Published: February 10, 2026
Video Description
FULL SECURITY+ IN 31 DAYS COURSE
Join the wait list - https://certbros.kit.com/01730e35f7
BOSON PRACTICE EXAMS
Best practice exams - https://www.certbros.com/security-plus/exsim
HAVE A QUESTION?
Discord - https://www.certbros.com/discord
Disclaimer: Some of these are affiliate links. If you purchase using these links, I'll receive a small commission at no extra charge to you.
---------------------------------------------------------------------------------------------------------------
Rootkits are some of the hardest types of malware to detect because they are built to hide in plain sight while giving an attacker deep, ongoing control of a system.
What Is a Rootkit?
The name combines root, the all-powerful administrative account on Unix and Linux systems, with kit, the set of tools the attacker installs.
A rootkit is a collection of malicious software designed to give an attacker unauthorised access to a computer system at that highest privilege level. Once installed, it hides its own presence, including its files, processes and network connections, so the attacker can keep their access while remaining undetected by many standard security tools.
Types of Rootkit Malware
There are many rootkit variations, but these are the main types you need to know.
Firmware Rootkits
One of the most dangerous rootkit types is the firmware rootkit.
Firmware is code stored on a device's own chips, such as the BIOS or UEFI on the motherboard or the controllers inside disks and network cards. It runs as soon as the computer is powered on and initialises the hardware so the operating system can load. It runs separately from the operating system, and most security tools only look at the operating system layer.
That separation is what makes a firmware rootkit so difficult to detect and remove. In some cases a firmware rootkit can even survive a fresh installation of the operating system, because the malicious code lives in the firmware's flash memory rather than on the disk that gets wiped and reinstalled.
Bootkits
A bootkit is a rootkit that targets the boot process: on a BIOS system, the Master Boot Record at the start of the disk; on a UEFI system, the boot loader files held in the EFI System Partition that the GUID Partition Table points to.
This allows the rootkit to load before the operating system starts. When malware loads this early, standard operating system security tools may not be able to detect or remove it, because the compromise is already in place before those tools can run. This is also why boot integrity protections such as UEFI Secure Boot are enforced by the firmware rather than by the operating system.
User Mode Rootkits
A user mode rootkit operates within user space, where application programs run and interact with the operating system.
Instead of attacking the kernel directly, a user mode rootkit targets processes and applications. It can manipulate how programs behave, execute malicious actions, or hide activity by presenting false information to the user.
For example, after gaining access and the necessary permissions, an attacker might modify existing applications or replace them with malicious versions.
If they wanted to target the login process on a Linux machine, they could replace it with a malicious version that bypasses authentication and grants unauthorised access.
Similarly, they could target Secure Shell, commonly known as SSH, which is used for remote connections, and replace or modify it to provide unrestricted access without valid credentials.
Attackers might also modify or replace tools like ps in Linux or Task Manager in Windows to hide malicious processes, helping them evade detection and maintain control.
Because user mode rootkits only tamper with applications, the kernel's own view of the system stays honest, which makes them generally easier for security tools to detect and remove: comparing the output of a suspect ps with a direct listing of /proc, verifying the binaries against the package manager's recorded hashes, or simply running a known-clean copy of the tool from read-only media will reveal the substitution.
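The hiding and the cross-check described above, as an added example in C that is not part of the original page. It reads the kernel's view straight from /proc (falling back to a constructed sample list where /proc is unavailable), applies the kind of name-based filter a trojanised ps would apply, and then diffs the two views to recover the hidden PIDs. The evil_ name prefix, the sample process list and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMM_LEN  32
#define MAX_PROCS 4096

/* One process as the kernel exposes it under /proc/<pid>/comm. */
struct proc_entry {
    int  pid;
    char comm[COMM_LEN];
};

/* Name prefix the hypothetical rootkit uses to recognise its own processes.
 * An assumption for this example; real kits key on names, PIDs or a secret
 * signal, but the hiding logic is the same. */
static const char *HIDE_MARKER = "evil_";

/* Constructed sample process list, so the cross-check runs without /proc. */
static const struct proc_entry SAMPLE[] = {
    {1, "systemd"}, {42, "evil_beacon"}, {99, "sshd"}, {4242, "evil_miner"}, {31337, "bash"}};
static const int SAMPLE_N = 5;
static struct proc_entry scratch[MAX_PROCS];
static int hidden_scratch[MAX_PROCS];

/* The kernel's view: enumerate /proc directly. Returns the count, or -1. */
int read_proc(const char *procroot, struct proc_entry *out, int max) {
    DIR *d = opendir(procroot);
    if (!d) return -1;
    int n = 0;
    struct dirent *de;
    while (n < max && (de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;   /* PIDs only */
        char path[256];
        snprintf(path, sizeof path, "%s/%s/comm", procroot, de->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;                          /* process exited meanwhile */
        out[n].pid = atoi(de->d_name);
        if (!fgets(out[n].comm, COMM_LEN, f)) out[n].comm[0] = '\0';
        out[n].comm[strcspn(out[n].comm, "\n")] = '\0';
        fclose(f);
        n++;
    }
    closedir(d);
    return n;
}

/* The trojanised ps: same data as the kernel view, but entries carrying the
 * marker are silently dropped before the user ever sees them. */
int trojan_ps_filter(const struct proc_entry *in, int n, struct proc_entry *out) {
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(in[i].comm, HIDE_MARKER, strlen(HIDE_MARKER)) != 0)
            out[kept++] = in[i];
    return kept;
}

/* Cross-check: any PID the kernel reports that the tool does not is being
 * hidden. Writes those PIDs to hidden_pids and returns how many there were. */
int find_hidden(const struct proc_entry *kernel_view, int nk,
                const struct proc_entry *tool_view, int nt,
                int *hidden_pids, int max) {
    int found = 0;
    for (int i = 0; i < nk && found < max; i++) {
        int seen = 0;
        for (int j = 0; j < nt; j++)
            if (tool_view[j].pid == kernel_view[i].pid) { seen = 1; break; }
        if (!seen) hidden_pids[found++] = kernel_view[i].pid;
    }
    return found;
}

int main(void) {
    static struct proc_entry kernel_view[MAX_PROCS];
    int nk = read_proc("/proc", kernel_view, MAX_PROCS);
    if (nk <= 0) {                       /* no /proc here: fall back to the sample */
        memcpy(kernel_view, SAMPLE, sizeof SAMPLE);
        nk = SAMPLE_N;
    } else {                             /* plant a fake attacker process to hide */
        snprintf(kernel_view[nk - 1].comm, COMM_LEN, "evil_beacon");
    }
    int nt = trojan_ps_filter(kernel_view, nk, scratch);
    int nh = find_hidden(kernel_view, nk, scratch, nt, hidden_scratch, MAX_PROCS);
    printf("kernel view: %d processes, trojanised ps shows: %d\n", nk, nt);
    for (int i = 0; i < nh; i++)
        printf("hidden from ps: pid %d\n", hidden_scratch[i]);
    return 0;
}
```

The point of the cross-check is that it never trusts the tool's output: it goes back to the kernel through a different path (opendir on /proc) and treats any disagreement as evidence of tampering. A real rootkit hunter does the same for files (a raw directory read versus ls) and sockets (/proc/net/tcp versus netstat).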
Kernel Mode Rootkits
A kernel mode rootkit operates at the kernel level of the operating system.
Developing a kernel level rootkit is tricky, but once installed it can be extremely difficult to detect. Because it operates inside the operating system core, it can directly manipulate critical functions, making this type of rootkit particularly dangerous.
One common technique involves modifying the system call table.
System calls are how user mode applications request services from the kernel, such as accessing files, reading memory, or listing processes. The kernel dispatches each request through a table of function pointers indexed by the system call number. A kernel mode rootkit saves the original pointer for a call such as the one that lists directory entries, replaces it with its own function, and then calls the original and strips its own files, processes or connections out of the results before they are returned. Every tool on the system, clean or not, gets the censored answer, which is why detection at this level relies on integrity checks of the kernel itself, such as comparing the live table against a known-good copy.
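A user space model of that technique, added here as an example and not taken from the page or from any real rootkit. The kernel's dispatch table is modelled as an array of function pointers (the real Linux sys_call_table is write-protected and has not been exported to modules for many years, so modern kits reach it by other means), the directory listing of /proc is a constructed list, and the syscall numbers, the hidden PID 1337 and the function names are assumptions. The integrity check at the end is the detection side: a boot-time snapshot of the table compared against the live one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel system call table: function pointers
 * indexed by syscall number. The numbers are assumptions for this model. */
#define NR_SYSCALLS 64
#define NR_getdents 3
#define NAME_LEN    32

struct dirent_rec { char name[NAME_LEN]; };

typedef long (*syscall_fn)(void *buf, long count);

/* Genuine kernel routine: the directory listing of /proc as the kernel has it
 * (a constructed list; PID 1337 is the attacker's process). */
static const char *kernel_procdir[] = {"1", "42", "1337", "4096"};

static long sys_getdents(void *buf, long count) {
    struct dirent_rec *out = buf;
    long n = (long)(sizeof kernel_procdir / sizeof kernel_procdir[0]);
    if (n > count) n = count;
    for (long i = 0; i < n; i++)
        snprintf(out[i].name, NAME_LEN, "%s", kernel_procdir[i]);
    return n;
}

static syscall_fn sys_call_table[NR_SYSCALLS];
static syscall_fn boot_time_snapshot[NR_SYSCALLS];   /* integrity baseline */

/* Boot: populate the table and record a known-good copy of it.
 * Returns the number of entries installed. */
int kernel_init(void) {
    memset(sys_call_table, 0, sizeof sys_call_table);
    sys_call_table[NR_getdents] = sys_getdents;
    memcpy(boot_time_snapshot, sys_call_table, sizeof sys_call_table);
    return 1;
}

/* The dispatcher every user mode request goes through. */
static long do_syscall(int nr, void *buf, long count) {
    if (nr < 0 || nr >= NR_SYSCALLS || !sys_call_table[nr]) return -1;
    return sys_call_table[nr](buf, count);
}

/* ---- rootkit side ---- */
static syscall_fn orig_getdents;
static const char *HIDDEN_PID = "1337";   /* assumed PID of the attacker's process */

static long hooked_getdents(void *buf, long count) {
    long n = orig_getdents(buf, count);  /* let the real kernel do the work... */
    struct dirent_rec *out = buf;
    long kept = 0;
    for (long i = 0; i < n; i++)         /* ...then censor the result */
        if (strcmp(out[i].name, HIDDEN_PID) != 0) out[kept++] = out[i];
    return kept;
}

/* Save the original pointer and swap in the hook. Returns 1 on success. */
int install_rootkit(void) {
    orig_getdents = sys_call_table[NR_getdents];
    if (!orig_getdents) return 0;
    sys_call_table[NR_getdents] = hooked_getdents;
    return 1;
}

/* ---- what ps sees, and what an integrity checker sees ---- */
int ps_sees(const char *pid) {
    struct dirent_rec buf[16];
    long n = do_syscall(NR_getdents, buf, 16);
    for (long i = 0; i < n; i++)
        if (strcmp(buf[i].name, pid) == 0) return 1;
    return 0;
}

/* Compare the live table against the boot-time copy: any entry that now
 * points somewhere else has been hooked. Returns its number, or -1. */
int first_tampered_syscall(void) {
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != boot_time_snapshot[i]) return i;
    return -1;
}

int main(void) {
    kernel_init();
    printf("before: ps sees 1337? %d  tampered entry: %d\n",
           ps_sees("1337"), first_tampered_syscall());
    install_rootkit();
    printf("after:  ps sees 1337? %d  tampered entry: %d\n",
           ps_sees("1337"), first_tampered_syscall());
    return 0;
}
```

Note that ps_sees goes through the same dispatcher as every other program, so replacing ps with a clean copy does nothing here; only the table comparison, which reads kernel memory rather than asking the kernel a question, exposes the hook. A real checker needs its baseline from somewhere the rootkit could not touch, such as the kernel image on disk or a measurement taken at boot.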
A rootkit is a stealthy form of malware designed to maintain unauthorised access while hiding from detection. Whether it targets applications, the kernel, the boot process, or firmware, a rootkit can be extremely difficult to remove fully.
You should now understand what rootkit malware is, why it is so hard to detect, and how the most common rootkit types work at different levels of a computer system.