A rootkit is another type of malware that has the capability to conceal itself from the Operating System and antivirus application in a computer. A rootkit provide continuous root level (super user) access to a computer where it is installed. The name rootkit came from the UNIX world, where the super user is "root" and a kit.
Rootkits are installed by an attacker for a variety of purposes. Root kits can provide the attacker root level access to the computer via a back door, rootkits can conceal other malwares which are installed on the target computer, rootkits can make the installed computer as a zombie computer for network attacks, Rootkits can be used to hack encryption keys and passwords etc. Rootkits are more dangerous than other types of malware because they are difficult to detect and cure.
Different types of Rootkits are explained below.
Application Level Rootkits: Application level rootkits operate inside the victim computer by changing standard application files with rootkit files, or changing the behavior of present applications with patches, injected code etc.
Kernel Level Rootkits: Kernel is the core of the Operating System and Kernel Level Rootkits are created by adding additional code or replacing portions of the core operating system, with modified code via device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel Level Rootkits can have a serious effect on the stability of the system if the kit’s code contains bugs. Kernel rootkits are difficult to detect because they have the same privileges of the Operating System, and therefore they can intercept or subvert operating system operations.
Hardware/Firmware Rootkits: Hardware/Firmware rootkits hide itself in hardware such a network card, system BIOS etc.
Hypervisor (Virtualized) Level Rootkits:
Hypervisor (Virtualized) Level Rootkits are created by exploiting hardware features such as Intel VT or AMD-V (Hardware assisted virtualization technologies). Hypervisor level rootkits hosts the target operating system as a virtual machine and therefore they can intercept all hardware calls made by the target operating system.
Boot loader Level (Bootkit) Rootkits: Boot loader Level (Bootkit) Rootkits replaces or modifies the legitimate boot loader with another one thus enabling the Boot loader Level (Bootkit) to be activated even before the operating system is started. Boot loader Level (Bootkit) Rootkits are serious threat to security because they can be used to hack the encryption keys and passwords.