Introducing rootkits

Updated Tuesday, 28th October 2014

Why do people use rootkits and what are they intended for?


Image: Camouflaged lizard in the desert (Tom Coates, under CC BY-NC 2.0 licence). Like this lizard, you may not notice a rootkit has set up home in your computer.

Rootkits are powerful pieces of software that perform tasks on a computer without being noticed.  People using rootkits can take control of a computer from under the noses of intended users. Unsurprisingly, rootkits are often associated with criminal activity, but they can be used by law enforcement as part of criminal investigations or for research purposes to explore the operation of computers.

Rootkits circumvent the built-in protections of computer operating systems intended to keep the machine operating safely. The operating system (such as Microsoft Windows, Apple’s MacOS X and the Linux family of operating systems) controls how users work with a computer. Among many other tasks, an operating system manages files on the disk, reads keyboards and mice, sends and receives data across a network and displays information on the screen. Crucially, the operating system prevents key files from being overwritten, stops one user accessing another’s data and keeps records of every action performed on the computer.

Almost all modern computer operating systems provide user accounts, requiring you to log in before you can use the computer.  A user account gives a user a certain amount of disk space to store their files and access to the computer’s applications, network connection, disk drives and so on. There are different types of accounts providing people with different levels of access.

The least privileged users are assigned so-called ‘guest accounts’. These provide basic functionality such as access to a few applications, but do not allow users to change the machine’s settings and (for machines in public spaces such as libraries and internet cafes) may even delete their files after they leave. Normal user accounts have more privileges than guests and have access to most of the machine’s facilities, but still cannot make changes to the operating system.

The most privileged users are called administrators (or sometimes superusers or just ‘root’). Administrators have great power – for instance, they can create new accounts, delete data, view private information and edit the log files recording every operation of the computer. Users are encouraged not to work as administrators unless necessary because an inadvertent error can render a computer useless or lead to irrevocable data loss.

Once a rootkit is installed on a computer, it allows its user to act as an administrator even if they do not have actual administrator rights. Many rootkits are spread as part of malware infections and exploit weaknesses in the operating system to install themselves, then alert their owner that the machine has been compromised. Rootkits can ‘cloak’ themselves from the operating system, effectively making themselves invisible, or they can alter or disable the automated logging of activities which would reveal their presence.

Once the rootkit is installed, it can act as a ‘backdoor’ for its owners, who are able to access the infected machine, steal or delete data and cover their traces. However, in many cases, the rootkit is just part of the problem; rootkits rarely travel alone. They either come as part of a package of malicious software, or they are able to download other malware once they are installed on a computer. These programs include password-stealing applications and others that hunt for credit card information, read address books or generate spam emails.
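The cloaking described above works by making the operating system's own listings leave the rootkit out, so defenders compare two independent views of the same machine and look for anything that appears in one but not the other. The Python code below is an added example, not part of the original article; it assumes a Linux system, and its function names are illustrative.

```python
import os

def listed_ids(proc="/proc"):
    """View 1: every process and thread ID the OS shows when /proc is listed."""
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:  # threads appear only under /proc/<pid>/task
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task"))
        except OSError:
            pass  # the process exited while we were reading
    return ids

def answers_probe(pid):
    """View 2: ask the kernel about one ID directly; signal 0 delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # the ID exists but belongs to another user
    return True

def hidden_ids(list_view=listed_ids, probe=answers_probe, max_id=None, rechecks=2):
    """Return IDs that answer a direct probe yet never appear in a listing."""
    if max_id is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_id = int(f.read())
    listed = list_view()
    suspects = {i for i in range(1, max_id + 1) if i not in listed and probe(i)}
    # A process may start between the two views, so re-check before reporting.
    for _ in range(rechecks):
        if not suspects:
            break
        listed = list_view()
        suspects = {i for i in suspects if i not in listed and probe(i)}
    return suspects

if __name__ == "__main__":
    print(sorted(hidden_ids()) or "no discrepancy between the two views")
```

Run it as root, because an unprivileged account may be prevented from listing other users' processes and would then see false discrepancies. A rootkit that falsifies both views will not be caught this way, which is why such checks are also run from trusted media outside the suspect system.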

The Sony BMG Extended Copy Protection software (XCP) was intended to stop piracy by preventing any media player software other than that provided by Sony, or any music copying program (called a ‘ripper’), from accessing the content of Sony BMG CDs. In actuality, XCP wasn’t very effective at stopping piracy: many computers ignored it entirely, it could be circumvented simply by switching off ‘autoplay’ on CDs, and it could even be defeated with the aid of a line drawn using a black marker pen around the edge of the disc!

XCP can be considered a rootkit on two grounds – first, nowhere did Sony alert users to the fact that new software was being installed on their computer, and second, the program attempted to hide itself from the user so they could not tell it was running on their computer. Although this was unethical, XCP’s real problems lay elsewhere: not only did it create a number of serious security flaws on host machines, but it also taught malware creators new tricks for hiding their activities from users.

Extended Copy Protection eventually cost Sony millions of dollars as it was forced to compensate people who had bought the affected discs and recall all of the unsold CDs. Worse still, the XCP affair badly tainted Sony’s reputation just as the company was struggling to remain relevant in the marketplace. Significantly, no other company has attempted to sell copy-protected CDs and most legally downloaded music can be copied between devices without restriction.




