A rootkit is malware designed to hide itself and other malicious software from detection by the operating system and security tools. The name originates from Unix — “root” is the highest-privilege account, and “kit” refers to the collection of tools. Modern rootkits are sophisticated pieces of engineering that operate at the deepest levels of system software, making them among the most dangerous and difficult-to-remove malware families.
How Rootkits Hide Themselves
The fundamental challenge of rootkits is that they must hide from the tools used to detect them — a contradiction that they solve by subverting those tools themselves.
On a compromised Windows system, a rootkit might:
- Intercept system calls — when a file browser calls the OS to list files, the rootkit intercepts the call and removes its own files from the response
- Patch kernel data structures — modify the running list of processes so that tools like Task Manager never see the malicious process
- Hook the registry — intercept registry reads to hide malicious persistence entries
- Manipulate disk drivers — hide files at the driver level, below the file system layer
Defenders need to use trusted tools from clean media to reliably detect rootkits — tools running on a potentially compromised OS may themselves be subverted.
Types of Rootkits
User-Mode Rootkits
User-mode (Ring 3) rootkits run with user-level privileges and subvert user-mode components like Windows API libraries (DLLs). They hook functions in libraries like ntdll.dll and kernel32.dll to intercept API calls from security tools.
Detection difficulty: Low to moderate — they’re detectable by tools that bypass the DLL layer and make direct system calls.
Examples: Many banking trojans include user-mode rootkit components to hide their processes and network connections.
Kernel-Mode Rootkits
Kernel-mode (Ring 0) rootkits operate with kernel privileges and can modify the OS kernel directly. They insert a malicious driver into the kernel, which then has unrestricted access to modify data structures, intercept system calls, and subvert any security mechanism.
Windows Kernel Patch Guard (KPP or PatchGuard) attempts to detect unauthorized kernel patches. In response, sophisticated rootkits developed bypass techniques — or install their own signed kernel driver (using stolen or purchased code-signing certificates).
Detection difficulty: High — requires tools that operate at or below the kernel level.
Examples: Necurs (a massive botnet), various APT (Advanced Persistent Threat) implants used in nation-state operations.
Bootkits
Bootkits infect the Master Boot Record (MBR) or the UEFI firmware, loading before the operating system. Because they start before Windows, they can compromise the OS before any security software loads.
UEFI bootkits are particularly dangerous — because they live in the firmware flash rather than on disk, they survive OS reinstallation and disk wipes, and can re-infect a clean OS installation automatically.
Detection difficulty: Very high — standard OS-based security tools cannot see them.
Examples: LoJax (first in-the-wild UEFI rootkit, attributed to APT28/Fancy Bear), CosmicStrand, BlackLotus (UEFI bootkit that bypassed Secure Boot).
Hypervisor Rootkits (Blue Pill)
Hypervisor rootkits insert themselves below the operating system by creating a Type-1 hypervisor (like VMware ESXi) and running the legitimate OS as a guest VM. The rootkit then has visibility into everything the guest OS does.
Detection difficulty: Extremely high — theoretical category; no widespread in-the-wild examples.
Firmware Rootkits
Firmware rootkits infect device firmware: hard drive controllers, network cards, GPU firmware, or other device ROMs. Even replacing the OS or the infected device’s driver doesn’t remove them.
Detection difficulty: Extremely high — requires firmware-level analysis.
Examples: NSA’s ANT catalog (leaked by Edward Snowden) described firmware implants; Equation Group’s HDD firmware backdoor.
Detection Tools and Techniques
Rootkit Scanners
Malwarebytes Anti-Rootkit (free standalone tool) — uses direct system call techniques to bypass hooked APIs and compare system state:
- Download from malwarebytes.com
- Run from external media if possible
- Scans MBR, kernel driver list, hidden processes, and registry
GMER (Windows-only, free) — powerful rootkit scanner that detects hidden processes, services, registry entries, files, and SSDT hooks:
- Download GMER.exe (portable, no installation)
- Run → Scan → look for items in red (suspicious) or highlighted entries
Sophos Scan & Clean — free bootable rootkit scanner.
Memory Forensics with Volatility
Running a rootkit scanner inside a potentially compromised OS isn’t fully trustworthy. Memory forensics with Volatility on an offline memory dump is more reliable:
# Compare process lists between APIs and raw memory scan
python3 vol.py -f memory.raw windows.pslist # API-based list
python3 vol.py -f memory.raw windows.psscan # Raw pool header scan
# Discrepancies (processes in psscan only, with no exit time) = hidden processes = rootkit indicator
A process that appears in psscan but not in pslist has been unlinked from the kernel's active-process list; if its ExitTime column is N/A (it has not terminated), it is almost certainly hidden by a kernel-mode rootkit. psscan also recovers recently terminated processes whose pool memory has not yet been reused, so check the exit time before treating a discrepancy as an indicator.
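The cross-view comparison described above can be scripted so it is repeatable across many images. The Python below is an added example, not code from the original page or from the Volatility project: it parses the tab-separated tables that `windows.pslist` and `windows.psscan` print, keys each process on (PID, CreateTime) so a stale pool object for a reused PID is not mistaken for the live process, and separates scan-only processes that have exited (benign) from those still running but unlinked (the indicator). The two plugin outputs embedded in it are constructed for the example; PIDs, offsets and times are invented.

```python
"""Cross-view process comparison over Volatility 3 plugin output (added example)."""
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample output in the shape of `python3 vol.py -f memory.raw windows.pslist`.
PSLIST_OUTPUT = (
    "Volatility 3 Framework 2.5.0\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n"
    "\n"
    "4\t0\tSystem\t0xe40f1a06e040\t120\t-\tN/A\tFalse\t2024-03-01 09:00:00.000000 \tN/A\tDisabled\n"
    "612\t4\tsmss.exe\t0xe40f1c2f2040\t2\t-\tN/A\tFalse\t2024-03-01 09:00:01.000000 \tN/A\tDisabled\n"
    "1408\t1040\texplorer.exe\t0xe40f1d53a080\t60\t-\t1\tFalse\t2024-03-01 09:00:20.000000 \tN/A\tDisabled\n"
)

# Constructed sample output of windows.psscan over the same imaginary image: the raw pool scan
# recovers two extra _EPROCESS objects, one already terminated and one still running but unlinked.
PSSCAN_OUTPUT = (
    "Volatility 3 Framework 2.5.0\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "PID\tPPID\tImageFileName\tOffset(P)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n"
    "\n"
    "4\t0\tSystem\t0x1a06e040\t120\t-\tN/A\tFalse\t2024-03-01 09:00:00.000000 \tN/A\tDisabled\n"
    "612\t4\tsmss.exe\t0x1c2f2040\t2\t-\tN/A\tFalse\t2024-03-01 09:00:01.000000 \tN/A\tDisabled\n"
    "1408\t1040\texplorer.exe\t0x1d53a080\t60\t-\t1\tFalse\t2024-03-01 09:00:20.000000 \tN/A\tDisabled\n"
    "2200\t1408\tnotepad.exe\t0x1e01b080\t0\t-\t1\tFalse\t2024-03-01 09:05:00.000000 \t2024-03-01 09:06:30.000000 \tDisabled\n"
    "3316\t1408\tsvchost.exe\t0x1f4c2080\t4\t-\t1\tFalse\t2024-03-01 09:03:00.000000 \tN/A\tDisabled\n"
)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    create_time: str
    exit_time: Optional[str]  # None when the plugin printed N/A


def parse_vol_table(text: str) -> dict:
    """Return {(pid, create_time): Proc} for one plugin's output.

    The key includes CreateTime so that a stale pool object for a reused PID
    is not confused with the live process that now owns that PID.
    """
    header = None
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        if header is None:
            if cols[0] == "PID":
                header = cols
            continue
        if len(cols) != len(header):
            continue  # banner or progress noise, not a table row
        rec = dict(zip(header, cols))
        exit_time = None if rec["ExitTime"] == "N/A" else rec["ExitTime"]
        proc = Proc(int(rec["PID"]), int(rec["PPID"]), rec["ImageFileName"],
                    rec["CreateTime"], exit_time)
        procs[(proc.pid, proc.create_time)] = proc
    return procs


def cross_view(pslist_text: str, psscan_text: str):
    """Return (hidden, terminated): scan-only processes split by whether they have exited."""
    listed = parse_vol_table(pslist_text)
    scanned = parse_vol_table(psscan_text)
    hidden, terminated = [], []
    for key, proc in scanned.items():
        if key in listed:
            continue
        (terminated if proc.exit_time else hidden).append(proc)
    hidden.sort(key=lambda p: p.pid)
    terminated.sort(key=lambda p: p.pid)
    return hidden, terminated


if __name__ == "__main__":
    # Real use: redirect each plugin's output to a file and pass both paths.
    if len(sys.argv) == 3:
        pslist_text = open(sys.argv[1], encoding="utf-8").read()
        psscan_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        pslist_text, psscan_text = PSLIST_OUTPUT, PSSCAN_OUTPUT
    hidden, terminated = cross_view(pslist_text, psscan_text)
    for p in hidden:
        print(f"HIDDEN  pid={p.pid} ppid={p.ppid} {p.name} created {p.create_time}")
    for p in terminated:
        print(f"exited  pid={p.pid} {p.name} exited {p.exit_time} (not an indicator by itself)")
```

Run it with `python3 vol.py -f memory.raw windows.pslist > pslist.txt`, the same for `windows.psscan`, and then `python3 crossview.py pslist.txt psscan.txt`. On the constructed sample it reports PID 3316 as hidden (running, unlinked, and parented by explorer.exe) and PID 2200 as merely terminated.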
Offline Scanning
Boot from a clean USB drive (Windows PE with AV, or a Linux live boot) and scan the system drive from outside the running OS. This bypasses any hooks in the running system entirely:
- Kaspersky Rescue Disk — bootable USB with full AV engine
- ESET SysRescue — ESET’s bootable rescue scanner
- Bitdefender Rescue — same concept from Bitdefender
UEFI Integrity Checking
For bootkit detection:
# Check Secure Boot status (elevated Windows PowerShell)
Confirm-SecureBootUEFI
# Use CHIPSEC for UEFI integrity (Linux host, run as root from the CHIPSEC source checkout;
# a pip install provides the equivalent chipsec_main command)
pip install chipsec
sudo python chipsec_main.py -m common.bios_wp
sudo python chipsec_main.py -m common.uefi.s3bootscript
CHIPSEC is an Intel-developed framework for UEFI security assessment — it can detect modified UEFI firmware and suspicious SPI flash contents.
Removal Strategies
User-Mode and Kernel-Mode Rootkits
- Boot from clean media (Kaspersky Rescue Disk or ESET SysRescue)
- Run full scan from the offline environment
- If removal fails, complete OS reinstallation from trusted media is the only guaranteed clean state
MBR Bootkits
From a Windows recovery environment or installation media:
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
Or, for a system that boots with GRUB, from a Linux live environment:
# Zero the 446-byte boot code, leaving the partition table and the 0x55AA signature intact
# (this also clears the 4-byte Windows disk signature at offset 440, so use bootrec for Windows systems)
dd if=/dev/zero of=/dev/sda bs=446 count=1
# Reinstall GRUB from the live environment; the target's /boot is assumed mounted at /mnt/boot
grub-install --boot-directory=/mnt/boot /dev/sda
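To see what that 446-byte wipe touches and what it leaves alone, and to have a repeatable check on a dumped MBR, the Python below is an added example (not from the original page and not tied to any rescue tool). It parses a 512-byte sector into boot code, partition table and signature, hashes the boot code, and compares it with a baseline hash taken from a trusted copy of the same bootloader. The sample sector, its placeholder boot code and the "tampered" variant are constructed for the example; the baseline hash in a real investigation comes from a known-good image of the same bootloader version, not from the suspect disk.

```python
"""Parse a 512-byte MBR and compare its boot code with a known-good baseline (added example)."""
import hashlib
import struct
import sys

BOOT_CODE_LEN = 446       # bytes 0..445: bootstrap code (the Windows disk signature sits at 440..443)
TABLE_OFFSET = 446        # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFFSET = 510    # bytes 510..511: 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    status = 0x80 if bootable else 0x00
    chs = b"\xff\xff\xfe"  # CHS fields are ignored on LBA-addressed disks
    return struct.pack(ENTRY_FMT, status, chs, ptype, chs, lba_start, sectors)


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and up to four partition entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into its regions; the boot code is reported as a SHA-256 digest."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_boot_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


# Constructed sample data: placeholder boot code (not a real bootloader) and one NTFS partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
TAMPERED_BOOT_CODE = b"\xfa\x33\xc0\xe9\x00\x01\x00\x7c" + b"\x90" * 40  # a few bytes changed
SAMPLE_TABLE = [partition_entry(True, 0x07, 2048, 1_048_576)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_TABLE)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, SAMPLE_TABLE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # would come from a trusted image

if __name__ == "__main__":
    # Real use: dd if=/dev/sda of=mbr.bin bs=512 count=1, then pass mbr.bin and the baseline hash.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            sector, baseline = f.read(512), sys.argv[2]
    else:
        sector, baseline = TAMPERED_MBR, BASELINE_SHA256
    info = parse_mbr(sector)
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} lba {p['lba_start']} "
              f"sectors {p['sectors']} bootable={p['bootable']}")
    print("findings:", check_mbr(sector, baseline) or "none")
```

The same parser shows why the dd line above is safe for the partition layout: a sector whose first 446 bytes are zeroed still parses to the same partition entries and a valid signature, only the boot code hash changes. It also shows the limit of the check: a bootkit that keeps the MBR intact and lives in the VBR or in unallocated sectors after it is not seen here.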
UEFI Bootkits
UEFI rootkit removal is complex and sometimes impossible through software:
- Check if your motherboard manufacturer has released a UEFI update that patches the vector used
- Flash updated UEFI firmware through the manufacturer’s recovery tool
- In severe cases (persistent UEFI implant): replace the motherboard — the infected flash chip may retain the malware through flashing attempts
Prevention
- Enable Secure Boot — prevents unsigned bootloaders and kernel drivers (blocks most bootkits)
- Enable TPM + Credential Guard — isolates LSASS secrets in a virtualization-based enclave, preventing credential dumping even if the kernel is compromised
- Keep UEFI firmware updated — patches vulnerabilities used by UEFI bootkits
- Use code signing enforcement — Driver Signature Enforcement in Windows blocks unsigned kernel drivers
- Anti-rootkit solutions in EDR — enterprise EDR products (CrowdStrike, SentinelOne) use kernel-level drivers that monitor for rootkit indicators in real time
The presence of a rootkit indicates a full system compromise. Even if you remove the rootkit, assume all credentials, SSH keys, and sensitive data on the machine were exfiltrated. Change all passwords and revoke API keys after any confirmed rootkit infection.