
    Conducts deep scans before Windows starts to detect hidden rootkits. 

Best rootkit removal tools for Linux 

  • Chkrootkit
    Scans for known rootkits in system files and processes. 
  • Rootkit Hunter (Rkhunter)
    Analyzes libraries, binaries, and system settings for anomalies. 
  • Lynis
    Security auditing tool that can detect persistent threats. 

Best rootkit removal tools for macOS 

  • KnockKnock
    Identifies persistent applications that could be rootkits. 
  • ESET Rootkit Detector
    Detects suspicious modifications in system files. 

Tip: Download these tools from another device and transfer them via USB to avoid interference from the rootkit. 

4. Manually remove rootkits (for advanced users) 

If the automatic tools fail to remove the rootkit, you can proceed manually by deleting the suspicious files.

Identify infected files with Process Explorer 

  1. Download Process Explorer from Microsoft;
  2. Check running processes: if a file lacks a digital signature or is linked to an unknown program, it could be a rootkit;
  3. Terminate the suspicious process and delete the associated file (if possible). 

Example
Some rootkits disguise themselves as system processes (e.g., svch0st.exe instead of svchost.exe). 

5. Remove rootkits from the Master Boot Record (MBR) 

If the rootkit has infected the MBR, it prevents the system from booting normally and must be removed using specific commands. 

Repair MBR on Windows 

  1. Boot from a Windows installation USB/DVD;
  2. Select Repair your computer > Command Prompt;
  3. Run the following commands one by one;
powershell 

bootrec /fixmbr 

bootrec /fixboot 

bootrec /scanos 

bootrec /rebuildbcd

4. Restart the system and check if the issue is resolved. 

Repair MBR on Linux 

  1. Boot from a Live CD (e.g., Ubuntu);
  2. Open the terminal and run;
bash 

sudo dd if=/dev/zero of=/dev/sda bs=512 count=1 

sudo grub-install --root-directory=/mnt /dev/sda

3. Restart the system. 

6. Check firmware and reset BIOS/UEFI 

Firmware rootkits are extremely persistent and cannot be removed even by reinstalling the operating system. The only way to eliminate them is to update the BIOS/UEFI

How to reset BIOS/UEFI 

  1. Enter the BIOS/UEFI menu by pressing F2, F12, or DEL during startup. 
  2. Locate the reset to default settings option. 
  3. If the problem persists, download the latest BIOS update from the motherboard manufacturer’s website and install it. 

Warning: Updating the BIOS/UEFI is a delicate operation. If done incorrectly, it can render your PC unusable. 

7. Reformat the system (last resort) 

If the rootkit is highly advanced and other removal methods fail, the only solution is to completely format the drive and reinstall the operating system

Steps for a secure format 

1. Backup
Backup important files to an external drive (avoid transferring potentially infected files). 

2. Create a bootable installation drive

  • Windows
    Download the official Windows ISO from Microsoft. 
  • Linux
    Download a trusted distribution (Ubuntu, Fedora, Debian). 

3. Perform a full format
During installation, select “Delete all partitions” and create a new filesystem. 

Important: After reinstalling, update the system immediately and install a reliable antivirus to prevent future infections. 

To conclude 

Rootkits are among the most dangerous and hard-to-detect cyber security threats, allowing hackers to gain complete and hidden control over infected devices. Recognizing their presence is crucial to protecting your privacy, sensitive data, and system security

If you suspect your PC has been compromised, use anti-rootkit scanners, restore system files and, in severe cases, consider a complete reinstallation of the operating system. Prevention is the best weapon: surf safely, avoid untrusted software and keep your devices up to date.

Questions and answers

1. What are rootkits, and why are they dangerous? 

Rootkits are malware designed to gain hidden access and administrative privileges on a system, allowing hackers to control it without detection. They are dangerous because they can steal sensitive data, hide other viruses, disable antivirus programs, and compromise system security. 

2. How do rootkits spread to computers? 

Rootkits can infect a system through: 

  • Downloaded counterfeit or pirated software. 
  • Infected email attachments and phishing attacks. 
  • Compromised websites that secretly install rootkits (drive-by downloads). 
  • Infected USB drives or other removable devices. 
  • Exploiting system or software vulnerabilities in outdated applications. 

3. How can I tell if my computer is infected with a rootkit? 

Symptoms of a rootkit infection may include: 

  • Sudden slowdowns or frequent crashes. 
  • Unknown processes running in Task Manager. 
  • Antivirus and firewall being disabled for no reason. 
  • System files being modified or deleted. 
  • Suspicious network connections to unknown servers. 
  • Corrupted or missing system logs. 

4. Can standard antivirus programs detect and remove rootkits? 

No, rootkits are designed to evade traditional antivirus detection. To detect and remove them, you need specialized scanners like GMER, Kaspersky TDSSKiller, Malwarebytes Anti-Rootkit, or Rkhunter for Linux. 

5. What is the best way to remove a rootkit? 

The removal method depends on the type of rootkit: 

  • Boot into Safe Mode to prevent the malware from activating. 
  • Use anti-rootkit tools to detect and eliminate the threat. 
  • Repair the Master Boot Record (MBR) if the rootkit has infected the bootloader. 
  • Update BIOS/UEFI in case of a firmware rootkit. 
  • Format the disk and reinstall the OS if the infection is severe. 

6. How can I protect my system from rootkits? 

To prevent rootkit infections, follow these best practices: 

  • Download software only from official sources. 
  • Keep your operating system and software updated. 
  • Do not open suspicious emails or unknown attachments. 
  • Avoid using unverified USB drives. 
  • Install a reliable antivirus with anti-rootkit protection. 
  • Use a firewall to monitor outgoing connections. 

7. Can rootkits infect smartphones and tablets? 

Yes, rootkits can target mobile devices, especially Android and iOS. These malware programs can intercept calls, steal data, and monitor user activity. They spread through: Apps downloaded from unofficial sources,system vulnerabilities and malicious links in emails or messages. 

8. If I format my computer, will the rootkit be removed? 

It depends on the type of rootkit: 

  • Software rootkits
    Yes, a full format removes them. 
  • Bootkits (MBR rootkits)
    No, you need to repair the bootloader with specific commands. 
  • Firmware rootkits (BIOS/UEFI)
    No, you must update the firmware to eliminate them. 

9. Do rootkits only affect Windows, or can they infect Mac and Linux too? 

While Windows is the primary target, macOS and Linux can also be infected. 

  • On macOS, rootkits like OSX/Morcut have proven the system’s vulnerabilities. 
  • On Linux, tools like Rootkit Hunter (Rkhunter) and Chkrootkit are essential for detecting infections. 

10. I removed a rootkit, but my system is still unstable. What should I do? 

If your system continues to behave abnormally after removing the rootkit: 

  • Run a scan with multiple anti-rootkit tools to ensure no traces remain. 
  • Restore damaged system files using commands like sfc /scannow (Windows). 
  • Analyze network connections to check if the rootkit left any backdoors. 
  • Consider a clean reinstallation of the operating system for maximum security. 
5
To top