Friday, May 17, 2013

Rootkits Part 1 - Types of rootkits


Alright, this should be a fairly short post to give you a basic understanding of the various types of rootkits.

If you haven't read the first part of the blog series, I would suggest you do so. It can be found here.

Let's begin --->

So rootkits come in a few different types, and each type is defined by where on the system it runs. That position decides what it can and cannot do, and also what can and cannot see it.

Types of rootkits:

  • User mode rootkits
  • Kernel mode rootkits
  • Bootkits
  • Hypervisor rootkits
  • Firmware rootkits

User Mode:

User mode rootkits live at the application level (Ring 3), so they run with the same permissions as ordinary applications and have no direct access to the kernel. They work by hooking the standard APIs that other applications call: patching a library's function entry points or import table on Windows, or getting loaded ahead of libc through LD_PRELOAD on *nix. Once a call such as a directory listing or a process enumeration passes through the rootkit's code, it can filter the results and change the hooked application's behaviour without that application knowing. Because nothing in the kernel was touched, anything that asks the kernel directly (a raw system call, or a tool the rootkit did not hook) still sees the truth, and that gap is the basis of most user mode rootkit detection.
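To make that concrete, here is an added example written for this post (not code from the original page). It simulates what a hooked readdir() does, hiding every entry whose name starts with a chosen prefix, and then runs the cross-view check a detector would use: ask the kernel for the same listing through the getdents64 system call and compare the counts. The "_rk_" prefix, the sample directory contents and the function names are assumptions for the demonstration; the filter is a plain wrapper rather than an LD_PRELOAD interposer so the program runs stand-alone, and the getdents64 part is Linux-only.

```c
/*
 * Added example, not from the original post: a user-mode rootkit filters
 * what readdir() returns to the application, so a cross-view check that asks
 * the kernel directly via getdents64 sees what the hooked call does not.
 * The filter is a plain wrapper (not an LD_PRELOAD interposer) so this runs as
 * one program. Linux-only because of getdents64. The "_rk_" prefix and the
 * sample file names are assumptions chosen for the demo.
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define HIDE_PREFIX "_rk_"   /* names our hypothetical rootkit hides */

/* Layout of the records getdents64 writes into the caller's buffer. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* What a hooked readdir() does: skip the entries the rootkit wants hidden. */
static struct dirent *hooked_readdir(DIR *dp) {
    struct dirent *de;
    while ((de = readdir(dp)) != NULL) {
        if (strncmp(de->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;               /* hidden from the application */
        return de;
    }
    return NULL;
}

/* Entry count as an application going through the (hooked) libc path sees it. */
int count_via_readdir(const char *path) {
    if (!path) return -1;
    DIR *dp = opendir(path);
    if (!dp) return -1;
    int n = 0;
    while (hooked_readdir(dp) != NULL) n++;
    closedir(dp);
    return n;
}

/* Entry count obtained by asking the kernel directly, bypassing libc's readdir(). */
int count_via_getdents64(const char *path) {
    if (!path) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;      /* 0 = end of directory, <0 = error */
        for (long pos = 0; pos < nread; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            n++;
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Cross-view check: how many entries the user-mode view is missing (-1 on error). */
int hidden_entry_count(const char *path) {
    int lib_view = count_via_readdir(path);
    int kern_view = count_via_getdents64(path);
    if (lib_view < 0 || kern_view < 0) return -1;
    return kern_view - lib_view;
}

/* Creates a scratch directory with one visible and one "hidden" file on first
 * call (constructed sample data) and returns its path, or NULL on failure. */
const char *sample_dir(void) {
    static char dir[] = "/tmp/rkdemoXXXXXX";
    static int ready = 0;
    if (ready) return dir;
    if (mkdtemp(dir) == NULL) return NULL;
    const char *names[] = { "notes.txt", HIDE_PREFIX "payload" };
    for (int i = 0; i < 2; i++) {
        char p[128];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_CREAT | O_WRONLY, 0600);
        if (fd < 0) return NULL;
        close(fd);
    }
    ready = 1;
    return dir;
}

int main(void) {
    const char *dir = sample_dir();
    if (!dir) return 1;
    printf("readdir view:    %d entries\n", count_via_readdir(dir));
    printf("getdents64 view: %d entries\n", count_via_getdents64(dir));
    printf("hidden entries:  %d\n", hidden_entry_count(dir));
    return 0;
}
```

The readdir view reports 3 entries (".", ".." and notes.txt) while getdents64 reports 4; the difference is the hidden file. A real preload rootkit exports readdir() itself and chains to the genuine one via dlsym(RTLD_NEXT, "readdir"), which is why a detector doing this comparison should be statically linked or at least check that no preload library is loaded into its own process.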

Kernel Mode:

Kernel mode rootkits run at the kernel level (Ring 0) and are thus able to do basically whatever they want. They usually come in the form of device drivers (Windows) or loadable kernel modules (*nix). Because they run with the same privilege as the OS itself, they can subvert the OS's own operations, for example by patching the system call table or the kernel's own bookkeeping of processes and files, so even tools that ask the kernel directly get the rootkit's answer. That makes them much harder to detect from inside the running system. The flip side is that a bug in the rootkit crashes the whole machine rather than a single process, and that kind of instability is often what leads to the rootkit's discovery.


Bootkits:

Bootkits are a form of kernel mode rootkit that replaces or modifies the bootloader (the MBR/VBR, or the EFI boot files), so the malicious code runs before the operating system does and can patch the kernel as it loads. Because the bootloader also runs before full disk encryption is unlocked, a tampered bootloader can capture the encryption passphrase, which is the point of the "Evil Maid Attack": an attacker with brief physical access plants the bootkit and collects the key the next time the user boots. Bootkits are becoming common among cybercriminals, who also use MBR-level code to lock a user out of their system and demand a ransom to gain back control.


Hypervisor:

These rootkits run at ring -1: they use the CPU's hardware virtualization extensions to slip a thin hypervisor underneath the running OS, which keeps running as a guest without knowing it has been moved. That gives them a higher privilege level than even Ring 0 rootkits (kernel mode), since every privileged operation the guest performs can be intercepted. "A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. For example, timing differences may be detectable in CPU instructions." ~ Wikipedia


Firmware:

These rootkits are based in the firmware of chips, or the hardware. They are extremely hard to detect because firmware code isn't normally inspected for rootkits, and yes, these rootkits have been seen in the wild. They can hide in the NIC, the hard drive, the system BIOS or wherever else firmware runs, and since they live outside the operating system they survive a reinstall or a disk wipe. The new EFI that replaced the BIOS even has a rootkit for it already, a proof of concept called "Dreamboot".

So now you have an idea of the different types of rootkits that are out there; this is just to give you a quick understanding of them. We will mainly focus on user and kernel mode rootkits, and maybe venture into hypervisor rootkits, who knows.

Next up we will dig a little more into how rootkits work.

Feel free to leave feedback in comments or drop me a line on Twitter.
