Rootkit is a program that hides its own malicious actions from antiviruses, or masks the work of other malware, for example, a Trojan. The rootkit hides, in particular, system processes, files, drivers, registry entries and network connections, preventing antiviruses from identifying traces of the presence of this malicious program.
Information security audit
The functionality of rootkits is diverse: they can steal passwords, bank card data, read keyboard taps, remotely control bots for DDoS attacks, disable antiviruses, etc.
The name was formed from root (“superuser” in Unix terminology) and kit (“kit”). That is, a rootkit is a set of tools for system actions with administrator rights. In fact, in terms of rights, rootkits are divided into two categories: user-level and kernel-level.
A rootkit with user rights has the same status as any regular application that is installed by a victim user. They disguise themselves as a system process and parasitize applications, disrupting their work or correcting it in the right way.
“Nuclear” rootkits get full access to the system at the OS kernel level. This is the most dangerous kind of them. Detecting and removing a nuclear rootkit is much more difficult than a user-level rootkit. One example is the Backdoor bootkit (a subspecies of the rootkit).Win32.Sinowal, which infects the boot sector of the MBR (Master Boot Record) hard disk and runs before the system boots, gaining full control over it.
Rootkits are downloaded under the guise of free software, hide behind banners and links on infected sites, and are downloaded from external drives (flash drives, SD cards, disks).