Avast Academy Security Malware What Is a Rootkit and How to Remove It?

What Is a Rootkit and How to Remove It?

A rootkit is a stealthy and dangerous type of malware that lets hackers access your computer without your knowledge. Thankfully, these nearly-invisible bits of software can be found and removed. Learn about the different types of rootkits, how to detect them, and how to remove them from your device with smart anti-malware software like Avast One, which features a built-in rootkit scanner and remover.

Editors' choice
Top Rated
Written by Carly Burdova
Published on July 22, 2021

What is a rootkit?

A rootkit is a malicious software bundle designed to give unauthorized access to a computer or other software. Rootkits are hard to detect and can conceal their presence within an infected system. Hackers use rootkit malware to remotely access your computer, manipulate it, and steal data.

Hamburguer menu icon

This Article Contains :

    When a rootkit takes hold, your system acts as if it were a zombie computer, and the hacker can exert absolute control over your device using remote access. This part of the rootkit definition is what makes them so powerful.

    Similar to how fileless malware uses legitimate programs without leaving a trace, rookits may also appear to be legitimate, because the hacker has privileged access to system files and system processes. Rootkits make your computer lie to you, and sometimes, lie to antivirus and security software, too.

    What does a rootkit do?

    Rootkits let malicious code hide within your device. Once a rootkit attack hits, it grants remote admin access to your operating system while avoiding detection.

    What does a rootkit modify? Because a rootkit’s purpose is to gain admin-level, privileged access to your computer system, a rootkit can modify anything an administrator can. Here’s a short list of what a rootkit can do or modify.

    • Conceal malware: Rootkits hide other types of malware within your device and make it harder to remove them.

    • Gain remote access: Rootkits provide remote access to your operating system while avoiding detection. Rootkit installations are increasingly associated with remote access scams.

    • Tamper with or deactivate security programs: Some rootkits can conceal themselves from your computer’s security programs, or turn them off entirely — making it hard to detect and remove the malware.

    • Steal data: Most of the time, cybercriminals use rootkits to steal data. Some hackers target individuals and capture personal data for identity theft or fraud. Others go after corporate targets in pursuit of espionage or financial crimes.

    • Create a permanent “backdoor”: Some rootkits can create a cybersecurity backdoor into your system, which remains open so the hacker can return later.

    • Eavesdrop on you: Rootkits can be used as monitoring tools, which let hackers eavesdrop on you.

    • Invade your privacy: With a rootkit, a hacker can intercept your internet traffic, track your keystrokes, and even read your emails.

    What the experts say

    “One of the most used techniques for hiding malicious activity is using rootkits. In general, the main goal of the rootkits is to hide itself and other modules of the hosted malware on the kernel layer. The rootkits are potent tools but carry a high risk of being detected because the rootkits work in the kernel-mode, and each critical bug leads to BSoD (the Blue Screen of Death).”

    Martin Chlumecký, Malware Researcher

    Avast Threat Labs

    How to remove a rootkit

    Rootkit removal is not easy. Because rootkits can bury themselves deep within your operating system, it’s hard to tell that they’re even there. But once you know you have one, curing your zombie computer of its rootkit infection is critical.

    Step 1: Run rootkit removal software

    Don’t rely on Windows Defender or other inbuilt security software, since most rootkits can subvert basic protections. For complete protection, use specialized software like Avast One. Avast combines the world's largest threat-detection network and machine-learning malware protection into a single, lightweight tool that can detect and remove rootkits, and defend against all kinds of future online threats.

    Avast One will scan your computer to find and remove rootkits and other types of malware.Avast One offers a variety of scans to make sure rootkits and other kinds of malware stay off your computer.

    Avast One knows how to remove rootkit viruses and prevent them from coming back. So before a hacker can steal your data or gain privileged access to your computer, let Avast scan and remove the malware for good.

    Step 2: Perform boot-time scan

    Modern malware uses sophisticated techniques to evade detection by antivirus products. Once an operating system is running, rootkits present on the device can outsmart automated antivirus scans.

    If an antivirus program asks the operating system to open a particular malware file, the rootkit can change the information flow and open a harmless file instead. They can also change a malware file’s enumeration code — used for storing and sharing information about malware — which would prevent it from being included in a scan.

    That's why a boot-time scan, like the one included in Avast One, is so handy. Boot-time scans run during your computer’s startup procedure and catch rootkits before they can act. The benefit of a boot-time scan is that usually the rootkit will still be in a dormant state and unable to conceal itself in your system.

    Step 3: Wipe device and reinstall OS

    If antivirus software and a boot-time scan fail to remove the rootkit, try backing up your data, wiping your device, and performing a clean install. This is sometimes the only remedy when a rootkit is operating at the boot, firmware, or hypervisor level.

    For starters, you need to know how to format a hard drive and clone a hard drive to back up your important files. You might need to wipe the main C: drive, but you can still keep most of your data. This is the last resort to removing a rootkit.

    Avoid rootkits in the first place

    The best approach to removing a rootkit virus is to avoid having to remove one at all. There are actions you can take right now to avoid the dreaded question of how to remove a rootkit. Practice smart online security habits, and you’ll be much closer to remaining rootkit-free.

    • Be wary of unknown files: Even files sent to you from trusted contacts should be reviewed closely before opening. Never open attachments from unknown senders — they could be phishing attacks. And add an extra layer of security against phishing and other online threats by using a dedicated secure browser.

    • Get software from reputable sources: Ideally, directly from the manufacturer, or from the App Store or Google Play Store. Check the terms and conditions closely to make sure no one is trying to slip a rootkit onto your device.

    • Install system updates ASAP: These updates often patch recently discovered vulnerabilities that hackers can exploit to access your device.

    How to identify and find rootkits

    When a rootkit does its job properly, you don’t notice it. The best way to find and detect rootkits is with a rootkit scanner and removal tool like Avast One This free rootkit scan tool not only finds and removes rootkits installed on your device, it also prevents them from being installed in the future.

    For the do-it-yourself crowd, we have alternative tips for how to find a rootkit. It won't be as easy as choosing the best free antivirus software — and even if you do find a rootkit on your own, you might not be able to remove it — but we're here to help.

    Signs of a rootkit attack

    The following warning signs may indicate the presence of a rootkit on your device: 

    • Your system is acting strangely: Rootkits allow hackers to manipulate your computer’s OS. If your computer is acting strangely, it could be the work of a hacker via a rootkit.

    • Change in settings: In general, your computer shouldn’t do things without being told — and ideally, the person doing the telling is you. Rootkit-enabled remote access can allow someone else to meddle with your settings and configurations. If something seems different, there might be cause for concern.

    • Web pages/network activities intermittent: If your internet connection suddenly grows spottier than usual, it might be more than a service hiccup. If a hacker is using a rootkit to send or receive a lot of traffic from your computer, it could bog down your internet connection.

    How to find a rootkit

    If you suspect your computer has been infected, the following techniques may help you find the rootkit:

    • Signature scanning: Computers do things with numbers. A software’s signature is the set of numbers that serve as its representation in computer-speak. You can scan your computer against a database of known rootkit signatures and see if any of them turn up.

    • Memory dump analysis: When your Windows machine crashes, it also generates a file called a memory dump, or crash dump. A skilled technician can examine this file to identify the source of the crash and see if it was due to a rootkit.

    • System memory search: Search through your computer’s system memory to see if anything is out of order. During the search, check all ingress (access) points for signs of invoked processes, and track all imported library calls from DLLs (Dynamic-Link Libraries). Some may be either hooked or redirected to other functions.

    How do rootkits get installed?

    Unlike computer worms and viruses — but similar to Trojan malware — rootkit infections need help to get installed on your computer.

    Hackers bundle their rootkits with two partner programs — a dropper and a loader — that work together to install the rootkit. Together, the three pieces of malware compose a blended threat. Let’s take a closer look at the tools rootkits use to get installed:

    • Dropper: The dropper imports the rootkit onto the victim’s computer. The dropper is the first stage of the installation process. When the victim activates the dropper, the dropper in turn activates the loader.

    • Loader: As the dropper executes, the loader springs into action, installing the rootkit onto the target system. Loaders often do this by triggering a buffer overflow. This is a common security exploit that lets hackers land their code in otherwise inaccessible areas of a computer’s memory.

    Rootkits come bundled with a "dropper" and a "loader" that work together to perform an attack.Rootkits come bundled with a “dropper” and a “loader” that work together to perform an attack.

    The cybercriminal’s challenge is to land the blended threat package. Here are a few ways a hacker might do this to install a rootkit on your computer:

    • Hijacking messaging programs: A blended threat can hijack instant messaging clients to spread itself to a victim’s contacts. When the recipients click the malicious link in the message, their computers become infected as well. This type of social engineering attack is a highly effective method for spreading rootkits.

    • Piggybacking on trusted software: Hackers can insert a computer rootkit into otherwise-trustworthy programs and apps, then upload those poisoned apps to various download portals. When you install the infected app, you unwittingly install the rootkit, too.

    • Using other malware: Viruses and Trojans can be used as rootkit spreaders, because both are highly effective at getting onto your computer. When you execute the program containing the virus, or execute the Trojan, the rootkit is installed on your device.

    • Hiding in rich-content files: With the advent of rich-content files such as PDFs, hackers no longer need to hide malware in dedicated websites or programs. Instead, they can embed rootkits into these simple rich-content files. When you open up the tainted file, the rootkit dropper executes automatically.

    Types of rootkits

    Security experts divide rootkits into six categories, based on where and how deeply they infect your machine.

    User-mode rootkits

    User-mode rootkits infect your operating system’s administrative account, gaining the top-level privileges needed to change your computer’s security protocols while concealing themselves and any other malware they use.

    These rootkits automatically launch when your computer boots up, so a simple restart isn’t enough to cleanse the infestation. Malware scanner and removal programs like Avast One can detect user-mode rootkits, since rootkit-detection software runs at a deeper level, known as the kernel.

    Kernel-mode rootkits

    In response to kernel-level rootkit scanners, hackers created kernel-mode rootkits. They live on the same level of your computer as its actual operating system and compromise the entire OS as a result.

    Once it’s been hit with a kernel mode rootkit, you can no longer trust anything about your computer — everything is potentially tainted, including the results of any anti-rootkit scans. Fortunately, it’s very difficult to create a kernel-mode rootkit that can operate without causing excessive system crashes and other hiccups that reveal its presence.

    Hybrid rootkits

    Hybrid rootkits place some of their components in the user level and others in the kernel. This allows a hybrid rootkit to enjoy the stability of user-mode rootkits with the enhanced stealth of their kernel-dwelling cousins. Accordingly, user-kernel hybrid rootkits are one of the most popular types with cybercriminals.

    Firmware rootkits

    Firmware is a type of low-level software that controls a piece of computer hardware. Some rootkits can hide inside firmware when you turn off your computer. When you turn it back on, a firmware rootkit can reinstall itself and get back to work.

    If a rootkit scanner finds and deactivates a firmware rootkit while it’s running, the rootkit will bounce right back the next time you turn on your machine. Firmware rootkits are notoriously hard to purge from a computer system.


    When you power on your computer, it refers to its Master Boot Record (MBR) for instructions on how to load its OS. Bootkits, also known as bootloader rootkits, are a kernel-mode rootkit variant that infect your computer’s MBR. Whenever your computer consults its MBR, the bootkit loads as well.

    Anti-malware programs have difficulty detecting bootkits, like they do with all kernel-mode rootkits, since bootkits don’t reside in the OS at all. Thankfully, bootkits have become obsolete, since both Windows 8 and Windows 10 counter them with the Secure Boot feature.

    Virtual rootkits

    A virtual machine is a software-based emulation of a separate computer hosted on a physical computer. Virtual machines are used to run multiple operating systems on one machine, or to test programs in an isolated environment.

    Virtual rootkits, or virtual machine–based rootkits (VMBRs), load themselves underneath the original OS, then place that OS onto a virtual machine. Because they run separately from the computer’s OS, they’re very difficult to detect.

    Rootkit examples

    When a new rootkit emerges, it immediately becomes one of the most urgent issues in cybersecurity. Let’s take a look at some of the most well-known rootkit examples in history, some created by hackers, and others surprisingly made and used by large corporations.

    A timeline of some of the most notorious rootkit attacks, including the first known rootkit in 1990 and the Stuxnet worm in 2010.A timeline of some of the most well-known examples of rootkit attacks.

    • 1990: Lane Davis and Steven Dake create the first known rootkit at Sun Microsystems for the SunOS Unix OS.

    • 1999: Greg Hoglund publishes an article describing his creation of a Trojan called NTRootkit, the first rootkit for Windows. It’s an example of a rootkit virus that works in kernel mode.

    • 2003: The user-mode HackerDefender rootkit arrives for Windows 2000 and Windows XP. HackerDefender’s emergence sparked a game of cat-and-mouse between it and the anti-rootkit tool RootkitRevealer.

    • 2004: A rootkit is used to tap over 100 mobile phones on the Vodafone Greece network, including the phone used by the country’s prime minister, in an attack that would become known as Greek Watergate.

    • 2005: Sony BMG gets slammed with a massive scandal after distributing CDs that install rootkits as an anti-piracy tool — without securing consent from consumers in advance.

    • 2008: The TDL-4 bootkit, then known as TDL-1, fuels the infamous Alureon Trojan, which is used to create and sustain botnets.

    • 2009: The proof-of-concept Machiavelli rootkit targets macOS (then called Mac OS X), demonstrating that Macs are vulnerable to malware like rootkits, too.

    • 2010: The Stuxnet worm, allegedly co-developed by the US and Israel, used a rootkit to conceal its presence while targeting Iran’s nuclear program.

    • 2012: A 20 MB modular malware known as Flame — comparatively massive since lots of malware is under 1 MB — wreaks havoc across infrastructure in the Middle East and North Africa.

    • 2018: LoJax is the first rootkit that infects a computer’s UEFI, the firmware that controls the motherboard, letting LoJax survive an operating system reinstall.

    • 2019: This recent rootkit attack comes from Scranos, a rootkit that steals passwords and payment details stored in your browser. And, notably, it turns your computer into a clickfarm to secretly generate video revenue and YouTube subscribers.

    Protect your devices with anti-rootkit software

    Trusted by over 400 million users around the world, Avast defends against all types of malware, including rootkits. When you install Avast One, you’re equipping yourself with one of the strongest rootkit scanners and removers available. You’ll get rootkit protection at its best — along with a suite of other security and privacy features — absolutely free.

    Protect your iPhone against rootkits and other malware with Avast One

    Free install

    Protect your Android phone against rootkits and other malware with Avast One

    Free install
    Carly Burdova