Finding and Avoiding Rootkits on Your Computer

What is a rootkit?

[Image: hand pointing on a laptop. Credit: Diego Lezama/Lonely Planet Images/Getty Images]

A rootkit allows someone, either legitimately or maliciously, to gain and maintain command and control over a computer system without the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage.

Most users are familiar with common threats such as viruses, worms, spyware, and even phishing scams, but many users are unfamiliar with this potential computer threat.

Is a rootkit malware?

There are legitimate uses for rootkits by law enforcement, or even by parents or employers who want to retain remote command and control and/or the ability to monitor activity on their children's or employees' computer systems. Products such as eBlaster or Spector Pro are essentially rootkits that allow for such monitoring.

However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a Trojan virus of some sort, the rootkit itself is not malware.

Detecting a rootkit

Detecting a rootkit on your system is easier said than done. There is no off-the-shelf product, as there is for viruses or spyware, that can magically find and remove all of the rootkits of the world. There are various tools that scan memory or file system areas, or look for the hooks rootkits place into the system, but most of these tools are not automated, and those that are often focus on detecting and removing one specific rootkit.

Another method is just to look for bizarre or strange behavior on the computer system. If there are suspicious things going on, you might be compromised by a rootkit. Of course, you might also just need to clean up your system.

In the end, many security experts suggest a complete reinstallation of a system that is compromised, or suspected of being compromised, by a rootkit. The reason is that even if you detect files or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact removed every piece of it. Peace of mind can be found by completely erasing the system and starting over.
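The tools mentioned above mostly rely on a cross-view comparison: what the normal system API reports is checked against what a lower-level query of the kernel returns, and anything present in the second view but missing from the first is a candidate for something being hidden. The following is an added example of that idea for processes on Linux (it is not code from the original article); it assumes a standard `/proc` filesystem and readable `/proc/sys/kernel/pid_max`.

```python
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"  # standard Linux location


def listed_pids():
    """Normal API view: the PIDs that readdir() on /proc reports."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pid(pid):
    """Lower-level view: ask the kernel directly whether `pid` exists.
    Signal 0 is never delivered; EPERM still means the PID is alive."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def is_thread_id(pid):
    """Linux thread IDs share the PID space but are omitted by readdir(/proc).
    An ID whose Tgid differs from itself is a thread, not a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def cross_view_diff(before, after, probed_alive, thread_ids=frozenset()):
    """Pure comparison: IDs the kernel says are alive but that appear in neither
    readdir snapshot. Snapshots taken before and after the probe filter out
    processes that started or exited while the probe was running."""
    visible = before | after
    return sorted(p for p in probed_alive if p not in visible and p not in thread_ids)


def find_hidden_pids(pid_max=None):
    """Probe every possible PID; takes a few seconds on a default pid_max."""
    if pid_max is None:
        with open(PID_MAX_PATH) as f:
            pid_max = int(f.read())
    before = listed_pids()
    alive = {pid for pid in range(1, pid_max) if probe_pid(pid)}
    after = listed_pids()
    threads = {pid for pid in alive if is_thread_id(pid)}
    return cross_view_diff(before, after, alive, threads)


if __name__ == "__main__":
    # Run twice before trusting a hit: a short-lived process can slip past both snapshots.
    print("PIDs hidden from /proc listing:", find_hidden_pids())
```

A non-empty result is a reason to investigate, not proof of a rootkit; a rootkit that also intercepts the direct kernel query will not show up here, which is why the article's advice to rebuild a suspect system stands.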

Protecting your system from rootkits

As mentioned above regarding detection, there is no packaged application that guards against rootkits, and while they may at times be used for malicious purposes, some are not necessarily malware.

Many malicious rootkits do, however, infiltrate computer systems and install themselves by riding along with a malware threat such as a virus, so you can defend your system from rootkits by ensuring that it is kept patched against known vulnerabilities, that antivirus software is updated and running, and that you don't accept files from, or open email attachments from, unknown sources. You should also be careful when installing any software: pay attention during installation wizards to see what is being installed, and read carefully before agreeing to EULAs (end user license agreements), because some state overtly that a rootkit of some sort will be installed.