Some Observations on Rootkits

Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active in the first place, if the computer is already infected by a rootkit, things get more interesting: antimalware technologies must use sophisticated techniques to scan for and detect, and finally to remove, a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.

How big is the rootkit problem?

Of all infections reported from client machines, about 7% involve a low-level rootkit.


Of course, measuring the prevalence of rootkits is not entirely straightforward; by definition rootkits do everything they can to remain unseen. When we added some additional checks to our default scheduled scan to look for files that are hidden from Windows API calls, some threats that had appeared relatively benign suddenly revealed that they had moved to using a rootkit to try to avoid detection:

Worst of the worst

In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports:


You can learn more about these top families in the Malware Encyclopedia:

This list includes threats that tried to run and were blocked by real-time protection. If we look at threats that had files detected as being actively hidden on disk from Windows, we get a somewhat different picture.


Rootkits in their natural habitat

Rootkits tend to hide their malicious binaries on disk in predetermined locations. Here are the most popular locations we see hidden rootkit binaries living on the hard disk:

Rank  Location            Example
1     %system%\drivers    c:\windows\system32\drivers
2     user temp           c:\Users\username\AppData\Local\Temp
3     %system%            c:\windows\system32
4     system drive root   c:\
5     windows temp        c:\windows\temp
6     %windows%           c:\windows
7     install folder      location the installer was run from


Windows may not show anything unusual in these locations, but a more thorough antirootkit scan can shine a light on the hidden rootkit threats and take appropriate action.

Hidden file types

In terms of the type of file being hidden on users' computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising.

Type % of rootkit threats
SYS 59%
EXE 40%
DLL 1%

Kernel-health screening

Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel.

Here’s a sample of report volume showing computers that have had their Windows kernel altered, across a recent consecutive 10-day period:

That’s about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide. If the kernel is already hooked by a “legitimate” program, the rootkit can hook at the next level, making it more difficult to trace the hook chain to the malicious code.
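Two of the tampering checks a kernel-health scan of this kind performs, written here as an added illustration over a constructed memory snapshot (this is not the antimalware client's implementation): first, x86 system service table entries that point outside the kernel image, and second, function prologues in memory that no longer match the clean on-disk bytes, followed hop by hop through jmp and push/ret trampolines so that a rootkit hooked behind a "legitimate" hook is still attributed. Every address, module name (legit.sys), table entry and byte region below is invented for the example; the only real-world detail is the 8B FF 55 8B EC sequence, the standard hot-patchable x86 prologue (mov edi,edi; push ebp; mov ebp,esp).

```python
"""Kernel-health checks over a constructed memory snapshot (added example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as the loaded-module list reports it."""
    name: str
    base: int
    size: int


class Memory:
    """Stand-in for reading kernel memory: byte regions keyed by address."""

    def __init__(self, regions: dict[int, bytes]) -> None:
        self.regions = regions

    def read(self, addr: int, n: int) -> bytes | None:
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        return None


def module_for(addr: int, modules: list[Module]) -> str:
    """Owner of addr; code with no owner is the classic sign of a driver
    that unlinked itself from the loaded-module list."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return "<unknown module>"


def ssdt_hooks(ssdt: list[int], modules: list[Module],
               kernel: str = "ntoskrnl.exe") -> list[tuple[int, str]]:
    """Check 1: every x86 service table entry should point into the kernel
    image. Returns (index, owner) for each entry that does not."""
    owners = [(i, module_for(a, modules)) for i, a in enumerate(ssdt)]
    return [(i, o) for i, o in owners if o != kernel]


def decode_jump(code: bytes, addr: int, mem: Memory) -> int | None:
    """Target of the trampolines inline hooks commonly plant at an entry point."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & MASK32
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:  # jmp dword ptr [abs32]
        ptr = mem.read(struct.unpack_from("<I", code, 2)[0], 4)
        return struct.unpack("<I", ptr)[0] if ptr else None
    return None


def trace_hook_chain(mem: Memory, entry: int, modules: list[Module],
                     max_hops: int = 8) -> list[tuple[int, str]]:
    """Follow trampolines from entry, attributing each hop; a rootkit that
    hooks behind a legitimate hook shows up as a later hop."""
    chain, seen, addr = [(entry, module_for(entry, modules))], {entry}, entry
    for _ in range(max_hops):
        code = mem.read(addr, 6)
        target = decode_jump(code, addr, mem) if code else None
        if target is None or target in seen:
            break
        seen.add(target)
        chain.append((target, module_for(target, modules)))
        addr = target
    return chain


def check_function(entry: int, clean_prologue: bytes, mem: Memory,
                   modules: list[Module]) -> list[tuple[int, str]] | None:
    """Check 2: compare the live prologue with the clean (on-disk, relocated)
    bytes. None if untouched, otherwise the hook chain starting at entry."""
    if mem.read(entry, len(clean_prologue)) == clean_prologue:
        return None
    return trace_hook_chain(mem, entry, modules)


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` placed at src (used only to build the sample snapshot)."""
    return b"\xE9" + struct.pack("<I", (dst - (src + 5)) & MASK32)


def push_ret(dst: int) -> bytes:
    return b"\x68" + struct.pack("<I", dst) + b"\xC3"


# --- constructed scenario: every address, name and table below is invented ---
MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x200000),
    Module("legit.sys", 0xF8000000, 0x10000),   # hypothetical filter driver
    # the rootkit at 0xF9000000 is absent on purpose: it unlinked itself
]
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")   # mov edi,edi; push ebp; mov ebp,esp
HOOKED_SVC = 0x80412340   # hypothetical entry of a directory-enumeration service
CLEAN_SVC = 0x80415000    # hypothetical entry of an untouched service
MEM = Memory({
    HOOKED_SVC: jmp_rel32(HOOKED_SVC, 0xF8001000) + b"\x90" * 3,  # legit.sys hook
    0xF8001000: push_ret(0xF9000100) + b"\x90" * 2,               # forwards to rootkit
    0xF9000100: bytes.fromhex("558BEC83EC10"),                    # rootkit's own prologue
    CLEAN_SVC: CLEAN_PROLOGUE + b"\x90" * 3,
})
SAMPLE_SSDT = [0x80410000, 0x80411000, HOOKED_SVC, 0xF9000200]

if __name__ == "__main__":
    print("SSDT entries outside the kernel:", ssdt_hooks(SAMPLE_SSDT, MODULES))
    for name, entry in (("hooked service", HOOKED_SVC), ("clean service", CLEAN_SVC)):
        chain = check_function(entry, CLEAN_PROLOGUE, MEM, MODULES)
        print(name, "->", "clean" if chain is None else
              " -> ".join(f"{hex(a)} ({o})" for a, o in chain))
```

Two things the run shows. The hooked service's chain ends in code with no owning module, which is the tell worth alerting on; a hop into legit.sys on its own would just be the kind of kernel modification the 1-in-100 figure mostly consists of. And SSDT entry 2 points correctly into the kernel yet is inline-hooked, so the table check alone would miss it; the prologue comparison and the table check need to be run together.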

An unspoiled landscape

As Joe pointed out in his recent post on the 64-bit malware landscape, running 64-bit Windows offers even more protection for customers. For the rootkit space, the difference between 64-bit and 32-bit is even more pronounced.

In fact, it’s likely that an even smaller percentage of the reported rootkit threats from 64-bit computers were actually able to successfully become active and hide anything. Enforced driver signing and features such as Kernel Patch Protection make 64-bit Windows a much more hostile environment for rootkits.

Parting thoughts

We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys. Regardless, here are a couple tips to avoid getting hit by a rootkit:

  • Keep real-time protection enabled
    While running up-to-date antimalware software is essential, it does little good if you turn off the real-time protection feature. If you lower your defenses and a rootkit does get through, finding and removing it can be a tricky endeavor. Keep your defenses up and you're much less likely to have headaches down the road.
  • Run 64-bit Windows
    For the time being, users running 64-bit Windows appear to be less likely to be compromised by rootkits. While the threat landscape is co
