Select language
Avast Academy Security Other Threats Rootkits Defined: What They Do, How They Work, and How to Remove Them

Rootkits Defined: What They Do, How They Work, and How to Remove Them

Rootkits are a stealthy and dangerous type of malware that allow hackers to access your computer without your knowledge. Learn how you can detect these nearly-invisible bits of software with a rootkit scanner, and how to use an anti-rootkit tool to remove rootkits from your device for good.


What is a rootkit?

A rootkit is a software package that is designed to remain hidden on your computer while providing remote access and control. Hackers use rootkits to manipulate your computer without your awareness or consent.

Hamburguer menu icon

This article contains:

    To define rootkits, we can take the word apart. The first half, “root,” refers to the administrative account on a device. Since this account can access every aspect of the device, with all user privileges available to it, it has the deepest level of control — deep like the roots of a plant. Rootkits let the hacker “root around” in the guts of your system, like a pig hunting in the dirt for a tasty and fragrant truffle.

    The “kit” portion represents how this root access is unlocked: through a software package that enables the administrative control for the hacker. The hacker builds a software kit that grants them root-level privileges on the targeted system.

    Is a rootkit the same thing as a virus?

    Rootkits and viruses are often seen working together, to the point where a “rootkit virus” is a recognized type of the latter. However, there’s a clear distinction between the two. Rootkits grant administrative-level access to a system, whereas the signature ability of a virus is how it modifies files on a computer in order to replicate itself.

    Hackers typically spread their rootkits with Trojans, a type of malware that appears safe in order to fool you into downloading or opening it. When you do so, the Trojan in turn delivers the rootkit. For this reason, if you’re not protecting yourself against all types of malware, you’re essentially rolling out the red carpet for hackers and their rootkits.

    Avast Free Antivirus provides cutting-edge malware defense, including protecting against the Trojans that cybercriminals use to spread rootkits. Place your trust in the antivirus — and anti-rootkit — tool that’s trusted by over 400 million people.

    OK, but is a rootkit malware?

    Rootkits are only classified as malware when they’re being used for sinister or illegal purposes. Some people choose to install rootkits on their own devices as part of a process known as jailbreaking, in which the user bypasses a manufacturer’s built-in restrictions. Governments and law enforcement agencies sometimes employ rootkits as part of their investigations into criminal activities — which we wouldn’t consider a legitimate use.

    “Stalkerware” is a new malware classification that refers to rootkits that monitor someone’s activity or control the content they consume. Stalkerware is frequently marketed to parents, employers, and even people seeking to keep an eye on their significant others. Such practices are illegal in many countries.

    Alone, a rootkit is just a tool, but like many other tools, whether it’s used legitimately or criminally depends on the user.

    What does a rootkit do?

    Rootkits enable other malware to hide within your device and may make it difficult or even impossible to clean out the infection. Once a rootkit is installed on your device, it grants remote access to essentially every function of your operating system while avoiding detection.

    Rootkits operate deep within your computer’s programming where they’re able to conceal most traces of their existence. This subtlety is a big part of what makes them so dangerous. Some rootkits can even tamper with or disable your computer’s security programs, making it that much harder to both detect and remove them.

    Most of the time, cybercriminals use rootkits to steal information. Some hackers target individuals, using rootkits to harvest personal data for identity theft or fraud. Others go after corporate targets in pursuit of espionage or financial crimes.

    Hackers can customize their rootkits depending on what they’re trying to achieve. Some rootkits can create a permanent “backdoor” into your system, which remains open so that the hacker can return at a later time. Others enable hackers to eavesdrop as you use your computer. With these rootkits, the hacker can intercept your internet traffic, track your keystrokes, and even read your emails.

    How can I tell if my computer has a rootkit?

    When a rootkit does its job properly, you don’t notice it at all. Hackers use rootkits when they want to get away with their cybercrimes right under your nose. If you’re able to tell when a rootkit has been installed on your device, it won’t be of much use to the hacker who put it there.

    A rootkit scanner is your best friend when it comes to rootkit detection and removal. A strong anti-malware tool is the top way to stay ahead of rootkits and other threats. Barring that, here are a few other ways to detect the presence of a rootkit on your device:

    • Your system is acting strangely: Rootkits allow hackers to manipulate your computer’s OS. If your computer seems like it’s doing something that it’s not supposed to be doing, it could be the work of a hacker via a rootkit.

    • Signature scanning: Computers do things by the numbers. All the data, all the programs, all the files, everything on your computer is stored as a series of numbers. A software’s “signature” is the set of numbers that serve as its representation in computer-speak. You can scan your computer against a database of known rootkit signatures and see if any of them turn up.

    • Memory dump analysis: When your Windows machine crashes, it also generates something called a memory dump, or crash dump. A skilled technician can dig through this file to identify the source of the crash. If it was due to a rootkit, this is one way to find out.

    • Your Windows settings change: In general, your computer shouldn’t be doing things without being told, and ideally, the person doing the telling is you. Rootkit-enabled remote access can allow someone else to meddle around with your settings and configurations. If something seems different, there might be cause for concern.

    • Web pages/network activities intermittent: If your internet connection suddenly grows spottier than usual, it might be more than a sustained service hiccup. If a hacker is using a rootkit to send or receive a lot of traffic from your computer, it could bog down your regular internet activities.

    • System memory search: Your computer uses its system memory to operate all the programs and other data that are currently in use. You can search through everything in the system memory to see if anything is out of order. During the search, check up on all ingress points for signs of invoked processes, and track all imported library calls from DLLs. Some may be either hooked or redirected to other functions.

    If all this sounds tedious and/or difficult, that’s because it is. Save yourself multiple headaches by using an anti-malware tool with a rootkit scanner instead.

    Rootkits bury themselves deep into the root of your computer, avoiding detection.

    Where do rootkits come from? How do they spread?

    Rootkits are on the inert side of the malware spectrum of mobility. Unlike worms and viruses, and like Trojans, rootkits must get by with a little help from their friends when it comes to arriving on your computer.

    Hackers bundle their rootkits with two partner programs — a “dropper” and a “loader” — that work together to achieve rootkit installation. Together, the three pieces of malware compose what’s known as a “blended threat”. Let’s take a closer look:

    • Dropper: The dropper’s job is to “drop” or import the rootkit onto the victim’s computer. Below, we cover several of the most common techniques hackers use to get their droppers onto your device. The dropper is the first stage of the installation process. When the victim activates the dropper, the dropper in turn activates its buddy, the loader.

    • Loader: As the dropper executes, the loader springs into action, installing the rootkit onto the target system. Loaders frequently accomplish this through triggering a buffer overflow. This is a common security exploit that allows hackers to land their code in otherwise inaccessible areas of a computer’s memory.

    The cybercriminal’s challenge is to land the blended threat package onto your computer. Here are a few ways they might overcome this hurdle:

    • Messaging programs: If a hacker manages to get its blended threat onto a computer, and if that computer has an instant messaging client installed on it, the blended threat can hijack the client to spread itself. It sends a message with a malicious link to all the victim’s contacts, and when the contacts click through, their computers become infected as well. This type of social engineering has proven to be a highly effective method for how rootkits can spread.

    • Piggybacking on trusted software: Hackers can insert their rootkits into otherwise-trustworthy programs and apps, then upload those poisoned apps to various download portals. When you install the infected app, you unwittingly install the rootkit along with it.

    • With other malware: Viruses and Trojans can be put to work as rootkit spreaders, as both are highly effective when it comes to getting onto your computer. When you execute the program containing the virus, or when you execute the Trojan, they then install the rootkit on your device.

    • Content-rich files: With the advent of content-rich files such as PDFs, hackers no longer need dedicated websites or programs in which to conceal their malware. Instead, they can embed rootkits into these simple rich-content files. When you open up the tainted file, the rootkit dropper executes automatically.

    What kinds of rootkits are there?

    Security experts divide rootkits into six categories, based primarily on where and how deeply they infect your machine.

    User-mode rootkits

    A rootkit of this type infects your operating system’s administrative account. This position grants it all the top-level privileges it needs to change your computer’s security protocols while concealing itself and any other malware that it uses. User-mode rootkits automatically launch every time your computer boots up, so a simple restart isn’t going to be enough to cleanse the infestation.

    Anti-malware programs can detect user-mode rootkits, since rootkit detection software runs at a deeper level, known as the kernel.

    Kernel-mode rootkits

    In response to kernel-level rootkit scanners, hackers created kernel-mode rootkits. They live on the same level of your computer as its actual operating system and compromise the entire OS as a result. Simply put, you can no longer trust anything about your computer once it’s been hit with a kernel-mode rootkit — everything is potentially tainted, including the results of any anti-rootkit scans.

    Fortunately, it’s very difficult to create a kernel-mode rootkit that can operate without causing any noticeable problems for the victim. The excessive system crashes and other hiccups they cause serve as effective warning signs for detection.

    Hybrid rootkits

    Rather than operating solely in one place, these place some of their components in the user level and others in the kernel. This allows hybrid rootkits to enjoy the stability of user-mode rootkits with the enhanced stealth of their kernel-dwelling cousins. Accordingly, user/kernel hybrid rootkits are currently one of the most popular types with cybercriminals.

    Firmware rootkits

    Firmware is a type of low-level software that is dedicated to controlling a piece of computer hardware. Some rootkits have the added ability to hide inside firmware when you turn off your computer. When you turn it back on, a rootkit of this type can reinstall itself and get back to work. If a rootkit scanner manages to find and deactivate it while it’s running, the firmware rootkit will bounce right back the next time you turn on your machine. These are notoriously hard to purge from a computer system.


    When you power on your computer, it refers to its Master Boot Record (MBR) for instructions on how to load its OS. Bootkits, also known as bootloader rootkits, are a kernel-mode variant that infect the MBR of your machine. Every time your computer consults its MBR, the bootkit loads as well.

    Anti-malware programs have a tough time detecting bootkits, as they do with all kernel-mode rootkits, since bootkits don’t reside in the OS at all. By now, bootkits have become obsolete, since both Windows 8 and Windows 10 counter them with the Secure Boot feature.

    Virtual rootkits

    Hosted on a physical computer, a virtual machine is a software-based emulation of a separate computer. Virtual machines are commonly used to allow multiple operating systems to run on one set of hardware, or to test programs in an isolated environment.

    Virtual rootkits, or virtual machine-based rootkits (VMBRs), load themselves underneath the original OS, then place that OS onto a virtual machine. Because they run separately from the computer’s OS, they are very difficult to detect.

    Notable rootkit examples

    The emergence of a new rootkit immediately becomes one of the most pressing issues in the cybersecurity community. Because they’re so difficult to deal with, when a big rootkit hits, it makes serious waves. Let’s take a look at some of the most well-known rootkits in history, some created by hackers, and others surprisingly made and used by large corporations.

    • 1990: Lane Davis and Steven Dake create the first known rootkit at Sun Microsystems for the SunOS Unix OS.

    • 1999: Greg Hoglund publishes an article detailing his creation of a Trojan called NTRootkit, the first rootkit for Windows. It’s an example of a rootkit virus that works in kernel mode.

    • 2003: The HackerDefender rootkit arrives for Windows 2000 and Windows XP, and is a user-mode rootkit. HackerDefender’s emergence sparked a pitched game of cat-and-mouse between it and anti-rootkit tool RootkitRevealer.

    • 2004: A rootkit is used to tap over 100 mobile phones on the Vodafone Greece network, including the phone used by the country’s prime minister, in an attack that would become known as Greek Watergate.

    • 2005: Sony BMG gets slammed with a massive scandal after distributing CDs that install rootkits as an anti-piracy tool—without securing consent from consumers in advance.

    • 2008: The TDL-4 bootkit, then known as TDL-1, fuels the infamous Alureon Trojan, which is used to create and sustain botnets.

    • 2009: The proof-of-concept Machiavelli rootkit targets macOS (then called Mac OS X), demonstrating that Macs are vulnerable to rootkits too.

    • 2010: The Stuxnet worm, allegedly co-developed by the US and Israel, uses a rootkit to conceal its presence as it is unleashed on Iran’s nuclear program.

    • 2012: A massive 20 MB modular malware known as Flame — comparatively massive since lots of malware is under 1 MB in size — is discovered as it wreaks havoc across infrastructure in the Middle East and North Africa. 

    • 2018: LoJax is the first rootkit that infects a computer’s UEFI, the firmware that controls the motherboard, enabling LoJax to survive an operating system reinstall.

    A timeline of notable rootkits throughout history

    Anti-rootkit countermeasures

    Because rootkits can be such a headache to remove, your single best anti-rootkit tactic is to avoid installing one in the first place. Practice smart online security habits, and you’ll be one giant step closer to remaining rootkit-free.

    Be wary of unknown files that you’re sent, even from a trusted contact, and confirm these files with your contact before opening. Never open attachments contained in emails from unknown senders.

    Get your software from reputable sources — direct from the manufacturer if possible, or from the App Store or Google Play. Check the terms and conditions closely to make sure no one is trying to slip a rootkit onto your device.

    Install system updates as soon as they’re available. These updates often patch recently discovered vulnerabilities that hackers can otherwise exploit to access your device.

    Don’t rely solely on Windows Defender or other inbuilt security software, if your device has any, since most rootkits are easily able to subvert these basic protections. For complete protection, you’ll want to consider specialized software.

    Protect yourself with anti-rootkit software

    With over 400 million users, Avast will defend you against all types of malware, including rootkits. Equip yourself with one of the internet’s strongest rootkit scanners and removers, absolutely free, when you install Avast Free Antivirus.

    Protect your Android from threats

    with free Avast Mobile Security


    Protect your iPhone from threats

    with free Avast Mobile Security