What is a Rootkit? The Origin of Malicious Software

Andrew Sanders
Posted: April 8, 2019

Everything has a beginning – including computer viruses. In this regard, rootkits can be thought of as the origin of all malicious software. Although malware did exist before the term “rootkit” was coined, it typically involved exploiting weaknesses such as default passwords. Rootkits were something different.

Essentially, a rootkit is a piece of software that includes built-in tools to create a second administrator on a targeted system. This is where the “root” of rootkit comes from – in Unix, “root” refers to a superuser or system administrator, someone with the privilege to install or modify software, move or delete files, and create other privileged accounts. The rootkit then hides itself from other admins.

History of Rootkit Software

One of the ways in which rootkits are unique is that they were theorized about before they were ever seen in the wild. Back in 1983, a man named Ken Thompson – one of the creators of the Unix operating system – theorized an exploit that would subvert a login command to allow an attacker to use an additional password to access an administrator account. This was a conceptual model of a rootkit.


An early Unix system. Times were different then.

A lot of viruses don’t really have a long pause between conceptualization and deployment in the wild, but rootkits are difficult to make! They allow an attacker to gain total control over a computer while hiding their activities – a technical feat, in other words.

As such, it was three years before rootkits began to affect Unix systems in the wild. This rootkit was called Brain, and its origins were in fact benign – a pair of Pakistani software developers used the rootkit to prevent users from pirating their heart monitoring software. Little did they know that they’d created the first example of a new kind of malware.

Windows users wouldn’t be affected by rootkits until much later. The first rootkit known to affect Windows systems was released in 1999 – sixteen years after they were first theorized.

Rootkits are Difficult to Detect and Remove

The first person to produce a rootkit for Windows – a man named Greg Hoglund – eventually began working for US intelligence agencies. This gives you a basic sense of what rootkits are used for. They’re commonly deployed by governments in order to spy on activists, criminals, and people they don’t like.

Rootkits have also been used by corporations. In 2005, Sony’s music publishing arm began to ship CDs with tools that were supposed to prevent them from being copied and pirated. This tool was a rootkit which installed onto customer computers without their knowledge. This led to multiple class-action lawsuits, malware that took advantage of computers compromised by the rootkit, and a patch that removed the rootkit – which led to an even more dangerous vulnerability.

This last piece of information is an unfortunate clue that tells you what will happen if you get infected by a rootkit. In all likelihood, you won’t notice. Many rootkits are difficult to detect without dedicated tools that are distributed outside of normal antivirus packages. For example, one security researcher recommends that if you’re infected by a rootkit, your best way of sniffing out the infection may be to monitor your outbound TCP/IP packets – something that’s beyond the reach of most everyday computer users.

Can Home Computer Users Fight Rootkits?

Fortunately, there are some tools that allow home computer users to scan for and remove rootkits. Both Malwarebytes and Kaspersky ship with modes that let users perform what’s known as an offline scan. That means that the computer shuts down, reboots into a safe mode that prevents malicious software from running, and then scans your computer thoroughly. If you detect a rootkit, however, your best option when it comes to removing it is simply to reinstall your operating system.

When it comes to rootkits, your best option is prevention. If you’ve been reading this blog, you’ll know the steps – don’t open suspicious emails or attachments, don’t use strange USB drives, and don’t leave your computer software out of date. For extra tips on computer security, follow the SafetyDetective blog and stay informed about all things malware.

About the Author

Andrew Sanders

Andrew is a writer on technology, information security, telecommunications, and more.