{
	"id": "279b946a-ca9b-4716-8f3e-2f2719b74d97",
	"created_at": "2026-04-06T00:15:47.883261Z",
	"updated_at": "2026-04-10T03:33:51.908771Z",
	"deleted_at": null,
	"sha1_hash": "a08b6b717d13f55e6bebc4a0033a6a526ee8f13b",
	"title": "Rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 542528,
	"plain_text": "Rootkit\r\nBy Contributors to Wikimedia projects\r\nPublished: 2003-05-09 · Archived: 2026-04-05 19:39:22 UTC\r\nA rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an\r\narea of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its\r\nexistence or the existence of other software.[1] The term rootkit is a compound of \"root\" (the traditional name of\r\nthe privileged account on Unix-like operating systems) and the word \"kit\" (which refers to the software\r\ncomponents that implement the tool).[2] The term \"rootkit\" has negative connotations through its association with\r\nmalware.\r\n[1]\r\nRootkit installation can be automated, or an attacker can install it after having obtained root or administrator\r\naccess.[3] Obtaining this access is a result of direct attack on a system, i.e., exploiting a vulnerability (such as\r\nprivilege escalation) or a password (obtained by cracking or social engineering tactics like \"phishing\"). Once\r\ninstalled, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a\r\nsystem means that existing software can be modified, including software that might otherwise be used to detect or\r\ncircumvent it.\r\nRootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it.\r\nDetection methods include using an alternative and trusted operating system, behavior-based methods, signature\r\nscanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible,\r\nespecially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only\r\navailable solution to the problem. 
When dealing with firmware rootkits, removal may require hardware\r\nreplacement, or specialized equipment.\r\nThe term rootkit, rkit, or root kit originally referred to a maliciously modified set of administrative tools for a\r\nUnix-like operating system that granted \"root\" access.[4] If an intruder could replace the standard administrative\r\ntools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously\r\nconcealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to\r\ndetect by using tools such as Tripwire that had not been compromised to access the same information.[5][6] Lane\r\nDavis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating\r\nsystem.[7] In the lecture he gave upon receiving the Turing Award in 1983, Ken Thompson of Bell Labs, one of\r\nthe creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit.\r\nThe modified compiler would detect attempts to compile the Unix login command and generate altered code\r\nthat would accept not only the user's correct password, but an additional \"backdoor\" password known to the\r\nattacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would\r\ninsert the same exploits into the new compiler. 
A review of the source code for the login command or the\r\nupdated compiler would not reveal any malicious code.[8] This exploit was equivalent to a rootkit.\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 1 of 17\n\nThe first documented computer virus to target the personal computer, discovered in 1986, used Helix Cloaking\r\ntechniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to\r\nelsewhere on the disk, where a copy of the original boot sector was kept.[1] Over time, DOS-virus cloaking\r\nmethods became more sophisticated. Advanced techniques included hooking low-level disk INT 13H BIOS\r\ninterrupt calls to hide unauthorized modifications to files.[1]\r\nThe first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit\r\ncreated by Greg Hoglund.\r\n[9]\r\n It was followed by HackerDefender in 2003.[1] The first rootkit targeting Mac OS X,\r\nWeaponX/Weapox, appeared in 2004[10] while the Stuxnet worm was the first to target programmable logic\r\ncontrollers (PLC).[11]\r\nLenovo BIOS Rootkit (Lenovo Service Engine) Incident (2015)\r\n[edit]\r\nIn mid-2015, it was discovered that Lenovo had been shipping certain consumer PCs with firmware that behaved\r\nlike a built-in rootkit. The feature, called Lenovo Service Engine (LSE), was embedded in the system BIOS and\r\nwould execute on startup, even before Windows booted. LSE was designed to ensure that Lenovo’s system update\r\nutility and related pre-installed programs remained installed by automatically reinstalling them if they were\r\nremoved. 
Because it resided in firmware, the code was difficult for users to detect or remove; even a clean\r\nWindows installation would not eliminate LSE, as it would be reinstalled on the next reboot.\r\nResearchers later discovered that LSE introduced a serious security issue – a vulnerability allowing a privilege\r\nescalation attack (via a buffer overflow) to gain administrator-level control. In response, Lenovo released BIOS\r\nupdates and a removal utility in 2015 to disable and delete the LSE feature. Microsoft also updated its Windows\r\nsecurity guidelines to bar such firmware behavior, effectively forcing Lenovo to cease using LSE in new systems.\r\nThe LSE functionality was removed from subsequent models, and Lenovo urged customers to install the updated\r\nfirmware to eliminate the risk.[12][13]\r\nStuxnet, uncovered in 2010, was a highly sophisticated worm developed in a joint U.S.–Israeli intelligence\r\noperation targeting Iran’s nuclear facilities. It notably included a Windows kernel-mode rootkit that concealed the\r\nmalware’s files and processes, enabling the worm to silently sabotage industrial control systems. Stuxnet is often\r\ncited as the first known cyberweapon; it destroyed a significant part of Iran’s uranium centrifuges, while\r\nremaining difficult to detect.[14][15][16]\r\nSony BMG copy protection rootkit scandal (2005)\r\n[edit]\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 2 of 17\n\nScreenshot of RootkitRevealer, showing the files hidden by the Extended Copy Protection rootkit\r\nIn 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended\r\nCopy Protection, created by software company First 4 Internet. 
The software included a music player but silently\r\ninstalled a rootkit which limited the user's ability to access the CD.[17] Software engineer Mark Russinovich, who\r\ncreated the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers.[1] The ensuing\r\nscandal raised the public's awareness of rootkits.[18] To cloak itself, the rootkit hid any file starting with \"$sys$\"\r\nfrom the user. Soon after Russinovich's report, malware appeared which took advantage of the existing rootkit on\r\naffected systems.[1] One BBC analyst called it a \"public relations nightmare.\"[19] Sony BMG released patches to\r\nuninstall the rootkit, but it exposed users to an even more serious vulnerability.\r\n[20]\r\n The company eventually\r\nrecalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG.[21]\r\nGreek wiretapping case (2004–05)\r\n[edit]\r\nThe Greek wiretapping case 2004–05, also referred to as Greek Watergate,[22] involved the illegal telephone\r\ntapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the\r\nGreek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004\r\nand were removed in March 2005 without discovering the identity of the perpetrators. The intruders installed a\r\nrootkit targeting Ericsson's AXE telephone exchange. According to IEEE Spectrum, this was \"the first time a\r\nrootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch.\"[23] The rootkit\r\nwas designed to patch the memory of the exchange while it was running, enable wiretapping while disabling audit\r\nlogs, patch the commands that list active processes and active data blocks, and modify the data block checksum\r\nverification command. 
A \"backdoor\" allowed an operator with sysadmin status to deactivate the exchange's\r\ntransaction log, alarms and access commands related to the surveillance capability.\r\n[23]\r\n The rootkit was discovered\r\nafter the intruders installed a faulty update, which caused SMS texts to be undelivered, leading to an automated\r\nfailure report being generated. Ericsson engineers were called in to investigate the fault and discovered the hidden\r\ndata blocks containing the list of phone numbers being monitored, along with the rootkit and illicit monitoring\r\nsoftware.\r\nModern rootkits do not elevate access,[4] but rather are used to make another software payload undetectable by\r\nadding stealth capabilities.[9] Most rootkits are classified as malware, because the payloads they are bundled with\r\nare malicious. For example, a payload might covertly steal user passwords, credit card information, computing\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 3 of 17\n\nresources, or conduct other unauthorized activities. A small number of rootkits may be considered utility\r\napplications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game\r\nusers to defeat anti-piracy measures that require insertion of the original installation media into a physical optical\r\ndrive to verify that the software was legitimately purchased.\r\nRootkits and their payloads have many uses:\r\nProvide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or\r\nfalsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the\r\n/bin/login program on Unix-like systems or GINA on Windows. 
The replacement appears to function\r\nnormally, but also accepts a secret login combination that allows an attacker direct access to the system\r\nwith administrative privileges, bypassing standard authentication and authorization mechanisms.\r\nConceal other malware, notably password-stealing key loggers and computer viruses.\r\n[24]\r\nAppropriate the compromised machine as a zombie computer for attacks on other computers. (The attack\r\noriginates from the compromised system or network, instead of the attacker's system.) \"Zombie\" computers\r\nare typically members of large botnets that can–amongst other things–launch denial-of-service attacks,\r\ndistribute email spam, and conduct click fraud.\r\n[25]\r\nIn some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the\r\ncomputer user:\r\nDetect attacks, for example, in a honeypot.\r\n[26]\r\nEnhance emulation software and security software.[27] Alcohol 120% and Daemon Tools are commercial\r\nexamples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and\r\nSecuROM.\r\n[28]\r\n Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from\r\nmalicious actions. It loads its own drivers to intercept system activity, and then prevents other processes\r\nfrom doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods.\r\nAnti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a\r\ncentral authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it\r\nis stolen.[29]\r\nBypassing Microsoft Product Activation[30]\r\nThere are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest\r\nprivileges), through to the least privileged user-based variants that operate in Ring 3. 
Hybrid combinations of\r\nthese may occur spanning, for example, user mode and kernel mode.[31]\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 4 of 17\n\nIntel based computer security rings (Note that Ring -1 is not shown.)\r\nUser-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes.\r\n[32]\r\n They have a number of possible installation vectors to intercept and modify the standard behavior of\r\napplication programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on\r\nWindows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target\r\nprocess to spoof it; others with sufficient privileges simply overwrite the memory of a target application. Injection\r\nmechanisms include:[32]\r\nUse of vendor-supplied application extensions. For example, Windows Explorer has public interfaces that\r\nallow third parties to extend its functionality.\r\nInterception of messages.\r\nDebuggers.\r\nExploitation of security vulnerabilities.\r\nFunction hooking or patching of commonly used APIs, for example, to hide a running process or file that\r\nresides on a filesystem.[33]\r\n...since user mode applications all run in their own memory space, the rootkit needs to perform this\r\npatching in the memory space of every running application. In addition, the rootkit needs to monitor the\r\nsystem for any new applications that execute and patch those programs' memory space before they fully\r\nexecute.\r\n— Windows Rootkit Overview, Symantec[4]\r\nKernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing\r\nportions of the core operating system, including both the kernel and associated device drivers.\r\n[citation needed]\r\n Most\r\noperating systems support kernel-mode device drivers, which execute with the same privileges as the operating\r\nsystem itself. 
As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as\r\nloadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted\r\nsecurity access, but is more difficult to write.[34] The complexity makes bugs common, and any bugs in code\r\noperating at the kernel level may seriously impact system stability, leading to discovery of the rootkit.[34] One of\r\nthe first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack magazine in\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 5 of 17\n\n1999 by Greg Hoglund.\r\n[35][36]\r\n Kernel rootkits can be especially difficult to detect and remove because they\r\noperate at the same security level as the operating system itself, and are thus able to intercept or subvert the most\r\ntrusted operating system operations. Any software, such as antivirus software, running on the compromised\r\nsystem is equally vulnerable.[37] In this situation, no part of the system can be trusted.\r\nA rootkit can modify data structures in the Windows kernel using a method known as direct kernel object\r\nmanipulation (DKOM).[38] This method can be used to hide processes. A kernel mode rootkit can also hook the\r\nSystem Service Descriptor Table (SSDT), or modify the gates between user mode and kernel mode, in order to\r\ncloak itself.[4] Similarly for the Linux operating system, a rootkit can modify the system call table to subvert\r\nkernel functionality.\r\n[39][40]\r\n It is common that a rootkit creates a hidden, encrypted filesystem in which it can hide\r\nother malware or original copies of files it has infected.[41] Operating systems are evolving to counter the threat of\r\nkernel-mode rootkits. 
For example, 64-bit editions of Microsoft Windows now implement mandatory signing of\r\nall kernel-level drivers in order to make it more difficult for untrusted code to execute with the highest privileges\r\nin a system.[42]\r\nA kernel-mode rootkit variant called a bootkit can infect startup code like the Master Boot Record (MBR),\r\nVolume Boot Record (VBR), or boot sector, and in this way can be used to attack full disk encryption systems.[43]\r\nAn example of such an attack on disk encryption is the \"evil maid attack\", in which an attacker installs a bootkit\r\non an unattended computer. The envisioned scenario is a maid sneaking into the hotel room where the victims left\r\ntheir hardware.[44] The bootkit replaces the legitimate boot loader with one under their control. Typically the\r\nmalware loader persists through the transition to protected mode when the kernel has loaded, and is thus able to\r\nsubvert the kernel.[45][46][47] For example, the \"Stoned Bootkit\" subverts the system by using a compromised boot\r\nloader to intercept encryption keys and passwords.[48][self-published source?] 
In 2010, the Alureon rootkit has\r\nsuccessfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7, by modifying the\r\nmaster boot record.\r\n[49]\r\n Although not malware in the sense of doing something the user doesn't want, certain \"Vista\r\nLoader\" or \"Windows Loader\" software work in a similar way by injecting an ACPI SLIC (System Licensed\r\nInternal Code) table in the RAM-cached version of the BIOS during boot, in order to defeat the Windows Vista\r\nand Windows 7 activation process.\r\n[citation needed]\r\n This vector of attack was rendered useless in the (non-server)\r\nversions of Windows 8, which use a unique, machine-specific key for each system, that can only be used by that\r\none machine.[50] Many antivirus companies provide free utilities and programs to remove bootkits.\r\nRootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware\r\nvirtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target\r\noperating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the\r\noriginal operating system.[6] Unlike normal hypervisors, they do not have to load before the operating system, but\r\ncan load into an operating system before promoting it into a virtual machine.[6] A hypervisor rootkit does not have\r\nto make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be\r\ndetected by the guest operating system. For example, timing differences may be detectable in CPU instructions.[6]\r\nThe \"SubVirt\" laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is an\r\nacademic example of a virtual-machine–based rootkit (VMBR),[51] while Blue Pill software is another. 
In 2009,\r\nresearchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 6 of 17\n\ncalled Hooksafe, which provides generic protection against kernel-mode rootkits.[52]\r\n Windows 10 introduced a\r\nnew feature called \"Device Guard\", that takes advantage of virtualization to provide independent external\r\nprotection of an operating system against rootkit-type malware.[53]\r\nFirmware and hardware\r\n[edit]\r\nA firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a\r\nrouter, network card,\r\n[54]\r\n hard drive, or the system BIOS.\r\n[32][55]\r\n The rootkit hides in firmware, because firmware\r\nis not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both\r\nACPI firmware routines[56] and in a PCI expansion card ROM.\r\n[57]\r\n In October 2008, criminals tampered with\r\nEuropean credit-card-reading machines before they were installed. The devices intercepted and transmitted credit\r\ncard details via a mobile phone network.[58] In March 2009, researchers Alfredo Ortega and Anibal Sacco\r\npublished details of a BIOS-level Windows rootkit that was able to survive disk replacement and operating system\r\nre-installation.[59][60][61] A few months later they learned that some laptops are sold with a legitimate rootkit,\r\nknown as Absolute CompuTrace or Absolute LoJack for Laptops, preinstalled in many BIOS images. This is an\r\nanti-theft technology system that researchers showed can be turned to malicious purposes.[29]\r\nIntel Active Management Technology, part of Intel vPro, implements out-of-band management, giving\r\nadministrators remote administration, remote management, and remote control of PCs with no involvement of the\r\nhost processor or BIOS, even when the system is powered off. 
Remote administration includes remote power-up\r\nand power-down, remote reset, redirected boot, console redirection, pre-boot access to BIOS settings,\r\nprogrammable filtering for inbound and outbound network traffic, agent presence checking, out-of-band policy-based alerting, access to system information, such as hardware asset information, persistent event logs, and other\r\ninformation that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is\r\ndown or the PC is powered off. Some of these functions require the deepest level of rootkit, a second non-removable spy computer built around the main computer. Sandy Bridge and future chipsets have \"the ability to\r\nremotely kill and restore a lost or stolen PC via 3G\". Hardware rootkits built into the chipset can help recover\r\nstolen computers, remove data, or render them useless, but they also present privacy and security concerns of\r\nundetectable spying and redirection by management or hackers who might gain control.\r\nInstallation and cloaking\r\n[edit]\r\nRootkits employ a variety of techniques to gain control of a system; the type of rootkit influences the choice of\r\nattack vector. The most common technique leverages security vulnerabilities to achieve surreptitious privilege\r\nescalation. Another approach is to use a Trojan horse, deceiving a computer user into trusting the rootkit's\r\ninstallation program as benign—in this case, social engineering convinces a user that the rootkit is beneficial.[34]\r\nThe installation task is made easier if the principle of least privilege is not applied, since the rootkit then does not\r\nhave to explicitly request elevated (administrator-level) privileges. Other classes of rootkits can be installed only\r\nby someone with physical access to the target system. 
Some rootkits may also be installed intentionally by the\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 7 of 17\n\nowner of the system or somebody authorized by the owner, e.g. for the purpose of employee monitoring, rendering\r\nsuch subversive techniques unnecessary.\r\n[62]\r\n Some malicious rootkit installations are commercially driven, with a\r\npay-per-install (PPI) compensation method typical for distribution.[63][64]\r\nOnce installed, a rootkit takes active measures to obscure its presence within the host system through subversion\r\nor evasion of standard operating system security tools and application programming interface (APIs) used for\r\ndiagnosis, scanning, and monitoring.[65] Rootkits achieve this by modifying the behavior of core parts of an\r\noperating system through loading code into other processes, the installation or modification of drivers, or kernel\r\nmodules. Obfuscation techniques include concealing running processes from system-monitoring mechanisms and\r\nhiding system files and other configuration data.[66] It is not uncommon for a rootkit to disable the event logging\r\ncapacity of an operating system, in an attempt to hide evidence of an attack. Rootkits can, in theory, subvert any\r\noperating system activities.[67] The \"perfect rootkit\" can be thought of as similar to a \"perfect crime\": one that\r\nnobody realizes has taken place. Rootkits also take a number of measures to ensure their survival against detection\r\nand \"cleaning\" by antivirus software in addition to commonly installing into Ring 0 (kernel-mode), where they\r\nhave complete access to a system. 
These include polymorphism (changing so their \"signature\" is hard to detect),\r\nstealth techniques, regeneration, disabling or turning off anti-malware software,[68] and not installing on virtual\r\nmachines where it may be easier for researchers to discover and analyze them.\r\nThe fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by\r\na kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components.[67]\r\nActions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave\r\nas expected. In other words, rootkit detectors that work while running on infected systems are only effective\r\nagainst rootkits that have some defect in their camouflage, or that run with lower user-mode privileges than the\r\ndetection software in the kernel.[34] As with computer viruses, the detection and elimination of rootkits is an\r\nongoing struggle between both sides of this conflict.[67] Detection can take a number of different approaches,\r\nincluding looking for virus \"signatures\" (e.g., antivirus software), integrity checking (e.g., digital signatures),\r\ndifference-based detection (comparison of expected vs. actual results), and behavioral detection (e.g., monitoring\r\nCPU usage or network traffic).\r\nFor kernel-mode rootkits, detection is considerably more complex, requiring careful scrutiny of the System Call\r\nTable to look for hooked functions where the malware may be subverting system behavior,\r\n[69]\r\n as well as forensic\r\nscanning of memory for patterns that indicate hidden processes. Unix rootkit detection offerings include Zeppoo,\r\n[70]\r\n chkrootkit, rkhunter and OSSEC. For Windows, detection tools include Microsoft Sysinternals\r\nRootkitRevealer,\r\n[71]\r\n Avast Antivirus,\r\n[72]\r\n Sophos Anti-Rootkit,[73] F-Secure,\r\n[74]\r\n Radix,[75] GMER,\r\n[76]\r\n and\r\nWindowsSCOPE. 
Any rootkit detectors that prove effective ultimately contribute to their own ineffectiveness, as\r\nmalware authors adapt and test their code to escape detection by well-used tools.[Notes 1] Detection by examining\r\nstorage while the suspect operating system is not operational can miss rootkits not recognised by the checking\r\nsoftware, as the rootkit is not active and suspicious behavior is suppressed; conventional anti-malware software\r\nrunning with the rootkit operational may fail if the rootkit hides itself effectively.\r\nAlternative trusted medium\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 8 of 17\n\n[edit]\r\nThe best and most reliable method for operating-system-level rootkit detection is to shut down the computer\r\nsuspected of infection, and then to check its storage by booting from an alternative trusted medium (e.g., a\r\n\"rescue\" CD-ROM or USB flash drive).[77] The technique is effective because a rootkit cannot actively hide its\r\npresence if it is not running.\r\nThe behavioral-based approach to detecting rootkits attempts to infer the presence of a rootkit by looking for\r\nrootkit-like behavior. For example, by profiling a system, differences in the timing and frequency of API calls or\r\nin overall CPU utilization can be attributed to a rootkit. The method is complex and is hampered by a high\r\nincidence of false positives. Defective rootkits can sometimes introduce very obvious changes to a system: the\r\nAlureon rootkit crashed Windows systems after a security update exposed a design flaw in its code.[78][79] Logs\r\nfrom a packet analyzer, firewall, or intrusion prevention system may present evidence of rootkit behaviour in a\r\nnetworked environment.[31]\r\nAntivirus products rarely catch all viruses in public tests (depending on what is used and to what extent), even\r\nthough security software vendors incorporate rootkit detection into their products. 
Should a rootkit attempt to hide\r\nduring an antivirus scan, a stealth detector may notice; if the rootkit attempts to temporarily unload itself from the\r\nsystem, signature detection (or \"fingerprinting\") can still find it.[80] This combined approach forces attackers to\r\nimplement counterattack mechanisms, or \"retro\" routines, that attempt to terminate antivirus programs. Signature-based detection methods can be effective against well-published rootkits, but less so against specially crafted,\r\ncustom-root rootkits.[67]\r\nAnother method that can detect rootkits compares \"trusted\" raw data with \"tainted\" content returned by an API.\r\nFor example, binaries present on disk can be compared with their copies within operating memory (in some\r\noperating systems, the in-memory image should be identical to the on-disk image), or the results returned from file\r\nsystem or Windows Registry APIs can be checked against raw structures on the underlying physical disks[67][81]\r\n—however, in the case of the former, some valid differences can be introduced by operating system mechanisms\r\nlike memory relocation or shimming. A rootkit may detect the presence of such a difference-based scanner or\r\nvirtual machine (the latter being commonly used to perform forensic analysis), and adjust its behaviour so that no\r\ndifferences can be detected. Difference-based detection was used by Russinovich's RootkitRevealer tool to find the\r\nSony DRM rootkit.[1]\r\nhttps://en.wikipedia.org/wiki/Rootkit\r\nPage 9 of 17\n\nThe rkhunter utility uses SHA-1 hashes to verify the integrity of system files.\r\nCode signing uses public-key infrastructure to check if a file has been modified since being digitally signed by its\r\npublisher. 
Alternatively, a system owner or administrator can use a cryptographic hash function to compute a\r\n\"fingerprint\" at installation time that can help to detect subsequent unauthorized changes to on-disk code libraries.\r\n[82]\r\n However, unsophisticated schemes check only whether the code has been modified since installation time;\r\nsubversion prior to that time is not detectable. The fingerprint must be re-established each time changes are made\r\nto the system: for example, after installing security updates or a service pack. The hash function creates a message\r\ndigest, a relatively short code calculated from each bit in the file using an algorithm that creates large changes in\r\nthe message digest with even smaller changes to the original file. By recalculating and comparing the message\r\ndigest of the installed files at regular intervals against a trusted list of message digests, changes in the system can\r\nbe detected and monitored—as long as the original baseline was created before the malware was added.\r\nMore-sophisticated rootkits are able to subvert the verification process by presenting an unmodified copy of the\r\nfile for inspection, or by making code modifications only in memory, reconfiguration registers, which are later\r\ncompared to a white list of expected values.[83] The code that performs hash, compare, or extend operations must\r\nalso be protected—in this context, the notion of an immutable root-of-trust holds that the very first code to\r\nmeasure security properties of a system must itself be trusted to ensure that a rootkit or bootkit does not\r\ncompromise the system at its most fundamental level.[84]\r\nForcing a complete dump of virtual memory will capture an active rootkit (or a kernel dump in the case of a\r\nkernel-mode rootkit), allowing offline forensic analysis to be performed with a debugger against the resulting\r\ndump file, without the rootkit being able to take any measures to cloak itself. 
This technique is highly specialized, and may require access to non-public source code or debugging symbols. Memory dumps initiated by the operating system cannot always be used to detect a hypervisor-based rootkit, which is able to intercept and subvert the lowest-level attempts to read memory[6]—a hardware device, such as one that implements a non-maskable interrupt, may be required to dump memory in this scenario.[85][86] Virtual machines also make it easier to analyze the memory of a compromised machine from the underlying hypervisor, so some rootkits will avoid infecting virtual machines for this reason.\r\nManual removal of a rootkit is often extremely difficult for a typical computer user,[32] but a number of security-software vendors offer tools to automatically detect and remove some rootkits, typically as part of an antivirus suite. As of 2005, Microsoft's monthly Windows Malicious Software Removal Tool is able to detect and remove some classes of rootkits.[87][88] Also, Windows Defender Offline can remove rootkits, as it runs from a trusted environment before the operating system starts.[89] Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit. Instead, they access raw file system structures directly, and use this information to validate the results from the system APIs to identify any differences that may be caused by a rootkit.[Notes 2][90][91][92][93] There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.[94][95] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. 
Booting an alternative operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned and critical data to be copied off—or, alternatively, a forensic examination performed.[31] Lightweight operating systems such as Windows PE, Windows Recovery Console, Windows Recovery Environment, BartPE, or Live Distros can be used for this purpose, allowing the system to be \"cleaned\". Even if the type and nature of a rootkit is known, manual repair may be impractical, while re-installing the operating system and applications is safer, simpler and quicker.[94]\r\nSystem hardening represents one of the first layers of defence against a rootkit, to prevent it from being installed in the first place.[96] Applying security patches, implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware.[97] New secure boot specifications like UEFI have been designed to address the threat of bootkits, but even these are vulnerable if the security features they offer are not utilized.[55] For server systems, remote server attestation using technologies such as Intel Trusted Execution Technology (TXT) provides a way of verifying that servers remain in a known good state. For example, Microsoft Bitlocker's encryption of data-at-rest verifies that servers are in a known \"good state\" on bootup. PrivateCore vCage is a software offering that secures data-in-use (memory) to avoid bootkits and rootkits by verifying servers are in a known \"good\" state on bootup. 
The PrivateCore implementation works in concert with Intel TXT and locks down server system interfaces to avoid potential bootkits and rootkits.\r\nAnother defense mechanism, called the Virtual Wall (VTW) approach, serves as a lightweight hypervisor with rootkit detection and event tracing capabilities. In normal operation (guest mode), Linux runs, and when a loaded LKM violates security policies, the system switches to host mode. The VTW in host mode detects, traces, and classifies rootkit events based on memory access control and event injection mechanisms. Experimental results demonstrate the VTW's effectiveness in timely detection and defense against kernel rootkits with minimal CPU overhead (less than 2%). The VTW is compared favorably to other defense schemes, emphasizing its simplicity in implementation and potential performance gains on Linux servers.[98]\r\nComputer security conference\r\nHost-based intrusion detection system\r\nMan-in-the-middle attack\r\nThe Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System\r\n1. The process name of Sysinternals RootkitRevealer was targeted by malware; in an attempt to counter this countermeasure, the tool now uses a randomly generated process name.\r\n2. In theory, a sufficiently sophisticated kernel-level rootkit could subvert read operations against raw file system data structures as well, so that they match the results returned by APIs.\r\n1. \"Rootkits, Part 1 of 3: The Growing Threat\" (PDF). McAfee. 2006-04-17. Archived from the original (PDF) on 2006-08-23.\r\n2. Evancich, N.; Li, J. (2016-08-23). \"6.2.3 Rootkits\". In Colbert, Edward J. M.; Kott, Alexander (eds.). Cyber-security of SCADA and Other Industrial Control Systems. Springer. p. 100. ISBN 9783319321257 – via Google Books.\r\n3. 
\"What is Rootkit – Definition and Explanation\". www.kaspersky.com. 2021-04-09. Retrieved 2021-11-13.\r\n4. \"Windows Rootkit Overview\" (PDF). Symantec. 2006-03-26. Archived from the original (PDF) on 2010-12-14. Retrieved 2010-08-17.\r\n5. Sparks, Sherri; Butler, Jamie (2005-08-01). \"Raising The Bar For Windows Rootkit Detection\". Phrack. 0xb (x3d).\r\n6. Myers, Michael; Youndt, Stephen (2007-08-07). An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits (Report). Crucial Security. CiteSeerX 10.1.1.90.8832.\r\n7. Andrew Hay; Daniel Cid; Rory Bray (2008). OSSEC Host-Based Intrusion Detection Guide. Syngress. p. 276. ISBN 978-1-59749-240-9 – via Google Books.\r\n8. Thompson, Ken (August 1984). \"Reflections on Trusting Trust\" (PDF). Communications of the ACM. 27 (8): 761. doi:10.1145/358198.358210. Archived (PDF) from the original on 2007-09-24. Retrieved 2010-06-09.\r\n9. Greg Hoglund; James Butler (2006). Rootkits: Subverting the Windows kernel. Addison-Wesley. p. 4. ISBN 978-0-321-29431-9 – via Google Books.\r\n10. Ferrie, Peter (2005-07-01). \"Got [Mac]Root?\" (PDF). Virus Bulletin. Archived (PDF) from the original on 2022-05-28. Retrieved 2025-10-03.\r\n11. \"Stuxnet Introduces the First Known Rootkit for Industrial Control Systems\". Symantec. 2010-08-06. Archived from the original on August 20, 2010. Retrieved 2010-12-04.\r\n12. \"CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS\". Archived from the original on 2025-09-06. Retrieved 2025-10-26.\r\n13. Hern, Alex (2015-08-14). \"Lenovo does it again as LSE component removed after security fears\". The Guardian. ISSN 0261-3077. Retrieved 2025-10-26.\r\n14. \"Is Stuxnet the 'best' malware ever?\". Computerworld. Retrieved 2025-10-26.\r\n15. 
\"The Real Story of Stuxnet - IEEE Spectrum\". spectrum.ieee.org. Retrieved 2025-10-26.\r\n16. Weinberger, Sharon (2011-06-01). \"Computer security: Is this the start of cyberwarfare?\". Nature. 474 (7350): 142–145. doi:10.1038/474142a. ISSN 1476-4687. PMID 21654779.\r\n17. \"Spyware Detail: XCP.Sony.Rootkit\". Computer Associates. 2005-11-05. Archived from the original on 2010-08-18. Retrieved 2010-08-19.\r\n18. Russinovich, Mark (2005-10-31). \"Sony, Rootkits and Digital Rights Management Gone Too Far\". TechNet Blogs. Microsoft. Archived from the original on 2016-01-01. Retrieved 2010-08-16.\r\n19. \"Sony's long-term rootkit CD woes\". BBC News. 2005-11-21. Archived from the original on 2026-02-20. Retrieved 2026-02-20.\r\n20. Felton, Ed (2005-11-15). \"Sony's Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs\".\r\n21. Knight, Will (2005-11-11). \"Sony BMG sued over cloaking software on music CD\". New Scientist. Archived from the original on 2011-01-15. Retrieved 2010-11-21.\r\n22. Kyriakidou, Dina (March 2, 2006). \"\"Greek Watergate\" Scandal Sends Political Shockwaves\". Reuters. Retrieved 2007-11-24. [dead link]\r\n23. Vassilis Prevelakis; Diomidis Spinellis (July 2007). \"The Athens Affair\". Archived from the original on August 1, 2009.\r\n24. Russinovich, Mark (June 2005). \"Unearthing Root Kits\". Windows IT Pro. Archived from the original on 2005-11-03. Retrieved 2026-02-21.\r\n25. Marks, Joseph (July 1, 2021). \"The Cybersecurity 202: DOJ's future is in disrupting hackers, not just indicting them\". The Washington Post. Archived from the original on February 7, 2022. Retrieved July 24, 2021.\r\n26. Steve Hanna (September 2007). \"Using Rootkit Technology for Honeypot-Based Malware Detection\" (PDF). CCEID Meeting.\r\n27. Russinovich, Mark (6 February 2006). 
\"Using Rootkits to Defeat Digital Rights Management\". Winternals. SysInternals. Archived from the original on 14 August 2006. Retrieved 2006-08-13.\r\n28. \"Symantec Releases Update for its Own Rootkit\". HWM (March): 89. 2006 – via Google Books.\r\n29. Ortega, Alfredo; Sacco, Anibal (2009-07-24). Deactivate the Rootkit: Attacks on BIOS anti-theft technologies (PDF). Black Hat USA 2009 (PDF). Boston, MA: Core Security Technologies. Archived (PDF) from the original on 2014-10-16. Retrieved 2014-06-12.\r\n30. Kleissner, Peter (2009-09-02). \"Stoned Bootkit: The Rise of MBR Rootkits \u0026 Bootkits in the Wild\" (PDF). Archived from the original (PDF) on 2011-07-16. Retrieved 2010-11-23.\r\n31. Anson, Steve; Bunting, Steve (2007). Mastering Windows Network Forensics and Investigation. John Wiley and Sons. pp. 73–74. ISBN 978-0-470-09762-5.\r\n32. \"Rootkits Part 2: A Technical Primer\" (PDF). McAfee. 2007-04-03. Archived from the original (PDF) on 2008-12-05. Retrieved 2010-08-17.\r\n33. Kdm. \"NTIllusion: A portable Win32 userland rootkit\". Phrack. 62 (12). Archived from the original on 2026-02-20. Retrieved 2026-02-21.\r\n34. \"Understanding Anti-Malware Technologies\" (PDF). Microsoft. 2007-02-21. Archived from the original (PDF) on 2010-09-11. Retrieved 2010-08-17.\r\n35. Hoglund, Greg (1999-09-09). \"A *REAL* NT Rootkit, Patching the NT Kernel\". Phrack. 9 (55). Archived from the original on 2026-02-20. Retrieved 2026-02-21.\r\n36. Chuvakin, Anton (2003-02-02). An Overview of Unix Rootkits (PDF) (Report). Chantilly, Virginia: iDEFENSE. Archived from the original (PDF) on 2011-07-25. Retrieved 2010-11-21.\r\n37. Butler, James; Sparks, Sherri (2005-11-16). \"Windows Rootkits of 2005, Part Two\". Symantec Connect. Symantec. Retrieved 2010-11-13.\r\n38. 
Butler, James; Sparks, Sherri (2005-11-03). \"Windows Rootkits of 2005, Part One\". Symantec Connect. Symantec. Archived from the original on 2021-01-21. Retrieved 2010-11-12.\r\n39. Burdach, Mariusz (2004-11-17). \"Detecting Rootkits And Kernel-level Compromises In Linux\". Symantec. Archived from the original on 2020-08-10. Retrieved 2010-11-23.\r\n40. Osborne, Charlie (September 17, 2019). \"Skidmap malware buries into the kernel to hide illicit cryptocurrency mining\". ZDNet. Archived from the original on July 25, 2021. Retrieved July 24, 2021.\r\n41. Marco Giuliani (11 April 2011). \"ZeroAccess – An Advanced Kernel Mode Rootkit\" (PDF). Webroot Software. Archived (PDF) from the original on 25 August 2011. Retrieved 10 August 2011.\r\n42. \"Driver Signing Requirements for Windows\". Microsoft. 2017-01-06. Archived from the original on 2026-02-20. Retrieved 2026-02-20.\r\n43. Salter, Jim (July 31, 2020). \"Red Hat and CentOS systems aren't booting due to BootHole patches\". Ars Technica. Retrieved July 24, 2021.\r\n44. Schneier, Bruce (2009-10-23). \"'Evil Maid' Attacks on Encrypted Hard Drives\". Archived from the original on 2026-02-20. Retrieved 2026-02-20.\r\n45. Soeder, Derek; Permeh, Ryan (2007-05-09). \"Bootroot\". eEye Digital Security. Archived from the original on 2013-08-17. Retrieved 2010-11-23.\r\n46. Kumar, Nitin; Kumar, Vipin (2007). Vbootkit: Compromising Windows Vista Security (PDF). Black Hat Europe 2007.\r\n47. \"BOOT KIT: Custom boot sector based Windows 2000/XP/2003 Subversion\". NVlabs. 2007-02-04. Archived from the original on June 10, 2010. Retrieved 2010-11-21.\r\n48. Kleissner, Peter (2013-03-16). \"Stoned Bootkit\". Peter Kleissner. Archived from the original on 2014-12-09. Retrieved 2026-02-20. [self-published source]\r\n49. Goodin, Dan (2010-11-16). \"World's Most Advanced Rootkit Penetrates 64-bit Windows\". 
The Register. Archived from the original on 2010-11-21. Retrieved 2010-11-22.\r\n50. Neil McAllister in San Francisco. \"Microsoft tightens grip on OEM Windows 8 licensing\". www.theregister.com. Archived from the original on 2021-10-08. Retrieved 2021-10-08.\r\n51. King, Samuel T.; Chen, Peter M.; Wang, Yi-Min; Verbowski, Chad; Wang, Helen J.; Lorch, Jacob R. (2006-04-03). \"SubVirt: Implementing malware with virtual machines\" (PDF). 2006 IEEE Symposium on Security and Privacy (S\u0026P'06). Institute of Electrical and Electronics Engineers. pp. 14 pp.-327. doi:10.1109/SP.2006.38. ISBN 0-7695-2574-1. S2CID 1349303. Archived (PDF) from the original on 2008-12-07. Retrieved 2008-09-15.\r\n52. Wang, Zhi; Jiang, Xuxian; Cui, Weidong; Ning, Peng (2009-08-11). \"Countering Kernel Rootkits with Lightweight Hook Protection\" (PDF). In Al-Shaer, Ehab (General Chair) (ed.). Proceedings of the 16th ACM Conference on Computer and Communications Security. CCS 2009: 16th ACM Conference on Computer and Communications Security. Jha, Somesh; Keromytis, Angelos D. (Program Chairs). New York: ACM New York. doi:10.1145/1653662.1653728. ISBN 978-1-60558-894-0. Archived (PDF) from the original on 2009-12-29. Retrieved 2009-11-11.\r\n53. \"Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)\". 11 July 2023.\r\n54. Delugré, Guillaume (2010-11-21). Reversing the Broacom NetExtreme's Firmware (PDF). hack.lu. Sogeti. Archived from the original (PDF) on 2012-04-25. Retrieved 2010-11-25.\r\n55. \"Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems - TrendLabs Security Intelligence Blog\". 2015-07-13. Archived from the original on 2015-07-23. Retrieved 2015-07-15.\r\n56. Heasman, John (2006-01-25). Implementing and Detecting an ACPI BIOS Rootkit (PDF). Black Hat Federal 2006. NGS Consulting. 
Archived (PDF) from the original on 2011-02-27. Retrieved 2010-11-21.\r\n57. Heasman, John (2006-11-15). \"Implementing and Detecting a PCI Rootkit\" (PDF). Next Generation Security Software. CiteSeerX: 10.1.1.89.7305. Retrieved 2010-11-13.\r\n58. Modine, Austin (2008-10-10). \"Organized crime tampers with European card swipe devices: Customer data beamed overseas\". The Register. Situation Publishing. Archived from the original on 2008-10-13. Retrieved 2008-10-13.\r\n59. Sacco, Anibal; Ortéga, Alfredo (2009). Persistent BIOS infection (PDF). CanSecWest 2009. Core Security Technologies. Archived from the original (PDF) on 2011-07-08. Retrieved 2010-11-21.\r\n60. Goodin, Dan (2009-03-24). \"Newfangled rootkits survive hard disk wiping\". The Register. Situation Publishing. Retrieved 2009-03-25.\r\n61. Sacco, Anibal; Ortéga, Alfredo (2009-06-01). \"Persistent BIOS Infection: The Early Bird Catches the Worm\". Phrack. 66 (7). Archived from the original on 2026-02-20. Retrieved 2026-02-20.\r\n62. Ric Vieler (2007). Professional Rootkits. John Wiley \u0026 Sons. p. 244. ISBN 9780470149546.\r\n63. Matrosov, Aleksandr; Rodionov, Eugene (2010-06-25). \"TDL3: The Rootkit of All Evil?\" (PDF). Moscow: ESET. p. 3. Archived from the original (PDF) on 2011-05-13. Retrieved 2010-08-17.\r\n64. Matrosov, Aleksandr; Rodionov, Eugene (2011-06-27). \"The Evolution of TDL: Conquering x64\" (PDF). ESET. Archived from the original (PDF) on 2015-07-29. Retrieved 2011-08-08.\r\n65. Gatlan, Sergiu (May 6, 2021). \"New Moriya rootkit used in the wild to backdoor Windows systems\". Bleeping Computer. Retrieved July 24, 2021.\r\n66. Brumley, David (1999-11-16), \"Invisible Intruders: rootkits in practice\" (pdf), Login, USENIX Association, pp. 27–29, retrieved 2007-08-27. [dead link]\r\n67. 
Davis, Michael A.; Bodmer, Sean; LeMasters, Aaron (2009-09-03). \"Chapter 10: Rootkit Detection\" (PDF). Hacking Exposed Malware \u0026 Rootkits: Malware \u0026 rootkits security secrets \u0026 solutions. New York: McGraw Hill Professional. ISBN 978-0-07-159118-8. Archived from the original (PDF) on 2012-03-08. Retrieved 2010-08-14.\r\n68. Trlokom (2006-07-05). \"Defeating Rootkits and Keyloggers\" (PDF). Trlokom. Archived from the original (PDF) on 2011-07-17. Retrieved 2010-08-17.\r\n69. Dai Zovi, Dino (2011). \"Kernel Rootkits\". Archived from the original on September 10, 2012. Retrieved 13 Sep 2012.\r\n70. \"Zeppoo\". SourceForge. 18 July 2009. Retrieved 8 August 2011.\r\n71. Cogswell, Bryce; Russinovich, Mark (2006-11-01). \"RootkitRevealer v1.71\". Microsoft. Archived from the original on 2017-07-01. Retrieved 2010-11-13.\r\n72. \"Rootkit \u0026 Anti-rootkit\". Retrieved 13 September 2017.\r\n73. \"Sophos Anti-Rootkit\". Sophos. Archived from the original on 2012-11-19. Retrieved 2026-02-20.\r\n74. \"BlackLight\". F-Secure. Archived from the original on 2011-01-01. Retrieved 2026-02-21.\r\n75. \"Radix Anti-Rootkit\". usec.at. Archived from the original on 2022-07-03. Retrieved 2026-02-21.\r\n76. \"GMER\". Archived from the original on 2026-02-16. Retrieved 2026-02-21.\r\n77. Harriman, Josh (2007-10-19). \"A Testing Methodology for Rootkit Removal Effectiveness\" (PDF). Dublin, Ireland: Symantec Security Response. Archived from the original (PDF) on 2009-10-07. Retrieved 2010-08-17.\r\n78. Cuibotariu, Mircea (2010-02-12). \"Tidserv and MS10-015\". Symantec. Retrieved 2010-08-19.\r\n79. \"Restart Issues After Installing MS10-015\". Microsoft. 2010-02-11. Retrieved 2010-10-05.\r\n80. Steinberg, Joseph (June 9, 2021). \"What You Need To Know About Keyloggers\". 
bestantivirus.com. Archived from the original on June 4, 2023. Retrieved July 24, 2021.\r\n81. \"Strider GhostBuster Rootkit Detection\". Microsoft Research. 2010-01-28. Archived from the original on 2016-07-07. Retrieved 2026-02-21.\r\n82. \"Signing and Checking Code with Authenticode\". Microsoft. Archived from the original on 2008-12-29. Retrieved 2008-09-15.\r\n83. \"Stopping Rootkits at the Network Edge\" (PDF). Beaverton, Oregon: Trusted Computing Group. January 2017. Retrieved 2008-07-11.\r\n84. \"TCG PC Specific Implementation Specification, Version 1.1\" (PDF). Trusted Computing Group. 2003-08-18. Archived (PDF) from the original on 2011-09-28. Retrieved 2010-11-22.\r\n85. \"How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system\". Microsoft. Archived from the original on 2015-03-24. Retrieved 2010-11-13.\r\n86. Seshadri, Arvind; et al. (2005). \"Pioneer\". Proceedings of the twentieth ACM symposium on Operating systems principles. Carnegie Mellon University. pp. 1–16. doi:10.1145/1095810.1095812. ISBN 1595930795. S2CID 9960430.\r\n87. Dillard, Kurt (2005-08-03). \"Rootkit battle: Rootkit Revealer vs. Hacker Defender\". Archived from the original on 2014-02-13. Retrieved 2026-02-21.\r\n88. \"The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP\". Microsoft. 2010-09-14. Archived from the original on 2016-12-30. Retrieved 2016-05-16.\r\n89. Bettany, Andrew; Halsey, Mike (2017). Windows Virus and Malware Troubleshooting. Apress. p. 17. ISBN 9781484226070 – via Google Books.\r\n90. Hultquist, Steve (2007-04-30). \"Rootkits: The next big enterprise threat?\". InfoWorld. Archived from the original on 2015-09-26. Retrieved 2010-11-21.\r\n91. 
\"Security Watch: Rootkits for fun and profit\". CNET Reviews. 2007-01-19. Archived from the original on 2012-10-08. Retrieved 2009-04-07.\r\n92. Bort, Julie (2007-09-29). \"Six ways to fight back against botnets\". PCWorld. San Francisco: PCWorld Communications. Archived from the original on 2012-10-11. Retrieved 2009-04-07.\r\n93. Hoang, Mimi (2006-11-02). \"Handling Today's Tough Security Threats: Rootkits\". Symantec Connect. Symantec. Archived from the original on 2021-07-26. Retrieved 2010-11-21.\r\n94. Danseglio, Mike; Bailey, Tony (2005-10-06). \"Rootkits: The Obscure Hacker Attack\". Microsoft.\r\n95. Messmer, Ellen (2006-08-26). \"Experts Divided Over Rootkit Detection and Removal\". NetworkWorld.com. Framingham, Mass.: IDG. Archived from the original on 2024-11-02. Retrieved 2010-08-15.\r\n96. Skoudis, Ed; Zeltser, Lenny (2004). Malware: Fighting Malicious Code. Prentice Hall PTR. p. 335. ISBN 978-0-13-101405-3.\r\n97. Hannel, Jeromey (2003-01-23). \"Linux RootKits For Beginners - From Prevention to Removal\". SANS Institute. Archived from the original (PDF) on October 24, 2010. Retrieved 2010-11-22.\r\n98. Li, Yong-Gang; Chung, Yeh-Ching; Hwang, Kai; Li, Yue-Jin (2021). \"Virtual Wall: Filtering Rootkit Attacks to Protect Linux Kernel Functions\". IEEE Transactions on Computers. 70 (10): 1640–1653. Bibcode:2021ITCmp..70.1640L. doi:10.1109/TC.2020.3022023. S2CID 226480878.\r\nBlunden, Bill (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Wordware. ISBN 978-1-59822-061-2.\r\nHoglund, Greg; Butler, James (2005). Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional. ISBN 978-0-321-29431-9.\r\nGrampp, F. T.; Morris, Robert H. Sr. (October 1984). \"The UNIX System: UNIX Operating System Security\". AT\u0026T Bell Laboratories Technical Journal. 62 (8): 1649–1672. 
Bibcode:1984BSTJ...63.1649G. doi:10.1002/j.1538-7305.1984.tb00058.x. S2CID 26877484.\r\nKong, Joseph (2007). Designing BSD Rootkits. No Starch Press. ISBN 978-1-59327-142-8.\r\nVeiler, Ric (2007). Professional Rootkits. Wrox. ISBN 978-0-470-10154-4.\r\nMedia related to Rootkits at Wikimedia Commons\r\nSource: https://en.wikipedia.org/wiki/Rootkit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Rootkit"
	],
	"report_names": [
		"Rootkit"
	],
	"threat_actors": [
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a08b6b717d13f55e6bebc4a0033a6a526ee8f13b.pdf",
		"text": "https://archive.orkl.eu/a08b6b717d13f55e6bebc4a0033a6a526ee8f13b.txt",
		"img": "https://archive.orkl.eu/a08b6b717d13f55e6bebc4a0033a6a526ee8f13b.jpg"
	}
}