The Danger of Rootkits

A rootkit is a collection of program tools that enable user-level access to a computer or a computer network. Typically, a hacker installs a rootkit on your computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking your password. Once the rootkit is installed, it allows the attacker to mask its intrusion and gain root or privileged access to your Windows PC.

A rootkit may consist of spyware and other malicious programs that monitor traffic and keystrokes, create a “backdoor” into the system for the hacker to use, attack other machines on a network and alter existing system tools to escape detection.

Rootkits often try to enter your PC by executing a phishing attack, where a hacker tries to trick you into running an executable file (.exe) in an email attachment, or via a hyperlink distributed via email or instant messaging. Once they are in place, rootkits are not too easy to find or get rid of.

The rootkit threat is not as widespread as viruses, malware and spyware. But removing rootkits is largely a reactive process. You will only notice changes to your computer after you are infected by a rootkit.

Is There Really a Rootkit Problem?

To determine if there is truly a rootkit operating behind the scenes, use a system process analyser such as ‘Sysinternals ProcessExplorer‘ or, better yet, a network analyser. By using these tools, you will probably be surprised to find what programs are doing and what is going in and out of your PC’s network adapter. You may also discover that you simply have an over-worked PC running with too little memory or a severely fragmented hard drive.

However, if your computer is normally super-fast with no lack of memory or hard drive issues, but still slows down and even starts to behave badly, then a rootkit attack could be the cause. But equally these symptoms could be the result of a virus or a spyware attack.

It is one thing to find a rootkit, but quite another to remove it and any spyware it is probably hiding. In fact, it may or may not be possible. In many cases you will never really know if you are infected since a rootkit can often interfere with your scanning and removal programs.

Before you even try to remove a rootkit make sure you take a backup all your important data files.

Rootkit Detection and Removal Using Software

Sysinternals, F-Secure and Kaspersky all offer standalone rootkit detection tools, Sysinternals RootkitRevealer  (is only for Windows XP (32-bit) and Windows Server 2003 (32-bit),  F-Secure Blacklight and Kaspersky TDSSKiller.

Even Microsoft has implemented rootkit detection features in its own malicious software removal tool.

Removing a rootkit with cleaning tools may actually leave Windows in an unstable or inoperable state depending on which files were infected and subsequently cleaned. Or, worse, a well-coded rootkit could conceivably detect the removal process and self-destruct taking your data out with it!

If these cleaning tools do not find anything, or they do find a rootkit but cannot delete it, then you could keep trying other tools, but there does come a point time when you have to evaluate if the effort is worthwhile. Perhaps you should just wipe your Hard Drive and re-install your Windows Operating system.

Some Defences Against Rootkits

To truly protect your computer, make sure you always read the current user instructions for your scanning tools to see what special steps you need to take before, during and after the clean-up process.

Then, after you’ve found and cleaned a rootkit, re scan your system to double-check that it was fully cleaned and the rootkit has not returned.

To help stay protected from rootkits you should regularly update all your software. This includes programs like your antivirus programme and any spyware or malware programmes you make use of.

Also keep all of your Microsoft software up-to-date by turning on Windows Automatic Updates (for Windows 10 – Settings – Update & Security/ Windows Update). Your computer will automatically download Microsoft security updates when your computer is online.

admin