Computer Security Wiki

A rootkit is a set of software tools that, when installed on a computer, provides remote access to resources, files and system information without the owner’s knowledge. Law enforcement and parental “nanny programs” utilize various types of rootkits to secretly monitor activity on computers for surveillance purposes, but malicious hackers can also install rootkits on the computers of unsuspecting victims.[1]


The word “rootkit” comes from the UNIX operating system (OS) that was prevalent prior to Microsoft Windows. Linux and Berkeley Software Distribution (BSD) are derivatives of UNIX. The “root” level of a UNIX system is akin to Windows’ administrator privileges. The remote-control software bundle was referred to as a “kit,” giving us “rootkit” sometimes written as “root kit.”

Rootkits have been creating a buzz since the early 1990’s. The type of rootkits that attack Windows machines embed themselves in the kernel of the OS. From here the rootkit can modify the operating system itself and intercept calls to the system (system requests for information), providing false answers to disguise the presence of the rootkit. Since the rootkit hides its processes from the operating system and system logs, it is difficult to detect.


A malicious hacker can get a rootkit on to a computer through various means. Rootkits can be delivered in a Trojan or even tucked away in a seemingly benign file. This could be a graphic or a silly program distributed through email. Victims have no way of knowing that a rootkit will be installed by clicking on the graphic or program. Rootkits can also be installed by surfing the Web. A popup window might state, for example, that a program is necessary to view the site correctly, disguising a rootkit as a legitimate plugin.

Once a rootkit is installed the hacker can secretly communicate with the targeted computer whenever it is online. The rootkit is typically used to install more hidden programs and create “back doors” to the system. If the hacker wants information, a keylogger program can be installed. This program will secretly record everything the victim types, online and off, delivering the results to the interloper at the next opportunity. Keylogger programs can reveal usernames, passwords, credit card numbers, bank account numbers, and other sensitive data setting up the victim for potential fraud or identity theft.

Other malicious uses for rootkits include compromising several hundred or even hundreds of thousands of computers to form a remote ‘rootkit network’ called a botnet. Botnets are used to send Distributed Denial of Service (DDoS) attacks, spam, viruses and trojans to other computers. This activity, if traced back to the senders, can potentially result in legal seizure of computers from innocent owners that had no idea their computers were being used for illegal purposes.


External links[]