Rootkit - Wikipedia
class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-page-titlebar-toc" class="vector-dropdown vector-page-titlebar-toc vector-button-flush-left" title="Table of Contents" > <input type="checkbox" id="vector-page-titlebar-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-titlebar-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-page-titlebar-toc-label" for="vector-page-titlebar-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-listBullet mw-ui-icon-wikimedia-listBullet"></span> <span class="vector-dropdown-label-text">Toggle the table of contents</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-titlebar-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Rootkit</span></h1> <div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="Go to an article in another language. 
class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Software designed to enable access to unauthorized locations in a computer</div> <p>A <b>rootkit</b> is a collection of <a href="/wiki/Software" title="Software">computer software</a>, typically malicious, designed to enable access to a <a href="/wiki/Computer" 
title="Computer">computer</a> or an area of its <a href="/wiki/Software" title="Software">software</a> that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.<sup id="cite_ref-McAfee1_1-0" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> The term <i>rootkit</i> is a <a href="/wiki/Compound_(linguistics)" title="Compound (linguistics)">compound</a> of "<a href="/wiki/Superuser" title="Superuser">root</a>" (the traditional name of the <a href="/wiki/Superuser" title="Superuser">privileged account</a> on <a href="/wiki/Unix-like" title="Unix-like">Unix-like</a> operating systems) and the word "kit" (which refers to the software components that implement the tool).<sup id="cite_ref-2" class="reference"><a href="#cite_note-2"><span class="cite-bracket">[</span>2<span class="cite-bracket">]</span></a></sup> The term "rootkit" has negative connotations through its association with <a href="/wiki/Malware" title="Malware">malware</a>.<sup id="cite_ref-McAfee1_1-1" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> </p><p>Rootkit installation can be automated, or an <a href="/wiki/Security_hacker" title="Security hacker">attacker</a> can install it after having obtained root or administrator access.<sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">[</span>3<span class="cite-bracket">]</span></a></sup> Obtaining this access is a result of direct attack on a system, i.e. 
exploiting a vulnerability (such as <a href="/wiki/Privilege_escalation" title="Privilege escalation">privilege escalation</a>) or a <a href="/wiki/Password" title="Password">password</a> (obtained by <a href="/wiki/Password_cracking" title="Password cracking">cracking</a> or <a href="/wiki/Social_engineering_(security)" title="Social engineering (security)">social engineering</a> tactics like "<a href="/wiki/Phishing" title="Phishing">phishing</a>"). Once the rootkit is installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent the rootkit. </p><p>Rootkit detection is difficult because a rootkit may be able to subvert the very software that is intended to find it. Detection methods include using an alternative, trusted <a href="/wiki/Operating_system" title="Operating system">operating system</a>, behavior-based methods, signature scanning, difference scanning, and <a href="/wiki/Core_dump" title="Core dump">memory dump</a> analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the <a href="/wiki/Kernel_(operating_system)" title="Kernel (operating system)">kernel</a>; reinstallation of the operating system may be the only available solution to the problem. When dealing with <a href="/wiki/Firmware" title="Firmware">firmware</a> rootkits, removal may require <a href="/wiki/Computer_hardware" title="Computer hardware">hardware</a> replacement or specialized equipment. 
</p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="History">History</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=1" title="Edit section: History"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The term <i>rootkit</i>, <i>rkit</i>, or <i>root kit</i> originally referred to a maliciously modified set of administrative tools for a <a href="/wiki/Unix-like" title="Unix-like">Unix-like</a> <a href="/wiki/Operating_system" title="Operating system">operating system</a> that granted "<a href="/wiki/Superuser" title="Superuser">root</a>" access.<sup id="cite_ref-Symantec_4-0" class="reference"><a href="#cite_note-Symantec-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate <a href="/wiki/System_administrator" title="System administrator">system administrator</a>. 
These first-generation rootkits were trivial to detect by using uncompromised tools, such as <a href="/wiki/Open_Source_Tripwire" title="Open Source Tripwire">Tripwire</a>, to access the same information.<sup id="cite_ref-Sparks-Bar_5-0" class="reference"><a href="#cite_note-Sparks-Bar-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-Harris_6-0" class="reference"><a href="#cite_note-Harris-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for <a href="/wiki/Sun_Microsystems" title="Sun Microsystems">Sun Microsystems</a>' <a href="/wiki/SunOS" title="SunOS">SunOS</a> UNIX operating system.<sup id="cite_ref-7" class="reference"><a href="#cite_note-7"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> In the lecture he gave upon receiving the <a href="/wiki/Turing_Award" title="Turing Award">Turing Award</a> in 1983, <a href="/wiki/Ken_Thompson" title="Ken Thompson">Ken Thompson</a> of <a href="/wiki/Bell_Labs" title="Bell Labs">Bell Labs</a>, one of the creators of <a href="/wiki/Unix" title="Unix">Unix</a>, theorized about subverting the <a href="/wiki/C_compiler" class="mw-redirect" title="C compiler">C compiler</a> in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix <code>login</code> command and generate altered code that would accept not only the user's correct password, but also an additional "<a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">backdoor</a>" password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler and would insert the same exploits into the new compiler. 
A review of the source code for the <code>login</code> command or the updated compiler would not reveal any malicious code.<sup id="cite_ref-Turing_Award_Lecture_8-0" class="reference"><a href="#cite_note-Turing_Award_Lecture-8"><span class="cite-bracket">[</span>8<span class="cite-bracket">]</span></a></sup> This exploit was equivalent to a rootkit. </p><p>The first documented <a href="/wiki/Computer_virus" title="Computer virus">computer virus</a> to target the <a href="/wiki/Personal_computer" title="Personal computer">personal computer</a>, discovered in 1986, used <a href="/wiki/Cloaking" title="Cloaking">cloaking</a> techniques to hide itself: the <a href="/wiki/Brain_(computer_virus)" title="Brain (computer virus)">Brain virus</a> intercepted attempts to read the <a href="/wiki/Boot_sector" title="Boot sector">boot sector</a>, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.<sup id="cite_ref-McAfee1_1-2" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> Over time, <a href="/wiki/DOS" title="DOS">DOS</a>-virus cloaking methods became more sophisticated. 
Advanced techniques included <a href="/wiki/Hooking" title="Hooking">hooking</a> low-level disk <a href="/wiki/INT_13H" title="INT 13H">INT 13H</a> BIOS <a href="/wiki/Interrupt" title="Interrupt">interrupt</a> calls to hide unauthorized modifications to files.<sup id="cite_ref-McAfee1_1-3" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> </p><p>The first malicious rootkit for the <a href="/wiki/Windows_NT" title="Windows NT">Windows NT</a> operating system appeared in 1999: a trojan called <i>NTRootkit</i> created by <a href="/wiki/Greg_Hoglund" title="Greg Hoglund">Greg Hoglund</a>.<sup id="cite_ref-Hoglund_9-0" class="reference"><a href="#cite_note-Hoglund-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> It was followed by <i>HackerDefender</i> in 2003.<sup id="cite_ref-McAfee1_1-4" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> The first rootkit targeting <a href="/wiki/MacOS" title="MacOS">Mac OS X</a> appeared in 2009,<sup id="cite_ref-10" class="reference"><a href="#cite_note-10"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup> while the <a href="/wiki/Stuxnet" title="Stuxnet">Stuxnet</a> worm was the first to target <a href="/wiki/Programmable_logic_controller" title="Programmable logic controller">programmable logic controllers</a> (PLC).<sup id="cite_ref-11" class="reference"><a href="#cite_note-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Sony_BMG_copy_protection_rootkit_scandal">Sony BMG copy protection rootkit scandal</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=2" title="Edit section: Sony BMG copy protection rootkit 
scandal"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <figure class="mw-default-size mw-halign-right" typeof="mw:File/Thumb"><a href="/wiki/File:RootkitRevealer.png" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/en/thumb/9/9c/RootkitRevealer.png/250px-RootkitRevealer.png" decoding="async" width="220" height="157" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/9/9c/RootkitRevealer.png/330px-RootkitRevealer.png 1.5x, //upload.wikimedia.org/wikipedia/en/9/9c/RootkitRevealer.png 2x" data-file-width="373" data-file-height="267" /></a><figcaption>Screenshot of <a href="/wiki/RootkitRevealer" title="RootkitRevealer">RootkitRevealer</a>, showing the files hidden by the <a href="/wiki/Extended_Copy_Protection" title="Extended Copy Protection">Extended Copy Protection</a> rootkit</figcaption></figure> <style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output .hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Sony_BMG_copy_protection_rootkit_scandal" title="Sony BMG copy protection rootkit scandal">Sony BMG copy protection rootkit scandal</a></div> <p>In 2005, <a href="/wiki/Sony_BMG" title="Sony BMG">Sony BMG</a> published <a href="/wiki/Compact_disc" title="Compact disc">CDs</a> with <a href="/wiki/Copy_protection" title="Copy protection">copy protection</a> and <a href="/wiki/Digital_rights_management" title="Digital rights management">digital rights management</a> software called <a href="/wiki/Extended_Copy_Protection" title="Extended Copy Protection">Extended Copy Protection</a>, created by software company First 4 Internet. 
The software included a music player but silently installed a rootkit which limited the user's ability to access the CD.<sup id="cite_ref-CA-XCP_12-0" class="reference"><a href="#cite_note-CA-XCP-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> Software engineer <a href="/wiki/Mark_Russinovich" title="Mark Russinovich">Mark Russinovich</a>, who created the rootkit detection tool <a href="/wiki/RootkitRevealer" title="RootkitRevealer">RootkitRevealer</a>, discovered the rootkit on one of his computers.<sup id="cite_ref-McAfee1_1-5" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> The ensuing scandal raised the public's awareness of rootkits.<sup id="cite_ref-markrussinovich_13-0" class="reference"><a href="#cite_note-markrussinovich-13"><span class="cite-bracket">[</span>13<span class="cite-bracket">]</span></a></sup> To cloak itself, the rootkit hid any file starting with "$sys$" from the user. 
Soon after Russinovich's report, malware appeared which took advantage of the existing rootkit on affected systems: because the cloaking applied to any file whose name began with "$sys$", regardless of which program had created it, unrelated malware could conceal itself simply by adopting that prefix.<sup id="cite_ref-McAfee1_1-6" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> One <a href="/wiki/BBC" title="BBC">BBC</a> analyst called it a "<a href="/wiki/Public_relations" title="Public relations">public relations</a> nightmare."<sup id="cite_ref-14" class="reference"><a href="#cite_note-14"><span class="cite-bracket">[</span>14<span class="cite-bracket">]</span></a></sup> Sony BMG released <a href="/wiki/Patch_(computing)" title="Patch (computing)">patches</a> to <a href="/wiki/Uninstaller" title="Uninstaller">uninstall</a> the rootkit, but the uninstaller itself exposed users to an even more serious vulnerability.<sup id="cite_ref-felton_15-0" class="reference"><a href="#cite_note-felton-15"><span class="cite-bracket">[</span>15<span class="cite-bracket">]</span></a></sup> The company eventually recalled the CDs. 
In the United States, a <a href="/wiki/Class_action" title="Class action">class-action lawsuit</a> was brought against Sony BMG.<sup id="cite_ref-16" class="reference"><a href="#cite_note-16"><span class="cite-bracket">[</span>16<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Greek_wiretapping_case_2004–05"><span id="Greek_wiretapping_case_2004.E2.80.9305"></span>Greek wiretapping case 2004–05</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=3" title="Edit section: Greek wiretapping case 2004–05"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951" /><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Greek_wiretapping_case_2004%E2%80%9305" title="Greek wiretapping case 2004–05">Greek wiretapping case 2004–05</a></div> <p>The <a href="/wiki/Greek_wiretapping_case_2004%E2%80%9305" title="Greek wiretapping case 2004–05">Greek wiretapping case 2004–05</a>, also referred to as Greek Watergate,<sup id="cite_ref-17" class="reference"><a href="#cite_note-17"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup> involved the illegal <a href="/wiki/Telephone_tapping" class="mw-redirect" title="Telephone tapping">telephone tapping</a> of more than 100 <a href="/wiki/Mobile_phone" title="Mobile phone">mobile phones</a> on the <a href="/wiki/Vodafone_Greece" title="Vodafone Greece">Vodafone Greece</a> network belonging mostly to members of the <a href="/wiki/Greece" title="Greece">Greek</a> government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators. 
The intruders installed a rootkit targeting Ericsson's <a href="/wiki/AXE_telephone_exchange" title="AXE telephone exchange">AXE telephone exchange</a>. According to <i><a href="/wiki/IEEE_Spectrum" title="IEEE Spectrum">IEEE Spectrum</a></i>, this was "the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch."<sup id="cite_ref-ieee_18-0" class="reference"><a href="#cite_note-ieee-18"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup> The rootkit was designed to patch the memory of the exchange while it was running, enable <a href="/wiki/Wiretapping" title="Wiretapping">wiretapping</a> while disabling audit logs, patch the commands that list active processes and active data blocks, and modify the data block <a href="/wiki/Checksum" title="Checksum">checksum</a> verification command. A "backdoor" allowed an operator with <a href="/wiki/Sysadmin" class="mw-redirect" title="Sysadmin">sysadmin</a> status to deactivate the exchange's transaction log, alarms and access commands related to the surveillance capability.<sup id="cite_ref-ieee_18-1" class="reference"><a href="#cite_note-ieee-18"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup> The rootkit was discovered after the intruders installed a faulty update, which caused <a href="/wiki/SMS" title="SMS">SMS</a> texts to be undelivered, leading to an automated failure report being generated. Ericsson engineers were called in to investigate the fault and discovered the hidden data blocks containing the list of phone numbers being monitored, along with the rootkit and illicit monitoring software. 
</p> <div class="mw-heading mw-heading2"><h2 id="Uses">Uses</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=4" title="Edit section: Uses"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Modern rootkits do not elevate access,<sup id="cite_ref-Symantec_4-1" class="reference"><a href="#cite_note-Symantec-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> but rather are used to make another software payload undetectable by adding stealth capabilities.<sup id="cite_ref-Hoglund_9-1" class="reference"><a href="#cite_note-Hoglund-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> A rootkit is thus a means of maintaining and concealing access rather than of gaining it: installing one presupposes that the attacker has already obtained the privileges the rootkit needs, which for the kernel-mode and lower-level variants described below means administrative or kernel-level control of the system. Most rootkits are classified as <a href="/wiki/Malware" title="Malware">malware</a>, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user <a href="/wiki/Password" title="Password">passwords</a>, <a href="/wiki/Credit_card" title="Credit card">credit card</a> information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a <a href="/wiki/CD-ROM" title="CD-ROM">CD-ROM</a>-emulation driver, allowing <a href="/wiki/Video_game" title="Video game">video game</a> users to defeat <a href="/wiki/Copy_protection#Anti-piracy" title="Copy protection">anti-piracy</a> measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased. </p><p>Rootkits and their payloads have many uses: </p> <ul><li>Provide an attacker with full access via a <a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">backdoor</a>, permitting unauthorized access to, for example, steal or falsify documents. 
One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on <a href="/wiki/Unix-like" title="Unix-like">Unix-like</a> systems or <a href="/wiki/Graphical_identification_and_authentication" title="Graphical identification and authentication">GINA</a> on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard <a href="/wiki/Authentication" title="Authentication">authentication</a> and <a href="/wiki/Authorization" title="Authorization">authorization</a> mechanisms.</li> <li>Conceal other <a href="/wiki/Malware" title="Malware">malware</a>, notably password-stealing <a href="/wiki/Keystroke_logging" title="Keystroke logging">key loggers</a> and <a href="/wiki/Computer_virus" title="Computer virus">computer viruses</a>.<sup id="cite_ref-19" class="reference"><a href="#cite_note-19"><span class="cite-bracket">[</span>19<span class="cite-bracket">]</span></a></sup></li> <li>Appropriate the compromised machine as a <a href="/wiki/Zombie_(computing)" title="Zombie (computing)">zombie computer</a> for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) 
"Zombie" computers are typically members of large <a href="/wiki/Botnet" title="Botnet">botnets</a> that can–amongst other things–launch <a href="/wiki/Denial-of-service_attack" title="Denial-of-service attack">denial-of-service attacks</a>, distribute <a href="/wiki/Email" title="Email">email</a> <a href="/wiki/Spamming" title="Spamming">spam</a>, and conduct <a href="/wiki/Click_fraud" title="Click fraud">click fraud</a>.<sup id="cite_ref-20" class="reference"><a href="#cite_note-20"><span class="cite-bracket">[</span>20<span class="cite-bracket">]</span></a></sup></li></ul> <p>In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user: </p> <ul><li>Detect attacks, for example, in a <a href="/wiki/Honeypot_(computing)" title="Honeypot (computing)">honeypot</a>.<sup id="cite_ref-21" class="reference"><a href="#cite_note-21"><span class="cite-bracket">[</span>21<span class="cite-bracket">]</span></a></sup></li> <li>Enhance emulation software and security software.<sup id="cite_ref-22" class="reference"><a href="#cite_note-22"><span class="cite-bracket">[</span>22<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Alcohol_120%25" title="Alcohol 120%">Alcohol 120%</a> and <a href="/wiki/Daemon_Tools" title="Daemon Tools">Daemon Tools</a> are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as <a href="/wiki/SafeDisc" title="SafeDisc">SafeDisc</a> and <a href="/wiki/SecuROM" title="SecuROM">SecuROM</a>.<sup id="cite_ref-23" class="reference"><a href="#cite_note-23"><span class="cite-bracket">[</span>23<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Kaspersky_Anti-Virus" title="Kaspersky Anti-Virus">Kaspersky antivirus software</a> also uses techniques resembling rootkits to protect itself from malicious actions. 
It loads its own <a href="/wiki/Device_driver" title="Device driver">drivers</a> to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods.</li> <li>Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.<sup id="cite_ref-Ortega_24-0" class="reference"><a href="#cite_note-Ortega-24"><span class="cite-bracket">[</span>24<span class="cite-bracket">]</span></a></sup></li> <li>Bypassing <a href="/wiki/Microsoft_Product_Activation" title="Microsoft Product Activation">Microsoft Product Activation</a><sup id="cite_ref-25" class="reference"><a href="#cite_note-25"><span class="cite-bracket">[</span>25<span class="cite-bracket">]</span></a></sup></li></ul> <div class="mw-heading mw-heading2"><h2 id="Types">Types</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=5" title="Edit section: Types"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951" /><div role="note" class="hatnote navigation-not-searchable">Further information: <a href="/wiki/Protection_ring" title="Protection ring">Protection ring</a></div> <p>There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in <a href="/wiki/Protection_ring" title="Protection ring">Ring 3</a>. 
Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.<sup id="cite_ref-anson-forensics_26-0" class="reference"><a href="#cite_note-anson-forensics-26"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="User_mode">User mode</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=6" title="Edit section: User mode"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <figure class="mw-default-size mw-halign-right" typeof="mw:File/Thumb"><a href="/wiki/File:CPU_ring_scheme.svg" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/commons/thumb/2/25/CPU_ring_scheme.svg/250px-CPU_ring_scheme.svg.png" decoding="async" width="220" height="220" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/2/25/CPU_ring_scheme.svg/330px-CPU_ring_scheme.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/2/25/CPU_ring_scheme.svg/440px-CPU_ring_scheme.svg.png 2x" data-file-width="442" data-file-height="442" /></a><figcaption>Intel based computer security <a href="/wiki/Protection_ring" title="Protection ring">rings</a> (Note that <a href="/wiki/Hypervisor" title="Hypervisor">Ring -1</a> is not shown)</figcaption></figure> <p>User-mode rootkits run in <a href="/wiki/Protection_ring" title="Protection ring">Ring 3</a>, along with other applications as user, rather than low-level system processes.<sup id="cite_ref-McAfee2_27-0" class="reference"><a href="#cite_note-McAfee2-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). 
Some inject a <a href="/wiki/Dynamic_linker" title="Dynamic linker">dynamically linked</a> library (such as a <a href="/wiki/Dynamic-link_library" title="Dynamic-link library">.DLL</a> file on Windows, or a .dylib file on <a href="/wiki/MacOS" title="MacOS">Mac OS X</a>) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application. Injection mechanisms include:<sup id="cite_ref-McAfee2_27-1" class="reference"><a href="#cite_note-McAfee2-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> </p> <ul><li>Use of vendor-supplied application extensions. For example, <a href="/wiki/Windows_Explorer" class="mw-redirect" title="Windows Explorer">Windows Explorer</a> has public interfaces that allow third parties to extend its functionality.</li> <li>Interception of <a href="/wiki/Message_passing" title="Message passing">messages</a>.</li> <li><a href="/wiki/Debugger" title="Debugger">Debuggers</a>.</li> <li>Exploitation of <a href="/wiki/Vulnerability_(computing)" class="mw-redirect" title="Vulnerability (computing)">security vulnerabilities</a>.</li> <li>Function <a href="/wiki/Hooking" title="Hooking">hooking</a> or patching of commonly used APIs, for example, to hide a running process or file that resides on a filesystem.<sup id="cite_ref-28" class="reference"><a href="#cite_note-28"><span class="cite-bracket">[</span>28<span class="cite-bracket">]</span></a></sup></li></ul> <style data-mw-deduplicate="TemplateStyles:r1244412712">.mw-parser-output .templatequote{overflow:hidden;margin:1em 0;padding:0 32px}.mw-parser-output .templatequotecite{line-height:1.5em;text-align:left;margin-top:0}@media(min-width:500px){.mw-parser-output .templatequotecite{padding-left:1.6em}}</style><blockquote class="templatequote"><p>...since user mode applications all run in their own memory space, the rootkit needs to perform this patching in 
the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs' memory space before they fully execute.</p><div class="templatequotecite">— <cite>Windows Rootkit Overview, Symantec<sup id="cite_ref-Symantec_4-2" class="reference"><a href="#cite_note-Symantec-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup></cite></div></blockquote> <div class="mw-heading mw-heading3"><h3 id="Kernel_mode">Kernel mode</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=7" title="Edit section: Kernel mode"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Kernel-mode rootkits run with the highest operating system privileges (<a href="/wiki/Protection_ring" title="Protection ring">Ring 0</a>) by adding code or replacing portions of the core operating system, including both the <a href="/wiki/Kernel_(operating_system)" title="Kernel (operating system)">kernel</a> and associated <a href="/wiki/Device_driver" title="Device driver">device drivers</a>.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (July 2021)">citation needed</span></a></i>]</sup> Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as <a href="/wiki/Loadable_kernel_module" title="Loadable kernel module">loadable kernel modules</a> in <a href="/wiki/Linux" title="Linux">Linux</a> or <a href="/wiki/Device_driver" title="Device driver">device drivers</a> in <a href="/wiki/Microsoft_Windows" title="Microsoft Windows">Microsoft Windows</a>. 
This class of rootkit has unrestricted security access, but is more difficult to write.<sup id="cite_ref-UAMT_29-0" class="reference"><a href="#cite_note-UAMT-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup> The complexity makes bugs common, and any bugs in code operating at the kernel level may seriously impact system stability, leading to discovery of the rootkit.<sup id="cite_ref-UAMT_29-1" class="reference"><a href="#cite_note-UAMT-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup> One of the first widely known kernel rootkits was developed for <a href="/wiki/Windows_NT_4.0" title="Windows NT 4.0">Windows NT 4.0</a> and released in <i><a href="/wiki/Phrack" title="Phrack">Phrack</a></i> magazine in 1999 by <a href="/wiki/Greg_Hoglund" title="Greg Hoglund">Greg Hoglund</a>.<sup id="cite_ref-30" class="reference"><a href="#cite_note-30"><span class="cite-bracket">[</span>30<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-31" class="reference"><a href="#cite_note-31"><span class="cite-bracket">[</span>31<span class="cite-bracket">]</span></a></sup> Kernel rootkits can be especially difficult to detect and remove because they operate at the same <a href="/wiki/Protection_ring" title="Protection ring">security level</a> as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. Any software, such as <a href="/wiki/Antivirus_software" title="Antivirus software">antivirus software</a>, running on the compromised system is equally vulnerable.<sup id="cite_ref-32" class="reference"><a href="#cite_note-32"><span class="cite-bracket">[</span>32<span class="cite-bracket">]</span></a></sup> In this situation, no part of the system can be trusted: a detection tool running on the compromised system obtains its view of processes, files and memory through the very kernel interfaces the rootkit can intercept, so the picture it is shown may have been sanitised by the rootkit itself. 
</p><p>A rootkit can modify data structures in the Windows kernel using a method known as <i><a href="/wiki/Direct_kernel_object_manipulation" title="Direct kernel object manipulation">direct kernel object manipulation</a></i> (DKOM).<sup id="cite_ref-33" class="reference"><a href="#cite_note-33"><span class="cite-bracket">[</span>33<span class="cite-bracket">]</span></a></sup> This method can be used to hide processes. A kernel mode rootkit can also hook the <a href="/wiki/System_Service_Descriptor_Table" title="System Service Descriptor Table">System Service Descriptor Table</a> (SSDT), or modify the gates between user mode and kernel mode, in order to cloak itself.<sup id="cite_ref-Symantec_4-3" class="reference"><a href="#cite_note-Symantec-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> Similarly for the <a href="/wiki/Linux" title="Linux">Linux</a> operating system, a rootkit can modify the <i>system call table</i> to subvert kernel functionality.<sup id="cite_ref-34" class="reference"><a href="#cite_note-34"><span class="cite-bracket">[</span>34<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-35" class="reference"><a href="#cite_note-35"><span class="cite-bracket">[</span>35<span class="cite-bracket">]</span></a></sup> It is common that a rootkit creates a hidden, encrypted filesystem in which it can hide other malware or original copies of files it has infected.<sup id="cite_ref-36" class="reference"><a href="#cite_note-36"><span class="cite-bracket">[</span>36<span class="cite-bracket">]</span></a></sup> Operating systems are evolving to counter the threat of kernel-mode rootkits. 
For example, 64-bit editions of Microsoft Windows now implement mandatory signing of all kernel-level drivers in order to make it more difficult for untrusted code to execute with the highest privileges in a system.<sup id="cite_ref-37" class="reference"><a href="#cite_note-37"><span class="cite-bracket">[</span>37<span class="cite-bracket">]</span></a></sup> Driver signing raises the bar for loading unsigned kernel code, but it is enforced only once the kernel is running; code that executes earlier in the boot sequence, such as the bootkits described below, can tamper with the kernel before the check applies. </p> <div class="mw-heading mw-heading4"><h4 id="Bootkits"><span class="anchor" id="bootkit"></span>Bootkits</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=8" title="Edit section: Bootkits"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>A kernel-mode rootkit variant called a <b>bootkit</b> can infect startup code like the <a href="/wiki/Master_Boot_Record" class="mw-redirect" title="Master Boot Record">Master Boot Record</a> (MBR), <a href="/wiki/Volume_Boot_Record" class="mw-redirect" title="Volume Boot Record">Volume Boot Record</a> (VBR), or <a href="/wiki/Boot_sector" title="Boot sector">boot sector</a>, and in this way can be used to attack <a href="/wiki/Full_disk_encryption" class="mw-redirect" title="Full disk encryption">full disk encryption</a> systems, since the boot code that prompts for the passphrase necessarily runs before the volume is unlocked and so cannot itself be protected by the encryption.<sup id="cite_ref-38" class="reference"><a href="#cite_note-38"><span class="cite-bracket">[</span>38<span class="cite-bracket">]</span></a></sup> An example of such an attack on disk encryption is the "<a href="/wiki/Evil_maid_attack" title="Evil maid attack">evil maid attack</a>", in which an attacker with brief physical access installs a bootkit on an unattended computer. The envisioned scenario is a maid sneaking into the hotel room where the victims left their hardware.<sup id="cite_ref-39" class="reference"><a href="#cite_note-39"><span class="cite-bracket">[</span>39<span class="cite-bracket">]</span></a></sup> The bootkit replaces the legitimate <a href="/wiki/Booting" title="Booting">boot loader</a> with one under the attacker's control. 
Typically the malware loader persists through the transition to <a href="/wiki/Protected_mode" title="Protected mode">protected mode</a> when the kernel has loaded, and is thus able to subvert the kernel.<sup id="cite_ref-40" class="reference"><a href="#cite_note-40"><span class="cite-bracket">[</span>40<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-kumar-vbootkit_41-0" class="reference"><a href="#cite_note-kumar-vbootkit-41"><span class="cite-bracket">[</span>41<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-42" class="reference"><a href="#cite_note-42"><span class="cite-bracket">[</span>42<span class="cite-bracket">]</span></a></sup> For example, the "Stoned Bootkit" subverts the system by using a compromised <a href="/wiki/Booting" title="Booting">boot loader</a> to intercept encryption keys and passwords.<sup id="cite_ref-43" class="reference"><a href="#cite_note-43"><span class="cite-bracket">[</span>43<span class="cite-bracket">]</span></a></sup><sup class="noprint Inline-Template" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Verifiability#Self-published_sources" title="Wikipedia:Verifiability"><span title="The material near this tag may rely on a self-published source. 
(November 2010)">self-published source?</span></a></i>]</sup> In 2010, the Alureon rootkit successfully subverted the requirement for 64-bit kernel-mode driver signing in <a href="/wiki/Windows_7" title="Windows 7">Windows 7</a> by modifying the <a href="/wiki/Master_boot_record" title="Master boot record">master boot record</a>, so that its own code ran before the kernel was loaded and could subvert it before driver-signing enforcement took effect.<sup id="cite_ref-44" class="reference"><a href="#cite_note-44"><span class="cite-bracket">[</span>44<span class="cite-bracket">]</span></a></sup> Although not malware in the sense of doing something the user doesn't want, certain "Vista Loader" or "Windows Loader" software works in a similar way by injecting an <a href="/wiki/ACPI" title="ACPI">ACPI</a> SLIC (System Licensed Internal Code) table in the RAM-cached version of the BIOS during boot, in order to defeat the <a href="/wiki/Microsoft_Product_Activation" title="Microsoft Product Activation">Windows Vista and Windows 7 activation process</a>.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (July 2021)">citation needed</span></a></i>]</sup> This vector of attack was rendered useless in the (non-server) versions of <a href="/wiki/Windows_8" title="Windows 8">Windows 8</a>, which use a unique, machine-specific key for each system that can only be used by that one machine.<sup id="cite_ref-45" class="reference"><a href="#cite_note-45"><span class="cite-bracket">[</span>45<span class="cite-bracket">]</span></a></sup> Many antivirus companies provide free utilities and programs to remove bootkits. 
</p> <div class="mw-heading mw-heading3"><h3 id="Hypervisor_level">Hypervisor level</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=9" title="Edit section: Hypervisor level"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Rootkits have been created as Type II <a href="/wiki/Hypervisor" title="Hypervisor">Hypervisors</a> in academia as proofs of concept. By exploiting hardware virtualization features such as <a href="/wiki/Intel_VT" class="mw-redirect" title="Intel VT">Intel VT</a> or <a href="/wiki/AMD-V" class="mw-redirect" title="AMD-V">AMD-V</a>, this type of rootkit runs in Ring -1 and hosts the target operating system as a <a href="/wiki/Virtual_machine" title="Virtual machine">virtual machine</a>, thereby enabling the rootkit to intercept hardware calls made by the original operating system.<sup id="cite_ref-Harris_6-1" class="reference"><a href="#cite_note-Harris-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine.<sup id="cite_ref-Harris_6-2" class="reference"><a href="#cite_note-Harris-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. 
For example, timing differences may be detectable in <a href="/wiki/Central_processing_unit" title="Central processing unit">CPU</a> instructions.<sup id="cite_ref-Harris_6-3" class="reference"><a href="#cite_note-Harris-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> The "SubVirt" laboratory rootkit, developed jointly by <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a> and <a href="/wiki/University_of_Michigan" title="University of Michigan">University of Michigan</a> researchers, is an academic example of a virtual-machine–based rootkit (VMBR),<sup id="cite_ref-46" class="reference"><a href="#cite_note-46"><span class="cite-bracket">[</span>46<span class="cite-bracket">]</span></a></sup> while <a href="/wiki/Blue_Pill_(software)" title="Blue Pill (software)">Blue Pill</a> software is another. In 2009, researchers from Microsoft and <a href="/wiki/North_Carolina_State_University" title="North Carolina State University">North Carolina State University</a> demonstrated a hypervisor-layer anti-rootkit called <a href="/wiki/Hooksafe" title="Hooksafe">Hooksafe</a>, which provides generic protection against kernel-mode rootkits.<sup id="cite_ref-47" class="reference"><a href="#cite_note-47"><span class="cite-bracket">[</span>47<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Windows_10" title="Windows 10">Windows 10</a> introduced a new feature called "Device Guard", that takes advantage of virtualization to provide independent external protection of an operating system against rootkit-type malware.<sup id="cite_ref-48" class="reference"><a href="#cite_note-48"><span class="cite-bracket">[</span>48<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Firmware_and_hardware">Firmware and hardware</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=10" title="Edit section: Firmware and 
hardware"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>A <a href="/wiki/Firmware" title="Firmware">firmware</a> rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a <a href="/wiki/Router_(computing)" title="Router (computing)">router</a>, <a href="/wiki/Network_interface_controller" title="Network interface controller">network card</a>,<sup id="cite_ref-49" class="reference"><a href="#cite_note-49"><span class="cite-bracket">[</span>49<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Hard_disk_drive" title="Hard disk drive">hard drive</a>, or the system <a href="/wiki/BIOS" title="BIOS">BIOS</a>.<sup id="cite_ref-McAfee2_27-2" class="reference"><a href="#cite_note-McAfee2-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-blog.trendmicro.com_50-0" class="reference"><a href="#cite_note-blog.trendmicro.com-50"><span class="cite-bracket">[</span>50<span class="cite-bracket">]</span></a></sup> The rootkit hides in firmware, because firmware is not usually inspected for <a href="/wiki/Code_integrity" title="Code integrity">code integrity</a>. John Heasman demonstrated the viability of firmware rootkits in both <a href="/wiki/ACPI" title="ACPI">ACPI</a> firmware routines<sup id="cite_ref-51" class="reference"><a href="#cite_note-51"><span class="cite-bracket">[</span>51<span class="cite-bracket">]</span></a></sup> and in a <a href="/wiki/Conventional_PCI" class="mw-redirect" title="Conventional PCI">PCI</a> expansion card <a href="/wiki/Read-only_memory" title="Read-only memory">ROM</a>.<sup id="cite_ref-52" class="reference"><a href="#cite_note-52"><span class="cite-bracket">[</span>52<span class="cite-bracket">]</span></a></sup> In October 2008, criminals tampered with European <a href="/wiki/Credit-card" class="mw-redirect" title="Credit-card">credit-card</a>-reading machines before they were installed. 
The devices intercepted and transmitted credit card details via a mobile phone network.<sup id="cite_ref-53" class="reference"><a href="#cite_note-53"><span class="cite-bracket">[</span>53<span class="cite-bracket">]</span></a></sup> In March 2009, researchers Alfredo Ortega and <a href="/w/index.php?title=Anibal_Sacco&action=edit&redlink=1" class="new" title="Anibal Sacco (page does not exist)">Anibal Sacco</a> published details of a <a href="/wiki/BIOS" title="BIOS">BIOS</a>-level Windows rootkit that was able to survive disk replacement and operating system re-installation.<sup id="cite_ref-54" class="reference"><a href="#cite_note-54"><span class="cite-bracket">[</span>54<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-55" class="reference"><a href="#cite_note-55"><span class="cite-bracket">[</span>55<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-56" class="reference"><a href="#cite_note-56"><span class="cite-bracket">[</span>56<span class="cite-bracket">]</span></a></sup> A few months later they learned that some laptops are sold with a legitimate rootkit, known as Absolute <a href="/wiki/CompuTrace" class="mw-redirect" title="CompuTrace">CompuTrace</a> or Absolute <a href="/wiki/LoJack_for_Laptops" class="mw-redirect" title="LoJack for Laptops">LoJack for Laptops</a>, preinstalled in many BIOS images. 
This is an anti-<a href="/wiki/Laptop_theft" title="Laptop theft">theft</a> technology system that researchers showed can be turned to malicious purposes.<sup id="cite_ref-Ortega_24-1" class="reference"><a href="#cite_note-Ortega-24"><span class="cite-bracket">[</span>24<span class="cite-bracket">]</span></a></sup> </p><p><a href="/wiki/Intel_Active_Management_Technology" title="Intel Active Management Technology">Intel Active Management Technology</a>, part of <a href="/wiki/Intel_vPro#Remote_management" title="Intel vPro">Intel vPro</a>, implements <a href="/wiki/Out-of-band_management" title="Out-of-band management">out-of-band management</a>, giving administrators <a href="/wiki/Remote_administration" title="Remote administration">remote administration</a>, <a href="/wiki/Remote_infrastructure_management" title="Remote infrastructure management">remote management</a>, and <a href="/wiki/Remote_desktop_software" title="Remote desktop software">remote control</a> of PCs with no involvement of the host processor or BIOS, even when the system is powered off. Remote administration includes remote power-up and power-down, remote reset, redirected boot, console redirection, pre-boot access to BIOS settings, programmable filtering for inbound and outbound network traffic, agent presence checking, out-of-band policy-based alerting, access to system information, such as hardware asset information, persistent event logs, and other information that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off. Some of these functions require the deepest level of rootkit, a second non-removable spy computer built around the main computer. Sandy Bridge and future chipsets have "the ability to remotely kill and restore a lost or stolen PC via 3G". 
Hardware rootkits built into the <a href="/wiki/Chipset" title="Chipset">chipset</a> can help recover stolen computers, remove data, or render them useless, but they also present privacy and security concerns of undetectable spying and redirection by management or hackers who might gain control. </p> <div class="mw-heading mw-heading2"><h2 id="Installation_and_cloaking">Installation and cloaking</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=11" title="Edit section: Installation and cloaking"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Rootkits employ a variety of techniques to gain control of a system; the type of rootkit influences the choice of attack vector. The most common technique leverages <a href="/wiki/Vulnerability_(computing)" class="mw-redirect" title="Vulnerability (computing)">security vulnerabilities</a> to achieve surreptitious <a href="/wiki/Privilege_escalation" title="Privilege escalation">privilege escalation</a>. Another approach is to use a <a href="/wiki/Trojan_horse_(computing)" title="Trojan horse (computing)">Trojan horse</a>, deceiving a computer user into trusting the rootkit's installation program as benign—in this case, <a href="/wiki/Social_engineering_(security)" title="Social engineering (security)">social engineering</a> convinces a user that the rootkit is beneficial.<sup id="cite_ref-UAMT_29-2" class="reference"><a href="#cite_note-UAMT-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup> The installation task is made easier if the <a href="/wiki/Principle_of_least_privilege" title="Principle of least privilege">principle of least privilege</a> is not applied, since the rootkit then does not have to explicitly request elevated (administrator-level) privileges. Other classes of rootkits can be installed only by someone with physical access to the target system. 
Some rootkits may also be installed intentionally by the owner of the system or somebody authorized by the owner, e.g. for the purpose of <a href="/wiki/Employee_monitoring" title="Employee monitoring">employee monitoring</a>, rendering such subversive techniques unnecessary.<sup id="cite_ref-57" class="reference"><a href="#cite_note-57"><span class="cite-bracket">[</span>57<span class="cite-bracket">]</span></a></sup> Some malicious rootkit installations are commercially driven, with a pay-per-install (PPI) compensation method typical for distribution.<sup id="cite_ref-58" class="reference"><a href="#cite_note-58"><span class="cite-bracket">[</span>58<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-59" class="reference"><a href="#cite_note-59"><span class="cite-bracket">[</span>59<span class="cite-bracket">]</span></a></sup> </p><p>Once installed, a rootkit takes active measures to obscure its presence within the host system through subversion or evasion of standard operating system <a href="/wiki/Computer_security" title="Computer security">security</a> tools and <a href="/wiki/Application_programming_interface" class="mw-redirect" title="Application programming interface">application programming interface</a> (APIs) used for diagnosis, scanning, and monitoring.<sup id="cite_ref-60" class="reference"><a href="#cite_note-60"><span class="cite-bracket">[</span>60<span class="cite-bracket">]</span></a></sup> Rootkits achieve this by modifying the behavior of <a href="/wiki/Protection_ring" title="Protection ring">core parts of an operating system</a> through loading code into other processes, the installation or modification of <a href="/wiki/Device_driver" title="Device driver">drivers</a>, or <a href="/wiki/Loadable_kernel_module" title="Loadable kernel module">kernel modules</a>. 
Obfuscation techniques include concealing running processes from system-monitoring mechanisms and hiding system files and other configuration data.<sup id="cite_ref-61" class="reference"><a href="#cite_note-61"><span class="cite-bracket">[</span>61<span class="cite-bracket">]</span></a></sup> It is not uncommon for a rootkit to disable the <a href="/wiki/Event_log" class="mw-redirect" title="Event log">event logging</a> capacity of an operating system, in an attempt to hide evidence of an attack. Rootkits can, in theory, subvert <i>any</i> operating system activities.<sup id="cite_ref-MIT_62-0" class="reference"><a href="#cite_note-MIT-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup> The "perfect rootkit" can be thought of as similar to a "<a href="/wiki/Perfect_crime" title="Perfect crime">perfect crime</a>": one that nobody realizes has taken place. Rootkits also take a number of measures to ensure their survival against detection and "cleaning" by antivirus software in addition to commonly installing into Ring 0 (kernel-mode), where they have complete access to a system. These include <a href="/wiki/Polymorphic_code" title="Polymorphic code">polymorphism</a> (changing so their "signature" is hard to detect), stealth techniques, regeneration, disabling or turning off anti-malware software,<sup id="cite_ref-trlokom_63-0" class="reference"><a href="#cite_note-trlokom-63"><span class="cite-bracket">[</span>63<span class="cite-bracket">]</span></a></sup> and not installing on <a href="/wiki/Virtual_machine" title="Virtual machine">virtual machines</a> where it may be easier for researchers to discover and analyze them. 
</p> <div class="mw-heading mw-heading2"><h2 id="Detection">Detection</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=12" title="Edit section: Detection"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components.<sup id="cite_ref-MIT_62-1" class="reference"><a href="#cite_note-MIT-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup> Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected. In other words, rootkit detectors that work while running on infected systems are only effective against rootkits that have some defect in their camouflage, or that run with lower user-mode privileges than the detection software in the kernel.<sup id="cite_ref-UAMT_29-3" class="reference"><a href="#cite_note-UAMT-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup> As with <a href="/wiki/Computer_virus" title="Computer virus">computer viruses</a>, the detection and elimination of rootkits is an ongoing struggle between both sides of this conflict.<sup id="cite_ref-MIT_62-2" class="reference"><a href="#cite_note-MIT-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup> Detection can take a number of different approaches, including looking for virus "signatures" (e.g. antivirus software), integrity checking (e.g. <a href="/wiki/Digital_signature" title="Digital signature">digital signatures</a>), difference-based detection (comparison of expected vs. actual results), and behavioral detection (e.g. monitoring CPU usage or network traffic). 
</p><p>For kernel-mode rootkits, detection is considerably more complex, requiring careful scrutiny of the System Call Table to look for <a href="/wiki/Hooking" title="Hooking">hooked functions</a> where the malware may be subverting system behavior,<sup id="cite_ref-64" class="reference"><a href="#cite_note-64"><span class="cite-bracket">[</span>64<span class="cite-bracket">]</span></a></sup> as well as <a href="/wiki/Forensic" class="mw-redirect" title="Forensic">forensic</a> scanning of memory for patterns that indicate hidden processes. Unix rootkit detection offerings include Zeppoo,<sup id="cite_ref-65" class="reference"><a href="#cite_note-65"><span class="cite-bracket">[</span>65<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Chkrootkit" title="Chkrootkit">chkrootkit</a>, <a href="/wiki/Rkhunter" title="Rkhunter">rkhunter</a> and <a href="/wiki/OSSEC" title="OSSEC">OSSEC</a>. For Windows, detection tools include Microsoft Sysinternals <a href="/wiki/RootkitRevealer" title="RootkitRevealer">RootkitRevealer</a>,<sup id="cite_ref-66" class="reference"><a href="#cite_note-66"><span class="cite-bracket">[</span>66<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Avast_Software" class="mw-redirect" title="Avast Software">Avast Antivirus</a>,<sup id="cite_ref-67" class="reference"><a href="#cite_note-67"><span class="cite-bracket">[</span>67<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Sophos" title="Sophos">Sophos</a> Anti-Rootkit,<sup id="cite_ref-68" class="reference"><a href="#cite_note-68"><span class="cite-bracket">[</span>68<span class="cite-bracket">]</span></a></sup> <a href="/wiki/F-Secure" title="F-Secure">F-Secure</a>,<sup id="cite_ref-69" class="reference"><a href="#cite_note-69"><span class="cite-bracket">[</span>69<span class="cite-bracket">]</span></a></sup> Radix,<sup id="cite_ref-70" class="reference"><a href="#cite_note-70"><span class="cite-bracket">[</span>70<span class="cite-bracket">]</span></a></sup> 
<a href="/wiki/GMER" title="GMER">GMER</a>,<sup id="cite_ref-71" class="reference"><a href="#cite_note-71"><span class="cite-bracket">[</span>71<span class="cite-bracket">]</span></a></sup> and <a href="/wiki/WindowsSCOPE" title="WindowsSCOPE">WindowsSCOPE</a>. Any rootkit detectors that prove effective ultimately contribute to their own ineffectiveness, as malware authors adapt and test their code to escape detection by well-used tools.<sup id="cite_ref-72" class="reference"><a href="#cite_note-72"><span class="cite-bracket">[</span>Notes 1<span class="cite-bracket">]</span></a></sup> Detection by examining storage while the suspect operating system is not operational can miss rootkits not recognised by the checking software, as the rootkit is not active and suspicious behavior is suppressed; conventional anti-malware software running with the rootkit operational may fail if the rootkit hides itself effectively. </p> <div class="mw-heading mw-heading3"><h3 id="Alternative_trusted_medium">Alternative trusted medium</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=13" title="Edit section: Alternative trusted medium"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The best and most reliable method for operating-system-level rootkit detection is to shut down the computer suspected of infection, and then to check its <a href="/wiki/Computer_data_storage" title="Computer data storage">storage</a> by <a href="/wiki/Booting" title="Booting">booting</a> from an alternative trusted medium (e.g. 
a "rescue" <a href="/wiki/CD-ROM" title="CD-ROM">CD-ROM</a> or <a href="/wiki/USB_flash_drive" title="USB flash drive">USB flash drive</a>).<sup id="cite_ref-73" class="reference"><a href="#cite_note-73"><span class="cite-bracket">[</span>72<span class="cite-bracket">]</span></a></sup> The technique is effective because a rootkit cannot actively hide its presence if it is not running. </p> <div class="mw-heading mw-heading3"><h3 id="Behavioral-based">Behavioral-based</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=14" title="Edit section: Behavioral-based"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The behavioral-based approach to detecting rootkits attempts to infer the presence of a rootkit by looking for rootkit-like behavior. For example, by <a href="/wiki/Profiling_(computer_programming)" title="Profiling (computer programming)">profiling</a> a system, differences in the timing and frequency of API calls or in overall CPU utilization can be attributed to a rootkit. The method is complex and is hampered by a high incidence of <a href="/wiki/Type_I_and_type_II_errors" title="Type I and type II errors">false positives</a>. 
Defective rootkits can sometimes introduce very obvious changes to a system: the <a href="/wiki/Alureon" title="Alureon">Alureon</a> rootkit crashed Windows systems after a security update exposed a design flaw in its code.<sup id="cite_ref-74" class="reference"><a href="#cite_note-74"><span class="cite-bracket">[</span>73<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-75" class="reference"><a href="#cite_note-75"><span class="cite-bracket">[</span>74<span class="cite-bracket">]</span></a></sup> Logs from a <a href="/wiki/Packet_analyzer" title="Packet analyzer">packet analyzer</a>, <a href="/wiki/Firewall_(computing)" title="Firewall (computing)">firewall</a>, or <a href="/wiki/Intrusion_prevention_system" class="mw-redirect" title="Intrusion prevention system">intrusion prevention system</a> may present evidence of rootkit behaviour in a networked environment.<sup id="cite_ref-anson-forensics_26-1" class="reference"><a href="#cite_note-anson-forensics-26"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Signature-based">Signature-based</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=15" title="Edit section: Signature-based"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Antivirus products rarely catch all viruses in public tests (depending on what is used and to what extent), even though security software vendors incorporate rootkit detection into their products. 
Should a rootkit attempt to hide during an antivirus scan, a stealth detector may notice; if the rootkit attempts to temporarily unload itself from the system, signature detection (or "fingerprinting") can still find it.<sup id="cite_ref-76" class="reference"><a href="#cite_note-76"><span class="cite-bracket">[</span>75<span class="cite-bracket">]</span></a></sup> This combined approach forces attackers to implement counterattack mechanisms, or "retro" routines, that attempt to terminate antivirus programs. Signature-based detection methods can be effective against well-published rootkits, but less so against specially crafted, custom-built rootkits.<sup id="cite_ref-MIT_62-3" class="reference"><a href="#cite_note-MIT-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Difference-based">Difference-based</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=16" title="Edit section: Difference-based"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Another method that can detect rootkits compares "trusted" raw data with "tainted" content returned by an <a href="/wiki/API" title="API">API</a>. 
For example, <a href="/wiki/Binaries" class="mw-redirect" title="Binaries">binaries</a> present on disk can be compared with their copies within <a href="/w/index.php?title=Operating_memory&action=edit&redlink=1" class="new" title="Operating memory (page does not exist)">operating memory</a> (in some operating systems, the in-memory image should be identical to the on-disk image), or the results returned from <a href="/wiki/File_system" title="File system">file system</a> or <a href="/wiki/Windows_Registry" title="Windows Registry">Windows Registry</a> APIs can be checked against raw structures on the underlying physical disks<sup id="cite_ref-MIT_62-4" class="reference"><a href="#cite_note-MIT-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-77" class="reference"><a href="#cite_note-77"><span class="cite-bracket">[</span>76<span class="cite-bracket">]</span></a></sup>—however, in the case of the former, some valid differences can be introduced by operating system mechanisms like memory relocation or <a href="/wiki/Shim_(computing)" title="Shim (computing)">shimming</a>. A rootkit may detect the presence of such a difference-based scanner or <a href="/wiki/Virtual_machine" title="Virtual machine">virtual machine</a> (the latter being commonly used to perform forensic analysis), and adjust its behaviour so that no differences can be detected. 
Difference-based detection was used by <a href="/wiki/Russinovich" class="mw-redirect" title="Russinovich">Russinovich</a>'s <i>RootkitRevealer</i> tool to find the Sony DRM rootkit.<sup id="cite_ref-McAfee1_1-7" class="reference"><a href="#cite_note-McAfee1-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Integrity_checking">Integrity checking</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=17" title="Edit section: Integrity checking"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <figure class="mw-default-size mw-halign-right" typeof="mw:File/Thumb"><a href="/wiki/File:Rkhunter_on_Mac_OS_X.png" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/commons/thumb/c/c0/Rkhunter_on_Mac_OS_X.png/250px-Rkhunter_on_Mac_OS_X.png" decoding="async" width="220" height="267" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/c/c0/Rkhunter_on_Mac_OS_X.png/330px-Rkhunter_on_Mac_OS_X.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/c/c0/Rkhunter_on_Mac_OS_X.png/500px-Rkhunter_on_Mac_OS_X.png 2x" data-file-width="599" data-file-height="728" /></a><figcaption>The <a href="/wiki/Rkhunter" title="Rkhunter">rkhunter</a> utility uses <a href="/wiki/SHA-1" title="SHA-1">SHA-1</a> hashes to verify the integrity of system files.</figcaption></figure> <p><a href="/wiki/Code_signing" title="Code signing">Code signing</a> uses <a href="/wiki/Public-key_infrastructure" class="mw-redirect" title="Public-key infrastructure">public-key infrastructure</a> to check if a file has been modified since being <a href="/wiki/Digital_signature" title="Digital signature">digitally signed</a> by its publisher. 
Alternatively, a system owner or administrator can use a <a href="/wiki/Cryptographic_hash_function" title="Cryptographic hash function">cryptographic hash function</a> to compute a "fingerprint" at installation time that can help to detect subsequent unauthorized changes to on-disk code libraries.<sup id="cite_ref-78" class="reference"><a href="#cite_note-78"><span class="cite-bracket">[</span>77<span class="cite-bracket">]</span></a></sup> However, unsophisticated schemes check only whether the code has been modified since installation time; subversion prior to that time is not detectable. The fingerprint must be re-established each time changes are made to the system: for example, after installing security updates or a <a href="/wiki/Service_pack" title="Service pack">service pack</a>. The hash function creates a <i>message digest</i>, a relatively short code calculated from each bit in the file using an algorithm that creates large changes in the message digest with even small changes to the original file. By recalculating and comparing the message digest of the installed files at regular intervals against a trusted list of message digests, changes in the system can be detected and monitored—as long as the original baseline was created before the malware was added. 
</p><p>More-sophisticated rootkits are able to subvert the verification process by presenting an unmodified copy of the file for inspection, or by making code modifications only in memory or in reconfiguration registers, which are later compared to a whitelist of expected values.<sup id="cite_ref-79" class="reference"><a href="#cite_note-79"><span class="cite-bracket">[</span>78<span class="cite-bracket">]</span></a></sup> The code that performs hash, compare, or extend operations must also be protected—in this context, the notion of an <i>immutable root-of-trust</i> holds that the very first code to measure security properties of a system must itself be trusted to ensure that a rootkit or bootkit does not compromise the system at its most fundamental level.<sup id="cite_ref-80" class="reference"><a href="#cite_note-80"><span class="cite-bracket">[</span>79<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Memory_dumps">Memory dumps</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=18" title="Edit section: Memory dumps"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Forcing a complete dump of <a href="/wiki/Virtual_memory" title="Virtual memory">virtual memory</a> will capture an active rootkit (or a <a href="/wiki/Core_dump" title="Core dump">kernel dump</a> in the case of a kernel-mode rootkit), allowing offline <a href="/wiki/Forensic_analysis" class="mw-redirect" title="Forensic analysis">forensic analysis</a> to be performed with a <a href="/wiki/Debugger" title="Debugger">debugger</a> against the resulting <a href="/wiki/Dump_file" class="mw-redirect" title="Dump file">dump file</a>, without the rootkit being able to take any measures to cloak itself. 
This technique is highly specialized, and may require access to non-public <a href="/wiki/Source_code" title="Source code">source code</a> or <a href="/wiki/Debug_symbol" title="Debug symbol">debugging symbols</a>. Memory dumps initiated by the operating system cannot always be used to detect a hypervisor-based rootkit, which is able to intercept and subvert the lowest-level attempts to read memory<sup id="cite_ref-Harris_6-4" class="reference"><a href="#cite_note-Harris-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup>—a hardware device, such as one that implements a <a href="/wiki/Non-maskable_interrupt" title="Non-maskable interrupt">non-maskable interrupt</a>, may be required to dump memory in this scenario.<sup id="cite_ref-81" class="reference"><a href="#cite_note-81"><span class="cite-bracket">[</span>80<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-82" class="reference"><a href="#cite_note-82"><span class="cite-bracket">[</span>81<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Virtual_machine" title="Virtual machine">Virtual machines</a> also make it easier to analyze the memory of a compromised machine from the underlying hypervisor, so some rootkits will avoid infecting virtual machines for this reason. 
</p> <div class="mw-heading mw-heading2"><h2 id="Removal">Removal</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=19" title="Edit section: Removal"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Manual removal of a rootkit is often extremely difficult for a typical computer user,<sup id="cite_ref-McAfee2_27-3" class="reference"><a href="#cite_note-McAfee2-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> but a number of security-software vendors offer tools to automatically detect and remove some rootkits, typically as part of an <a href="/wiki/Antivirus_software" title="Antivirus software">antivirus suite</a>. As of 2005<sup class="plainlinks noexcerpt noprint asof-tag update" style="display:none;"><a class="external text" href="https://en.wikipedia.org/w/index.php?title=Rootkit&action=edit">[update]</a></sup>, Microsoft's monthly <a href="/wiki/Windows_Malicious_Software_Removal_Tool" class="mw-redirect" title="Windows Malicious Software Removal Tool">Windows Malicious Software Removal Tool</a> is able to detect and remove some classes of rootkits.<sup id="cite_ref-83" class="reference"><a href="#cite_note-83"><span class="cite-bracket">[</span>82<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-84" class="reference"><a href="#cite_note-84"><span class="cite-bracket">[</span>83<span class="cite-bracket">]</span></a></sup> Also, Windows Defender Offline can remove rootkits, as it runs from a trusted environment before the operating system starts.<sup id="cite_ref-85" class="reference"><a href="#cite_note-85"><span class="cite-bracket">[</span>84<span class="cite-bracket">]</span></a></sup> Some antivirus scanners can bypass <a href="/wiki/File_system" title="File system">file system</a> APIs, which are vulnerable to manipulation by a rootkit. 
Instead, they access raw file system structures directly, and use this information to validate the results from the system APIs to identify any differences that may be caused by a rootkit.<sup id="cite_ref-86" class="reference"><a href="#cite_note-86"><span class="cite-bracket">[</span>Notes 2<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-87" class="reference"><a href="#cite_note-87"><span class="cite-bracket">[</span>85<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-88" class="reference"><a href="#cite_note-88"><span class="cite-bracket">[</span>86<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-89" class="reference"><a href="#cite_note-89"><span class="cite-bracket">[</span>87<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-90" class="reference"><a href="#cite_note-90"><span class="cite-bracket">[</span>88<span class="cite-bracket">]</span></a></sup> There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.<sup id="cite_ref-ms-obscure-hacker_91-0" class="reference"><a href="#cite_note-ms-obscure-hacker-91"><span class="cite-bracket">[</span>89<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-92" class="reference"><a href="#cite_note-92"><span class="cite-bracket">[</span>90<span class="cite-bracket">]</span></a></sup> This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. 
Booting an alternative operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned and critical data to be copied off—or, alternatively, a forensic examination performed.<sup id="cite_ref-anson-forensics_26-2" class="reference"><a href="#cite_note-anson-forensics-26"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup> Lightweight operating systems such as <a href="/wiki/Windows_PE" class="mw-redirect" title="Windows PE">Windows PE</a>, <a href="/wiki/Recovery_Console" title="Recovery Console">Windows Recovery Console</a>, <a href="/wiki/Windows_Recovery_Environment" class="mw-redirect" title="Windows Recovery Environment">Windows Recovery Environment</a>, <a href="/wiki/BartPE" title="BartPE">BartPE</a>, or <a href="/wiki/Live_CD" title="Live CD">Live Distros</a> can be used for this purpose, allowing the system to be "cleaned". Even if the type and nature of a rootkit is known, manual repair may be impractical, while re-installing the operating system and applications is safer, simpler and quicker.<sup id="cite_ref-ms-obscure-hacker_91-1" class="reference"><a href="#cite_note-ms-obscure-hacker-91"><span class="cite-bracket">[</span>89<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Defenses">Defenses</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=20" title="Edit section: Defenses"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>System <a href="/wiki/Hardening_(computing)" title="Hardening (computing)">hardening</a> represents one of the first layers of defence against a rootkit, to prevent it from being able to install.<sup id="cite_ref-93" class="reference"><a href="#cite_note-93"><span class="cite-bracket">[</span>91<span class="cite-bracket">]</span></a></sup> Applying <a href="/wiki/Security_patches" 
class="mw-redirect" title="Security patches">security patches</a>, implementing the <a href="/wiki/Principle_of_least_privilege" title="Principle of least privilege">principle of least privilege</a>, reducing the <a href="/wiki/Attack_surface" title="Attack surface">attack surface</a> and installing antivirus software are some standard security best practices that are effective against all classes of malware.<sup id="cite_ref-94" class="reference"><a href="#cite_note-94"><span class="cite-bracket">[</span>92<span class="cite-bracket">]</span></a></sup> New secure boot specifications like <a href="/wiki/UEFI" title="UEFI">UEFI</a> Secure Boot have been designed to address the threat of bootkits, but even these are vulnerable if the security features they offer are not enabled.<sup id="cite_ref-blog.trendmicro.com_50-1" class="reference"><a href="#cite_note-blog.trendmicro.com-50"><span class="cite-bracket">[</span>50<span class="cite-bracket">]</span></a></sup> For server systems, remote server attestation using technologies such as Intel <a href="/wiki/Trusted_Execution_Technology" title="Trusted Execution Technology">Trusted Execution Technology</a> (TXT) provides a way of verifying that servers remain in a known good state. For example, <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a> <a href="/wiki/Bitlocker" class="mw-redirect" title="Bitlocker">Bitlocker</a>'s encryption of data at rest verifies that servers are in a known "good state" on bootup. <a href="/wiki/PrivateCore" title="PrivateCore">PrivateCore</a> vCage is a software offering that secures data in use (memory) to avoid bootkits and rootkits by verifying that servers are in a known "good" state on bootup. The PrivateCore implementation works in concert with Intel TXT and locks down server system interfaces to avoid potential bootkits and rootkits. </p><p>Another defense mechanism, the Virtual Wall (VTW) approach, serves as a lightweight hypervisor with rootkit detection and event tracing capabilities. 
In normal operation (guest mode), Linux runs normally; when a loaded kernel module (LKM) violates a security policy, the system switches to host mode. The VTW in host mode detects, traces, and classifies rootkit events based on memory access control and event injection mechanisms. Experimental results show that the VTW detects and defends against kernel rootkits in a timely manner with minimal CPU overhead (less than 2%). The VTW compares favorably to other defense schemes in its simplicity of implementation and its potential performance gains on Linux servers.<sup id="cite_ref-95" class="reference"><a href="#cite_note-95"><span class="cite-bracket">[</span>93<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=21" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Computer_security_conference" title="Computer security conference">Computer security conference</a></li> <li><a href="/wiki/Host-based_intrusion_detection_system" title="Host-based intrusion detection system">Host-based intrusion detection system</a></li> <li><a href="/wiki/Man-in-the-middle_attack" title="Man-in-the-middle attack">Man-in-the-middle attack</a></li> <li><i><a href="/wiki/The_Rootkit_Arsenal:_Escape_and_Evasion_in_the_Dark_Corners_of_the_System" class="mw-redirect" title="The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System">The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System</a></i></li></ul> <div class="mw-heading mw-heading2"><h2 id="Notes">Notes</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=22" title="Edit section: Notes"><span>edit</span></a><span 
class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist .references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist"> <div class="mw-references-wrap"><ol class="references"> <li id="cite_note-72"><span class="mw-cite-backlink"><b><a href="#cite_ref-72">^</a></b></span> <span class="reference-text">The process name of Sysinternals RootkitRevealer was targeted by malware; in an attempt to counter this countermeasure, the tool now uses a randomly generated process name.</span> </li> <li id="cite_note-86"><span class="mw-cite-backlink"><b><a href="#cite_ref-86">^</a></b></span> <span class="reference-text">In theory, a sufficiently sophisticated kernel-level rootkit could subvert read operations against raw file system data structures as well, so that they match the results returned by APIs.</span> </li> </ol></div></div> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=23" title="Edit section: References"><span>edit</span></a><span 
class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1239543626" /><div class="reflist reflist-columns references-column-width" style="column-width: 30em;"> <ol class="references"> <li id="cite_note-McAfee1-1"><span class="mw-cite-backlink">^ <a href="#cite_ref-McAfee1_1-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-McAfee1_1-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-McAfee1_1-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-McAfee1_1-3"><sup><i><b>d</b></i></sup></a> <a href="#cite_ref-McAfee1_1-4"><sup><i><b>e</b></i></sup></a> <a href="#cite_ref-McAfee1_1-5"><sup><i><b>f</b></i></sup></a> <a href="#cite_ref-McAfee1_1-6"><sup><i><b>g</b></i></sup></a> <a href="#cite_ref-McAfee1_1-7"><sup><i><b>h</b></i></sup></a></span> <span class="reference-text"><style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited 
a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20060823090948/http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf">"Rootkits, Part 1 of 3: The Growing Threat"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/McAfee" title="McAfee">McAfee</a>. 2006-04-17. 
Archived from <a rel="nofollow" class="external text" href="http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2006-08-23.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Rootkits%2C+Part+1+of+3%3A+The+Growing+Threat&rft.pub=McAfee&rft.date=2006-04-17&rft_id=http%3A%2F%2Fwww.mcafee.com%2Fus%2Flocal_content%2Fwhite_papers%2Fthreat_center%2Fwp_akapoor_rootkits1_en.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-2">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFEvancichLi2016" class="citation book cs1">Evancich, N.; Li, J. (2016-08-23). <a rel="nofollow" class="external text" href="https://books.google.com/books?id=4ZTlDAAAQBAJ&pg=PA100">"6.2.3 Rootkits"</a>. In Colbert, Edward J. M.; Kott, Alexander (eds.). <i>Cyber-security of SCADA and Other Industrial Control Systems</i>. Springer. p. 100. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9783319321257" title="Special:BookSources/9783319321257"><bdi>9783319321257</bdi></a> – via <a href="/wiki/Google_Books" title="Google Books">Google Books</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=6.2.3+Rootkits&rft.btitle=Cyber-security+of+SCADA+and+Other+Industrial+Control+Systems&rft.pages=100&rft.pub=Springer&rft.date=2016-08-23&rft.isbn=9783319321257&rft.aulast=Evancich&rft.aufirst=N.&rft.au=Li%2C+J.&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3D4ZTlDAAAQBAJ%26pg%3DPA100&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.kaspersky.com/resource-center/definitions/what-is-rootkit">"What is Rootkit – Definition and Explanation"</a>. <i>www.kaspersky.com</i>. 2021-04-09<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2021-11-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.kaspersky.com&rft.atitle=What+is+Rootkit+%E2%80%93+Definition+and+Explanation&rft.date=2021-04-09&rft_id=https%3A%2F%2Fwww.kaspersky.com%2Fresource-center%2Fdefinitions%2Fwhat-is-rootkit&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-Symantec-4"><span class="mw-cite-backlink">^ <a href="#cite_ref-Symantec_4-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-Symantec_4-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-Symantec_4-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-Symantec_4-3"><sup><i><b>d</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20101214100124/http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf">"Windows Rootkit Overview"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/NortonLifeLock" class="mw-redirect" title="NortonLifeLock">Symantec</a>. 2006-03-26. Archived from <a rel="nofollow" class="external text" href="http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2010-12-14<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Windows+Rootkit+Overview&rft.pub=Symantec&rft.date=2006-03-26&rft_id=http%3A%2F%2Fwww.symantec.com%2Favcenter%2Freference%2Fwindows.rootkit.overview.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-Sparks-Bar-5"><span class="mw-cite-backlink"><b><a href="#cite_ref-Sparks-Bar_5-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSparksButler2005" class="citation journal cs1">Sparks, Sherri; Butler, Jamie (2005-08-01). "Raising The Bar For Windows Rootkit Detection". <i><a href="/wiki/Phrack" title="Phrack">Phrack</a></i>. <b>0xb</b> (x3d).</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Phrack&rft.atitle=Raising+The+Bar+For+Windows+Rootkit+Detection&rft.volume=0xb&rft.issue=x3d&rft.date=2005-08-01&rft.aulast=Sparks&rft.aufirst=Sherri&rft.au=Butler%2C+Jamie&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-Harris-6"><span class="mw-cite-backlink">^ <a href="#cite_ref-Harris_6-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-Harris_6-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-Harris_6-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-Harris_6-3"><sup><i><b>d</b></i></sup></a> <a href="#cite_ref-Harris_6-4"><sup><i><b>e</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFMyersYoundt2007" class="citation report cs1">Myers, Michael; Youndt, Stephen (2007-08-07). An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits (Report). Crucial Security. 
<a href="/wiki/CiteSeerX_(identifier)" class="mw-redirect" title="CiteSeerX (identifier)">CiteSeerX</a> <span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.90.8832">10.1.1.90.8832</a></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=report&rft.btitle=An+Introduction+to+Hardware-Assisted+Virtual+Machine+%28HVM%29+Rootkits&rft.pub=Crucial+Security&rft.date=2007-08-07&rft_id=https%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fsummary%3Fdoi%3D10.1.1.90.8832%23id-name%3DCiteSeerX&rft.aulast=Myers&rft.aufirst=Michael&rft.au=Youndt%2C+Stephen&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-7"><span class="mw-cite-backlink"><b><a href="#cite_ref-7">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFAndrew_HayDaniel_CidRory_Bray2008" class="citation book cs1">Andrew Hay; Daniel Cid; Rory Bray (2008). <a rel="nofollow" class="external text" href="https://books.google.com/books?id=h37q2q3wvcUC&pg=PA276"><i>OSSEC Host-Based Intrusion Detection Guide</i></a>. Syngress. p. 276. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-59749-240-9" title="Special:BookSources/978-1-59749-240-9"><bdi>978-1-59749-240-9</bdi></a> – via <a href="/wiki/Google_Books" title="Google Books">Google Books</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=OSSEC+Host-Based+Intrusion+Detection+Guide&rft.pages=276&rft.pub=Syngress&rft.date=2008&rft.isbn=978-1-59749-240-9&rft.au=Andrew+Hay&rft.au=Daniel+Cid&rft.au=Rory+Bray&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3Dh37q2q3wvcUC%26pg%3DPA276&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-Turing_Award_Lecture-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-Turing_Award_Lecture_8-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFThompson1984" class="citation journal cs1">Thompson, Ken (August 1984). <a rel="nofollow" class="external text" href="http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf">"Reflections on Trusting Trust"</a> <span class="cs1-format">(PDF)</span>. <i>Communications of the ACM</i>. <b>27</b> (8): 761. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F358198.358210">10.1145/358198.358210</a></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Communications+of+the+ACM&rft.atitle=Reflections+on+Trusting+Trust&rft.volume=27&rft.issue=8&rft.pages=761&rft.date=1984-08&rft_id=info%3Adoi%2F10.1145%2F358198.358210&rft.aulast=Thompson&rft.aufirst=Ken&rft_id=http%3A%2F%2Fwww.ece.cmu.edu%2F~ganger%2F712.fall02%2Fpapers%2Fp761-thompson.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-Hoglund-9"><span class="mw-cite-backlink">^ <a href="#cite_ref-Hoglund_9-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-Hoglund_9-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGreg_HoglundJames_Butler2006" class="citation book cs1">Greg Hoglund; James Butler (2006). <a rel="nofollow" class="external text" href="https://books.google.com/books?id=fDxg1W3eT2gC"><i>Rootkits: Subverting the Windows kernel</i></a>. Addison-Wesley. p. 4. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-321-29431-9" title="Special:BookSources/978-0-321-29431-9"><bdi>978-0-321-29431-9</bdi></a> – via <a href="/wiki/Google_Books" title="Google Books">Google Books</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Rootkits%3A+Subverting+the+Windows+kernel&rft.pages=4&rft.pub=Addison-Wesley&rft.date=2006&rft.isbn=978-0-321-29431-9&rft.au=Greg+Hoglund&rft.au=James+Butler&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3DfDxg1W3eT2gC&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-10">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDai_Zovi2009" class="citation conference cs1">Dai Zovi, Dino (2009-07-26). <a rel="nofollow" class="external text" href="https://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf"><i>Advanced Mac OS X Rootkits</i></a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/Black_Hat_Briefings" title="Black Hat Briefings">Blackhat</a>. Endgame Systems<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-23</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.btitle=Advanced+Mac+OS+X+Rootkits&rft.pub=Endgame+Systems&rft.date=2009-07-26&rft.aulast=Dai+Zovi&rft.aufirst=Dino&rft_id=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-usa-09%2FDAIZOVI%2FBHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-11"><span class="mw-cite-backlink"><b><a href="#cite_ref-11">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100820034513/http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices">"Stuxnet Introduces the First Known Rootkit for Industrial Control Systems"</a>. <a href="/wiki/NortonLifeLock" class="mw-redirect" title="NortonLifeLock">Symantec</a>. 2010-08-06. Archived from <a rel="nofollow" class="external text" href="http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices">the original</a> on August 20, 2010<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-12-04</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Stuxnet+Introduces+the+First+Known+Rootkit+for+Industrial+Control+Systems&rft.pub=Symantec&rft.date=2010-08-06&rft_id=http%3A%2F%2Fwww.symantec.com%2Fconnect%2Fblogs%2Fstuxnet-introduces-first-known-rootkit-scada-devices&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-CA-XCP-12"><span class="mw-cite-backlink"><b><a href="#cite_ref-CA-XCP_12-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100818202245/http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453096362">"Spyware Detail: XCP.Sony.Rootkit"</a>. <a href="/wiki/Computer_Associates" class="mw-redirect" title="Computer Associates">Computer Associates</a>. 2005-11-05. Archived from <a rel="nofollow" class="external text" href="http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453096362">the original</a> on 2010-08-18<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-19</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Spyware+Detail%3A+XCP.Sony.Rootkit&rft.pub=Computer+Associates&rft.date=2005-11-05&rft_id=http%3A%2F%2Fwww.ca.com%2Fus%2Fsecurityadvisor%2Fpest%2Fpest.aspx%3Fid%3D453096362&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-markrussinovich-13"><span class="mw-cite-backlink"><b><a href="#cite_ref-markrussinovich_13-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFRussinovich2005" class="citation web cs1"><a href="/wiki/Mark_Russinovich" title="Mark Russinovich">Russinovich, Mark</a> (2005-10-31). <a rel="nofollow" class="external text" href="https://blogs.technet.microsoft.com/markrussinovich/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far/">"Sony, Rootkits and Digital Rights Management Gone Too Far"</a>. <i><a href="/wiki/Microsoft_Technet#Blogs" class="mw-redirect" title="Microsoft Technet">TechNet Blogs</a></i>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=TechNet+Blogs&rft.atitle=Sony%2C+Rootkits+and+Digital+Rights+Management+Gone+Too+Far&rft.date=2005-10-31&rft.aulast=Russinovich&rft.aufirst=Mark&rft_id=https%3A%2F%2Fblogs.technet.microsoft.com%2Fmarkrussinovich%2F2005%2F10%2F31%2Fsony-rootkits-and-digital-rights-management-gone-too-far%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-14">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation news cs1"><a rel="nofollow" class="external text" href="http://news.bbc.co.uk/2/hi/technology/4456970.stm">"Sony's long-term rootkit CD woes"</a>. <i><a href="/wiki/BBC_News" title="BBC News">BBC News</a></i>. 2005-11-21<span class="reference-accessdate">. Retrieved <span class="nowrap">2008-09-15</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=BBC+News&rft.atitle=Sony%27s+long-term+rootkit+CD+woes&rft.date=2005-11-21&rft_id=http%3A%2F%2Fnews.bbc.co.uk%2F2%2Fhi%2Ftechnology%2F4456970.stm&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-felton-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-felton_15-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFFelton2005" class="citation web cs1">Felton, Ed (2005-11-15). 
<a rel="nofollow" class="external text" href="https://freedom-to-tinker.com/blog/felten/sonys-web-based-uninstaller-opens-big-security-hole-sony-recall-discs/">"Sony's Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Sony%27s+Web-Based+Uninstaller+Opens+a+Big+Security+Hole%3B+Sony+to+Recall+Discs&rft.date=2005-11-15&rft.aulast=Felton&rft.aufirst=Ed&rft_id=https%3A%2F%2Ffreedom-to-tinker.com%2Fblog%2Ffelten%2Fsonys-web-based-uninstaller-opens-big-security-hole-sony-recall-discs%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-16">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKnight2005" class="citation journal cs1">Knight, Will (2005-11-11). <a rel="nofollow" class="external text" href="https://www.newscientist.com/article/dn8307">"Sony BMG sued over cloaking software on music CD"</a>. <i><a href="/wiki/New_Scientist" title="New Scientist">New Scientist</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=New+Scientist&rft.atitle=Sony+BMG+sued+over+cloaking+software+on+music+CD&rft.date=2005-11-11&rft.aulast=Knight&rft.aufirst=Will&rft_id=https%3A%2F%2Fwww.newscientist.com%2Farticle%2Fdn8307&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-17"><span class="mw-cite-backlink"><b><a href="#cite_ref-17">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKyriakidou2006" class="citation news cs1">Kyriakidou, Dina (March 2, 2006). <a rel="nofollow" class="external text" href="http://www.tiscali.co.uk/news/newswire.php/news/reuters/2006/02/03/odd/34greekwatergate34scandalsendspoliticalshockwaves.html">"<span class="cs1-kern-left"></span>"Greek Watergate" Scandal Sends Political Shockwaves"</a>. <a href="/wiki/Reuters" title="Reuters">Reuters</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2007-11-24</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=%22Greek+Watergate%22+Scandal+Sends+Political+Shockwaves&rft.date=2006-03-02&rft.aulast=Kyriakidou&rft.aufirst=Dina&rft_id=http%3A%2F%2Fwww.tiscali.co.uk%2Fnews%2Fnewswire.php%2Fnews%2Freuters%2F2006%2F02%2F03%2Fodd%2F34greekwatergate34scandalsendspoliticalshockwaves.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span> <sup class="noprint Inline-Template"><span style="white-space: nowrap;">[<i><a rel="nofollow" class="external text" href="https://web.archive.org/web/*/http://www.tiscali.co.uk/news/newswire.php/news/reuters/2006/02/03/odd/34greekwatergate34scandalsendspoliticalshockwaves.html"><span title=" tagged September 2012">dead link</span></a></i><span style="visibility:hidden; color:transparent; padding-left:2px">‍</span>]</span></sup></span> </li> <li id="cite_note-ieee-18"><span class="mw-cite-backlink">^ <a href="#cite_ref-ieee_18-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-ieee_18-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFVassilis_PrevelakisDiomidis_Spinellis2007" class="citation news cs1">Vassilis Prevelakis; Diomidis Spinellis (July 2007). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20090801085606/http://www.spectrum.ieee.org/telecom/security/the-athens-affair/0">"The Athens Affair"</a>. 
Archived from <a rel="nofollow" class="external text" href="https://spectrum.ieee.org/telecom/security/the-athens-affair/0">the original</a> on August 1, 2009.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=The+Athens+Affair&rft.date=2007-07&rft.au=Vassilis+Prevelakis&rft.au=Diomidis+Spinellis&rft_id=https%3A%2F%2Fspectrum.ieee.org%2Ftelecom%2Fsecurity%2Fthe-athens-affair%2F0&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-19">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFRussinovich2005" class="citation journal cs1"><a href="/wiki/Mark_Russinovich" title="Mark Russinovich">Russinovich, Mark</a> (June 2005). <a rel="nofollow" class="external text" href="https://archive.today/20120918/http://www.windowsitpro.com/Article/ArticleID/46266/46266.html">"Unearthing Root Kits"</a>. <i>Windows IT Pro</i>. Archived from <a rel="nofollow" class="external text" href="http://www.windowsitpro.com/Article/ArticleID/46266/46266.html">the original</a> on 2012-09-18<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-12-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Windows+IT+Pro&rft.atitle=Unearthing+Root+Kits&rft.date=2005-06&rft.aulast=Russinovich&rft.aufirst=Mark&rft_id=http%3A%2F%2Fwww.windowsitpro.com%2FArticle%2FArticleID%2F46266%2F46266.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-20"><span class="mw-cite-backlink"><b><a href="#cite_ref-20">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFMarks2021" class="citation web cs1">Marks, Joseph (July 1, 2021). <a rel="nofollow" class="external text" href="https://www.washingtonpost.com/politics/2021/07/01/cybersecurity-202-dojs-future-is-disrupting-hackers-not-just-indicting-them/">"The Cybersecurity 202: DOJ's future is in disrupting hackers, not just indicting them"</a>. <i><a href="/wiki/The_Washington_Post" title="The Washington Post">The Washington Post</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">July 24,</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Washington+Post&rft.atitle=The+Cybersecurity+202%3A+DOJ%27s+future+is+in+disrupting+hackers%2C+not+just+indicting+them&rft.date=2021-07-01&rft.aulast=Marks&rft.aufirst=Joseph&rft_id=https%3A%2F%2Fwww.washingtonpost.com%2Fpolitics%2F2021%2F07%2F01%2Fcybersecurity-202-dojs-future-is-disrupting-hackers-not-just-indicting-them%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-21"><span class="mw-cite-backlink"><b><a href="#cite_ref-21">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSteve_Hanna2007" class="citation web cs1">Steve Hanna (September 2007). <a rel="nofollow" class="external text" href="http://www.vividmachines.com/download/icsicceid.pdf">"Using Rootkit Technology for Honeypot-Based Malware Detection"</a> <span class="cs1-format">(PDF)</span>. CCEID Meeting.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Using+Rootkit+Technology+for+Honeypot-Based+Malware+Detection&rft.pub=CCEID+Meeting&rft.date=2007-09&rft.au=Steve+Hanna&rft_id=http%3A%2F%2Fwww.vividmachines.com%2Fdownload%2Ficsicceid.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-22"><span class="mw-cite-backlink"><b><a href="#cite_ref-22">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFRussinovich2006" class="citation web cs1"><a href="/wiki/Mark_Russinovich" title="Mark Russinovich">Russinovich, Mark</a> (6 February 2006). 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20060814225723/http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html">"Using Rootkits to Defeat Digital Rights Management"</a>. <i>Winternals</i>. SysInternals. Archived from <a rel="nofollow" class="external text" href="http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html">the original</a> on 14 August 2006<span class="reference-accessdate">. Retrieved <span class="nowrap">2006-08-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Winternals&rft.atitle=Using+Rootkits+to+Defeat+Digital+Rights+Management&rft.date=2006-02-06&rft.aulast=Russinovich&rft.aufirst=Mark&rft_id=http%3A%2F%2Fwww.sysinternals.com%2Fblog%2F2006%2F02%2Fusing-rootkits-to-defeat-digital.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-23"><span class="mw-cite-backlink"><b><a href="#cite_ref-23">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation journal cs1"><a rel="nofollow" class="external text" href="https://books.google.com/books?id=5-oDAAAAMBAJ&pg=PA89">"Symantec Releases Update for its Own Rootkit"</a>. <i>HWM</i> (March): 89. 
2006 – via <a href="/wiki/Google_Books" title="Google Books">Google Books</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=HWM&rft.atitle=Symantec+Releases+Update+for+its+Own+Rootkit&rft.issue=March&rft.pages=89&rft.date=2006&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3D5-oDAAAAMBAJ%26pg%3DPA89&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-Ortega-24"><span class="mw-cite-backlink">^ <a href="#cite_ref-Ortega_24-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-Ortega_24-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFOrtegaSacco2009" class="citation conference cs1">Ortega, Alfredo; Sacco, Anibal (2009-07-24). <a rel="nofollow" class="external text" href="https://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf"><i>Deactivate the Rootkit: Attacks on BIOS anti-theft technologies</i></a> <span class="cs1-format">(PDF)</span>. <a rel="nofollow" class="external text" href="https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html">Black Hat USA 2009</a> (PDF). Boston, MA: Core Security Technologies<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2014-06-12</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.btitle=Deactivate+the+Rootkit%3A+Attacks+on+BIOS+anti-theft+technologies&rft.place=Boston%2C+MA&rft.pub=Core+Security+Technologies&rft.date=2009-07-24&rft.aulast=Ortega&rft.aufirst=Alfredo&rft.au=Sacco%2C+Anibal&rft_id=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-usa-09%2FORTEGA%2FBHUSA09-Ortega-DeactivateRootkit-PAPER.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-25"><span class="mw-cite-backlink"><b><a href="#cite_ref-25">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKleissner2009" class="citation web cs1">Kleissner, Peter (2009-09-02). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110716145530/http://www.stoned-vienna.com/downloads/The%20Rise%20of%20MBR%20Rootkits%20%26%20Bootkits%20in%20the%20Wild.pdf">"Stoned Bootkit: The Rise of MBR Rootkits & Bootkits in the Wild"</a> <span class="cs1-format">(PDF)</span>. Archived from <a rel="nofollow" class="external text" href="http://www.stoned-vienna.com/downloads/The%20Rise%20of%20MBR%20Rootkits%20&%20Bootkits%20in%20the%20Wild.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2011-07-16<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-23</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Stoned+Bootkit%3A+The+Rise+of+MBR+Rootkits+%26+Bootkits+in+the+Wild&rft.date=2009-09-02&rft.aulast=Kleissner&rft.aufirst=Peter&rft_id=http%3A%2F%2Fwww.stoned-vienna.com%2Fdownloads%2FThe%2520Rise%2520of%2520MBR%2520Rootkits%2520%26%2520Bootkits%2520in%2520the%2520Wild.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-anson-forensics-26"><span class="mw-cite-backlink">^ <a href="#cite_ref-anson-forensics_26-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-anson-forensics_26-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-anson-forensics_26-2"><sup><i><b>c</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFAnsonBunting2007" class="citation book cs1">Anson, Steve; Bunting, Steve (2007). <a rel="nofollow" class="external text" href="https://books.google.com/books?id=BhdP2PZy6SoC"><i>Mastering Windows Network Forensics and Investigation</i></a>. John Wiley and Sons. pp. <span class="nowrap">73–</span>74. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-470-09762-5" title="Special:BookSources/978-0-470-09762-5"><bdi>978-0-470-09762-5</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Mastering+Windows+Network+Forensics+and+Investigation&rft.pages=%3Cspan+class%3D%22nowrap%22%3E73-%3C%2Fspan%3E74&rft.pub=John+Wiley+and+Sons&rft.date=2007&rft.isbn=978-0-470-09762-5&rft.aulast=Anson&rft.aufirst=Steve&rft.au=Bunting%2C+Steve&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3DBhdP2PZy6SoC&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-McAfee2-27"><span class="mw-cite-backlink">^ <a href="#cite_ref-McAfee2_27-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-McAfee2_27-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-McAfee2_27-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-McAfee2_27-3"><sup><i><b>d</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20081205031526/http://www.mcafee.com/us/local_content/white_papers/wp_rootkits_0407.pdf">"Rootkits Part 2: A Technical Primer"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/McAfee" title="McAfee">McAfee</a>. 2007-04-03. Archived from <a rel="nofollow" class="external text" href="http://www.mcafee.com/us/local_content/white_papers/wp_rootkits_0407.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2008-12-05<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Rootkits+Part+2%3A+A+Technical+Primer&rft.pub=McAfee&rft.date=2007-04-03&rft_id=http%3A%2F%2Fwww.mcafee.com%2Fus%2Flocal_content%2Fwhite_papers%2Fwp_rootkits_0407.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-28"><span class="mw-cite-backlink"><b><a href="#cite_ref-28">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKdm" class="citation journal cs1">Kdm. <a rel="nofollow" class="external text" href="http://www.phrack.org/issues.html?issue=62&id=12">"NTIllusion: A portable Win32 userland rootkit"</a>. <i><a href="/wiki/Phrack" title="Phrack">Phrack</a></i>. <b>62</b> (12).</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Phrack&rft.atitle=NTIllusion%3A+A+portable+Win32+userland+rootkit&rft.volume=62&rft.issue=12&rft.au=Kdm&rft_id=http%3A%2F%2Fwww.phrack.org%2Fissues.html%3Fissue%3D62%26id%3D12&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-UAMT-29"><span class="mw-cite-backlink">^ <a href="#cite_ref-UAMT_29-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-UAMT_29-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-UAMT_29-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-UAMT_29-3"><sup><i><b>d</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100911033147/http://download.microsoft.com/download/a/b/e/abefdf1c-96bd-40d6-a138-e320b6b25bd3/understandingantimalwaretechnologies.pdf">"Understanding Anti-Malware 
Technologies"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a>. 2007-02-21. Archived from <a rel="nofollow" class="external text" href="http://download.microsoft.com/download/a/b/e/abefdf1c-96bd-40d6-a138-e320b6b25bd3/understandingantimalwaretechnologies.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2010-09-11<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-08-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Understanding+Anti-Malware+Technologies&rft.pub=Microsoft&rft.date=2007-02-21&rft_id=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2Fa%2Fb%2Fe%2Fabefdf1c-96bd-40d6-a138-e320b6b25bd3%2Funderstandingantimalwaretechnologies.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-30"><span class="mw-cite-backlink"><b><a href="#cite_ref-30">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHoglund1999" class="citation journal cs1">Hoglund, Greg (1999-09-09). <a rel="nofollow" class="external text" href="http://phrack.org/issues.html?issue=55&id=5">"A *REAL* NT Rootkit, Patching the NT Kernel"</a>. <i><a href="/wiki/Phrack" title="Phrack">Phrack</a></i>. <b>9</b> (55)<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Phrack&rft.atitle=A+%2AREAL%2A+NT+Rootkit%2C+Patching+the+NT+Kernel&rft.volume=9&rft.issue=55&rft.date=1999-09-09&rft.aulast=Hoglund&rft.aufirst=Greg&rft_id=http%3A%2F%2Fphrack.org%2Fissues.html%3Fissue%3D55%26id%3D5&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-31"><span class="mw-cite-backlink"><b><a href="#cite_ref-31">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFChuvakin2003" class="citation report cs1"><a href="/wiki/Anton_Chuvakin" title="Anton Chuvakin">Chuvakin, Anton</a> (2003-02-02). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110725214743/http://www.megasecurity.org/papers/Rootkits.pdf">An Overview of Unix Rootkits</a> <span class="cs1-format">(PDF)</span> (Report). Chantilly, Virginia: iDEFENSE. Archived from <a rel="nofollow" class="external text" href="http://www.megasecurity.org/papers/Rootkits.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2011-07-25<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=report&rft.btitle=An+Overview+of+Unix+Rootkits&rft.place=Chantilly%2C+Virginia&rft.pub=iDEFENSE&rft.date=2003-02-02&rft.aulast=Chuvakin&rft.aufirst=Anton&rft_id=http%3A%2F%2Fwww.megasecurity.org%2Fpapers%2FRootkits.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-32"><span class="mw-cite-backlink"><b><a href="#cite_ref-32">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFButlerSparks2005" class="citation web cs1">Butler, James; Sparks, Sherri (2005-11-16). <a rel="nofollow" class="external text" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce6da5e2-974c-4ffb-9e44-8c4f97bc5fdb&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments">"Windows Rootkits of 2005, Part Two"</a>. <i>Symantec Connect</i>. Symantec<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Symantec+Connect&rft.atitle=Windows+Rootkits+of+2005%2C+Part+Two&rft.date=2005-11-16&rft.aulast=Butler&rft.aufirst=James&rft.au=Sparks%2C+Sherri&rft_id=https%3A%2F%2Fcommunity.broadcom.com%2Fsymantecenterprise%2Fcommunities%2Fcommunity-home%2Flibrarydocuments%2Fviewdocument%3FDocumentKey%3Dce6da5e2-974c-4ffb-9e44-8c4f97bc5fdb%26CommunityKey%3D1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68%26tab%3Dlibrarydocuments&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-33"><span class="mw-cite-backlink"><b><a href="#cite_ref-33">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFButlerSparks2005" class="citation web cs1">Butler, James; Sparks, Sherri (2005-11-03). <a rel="nofollow" class="external text" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a3624787-b8a3-42f6-b33a-3f30181c4ce6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments">"Windows Rootkits of 2005, Part One"</a>. <i>Symantec Connect</i>. Symantec<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-12</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Symantec+Connect&rft.atitle=Windows+Rootkits+of+2005%2C+Part+One&rft.date=2005-11-03&rft.aulast=Butler&rft.aufirst=James&rft.au=Sparks%2C+Sherri&rft_id=https%3A%2F%2Fcommunity.broadcom.com%2Fsymantecenterprise%2Fcommunities%2Fcommunity-home%2Flibrarydocuments%2Fviewdocument%3FDocumentKey%3Da3624787-b8a3-42f6-b33a-3f30181c4ce6%26CommunityKey%3D1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68%26tab%3Dlibrarydocuments&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-34"><span class="mw-cite-backlink"><b><a href="#cite_ref-34">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFBurdach2004" class="citation web cs1">Burdach, Mariusz (2004-11-17). <a rel="nofollow" class="external text" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=c06510cf-8199-4bc4-9323-1af7e2f2fe04&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments">"Detecting Rootkits And Kernel-level Compromises In Linux"</a>. <a href="/wiki/NortonLifeLock" class="mw-redirect" title="NortonLifeLock">Symantec</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-23</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Detecting+Rootkits+And+Kernel-level+Compromises+In+Linux&rft.pub=Symantec&rft.date=2004-11-17&rft.aulast=Burdach&rft.aufirst=Mariusz&rft_id=https%3A%2F%2Fcommunity.broadcom.com%2Fsymantecenterprise%2Fcommunities%2Fcommunity-home%2Flibrarydocuments%2Fviewdocument%3FDocumentKey%3Dc06510cf-8199-4bc4-9323-1af7e2f2fe04%26CommunityKey%3D1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68%26tab%3Dlibrarydocuments&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-35"><span class="mw-cite-backlink"><b><a href="#cite_ref-35">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFOsborne2019" class="citation web cs1">Osborne, Charlie (September 17, 2019). <a rel="nofollow" class="external text" href="https://www.zdnet.com/article/skidmap-malware-buries-into-the-kernel-to-hide-cryptocurrency-mining/">"Skidmap malware buries into the kernel to hide illicit cryptocurrency mining"</a>. <i><a href="/wiki/ZDNet" class="mw-redirect" title="ZDNet">ZDNet</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">July 24,</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=ZDNet&rft.atitle=Skidmap+malware+buries+into+the+kernel+to+hide+illicit+cryptocurrency+mining&rft.date=2019-09-17&rft.aulast=Osborne&rft.aufirst=Charlie&rft_id=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fskidmap-malware-buries-into-the-kernel-to-hide-cryptocurrency-mining%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-36"><span class="mw-cite-backlink"><b><a href="#cite_ref-36">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFMarco_Giuliani2011" class="citation web cs1">Marco Giuliani (11 April 2011). <a rel="nofollow" class="external text" href="http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf">"ZeroAccess – An Advanced Kernel Mode Rootkit"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/Webroot_Software" class="mw-redirect" title="Webroot Software">Webroot Software</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">10 August</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ZeroAccess+%E2%80%93+An+Advanced+Kernel+Mode+Rootkit&rft.pub=Webroot+Software&rft.date=2011-04-11&rft.au=Marco+Giuliani&rft_id=http%3A%2F%2Fpxnow.prevx.com%2Fcontent%2Fblog%2Fzeroaccess_analysis.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-37"><span class="mw-cite-backlink"><b><a href="#cite_ref-37">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx">"Driver Signing Requirements for Windows"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2008-07-06</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Driver+Signing+Requirements+for+Windows&rft.pub=Microsoft&rft_id=http%3A%2F%2Fwww.microsoft.com%2Fwhdc%2Fwinlogo%2Fdrvsign%2Fdrvsign.mspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-38"><span class="mw-cite-backlink"><b><a href="#cite_ref-38">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSalter2020" class="citation web cs1">Salter, Jim (July 31, 2020). <a rel="nofollow" class="external text" href="https://arstechnica.com/gadgets/2020/07/red-hat-and-centos-systems-arent-booting-due-to-boothole-patches/">"Red Hat and CentOS systems aren't booting due to BootHole patches"</a>. <i><a href="/wiki/Ars_Technica" title="Ars Technica">Ars Technica</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">July 24,</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Ars+Technica&rft.atitle=Red+Hat+and+CentOS+systems+aren%27t+booting+due+to+BootHole+patches&rft.date=2020-07-31&rft.aulast=Salter&rft.aufirst=Jim&rft_id=https%3A%2F%2Farstechnica.com%2Fgadgets%2F2020%2F07%2Fred-hat-and-centos-systems-arent-booting-due-to-boothole-patches%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-39"><span class="mw-cite-backlink"><b><a href="#cite_ref-39">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSchneier2009" class="citation web cs1"><a href="/wiki/Bruce_Schneier" title="Bruce Schneier">Schneier, Bruce</a> (2009-10-23). <a rel="nofollow" class="external text" href="http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html">"<span class="cs1-kern-left"></span>'Evil Maid' Attacks on Encrypted Hard Drives"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2009-11-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=%27Evil+Maid%27+Attacks+on+Encrypted+Hard+Drives&rft.date=2009-10-23&rft.aulast=Schneier&rft.aufirst=Bruce&rft_id=http%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2009%2F10%2Fevil_maid_attac.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-40"><span class="mw-cite-backlink"><b><a href="#cite_ref-40">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSoederPermeh2007" class="citation web cs1">Soeder, Derek; Permeh, Ryan (2007-05-09). 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20130817055752/http://www.eeye.com/Resources/Security-Center/Research/Tools/BootRoot">"Bootroot"</a>. eEye Digital Security. Archived from <a rel="nofollow" class="external text" href="http://www.eeye.com/Resources/Security-Center/Research/Tools/BootRoot">the original</a> on 2013-08-17<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-23</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Bootroot&rft.pub=eEye+Digital+Security&rft.date=2007-05-09&rft.aulast=Soeder&rft.aufirst=Derek&rft.au=Permeh%2C+Ryan&rft_id=http%3A%2F%2Fwww.eeye.com%2FResources%2FSecurity-Center%2FResearch%2FTools%2FBootRoot&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-kumar-vbootkit-41"><span class="mw-cite-backlink"><b><a href="#cite_ref-kumar-vbootkit_41-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKumarKumar2007" class="citation conference cs1">Kumar, Nitin; Kumar, Vipin (2007). <a rel="nofollow" class="external text" href="https://www.blackhat.com/presentations/bh-europe-07/Kumar/Whitepaper/bh-eu-07-Kumar-WP-apr19.pdf"><i>Vbootkit: Compromising Windows Vista Security</i></a> <span class="cs1-format">(PDF)</span>. 
<a rel="nofollow" class="external text" href="https://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html#eu_07">Black Hat Europe 2007</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.btitle=Vbootkit%3A+Compromising+Windows+Vista+Security&rft.date=2007&rft.aulast=Kumar&rft.aufirst=Nitin&rft.au=Kumar%2C+Vipin&rft_id=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-europe-07%2FKumar%2FWhitepaper%2Fbh-eu-07-Kumar-WP-apr19.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-42"><span class="mw-cite-backlink"><b><a href="#cite_ref-42">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100610194454/http://www.nvlabs.in/archives/5-BOOT-KIT-Custom-boot-sector-based-Windows-2000XP2003-Subversion.html">"BOOT KIT: Custom boot sector based Windows 2000/XP/2003 Subversion"</a>. <i>NVlabs</i>. 2007-02-04. Archived from <a rel="nofollow" class="external text" href="http://www.nvlabs.in/archives/5-BOOT-KIT-Custom-boot-sector-based-Windows-2000XP2003-Subversion.html">the original</a> on June 10, 2010<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=NVlabs&rft.atitle=BOOT+KIT%3A+Custom+boot+sector+based+Windows+2000%2FXP%2F2003+Subversion&rft.date=2007-02-04&rft_id=http%3A%2F%2Fwww.nvlabs.in%2Farchives%2F5-BOOT-KIT-Custom-boot-sector-based-Windows-2000XP2003-Subversion.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-43"><span class="mw-cite-backlink"><b><a href="#cite_ref-43">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKleissner2009" class="citation web cs1">Kleissner, Peter (2009-10-19). <a rel="nofollow" class="external text" href="http://www.stoned-vienna.com/">"Stoned Bootkit"</a>. Peter Kleissner<span class="reference-accessdate">. Retrieved <span class="nowrap">2009-11-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Stoned+Bootkit&rft.pub=Peter+Kleissner&rft.date=2009-10-19&rft.aulast=Kleissner&rft.aufirst=Peter&rft_id=http%3A%2F%2Fwww.stoned-vienna.com%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span><sup class="noprint Inline-Template" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Verifiability#Self-published_sources" title="Wikipedia:Verifiability"><span title="This reference citation appears to be to a self-published source. (November 2010)">self-published source</span></a></i>]</sup></span> </li> <li id="cite_note-44"><span class="mw-cite-backlink"><b><a href="#cite_ref-44">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGoodin2010" class="citation web cs1">Goodin, Dan (2010-11-16). 
<a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/">"World's Most Advanced Rootkit Penetrates 64-bit Windows"</a>. <i><a href="/wiki/The_Register" title="The Register">The Register</a></i><span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-22</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Register&rft.atitle=World%27s+Most+Advanced+Rootkit+Penetrates+64-bit+Windows&rft.date=2010-11-16&rft.aulast=Goodin&rft.aufirst=Dan&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2010%2F11%2F16%2Ftdl_rootkit_does_64_bit_windows%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-45"><span class="mw-cite-backlink"><b><a href="#cite_ref-45">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFFrancisco" class="citation web cs1">McAllister, Neil. <a rel="nofollow" class="external text" href="https://www.theregister.com/2012/08/03/windows_oem_activation_30/">"Microsoft tightens grip on OEM Windows 8 licensing"</a>. 
<i>www.theregister.com</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.theregister.com&rft.atitle=Microsoft+tightens+grip+on+OEM+Windows+8+licensing&rft.aulast=Francisco&rft.aufirst=Neil+McAllister+in+San&rft_id=https%3A%2F%2Fwww.theregister.com%2F2012%2F08%2F03%2Fwindows_oem_activation_30%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-46"><span class="mw-cite-backlink"><b><a href="#cite_ref-46">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKingChenWangVerbowski2006" class="citation book cs1">King, Samuel T.; Chen, Peter M.; Wang, Yi-Min; Verbowski, Chad; Wang, Helen J.; Lorch, Jacob R. (2006-04-03). <a rel="nofollow" class="external text" href="http://www.eecs.umich.edu/virtual/papers/king06.pdf">"SubVirt: Implementing malware with virtual machines"</a> <span class="cs1-format">(PDF)</span>. <i>2006 IEEE Symposium on Security and Privacy (S&P'06)</i>. <a href="/wiki/Institute_of_Electrical_and_Electronics_Engineers" title="Institute of Electrical and Electronics Engineers">Institute of Electrical and Electronics Engineers</a>. pp. 14 pp.-327. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2FSP.2006.38">10.1109/SP.2006.38</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/0-7695-2574-1" title="Special:BookSources/0-7695-2574-1"><bdi>0-7695-2574-1</bdi></a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:1349303">1349303</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2008-09-15</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=SubVirt%3A+Implementing+malware+with+virtual+machines&rft.btitle=2006+IEEE+Symposium+on+Security+and+Privacy+%28S%26P%2706%29&rft.pages=14+pp.-327&rft.pub=Institute+of+Electrical+and+Electronics+Engineers&rft.date=2006-04-03&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A1349303%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1109%2FSP.2006.38&rft.isbn=0-7695-2574-1&rft.aulast=King&rft.aufirst=Samuel+T.&rft.au=Chen%2C+Peter+M.&rft.au=Wang%2C+Yi-Min&rft.au=Verbowski%2C+Chad&rft.au=Wang%2C+Helen+J.&rft.au=Lorch%2C+Jacob+R.&rft_id=http%3A%2F%2Fwww.eecs.umich.edu%2Fvirtual%2Fpapers%2Fking06.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-47"><span class="mw-cite-backlink"><b><a href="#cite_ref-47">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFWangJiangCuiNing2009" class="citation conference cs1">Wang, Zhi; Jiang, Xuxian; Cui, Weidong; Ning, Peng (2009-08-11). <a rel="nofollow" class="external text" href="http://research.microsoft.com/en-us/um/people/wdcui/papers/hooksafe-ccs09.pdf">"Countering Kernel Rootkits with Lightweight Hook Protection"</a> <span class="cs1-format">(PDF)</span>. In Al-Shaer, Ehab (General Chair) (ed.). <i>Proceedings of the 16th ACM Conference on Computer and Communications Security</i>. <a rel="nofollow" class="external text" href="http://www.sigsac.org/ccs/CCS2009/">CCS 2009: 16th ACM Conference on Computer and Communications Security</a>. Jha, Somesh; Keromytis, Angelos D. (Program Chairs). New York: ACM New York. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F1653662.1653728">10.1145/1653662.1653728</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-60558-894-0" title="Special:BookSources/978-1-60558-894-0"><bdi>978-1-60558-894-0</bdi></a><span class="reference-accessdate">. Retrieved <span class="nowrap">2009-11-11</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=Countering+Kernel+Rootkits+with+Lightweight+Hook+Protection&rft.btitle=Proceedings+of+the+16th+ACM+Conference+on+Computer+and+Communications+Security&rft.place=New+York&rft.pub=ACM+New+York&rft.date=2009-08-11&rft_id=info%3Adoi%2F10.1145%2F1653662.1653728&rft.isbn=978-1-60558-894-0&rft.aulast=Wang&rft.aufirst=Zhi&rft.au=Jiang%2C+Xuxian&rft.au=Cui%2C+Weidong&rft.au=Ning%2C+Peng&rft_id=http%3A%2F%2Fresearch.microsoft.com%2Fen-us%2Fum%2Fpeople%2Fwdcui%2Fpapers%2Fhooksafe-ccs09.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-48"><span class="mw-cite-backlink"><b><a href="#cite_ref-48">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://msdn.microsoft.com/en-us/library/dn986865(v=vs.85).aspx">"Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)"</a>. 
11 July 2023.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Device+Guard+is+the+combination+of+Windows+Defender+Application+Control+and+virtualization-based+protection+of+code+integrity+%28Windows+10%29&rft.date=2023-07-11&rft_id=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fdn986865%28v%3Dvs.85%29.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-49"><span class="mw-cite-backlink"><b><a href="#cite_ref-49">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDelugré2010" class="citation conference cs1">Delugré, Guillaume (2010-11-21). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20120425194643/http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf"><i>Reversing the Broacom NetExtreme's Firmware</i></a> <span class="cs1-format">(PDF)</span>. hack.lu. Sogeti. Archived from <a rel="nofollow" class="external text" href="http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2012-04-25<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-25</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.btitle=Reversing+the+Broacom+NetExtreme%27s+Firmware&rft.pub=Sogeti&rft.date=2010-11-21&rft.aulast=Delugr%C3%A9&rft.aufirst=Guillaume&rft_id=http%3A%2F%2Fesec-lab.sogeti.com%2Fdotclear%2Fpublic%2Fpublications%2F10-hack.lu-nicreverse_slides.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-blog.trendmicro.com-50"><span class="mw-cite-backlink">^ <a href="#cite_ref-blog.trendmicro.com_50-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-blog.trendmicro.com_50-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/">"Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems - TrendLabs Security Intelligence Blog"</a>. 2015-07-13.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Hacking+Team+Uses+UEFI+BIOS+Rootkit+to+Keep+RCS+9+Agent+in+Target+Systems+-+TrendLabs+Security+Intelligence+Blog&rft.date=2015-07-13&rft_id=http%3A%2F%2Fblog.trendmicro.com%2Ftrendlabs-security-intelligence%2Fhacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-51"><span class="mw-cite-backlink"><b><a href="#cite_ref-51">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHeasman2006" class="citation conference cs1">Heasman, John (2006-01-25). 
<a rel="nofollow" class="external text" href="https://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Heasman.pdf"><i>Implementing and Detecting an ACPI BIOS Rootkit</i></a> <span class="cs1-format">(PDF)</span>. <a rel="nofollow" class="external text" href="https://www.blackhat.com/html/bh-federal-06/bh-fed-06-index.html">Black Hat Federal 2006</a>. NGS Consulting<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.btitle=Implementing+and+Detecting+an+ACPI+BIOS+Rootkit&rft.pub=NGS+Consulting&rft.date=2006-01-25&rft.aulast=Heasman&rft.aufirst=John&rft_id=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-europe-06%2Fbh-eu-06-Heasman.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-52"><span class="mw-cite-backlink"><b><a href="#cite_ref-52">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHeasman2006" class="citation web cs1">Heasman, John (2006-11-15). <a rel="nofollow" class="external text" href="http://www.ngsconsulting.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf">"Implementing and Detecting a PCI Rootkit"</a> <span class="cs1-format">(PDF)</span>. Next Generation Security Software. <a href="/wiki/CiteSeerX" title="CiteSeerX">CiteSeerX</a>: <span class="url"><a rel="nofollow" class="external text" href="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.89.7305">10.1.1.89.7305</a></span><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Implementing+and+Detecting+a+PCI+Rootkit&rft.pub=Next+Generation+Security+Software&rft.date=2006-11-15&rft.aulast=Heasman&rft.aufirst=John&rft_id=http%3A%2F%2Fwww.ngsconsulting.com%2Fresearch%2Fpapers%2FImplementing_And_Detecting_A_PCI_Rootkit.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-53"><span class="mw-cite-backlink"><b><a href="#cite_ref-53">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFModine2008" class="citation web cs1">Modine, Austin (2008-10-10). <a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines/">"Organized crime tampers with European card swipe devices: Customer data beamed overseas"</a>. <i><a href="/wiki/The_Register" title="The Register">The Register</a></i>. Situation Publishing<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2008-10-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Register&rft.atitle=Organized+crime+tampers+with+European+card+swipe+devices%3A+Customer+data+beamed+overseas&rft.date=2008-10-10&rft.aulast=Modine&rft.aufirst=Austin&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2008%2F10%2F10%2Forganized_crime_doctors_chip_and_pin_machines%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-54"><span class="mw-cite-backlink"><b><a href="#cite_ref-54">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSaccoOrtéga2009" class="citation conference cs1">Sacco, Anibal; Ortéga, Alfredo (2009). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110708114942/http://cansecwest.com/csw09/csw09-sacco-ortega.pdf"><i>Persistent BIOS infection</i></a> <span class="cs1-format">(PDF)</span>. <a rel="nofollow" class="external text" href="http://cansecwest.com/csw09archive.html">CanSecWest 2009</a>. Core Security Technologies. Archived from <a rel="nofollow" class="external text" href="http://cansecwest.com/csw09/csw09-sacco-ortega.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2011-07-08<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.btitle=Persistent+BIOS+infection&rft.pub=Core+Security+Technologies&rft.date=2009&rft.aulast=Sacco&rft.aufirst=Anibal&rft.au=Ort%C3%A9ga%2C+Alfredo&rft_id=http%3A%2F%2Fcansecwest.com%2Fcsw09%2Fcsw09-sacco-ortega.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-55"><span class="mw-cite-backlink"><b><a href="#cite_ref-55">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGoodin2009" class="citation web cs1">Goodin, Dan (2009-03-24). <a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/">"Newfangled rootkits survive hard disk wiping"</a>. <i><a href="/wiki/The_Register" title="The Register">The Register</a></i>. Situation Publishing<span class="reference-accessdate">. Retrieved <span class="nowrap">2009-03-25</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Register&rft.atitle=Newfangled+rootkits+survive+hard+disk+wiping&rft.date=2009-03-24&rft.aulast=Goodin&rft.aufirst=Dan&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2009%2F03%2F24%2Fpersistent_bios_rootkits%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-56"><span class="mw-cite-backlink"><b><a href="#cite_ref-56">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSaccoOrtéga2009" class="citation journal cs1">Sacco, Anibal; Ortéga, Alfredo (2009-06-01). 
<a rel="nofollow" class="external text" href="http://phrack.org/issues.html?issue=66&id=7">"Persistent BIOS Infection: The Early Bird Catches the Worm"</a>. <i><a href="/wiki/Phrack" title="Phrack">Phrack</a></i>. <b>66</b> (7)<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Phrack&rft.atitle=Persistent+BIOS+Infection%3A+The+Early+Bird+Catches+the+Worm&rft.volume=66&rft.issue=7&rft.date=2009-06-01&rft.aulast=Sacco&rft.aufirst=Anibal&rft.au=Ort%C3%A9ga%2C+Alfredo&rft_id=http%3A%2F%2Fphrack.org%2Fissues.html%3Fissue%3D66%26id%3D7&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-57"><span class="mw-cite-backlink"><b><a href="#cite_ref-57">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFRic_Vieler2007" class="citation book cs1">Ric Vieler (2007). <i>Professional Rootkits</i>. John Wiley & Sons. p. 244. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9780470149546" title="Special:BookSources/9780470149546"><bdi>9780470149546</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Professional+Rootkits&rft.pages=244&rft.pub=John+Wiley+%26+Sons&rft.date=2007&rft.isbn=9780470149546&rft.au=Ric+Vieler&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-58"><span class="mw-cite-backlink"><b><a href="#cite_ref-58">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFMatrosovRodionov2010" class="citation web cs1">Matrosov, Aleksandr; Rodionov, Eugene (2010-06-25). 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20110513194348/http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf">"TDL3: The Rootkit of All Evil?"</a> <span class="cs1-format">(PDF)</span>. Moscow: <a href="/wiki/ESET" title="ESET">ESET</a>. p. 3. Archived from <a rel="nofollow" class="external text" href="http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2011-05-13<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-08-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=TDL3%3A+The+Rootkit+of+All+Evil%3F&rft.place=Moscow&rft.pages=3&rft.pub=ESET&rft.date=2010-06-25&rft.aulast=Matrosov&rft.aufirst=Aleksandr&rft.au=Rodionov%2C+Eugene&rft_id=http%3A%2F%2Fwww.eset.com%2Fresources%2Fwhite-papers%2FTDL3-Analysis.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-59"><span class="mw-cite-backlink"><b><a href="#cite_ref-59">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFMatrosovRodionov2011" class="citation web cs1">Matrosov, Aleksandr; Rodionov, Eugene (2011-06-27). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20150729043339/http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf">"The Evolution of TDL: Conquering x64"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/ESET" title="ESET">ESET</a>. Archived from <a rel="nofollow" class="external text" href="http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2015-07-29<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2011-08-08</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=The+Evolution+of+TDL%3A+Conquering+x64&rft.pub=ESET&rft.date=2011-06-27&rft.aulast=Matrosov&rft.aufirst=Aleksandr&rft.au=Rodionov%2C+Eugene&rft_id=http%3A%2F%2Fwww.eset.com%2Fus%2Fresources%2Fwhite-papers%2FThe_Evolution_of_TDL.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-60"><span class="mw-cite-backlink"><b><a href="#cite_ref-60">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGatlan2021" class="citation web cs1">Gatlan, Sergiu (May 6, 2021). <a rel="nofollow" class="external text" href="https://www.bleepingcomputer.com/news/security/new-moriya-rootkit-used-in-the-wild-to-backdoor-windows-systems/">"New Moriya rootkit used in the wild to backdoor Windows systems"</a>. <i><a href="/wiki/Bleeping_Computer" title="Bleeping Computer">Bleeping Computer</a></i><span class="reference-accessdate">. Retrieved <span class="nowrap">July 24,</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Bleeping+Computer&rft.atitle=New+Moriya+rootkit+used+in+the+wild+to+backdoor+Windows+systems&rft.date=2021-05-06&rft.aulast=Gatlan&rft.aufirst=Sergiu&rft_id=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fnew-moriya-rootkit-used-in-the-wild-to-backdoor-windows-systems%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-61"><span class="mw-cite-backlink"><b><a href="#cite_ref-61">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFBrumley1999" class="citation web cs1">Brumley, David (1999-11-16). 
<a rel="nofollow" class="external text" href="http://www.usenix.org/publications/login/1999-9/features/rootkits.html">"Invisible Intruders: rootkits in practice"</a>. <i>USENIX</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=USENIX&rft.atitle=Invisible+Intruders%3A+rootkits+in+practice&rft.date=1999-11-16&rft.aulast=Brumley&rft.aufirst=David&rft_id=http%3A%2F%2Fwww.usenix.org%2Fpublications%2Flogin%2F1999-9%2Ffeatures%2Frootkits.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-MIT-62"><span class="mw-cite-backlink">^ <a href="#cite_ref-MIT_62-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-MIT_62-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-MIT_62-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-MIT_62-3"><sup><i><b>d</b></i></sup></a> <a href="#cite_ref-MIT_62-4"><sup><i><b>e</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDavisBodmerLeMasters2009" class="citation book cs1">Davis, Michael A.; Bodmer, Sean; LeMasters, Aaron (2009-09-03). <a rel="nofollow" class="external text" href="http://www.mhprofessional.com/downloads/products/0071591184/0071591184_chap10.pdf">"Chapter 10: Rootkit Detection"</a> <span class="cs1-format">(PDF)</span>. <i>Hacking Exposed Malware & Rootkits: Malware & rootkits security secrets & solutions</i>. New York: McGraw Hill Professional. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-07-159118-8" title="Special:BookSources/978-0-07-159118-8"><bdi>978-0-07-159118-8</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Chapter+10%3A+Rootkit+Detection&rft.btitle=Hacking+Exposed+Malware+%26+Rootkits%3A+Malware+%26+rootkits+security+secrets+%26+solutions&rft.place=New+York&rft.pub=McGraw+Hill+Professional&rft.date=2009-09-03&rft.isbn=978-0-07-159118-8&rft.aulast=Davis&rft.aufirst=Michael+A.&rft.au=Bodmer%2C+Sean&rft.au=LeMasters%2C+Aaron&rft_id=http%3A%2F%2Fwww.mhprofessional.com%2Fdownloads%2Fproducts%2F0071591184%2F0071591184_chap10.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-trlokom-63"><span class="mw-cite-backlink"><b><a href="#cite_ref-trlokom_63-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFTrlokom2006" class="citation web cs1">Trlokom (2006-07-05). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110717104243/http://www.trlokom.com/pdf/TrlokomRootkitDefenseWhitePaper.pdf">"Defeating Rootkits and Keyloggers"</a> <span class="cs1-format">(PDF)</span>. Trlokom. Archived from <a rel="nofollow" class="external text" href="http://www.trlokom.com/pdf/TrlokomRootkitDefenseWhitePaper.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2011-07-17<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Defeating+Rootkits+and+Keyloggers&rft.pub=Trlokom&rft.date=2006-07-05&rft.au=Trlokom&rft_id=http%3A%2F%2Fwww.trlokom.com%2Fpdf%2FTrlokomRootkitDefenseWhitePaper.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-64"><span class="mw-cite-backlink"><b><a href="#cite_ref-64">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDai_Zovi2011" class="citation web cs1">Dai Zovi, Dino (2011). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20120910164327/http://www.sans.org/reading_room/whitepapers/threats/kernel-rootkits_449">"Kernel Rootkits"</a>. Archived from <a rel="nofollow" class="external text" href="http://www.sans.org/reading_room/whitepapers/threats/kernel-rootkits_449">the original</a> on September 10, 2012<span class="reference-accessdate">. Retrieved <span class="nowrap">13 Sep</span> 2012</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Kernel+Rootkits&rft.date=2011&rft.aulast=Dai+Zovi&rft.aufirst=Dino&rft_id=http%3A%2F%2Fwww.sans.org%2Freading_room%2Fwhitepapers%2Fthreats%2Fkernel-rootkits_449&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-65"><span class="mw-cite-backlink"><b><a href="#cite_ref-65">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://sourceforge.net/projects/zeppoo/">"Zeppoo"</a>. <a href="/wiki/SourceForge" title="SourceForge">SourceForge</a>. 18 July 2009<span class="reference-accessdate">. 
Retrieved <span class="nowrap">8 August</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Zeppoo&rft.pub=SourceForge&rft.date=2009-07-18&rft_id=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fzeppoo%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-66"><span class="mw-cite-backlink"><b><a href="#cite_ref-66">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFCogswellRussinovich2006" class="citation web cs1">Cogswell, Bryce; Russinovich, Mark (2006-11-01). <a rel="nofollow" class="external text" href="https://technet.microsoft.com/en-us/sysinternals/bb897445.aspx">"RootkitRevealer v1.71"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=RootkitRevealer+v1.71&rft.pub=Microsoft&rft.date=2006-11-01&rft.aulast=Cogswell&rft.aufirst=Bryce&rft.au=Russinovich%2C+Mark&rft_id=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fsysinternals%2Fbb897445.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-67"><span class="mw-cite-backlink"><b><a href="#cite_ref-67">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.avast.com/c-rootkit">"Rootkit & Anti-rootkit"</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">13 September</span> 2017</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Rootkit+%26+Anti-rootkit&rft_id=https%3A%2F%2Fwww.avast.com%2Fc-rootkit&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-68"><span class="mw-cite-backlink"><b><a href="#cite_ref-68">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.sophos.com/products/free-tools/sophos-anti-rootkit.html">"Sophos Anti-Rootkit"</a>. <a href="/wiki/Sophos" title="Sophos">Sophos</a><span class="reference-accessdate">. Retrieved <span class="nowrap">8 August</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Sophos+Anti-Rootkit&rft.pub=Sophos&rft_id=http%3A%2F%2Fwww.sophos.com%2Fproducts%2Ffree-tools%2Fsophos-anti-rootkit.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-69"><span class="mw-cite-backlink"><b><a href="#cite_ref-69">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://archive.today/20120921/http://www.f-secure.com/en_UK/security/security-lab/tools-and-services/blacklight/index.html">"BlackLight"</a>. <a href="/wiki/F-Secure" title="F-Secure">F-Secure</a>. Archived from <a rel="nofollow" class="external text" href="http://www.f-secure.com/en_UK/security/security-lab/tools-and-services/blacklight/index.html">the original</a> on 21 September 2012<span class="reference-accessdate">. 
Retrieved <span class="nowrap">8 August</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=BlackLight&rft.pub=F-Secure&rft_id=http%3A%2F%2Fwww.f-secure.com%2Fen_UK%2Fsecurity%2Fsecurity-lab%2Ftools-and-services%2Fblacklight%2Findex.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-70"><span class="mw-cite-backlink"><b><a href="#cite_ref-70">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://archive.today/20120921/http://www.usec.at/rootkit.html">"Radix Anti-Rootkit"</a>. usec.at. Archived from <a rel="nofollow" class="external text" href="http://www.usec.at/rootkit.html">the original</a> on 21 September 2012<span class="reference-accessdate">. Retrieved <span class="nowrap">8 August</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Radix+Anti-Rootkit&rft.pub=usec.at&rft_id=http%3A%2F%2Fwww.usec.at%2Frootkit.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-71"><span class="mw-cite-backlink"><b><a href="#cite_ref-71">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.gmer.net/">"GMER"</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">8 August</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=GMER&rft_id=http%3A%2F%2Fwww.gmer.net%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-73"><span class="mw-cite-backlink"><b><a href="#cite_ref-73">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHarriman2007" class="citation web cs1">Harriman, Josh (2007-10-19). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20091007031103/http://www.symantec.com/avcenter/reference/testing_methodology_for_rootkit_removal.pdf">"A Testing Methodology for Rootkit Removal Effectiveness"</a> <span class="cs1-format">(PDF)</span>. Dublin, Ireland: Symantec Security Response. Archived from <a rel="nofollow" class="external text" href="http://www.symantec.com/avcenter/reference/testing_methodology_for_rootkit_removal.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2009-10-07<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=A+Testing+Methodology+for+Rootkit+Removal+Effectiveness&rft.place=Dublin%2C+Ireland&rft.pub=Symantec+Security+Response&rft.date=2007-10-19&rft.aulast=Harriman&rft.aufirst=Josh&rft_id=http%3A%2F%2Fwww.symantec.com%2Favcenter%2Freference%2Ftesting_methodology_for_rootkit_removal.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-74"><span class="mw-cite-backlink"><b><a href="#cite_ref-74">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFCuibotariu2010" class="citation web cs1">Cuibotariu, Mircea (2010-02-12). <a rel="nofollow" class="external text" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8b82b8ef-5a0e-4e1d-94aa-4b45fbd4c1b3&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments">"Tidserv and MS10-015"</a>. <a href="/wiki/NortonLifeLock" class="mw-redirect" title="NortonLifeLock">Symantec</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-19</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Tidserv+and+MS10-015&rft.pub=Symantec&rft.date=2010-02-12&rft.aulast=Cuibotariu&rft.aufirst=Mircea&rft_id=https%3A%2F%2Fcommunity.broadcom.com%2Fsymantecenterprise%2Fcommunities%2Fcommunity-home%2Flibrarydocuments%2Fviewdocument%3FDocumentKey%3D8b82b8ef-5a0e-4e1d-94aa-4b45fbd4c1b3%26CommunityKey%3D1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68%26tab%3Dlibrarydocuments&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-75"><span class="mw-cite-backlink"><b><a href="#cite_ref-75">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://blogs.technet.microsoft.com/msrc/2010/02/11/restart-issues-after-installing-ms10-015/">"Restart Issues After Installing MS10-015"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a>. 2010-02-11<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-10-05</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Restart+Issues+After+Installing+MS10-015&rft.pub=Microsoft&rft.date=2010-02-11&rft_id=https%3A%2F%2Fblogs.technet.microsoft.com%2Fmsrc%2F2010%2F02%2F11%2Frestart-issues-after-installing-ms10-015%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-76"><span class="mw-cite-backlink"><b><a href="#cite_ref-76">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSteinberg2021" class="citation web cs1">Steinberg, Joseph (June 9, 2021). 
<a rel="nofollow" class="external text" href="https://bestantivirus.com/blog/keyloggers.html">"What You Need To Know About Keyloggers"</a>. <i>bestantivirus.com</i><span class="reference-accessdate">. Retrieved <span class="nowrap">July 24,</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=bestantivirus.com&rft.atitle=What+You+Need+To+Know+About+Keyloggers&rft.date=2021-06-09&rft.aulast=Steinberg&rft.aufirst=Joseph&rft_id=https%3A%2F%2Fbestantivirus.com%2Fblog%2Fkeyloggers.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-77"><span class="mw-cite-backlink"><b><a href="#cite_ref-77">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://archive.today/20120729/http://research.microsoft.com/en-us/um/redmond/projects/strider/rootkit/">"Strider GhostBuster Rootkit Detection"</a>. Microsoft Research. 2010-01-28. Archived from <a rel="nofollow" class="external text" href="http://research.microsoft.com/en-us/um/redmond/projects/strider/rootkit/">the original</a> on 2012-07-29<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-08-14</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Strider+GhostBuster+Rootkit+Detection&rft.pub=Microsoft+Research&rft.date=2010-01-28&rft_id=http%3A%2F%2Fresearch.microsoft.com%2Fen-us%2Fum%2Fredmond%2Fprojects%2Fstrider%2Frootkit%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-78"><span class="mw-cite-backlink"><b><a href="#cite_ref-78">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://msdn.microsoft.com/en-us/library/ms537364(VS.85).aspx">"Signing and Checking Code with Authenticode"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2008-09-15</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Signing+and+Checking+Code+with+Authenticode&rft.pub=Microsoft&rft_id=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fms537364%28VS.85%29.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-79"><span class="mw-cite-backlink"><b><a href="#cite_ref-79">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.trustedcomputinggroup.org/files/resource_files/C2426F48-1D09-3519-AD02D13C71B888A6/Whitepaper_Rootkit_Strom_v3.pdf">"Stopping Rootkits at the Network Edge"</a> <span class="cs1-format">(PDF)</span>. Beaverton, Oregon: <a href="/wiki/Trusted_Computing_Group" title="Trusted Computing Group">Trusted Computing Group</a>. 
January 2017<span class="reference-accessdate">. Retrieved <span class="nowrap">2008-07-11</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Stopping+Rootkits+at+the+Network+Edge&rft.place=Beaverton%2C+Oregon&rft.pub=Trusted+Computing+Group&rft.date=2017-01&rft_id=http%3A%2F%2Fwww.trustedcomputinggroup.org%2Ffiles%2Fresource_files%2FC2426F48-1D09-3519-AD02D13C71B888A6%2FWhitepaper_Rootkit_Strom_v3.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-80"><span class="mw-cite-backlink"><b><a href="#cite_ref-80">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.trustedcomputinggroup.org/files/resource_files/87B92DAF-1D09-3519-AD80984BBE62D62D/TCG_PCSpecificSpecification_v1_1.pdf">"TCG PC Specific Implementation Specification, Version 1.1"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/Trusted_Computing_Group" title="Trusted Computing Group">Trusted Computing Group</a>. 2003-08-18<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-22</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=TCG+PC+Specific+Implementation+Specification%2C+Version+1.1&rft.pub=Trusted+Computing+Group&rft.date=2003-08-18&rft_id=http%3A%2F%2Fwww.trustedcomputinggroup.org%2Ffiles%2Fresource_files%2F87B92DAF-1D09-3519-AD80984BBE62D62D%2FTCG_PCSpecificSpecification_v1_1.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-81"><span class="mw-cite-backlink"><b><a href="#cite_ref-81">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://support.microsoft.com/en-us/kb/927069">"How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=How+to+generate+a+complete+crash+dump+file+or+a+kernel+crash+dump+file+by+using+an+NMI+on+a+Windows-based+system&rft.pub=Microsoft&rft_id=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F927069&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-82"><span class="mw-cite-backlink"><b><a href="#cite_ref-82">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSeshadri,_Arvind2005" class="citation book cs1">Seshadri, Arvind; et al. (2005). "Pioneer". <i>Proceedings of the twentieth ACM symposium on Operating systems principles</i>. 
<a href="/wiki/Carnegie_Mellon_University" title="Carnegie Mellon University">Carnegie Mellon University</a>. pp. <span class="nowrap">1–</span>16. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F1095810.1095812">10.1145/1095810.1095812</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/1595930795" title="Special:BookSources/1595930795"><bdi>1595930795</bdi></a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:9960430">9960430</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Pioneer&rft.btitle=Proceedings+of+the+twentieth+ACM+symposium+on+Operating+systems+principles&rft.pages=%3Cspan+class%3D%22nowrap%22%3E1-%3C%2Fspan%3E16&rft.pub=Carnegie+Mellon+University&rft.date=2005&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A9960430%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1145%2F1095810.1095812&rft.isbn=1595930795&rft.au=Seshadri%2C+Arvind&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-83"><span class="mw-cite-backlink"><b><a href="#cite_ref-83">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDillard2005" class="citation web cs1">Dillard, Kurt (2005-08-03). <a rel="nofollow" class="external text" href="http://searchenterprisedesktop.techtarget.com/news/column/0,294698,sid192_gci1112754,00.html">"Rootkit battle: Rootkit Revealer vs. 
Hacker Defender"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Rootkit+battle%3A+Rootkit+Revealer+vs.+Hacker+Defender&rft.date=2005-08-03&rft.aulast=Dillard&rft.aufirst=Kurt&rft_id=http%3A%2F%2Fsearchenterprisedesktop.techtarget.com%2Fnews%2Fcolumn%2F0%2C294698%2Csid192_gci1112754%2C00.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-84"><span class="mw-cite-backlink"><b><a href="#cite_ref-84">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://support.microsoft.com/en-us/kb/890830">"The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a>. 2010-09-14.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=The+Microsoft+Windows+Malicious+Software+Removal+Tool+helps+remove+specific%2C+prevalent+malicious+software+from+computers+that+are+running+Windows+7%2C+Windows+Vista%2C+Windows+Server+2003%2C+Windows+Server+2008%2C+or+Windows+XP&rft.pub=Microsoft&rft.date=2010-09-14&rft_id=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F890830&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-85"><span class="mw-cite-backlink"><b><a href="#cite_ref-85">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFBettanyHalsey2017" class="citation book cs1">Bettany, Andrew; Halsey, Mike (2017). 
<a rel="nofollow" class="external text" href="https://books.google.com/books?id=s8FCDgAAQBAJ&pg=PA17"><i>Windows Virus and Malware Troubleshooting</i></a>. Apress. p. 17. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9781484226070" title="Special:BookSources/9781484226070"><bdi>9781484226070</bdi></a> – via <a href="/wiki/Google_Books" title="Google Books">Google Books</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Windows+Virus+and+Malware+Troubleshooting&rft.pages=17&rft.pub=Apress&rft.date=2017&rft.isbn=9781484226070&rft.aulast=Bettany&rft.aufirst=Andrew&rft.au=Halsey%2C+Mike&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3Ds8FCDgAAQBAJ%26pg%3DPA17&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-87"><span class="mw-cite-backlink"><b><a href="#cite_ref-87">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHultquist2007" class="citation journal cs1">Hultquist, Steve (2007-04-30). <a rel="nofollow" class="external text" href="http://www.infoworld.com/article/2663426/security/rootkits--the-next-big-enterprise-threat-.html">"Rootkits: The next big enterprise threat?"</a>. <i><a href="/wiki/InfoWorld" title="InfoWorld">InfoWorld</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=InfoWorld&rft.atitle=Rootkits%3A+The+next+big+enterprise+threat%3F&rft.date=2007-04-30&rft.aulast=Hultquist&rft.aufirst=Steve&rft_id=http%3A%2F%2Fwww.infoworld.com%2Farticle%2F2663426%2Fsecurity%2Frootkits--the-next-big-enterprise-threat-.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-88"><span class="mw-cite-backlink"><b><a href="#cite_ref-88">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20121008233927/http://reviews.cnet.com/4520-3513_7-6686763-1.html">"Security Watch: Rootkits for fun and profit"</a>. CNET Reviews. 2007-01-19. Archived from <a rel="nofollow" class="external text" href="http://reviews.cnet.com/4520-3513_7-6686763-1.html">the original</a> on 2012-10-08<span class="reference-accessdate">. Retrieved <span class="nowrap">2009-04-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Security+Watch%3A+Rootkits+for+fun+and+profit&rft.pub=CNET+Reviews&rft.date=2007-01-19&rft_id=http%3A%2F%2Freviews.cnet.com%2F4520-3513_7-6686763-1.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-89"><span class="mw-cite-backlink"><b><a href="#cite_ref-89">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFBort2007" class="citation magazine cs1">Bort, Julie (2007-09-29). <a rel="nofollow" class="external text" href="http://www.pcworld.com/article/137821/article.html">"Six ways to fight back against botnets"</a>. 
<i><a href="/wiki/PC_World_(magazine)" class="mw-redirect" title="PC World (magazine)">PCWorld</a></i>. San Francisco: PCWorld Communications<span class="reference-accessdate">. Retrieved <span class="nowrap">2009-04-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=PCWorld&rft.atitle=Six+ways+to+fight+back+against+botnets&rft.date=2007-09-29&rft.aulast=Bort&rft.aufirst=Julie&rft_id=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F137821%2Farticle.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-90"><span class="mw-cite-backlink"><b><a href="#cite_ref-90">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHoang2006" class="citation web cs1">Hoang, Mimi (2006-11-02). <a rel="nofollow" class="external text" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ec586a87-54ac-4b1d-92ca-8cb0dbb66984&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments">"Handling Today's Tough Security Threats: Rootkits"</a>. <i>Symantec Connect</i>. <a href="/wiki/NortonLifeLock" class="mw-redirect" title="NortonLifeLock">Symantec</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-21</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Symantec+Connect&rft.atitle=Handling+Today%27s+Tough+Security+Threats%3A+Rootkits&rft.date=2006-11-02&rft.aulast=Hoang&rft.aufirst=Mimi&rft_id=https%3A%2F%2Fcommunity.broadcom.com%2Fsymantecenterprise%2Fcommunities%2Fcommunity-home%2Flibrarydocuments%2Fviewdocument%3FDocumentKey%3Dec586a87-54ac-4b1d-92ca-8cb0dbb66984%26CommunityKey%3D1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68%26tab%3Dlibrarydocuments&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-ms-obscure-hacker-91"><span class="mw-cite-backlink">^ <a href="#cite_ref-ms-obscure-hacker_91-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-ms-obscure-hacker_91-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDanseglioBailey2005" class="citation web cs1">Danseglio, Mike; Bailey, Tony (2005-10-06). <a rel="nofollow" class="external text" href="https://technet.microsoft.com/en-us/library/cc512642.aspx">"Rootkits: The Obscure Hacker Attack"</a>. Microsoft.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Rootkits%3A+The+Obscure+Hacker+Attack&rft.pub=Microsoft&rft.date=2005-10-06&rft.aulast=Danseglio&rft.aufirst=Mike&rft.au=Bailey%2C+Tony&rft_id=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc512642.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-92"><span class="mw-cite-backlink"><b><a href="#cite_ref-92">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFMessmer2006" class="citation news cs1">Messmer, Ellen (2006-08-26). 
<a rel="nofollow" class="external text" href="https://www.networkworld.com/article/842371/lan-wan-experts-divided-over-rootkit-detection-and-removal.html">"Experts Divided Over Rootkit Detection and Removal"</a>. <i>NetworkWorld.com</i>. Framingham, Mass.: IDG<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-08-15</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=NetworkWorld.com&rft.atitle=Experts+Divided+Over+Rootkit+Detection+and+Removal&rft.date=2006-08-26&rft.aulast=Messmer&rft.aufirst=Ellen&rft_id=https%3A%2F%2Fwww.networkworld.com%2Farticle%2F842371%2Flan-wan-experts-divided-over-rootkit-detection-and-removal.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-93"><span class="mw-cite-backlink"><b><a href="#cite_ref-93">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFSkoudisZeltser2004" class="citation book cs1">Skoudis, Ed; Zeltser, Lenny (2004). <a rel="nofollow" class="external text" href="https://books.google.com/books?id=JHgX8_pVPpEC"><i>Malware: Fighting Malicious Code</i></a>. Prentice Hall PTR. p. 335. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-13-101405-3" title="Special:BookSources/978-0-13-101405-3"><bdi>978-0-13-101405-3</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Malware%3A+Fighting+Malicious+Code&rft.pages=335&rft.pub=Prentice+Hall+PTR&rft.date=2004&rft.isbn=978-0-13-101405-3&rft.aulast=Skoudis&rft.aufirst=Ed&rft.au=Zeltser%2C+Lenny&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3DJHgX8_pVPpEC&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-94"><span class="mw-cite-backlink"><b><a href="#cite_ref-94">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHannel2003" class="citation web cs1">Hannel, Jeromey (2003-01-23). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20101024164136/http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901">"Linux RootKits For Beginners - From Prevention to Removal"</a>. <a href="/wiki/SANS_Institute" title="SANS Institute">SANS Institute</a>. Archived from <a rel="nofollow" class="external text" href="http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901">the original</a> <span class="cs1-format">(PDF)</span> on October 24, 2010<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-11-22</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Linux+RootKits+For+Beginners+-+From+Prevention+to+Removal&rft.pub=SANS+Institute&rft.date=2003-01-23&rft.aulast=Hannel&rft.aufirst=Jeromey&rft_id=http%3A%2F%2Fwww.sans.org%2Freading_room%2Fwhitepapers%2Flinux%2Flinux-rootkits-beginners-prevention-removal_901&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> <li id="cite_note-95"><span class="mw-cite-backlink"><b><a href="#cite_ref-95">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFLiChungHwangLi2021" class="citation journal cs1">Li, Yong-Gang; Chung, Yeh-Ching; Hwang, Kai; Li, Yue-Jin (2021). <a rel="nofollow" class="external text" href="https://ieeexplore.ieee.org/document/9186825">"Virtual Wall: Filtering Rootkit Attacks to Protect Linux Kernel Functions"</a>. <i>IEEE Transactions on Computers</i>. <b>70</b> (10): <span class="nowrap">1640–</span>1653. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2FTC.2020.3022023">10.1109/TC.2020.3022023</a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:226480878">226480878</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=IEEE+Transactions+on+Computers&rft.atitle=Virtual+Wall%3A+Filtering+Rootkit+Attacks+to+Protect+Linux+Kernel+Functions&rft.volume=70&rft.issue=10&rft.pages=%3Cspan+class%3D%22nowrap%22%3E1640-%3C%2Fspan%3E1653&rft.date=2021&rft_id=info%3Adoi%2F10.1109%2FTC.2020.3022023&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A226480878%23id-name%3DS2CID&rft.aulast=Li&rft.aufirst=Yong-Gang&rft.au=Chung%2C+Yeh-Ching&rft.au=Hwang%2C+Kai&rft.au=Li%2C+Yue-Jin&rft_id=https%3A%2F%2Fieeexplore.ieee.org%2Fdocument%2F9186825&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></span> </li> </ol></div> <div class="mw-heading mw-heading2"><h2 id="Further_reading">Further reading</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=24" title="Edit section: Further reading"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFBlunden2009" class="citation book cs1">Blunden, Bill (2009). <i>The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System</i>. Wordware. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-59822-061-2" title="Special:BookSources/978-1-59822-061-2"><bdi>978-1-59822-061-2</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=The+Rootkit+Arsenal%3A+Escape+and+Evasion+in+the+Dark+Corners+of+the+System&rft.pub=Wordware&rft.date=2009&rft.isbn=978-1-59822-061-2&rft.aulast=Blunden&rft.aufirst=Bill&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHoglundButler2005" class="citation book cs1">Hoglund, Greg; Butler, James (2005). <i>Rootkits: Subverting the Windows Kernel</i>. Addison-Wesley Professional. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-321-29431-9" title="Special:BookSources/978-0-321-29431-9"><bdi>978-0-321-29431-9</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Rootkits%3A+Subverting+the+Windows+Kernel&rft.pub=Addison-Wesley+Professional&rft.date=2005&rft.isbn=978-0-321-29431-9&rft.aulast=Hoglund&rft.aufirst=Greg&rft.au=Butler%2C+James&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGramppMorris1984" class="citation journal cs1">Grampp, F. T.; Morris, Robert H. Sr. (October 1984). "The UNIX System: UNIX Operating System Security". <i>AT&T Bell Laboratories Technical Journal</i>. <b>62</b> (8): <span class="nowrap">1649–</span>1672. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1002%2Fj.1538-7305.1984.tb00058.x">10.1002/j.1538-7305.1984.tb00058.x</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:26877484">26877484</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=AT%26T+Bell+Laboratories+Technical+Journal&rft.atitle=The+UNIX+System%3A+UNIX+Operating+System+Security&rft.volume=62&rft.issue=8&rft.pages=%3Cspan+class%3D%22nowrap%22%3E1649-%3C%2Fspan%3E1672&rft.date=1984-10&rft_id=info%3Adoi%2F10.1002%2Fj.1538-7305.1984.tb00058.x&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A26877484%23id-name%3DS2CID&rft.aulast=Grampp&rft.aufirst=F.+T.&rft.au=Morris%2C+Robert+H.+Sr.&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFKong2007" class="citation book cs1">Kong, Joseph (2007). <i>Designing BSD Rootkits</i>. No Starch Press. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-59327-142-8" title="Special:BookSources/978-1-59327-142-8"><bdi>978-1-59327-142-8</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Designing+BSD+Rootkits&rft.pub=No+Starch+Press&rft.date=2007&rft.isbn=978-1-59327-142-8&rft.aulast=Kong&rft.aufirst=Joseph&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFVeiler2007" class="citation book cs1">Veiler, Ric (2007). <i>Professional Rootkits</i>. Wrox. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-470-10154-4" title="Special:BookSources/978-0-470-10154-4"><bdi>978-0-470-10154-4</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Professional+Rootkits&rft.pub=Wrox&rft.date=2007&rft.isbn=978-0-470-10154-4&rft.aulast=Veiler&rft.aufirst=Ric&rfr_id=info%3Asid%2Fen.wikipedia.org%3ARootkit" class="Z3988"></span></li></ul> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Rootkit&action=edit&section=25" title="Edit section: External links"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><span class="noviewer" typeof="mw:File"><a href="/wiki/File:Commons-logo.svg" class="mw-file-description"><img alt="" src="//upload.wikimedia.org/wikipedia/en/thumb/4/4a/Commons-logo.svg/20px-Commons-logo.svg.png" decoding="async" width="12" height="16" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/4/4a/Commons-logo.svg/40px-Commons-logo.svg.png 2x" data-file-width="1024" data-file-height="1376" /></a></span> Media related to <a href="https://commons.wikimedia.org/wiki/Category:Rootkits" class="extiw" title="commons:Category:Rootkits">Rootkits</a> at Wikimedia Commons</li></ul> <div class="navbox-styles"><style data-mw-deduplicate="TemplateStyles:r1129693374">.mw-parser-output .hlist dl,.mw-parser-output .hlist ol,.mw-parser-output .hlist ul{margin:0;padding:0}.mw-parser-output .hlist dd,.mw-parser-output .hlist dt,.mw-parser-output .hlist li{margin:0;display:inline}.mw-parser-output .hlist.inline,.mw-parser-output .hlist.inline dl,.mw-parser-output .hlist.inline ol,.mw-parser-output .hlist.inline ul,.mw-parser-output .hlist dl dl,.mw-parser-output .hlist dl ol,.mw-parser-output .hlist dl 
2px"><div><figure class="mw-halign-center" typeof="mw:File"><a href="/wiki/File:CIAJMK1209-en.svg" class="mw-file-description" title="vectorial version"><img alt="vectorial version" src="//upload.wikimedia.org/wikipedia/commons/thumb/c/c5/CIAJMK1209-en.svg/250px-CIAJMK1209-en.svg.png" decoding="async" width="150" height="150" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/c/c5/CIAJMK1209-en.svg/330px-CIAJMK1209-en.svg.png 2x" data-file-width="496" data-file-height="496" /></a><figcaption>vectorial version</figcaption></figure></div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%"><a href="/wiki/Threat_(computer)" class="mw-redirect" title="Threat (computer)">Threats</a></th><td class="navbox-list-with-group navbox-list navbox-even hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Adware" title="Adware">Adware</a></li> <li><a href="/wiki/Advanced_persistent_threat" title="Advanced persistent threat">Advanced persistent threat</a></li> <li><a href="/wiki/Arbitrary_code_execution" title="Arbitrary code execution">Arbitrary code execution</a></li> <li><a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">Backdoors</a></li> <li>Bombs <ul><li><a href="/wiki/Fork_bomb" title="Fork bomb">Fork</a></li> <li><a href="/wiki/Logic_bomb" title="Logic bomb">Logic</a></li> <li><a href="/wiki/Time_bomb_(software)" title="Time bomb (software)">Time</a></li> <li><a href="/wiki/Zip_bomb" title="Zip bomb">Zip</a></li></ul></li> <li><a href="/wiki/Hardware_backdoor" title="Hardware backdoor">Hardware backdoors</a></li> <li><a href="/wiki/Code_injection" title="Code injection">Code injection</a></li> <li><a href="/wiki/Crimeware" title="Crimeware">Crimeware</a></li> <li><a href="/wiki/Cross-site_scripting" title="Cross-site scripting">Cross-site scripting</a></li> <li><a href="/wiki/Cross-site_leaks" title="Cross-site leaks">Cross-site leaks</a></li> <li><a href="/wiki/DOM_clobbering" 
title="DOM clobbering">DOM clobbering</a></li> <li><a href="/wiki/History_sniffing" title="History sniffing">History sniffing</a></li> <li><a href="/wiki/Cryptojacking" title="Cryptojacking">Cryptojacking</a></li> <li><a href="/wiki/Botnet" title="Botnet">Botnets</a></li> <li><a href="/wiki/Data_breach" title="Data breach">Data breach</a></li> <li><a href="/wiki/Drive-by_download" title="Drive-by download">Drive-by download</a></li> <li><a href="/wiki/Browser_Helper_Object" title="Browser Helper Object">Browser Helper Objects</a></li> <li><a href="/wiki/Computer_virus" title="Computer virus">Viruses</a></li> <li><a href="/wiki/Data_scraping" title="Data scraping">Data scraping</a></li> <li><a href="/wiki/Denial-of-service_attack" title="Denial-of-service attack">Denial-of-service attack</a></li> <li><a href="/wiki/Eavesdropping" title="Eavesdropping">Eavesdropping</a></li> <li><a href="/wiki/Email_fraud" title="Email fraud">Email fraud</a></li> <li><a href="/wiki/Email_spoofing" title="Email spoofing">Email spoofing</a></li> <li><a href="/wiki/Exploit_(computer_security)" title="Exploit (computer security)">Exploits</a></li> <li><a href="/wiki/Dialer#Fraudulent_dialer" title="Dialer">Fraudulent dialers</a></li> <li><a href="/wiki/Hacktivism" title="Hacktivism">Hacktivism</a></li> <li><a href="/wiki/Infostealer" title="Infostealer">Infostealer</a></li> <li><a href="/wiki/Insecure_direct_object_reference" title="Insecure direct object reference">Insecure direct object reference</a></li> <li><a href="/wiki/Keystroke_logging" title="Keystroke logging">Keystroke loggers</a></li> <li><a href="/wiki/Malware" title="Malware">Malware</a></li> <li><a href="/wiki/Payload_(computing)" title="Payload (computing)">Payload</a></li> <li><a href="/wiki/Phishing" title="Phishing">Phishing</a> <ul><li><a href="/wiki/Voice_phishing" title="Voice phishing">Voice</a></li></ul></li> <li><a href="/wiki/Polymorphic_engine" title="Polymorphic engine">Polymorphic engine</a></li> <li><a 
href="/wiki/Privilege_escalation" title="Privilege escalation">Privilege escalation</a></li> <li><a href="/wiki/Ransomware" title="Ransomware">Ransomware</a></li> <li><a class="mw-selflink selflink">Rootkits</a></li> <li><a href="/wiki/Scareware" title="Scareware">Scareware</a></li> <li><a href="/wiki/Shellcode" title="Shellcode">Shellcode</a></li> <li><a href="/wiki/Spamming" title="Spamming">Spamming</a></li> <li><a href="/wiki/Social_engineering_(security)" title="Social engineering (security)">Social engineering</a></li> <li><a href="/wiki/Spyware" title="Spyware">Spyware</a></li> <li><a href="/wiki/Software_bug" title="Software bug">Software bugs</a></li> <li><a href="/wiki/Trojan_horse_(computing)" title="Trojan horse (computing)">Trojan horses</a></li> <li><a href="/wiki/Hardware_Trojan" title="Hardware Trojan">Hardware Trojans</a></li> <li><a href="/wiki/Remote_access_trojan" class="mw-redirect" title="Remote access trojan">Remote access trojans</a></li> <li><a href="/wiki/Vulnerability_(computer_security)" title="Vulnerability (computer security)">Vulnerability</a></li> <li><a href="/wiki/Web_shell" title="Web shell">Web shells</a></li> <li><a href="/wiki/Wiper_(malware)" title="Wiper (malware)">Wiper</a></li> <li><a href="/wiki/Computer_worm" title="Computer worm">Worms</a></li> <li><a href="/wiki/SQL_injection" title="SQL injection">SQL injection</a></li> <li><a href="/wiki/Rogue_security_software" title="Rogue security software">Rogue security software</a></li> <li><a href="/wiki/Zombie_(computing)" title="Zombie (computing)">Zombie</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Defenses</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Application_security" title="Application security">Application security</a> <ul><li><a href="/wiki/Secure_coding" title="Secure coding">Secure coding</a></li> <li>Secure by 
default</li> <li><a href="/wiki/Secure_by_design" title="Secure by design">Secure by design</a> <ul><li><a href="/wiki/Misuse_case" title="Misuse case">Misuse case</a></li></ul></li></ul></li> <li><a href="/wiki/Computer_access_control" title="Computer access control">Computer access control</a> <ul><li><a href="/wiki/Authentication" title="Authentication">Authentication</a> <ul><li><a href="/wiki/Multi-factor_authentication" title="Multi-factor authentication">Multi-factor authentication</a></li></ul></li> <li><a href="/wiki/Authorization" title="Authorization">Authorization</a></li></ul></li> <li><a href="/wiki/Computer_security_software" title="Computer security software">Computer security software</a> <ul><li><a href="/wiki/Antivirus_software" title="Antivirus software">Antivirus software</a></li> <li><a href="/wiki/Security-focused_operating_system" title="Security-focused operating system">Security-focused operating system</a></li></ul></li> <li><a href="/wiki/Data-centric_security" title="Data-centric security">Data-centric security</a></li> <li><a href="/wiki/Obfuscation_(software)" title="Obfuscation (software)">Software obfuscation</a></li> <li><a href="/wiki/Data_masking" title="Data masking">Data masking</a></li> <li><a href="/wiki/Encryption" title="Encryption">Encryption</a></li> <li><a href="/wiki/Firewall_(computing)" title="Firewall (computing)">Firewall</a></li> <li><a href="/wiki/Intrusion_detection_system" title="Intrusion detection system">Intrusion detection system</a> <ul><li><a href="/wiki/Host-based_intrusion_detection_system" title="Host-based intrusion detection system">Host-based intrusion detection system</a> (HIDS)</li> <li><a href="/wiki/Anomaly_detection" title="Anomaly detection">Anomaly detection</a></li></ul></li> <li><a href="/wiki/Information_security_management" title="Information security management">Information security management</a> <ul><li><a href="/wiki/Information_risk_management" class="mw-redirect" title="Information 
risk management">Information risk management</a></li> <li><a href="/wiki/Security_information_and_event_management" title="Security information and event management">Security information and event management</a> (SIEM)</li></ul></li> <li><a href="/wiki/Runtime_application_self-protection" title="Runtime application self-protection">Runtime application self-protection</a></li> <li><a href="/wiki/Site_isolation" title="Site isolation">Site isolation</a></li></ul> </div></td></tr></tbody></table></div> <div class="navbox-styles"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374" /><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236075235" /></div><div role="navigation" class="navbox" aria-labelledby="Malware_topics109" style="padding:3px"><table class="nowraplinks mw-collapsible autocollapse navbox-inner" style="border-spacing:0;background:transparent;color:inherit"><tbody><tr><th scope="col" class="navbox-title" colspan="2"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374" /><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1239400231" /><div class="navbar plainlinks hlist navbar-mini"><ul><li class="nv-view"><a href="/wiki/Template:Malware" title="Template:Malware"><abbr title="View this template">v</abbr></a></li><li class="nv-talk"><a href="/wiki/Template_talk:Malware" title="Template talk:Malware"><abbr title="Discuss this template">t</abbr></a></li><li class="nv-edit"><a href="/wiki/Special:EditPage/Template:Malware" title="Special:EditPage/Template:Malware"><abbr title="Edit this template">e</abbr></a></li></ul></div><div id="Malware_topics109" style="font-size:114%;margin:0 4em"><a href="/wiki/Malware" title="Malware">Malware</a> topics</div></th></tr><tr><th scope="row" class="navbox-group" style="width:1%">Infectious malware</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> 
<ul><li><a href="/wiki/Comparison_of_computer_viruses" title="Comparison of computer viruses">Comparison of computer viruses</a></li> <li><a href="/wiki/Computer_virus" title="Computer virus">Computer virus</a></li> <li><a href="/wiki/Computer_worm" title="Computer worm">Computer worm</a></li> <li><a href="/wiki/List_of_computer_worms" title="List of computer worms">List of computer worms</a></li> <li><a href="/wiki/Timeline_of_computer_viruses_and_worms" title="Timeline of computer viruses and worms">Timeline of computer viruses and worms</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Concealment</th><td class="navbox-list-with-group navbox-list navbox-even hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">Backdoor</a></li> <li><a href="/wiki/Clickjacking" title="Clickjacking">Clickjacking</a></li> <li><a href="/wiki/Man-in-the-browser" title="Man-in-the-browser">Man-in-the-browser</a></li> <li><a href="/wiki/Man-in-the-middle_attack" title="Man-in-the-middle attack">Man-in-the-middle</a></li> <li><a class="mw-selflink selflink">Rootkit</a></li> <li><a href="/wiki/Trojan_horse_(computing)" title="Trojan horse (computing)">Trojan horse</a></li> <li><a href="/wiki/Zombie_(computing)" title="Zombie (computing)">Zombie computer</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Malware for profit</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Adware" title="Adware">Adware</a></li> <li><a href="/wiki/Botnet" title="Botnet">Botnet</a></li> <li><a href="/wiki/Crimeware" title="Crimeware">Crimeware</a></li> <li><a href="/wiki/Fleeceware" title="Fleeceware">Fleeceware</a></li> <li><a href="/wiki/Form_grabbing" title="Form grabbing">Form grabbing</a></li> <li><a href="/wiki/Dialer#Fraudulent_dialer" 
title="Dialer">Fraudulent dialer</a></li> <li><a href="/wiki/Infostealer" title="Infostealer">Infostealer</a></li> <li><a href="/wiki/Keystroke_logging" title="Keystroke logging">Keystroke logging</a></li> <li><a href="/wiki/Internet_bot#Malicious_purposes" title="Internet bot">Malbot</a></li> <li><a href="/wiki/Privacy-invasive_software" title="Privacy-invasive software">Privacy-invasive software</a></li> <li><a href="/wiki/Ransomware" title="Ransomware">Ransomware</a></li> <li><a href="/wiki/Rogue_security_software" title="Rogue security software">Rogue security software</a></li> <li><a href="/wiki/Scareware" title="Scareware">Scareware</a></li> <li><a href="/wiki/Spyware" title="Spyware">Spyware</a></li> <li><a href="/wiki/Web_threat" title="Web threat">Web threats</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">By operating system</th><td class="navbox-list-with-group navbox-list navbox-even hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Category:Android_(operating_system)_malware" title="Category:Android (operating system) malware">Android malware</a></li> <li><a href="/wiki/Category:Classic_Mac_OS_viruses" title="Category:Classic Mac OS viruses">Classic Mac OS viruses</a></li> <li><a href="/wiki/Category:IOS_malware" title="Category:IOS malware">iOS malware</a></li> <li><a href="/wiki/Linux_malware" title="Linux malware">Linux malware</a></li> <li><a href="/wiki/Category:MacOS_malware" title="Category:MacOS malware">MacOS malware</a></li> <li><a href="/wiki/Macro_virus" title="Macro virus">Macro virus</a></li> <li><a href="/wiki/Mobile_malware" title="Mobile malware">Mobile malware</a></li> <li><a href="/wiki/Palm_OS_viruses" title="Palm OS viruses">Palm OS viruses</a></li> <li><a href="/wiki/HyperCard_viruses" class="mw-redirect" title="HyperCard viruses">HyperCard viruses</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" 
style="width:1%">Protection</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Anti-keylogger" title="Anti-keylogger">Anti-keylogger</a></li> <li><a href="/wiki/Antivirus_software" title="Antivirus software">Antivirus software</a></li> <li><a href="/wiki/Browser_security" title="Browser security">Browser security</a></li> <li><a href="/wiki/Data_loss_prevention_software" title="Data loss prevention software">Data loss prevention software</a></li> <li><a href="/wiki/Defensive_computing" title="Defensive computing">Defensive computing</a></li> <li><a href="/wiki/Firewall_(computing)" title="Firewall (computing)">Firewall</a></li> <li><a href="/wiki/Internet_security" title="Internet security">Internet security</a></li> <li><a href="/wiki/Intrusion_detection_system" title="Intrusion detection system">Intrusion detection system</a></li> <li><a href="/wiki/Mobile_security" title="Mobile security">Mobile security</a></li> <li><a href="/wiki/Network_security" title="Network security">Network security</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Countermeasures</th><td class="navbox-list-with-group navbox-list navbox-even hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Computer_and_network_surveillance" title="Computer and network surveillance">Computer and network surveillance</a></li> <li><a href="/wiki/Honeypot_(computing)" title="Honeypot (computing)">Honeypot</a></li> <li><a href="/wiki/Operation:_Bot_Roast" title="Operation: Bot Roast">Operation: Bot Roast</a></li></ul> </div></td></tr></tbody></table></div> <div class="navbox-styles"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374" /><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236075235" /></div><div role="navigation" class="navbox authority-control" aria-label="Navbox581" 
style="padding:3px"><table class="nowraplinks hlist navbox-inner" style="border-spacing:0;background:transparent;color:inherit"><tbody><tr><th scope="row" class="navbox-group" style="width:1%"><a href="/wiki/Help:Authority_control" title="Help:Authority control">Authority control databases</a>: National <span class="mw-valign-text-top noprint" typeof="mw:File/Frameless"><a href="https://www.wikidata.org/wiki/Q14645#identifiers" title="Edit this at Wikidata"><img alt="Edit this at Wikidata" src="//upload.wikimedia.org/wikipedia/en/thumb/8/8a/OOjs_UI_icon_edit-ltr-progressive.svg/10px-OOjs_UI_icon_edit-ltr-progressive.svg.png" decoding="async" width="10" height="10" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/8/8a/OOjs_UI_icon_edit-ltr-progressive.svg/15px-OOjs_UI_icon_edit-ltr-progressive.svg.png 1.5x, //upload.wikimedia.org/wikipedia/en/thumb/8/8a/OOjs_UI_icon_edit-ltr-progressive.svg/20px-OOjs_UI_icon_edit-ltr-progressive.svg.png 2x" data-file-width="20" data-file-height="20" /></a></span></th><td class="navbox-list-with-group navbox-list navbox-odd" style="width:100%;padding:0"><div style="padding:0 0.25em"><ul><li><span class="uid"><a rel="nofollow" class="external text" href="https://d-nb.info/gnd/7518179-4">Germany</a></span></li><li><span class="uid"><a rel="nofollow" class="external text" href="https://id.loc.gov/authorities/sh2010013739">United States</a></span></li><li><span class="uid"><a rel="nofollow" class="external text" href="https://www.nli.org.il/en/authorities/987007602116905171">Israel</a></span></li></ul></div></td></tr></tbody></table></div> <!-- NewPP limit report Parsed by mw‐web.codfw.main‐7dbbdd594f‐slmlq Cached time: 20250405212521 Cache expiry: 2592000 Reduced expiry: false Complications: [vary‐revision‐sha1, show‐toc] CPU time usage: 0.813 seconds Real time usage: 0.958 seconds Preprocessor visited node count: 6550/1000000 Post‐expand include size: 212714/2097152 bytes Template argument size: 5269/2097152 
bytes Highest expansion depth: 17/100 Expensive parser function count: 9/500 Unstrip recursion depth: 1/20 Unstrip post‐expand size: 368158/5000000 bytes Lua time usage: 0.504/10.000 seconds Lua memory usage: 6708311/52428800 bytes Number of Wikibase entities loaded: 1/400 --> <!-- Transclusion expansion time report (%,ms,calls,template) 100.00% 810.372 1 -total 59.27% 480.276 2 Template:Reflist 32.85% 266.192 59 Template:Cite_web 9.24% 74.852 1 Template:Short_description 8.01% 64.911 2 Template:Navbox 7.84% 63.497 1 Template:Information_security 6.71% 54.382 2 Template:Pagetype 6.47% 52.393 14 Template:Cite_book 5.92% 47.945 11 Template:Cite_journal 5.55% 44.967 5 Template:Fix --> <!-- Saved in parser cache with key enwiki:pcache:223942:|#|:idhash:canonical and timestamp 20250405212521 and revision id 1279240302. Rendering was triggered because: page-view --> </div><!--esi <esi:include src="/esitest-fa8a495983347898/content" /> --><noscript><img src="https://auth.wikimedia.org/loginwiki/wiki/Special:CentralAutoLogin/start?useformat=desktop&type=1x1&usesul3=1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://en.wikipedia.org/w/index.php?title=Rootkit&oldid=1279240302">https://en.wikipedia.org/w/index.php?title=Rootkit&oldid=1279240302</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Help:Category" title="Help:Category">Categories</a>: <ul><li><a href="/wiki/Category:Types_of_malware" title="Category:Types of malware">Types of malware</a></li><li><a href="/wiki/Category:Rootkits" title="Category:Rootkits">Rootkits</a></li><li><a href="/wiki/Category:Privilege_escalation_exploits" title="Category:Privilege escalation exploits">Privilege escalation exploits</a></li><li><a href="/wiki/Category:Cryptographic_attacks" title="Category:Cryptographic 
attacks">Cryptographic attacks</a></li><li><a href="/wiki/Category:Cyberwarfare" title="Category:Cyberwarfare">Cyberwarfare</a></li></ul></div><div id="mw-hidden-catlinks" class="mw-hidden-catlinks mw-hidden-cats-hidden">Hidden categories: <ul><li><a href="/wiki/Category:All_articles_with_dead_external_links" title="Category:All articles with dead external links">All articles with dead external links</a></li><li><a href="/wiki/Category:Articles_with_dead_external_links_from_September_2012" title="Category:Articles with dead external links from September 2012">Articles with dead external links from September 2012</a></li><li><a href="/wiki/Category:All_accuracy_disputes" title="Category:All accuracy disputes">All accuracy disputes</a></li><li><a href="/wiki/Category:Accuracy_disputes_from_November_2010" title="Category:Accuracy disputes from November 2010">Accuracy disputes from November 2010</a></li><li><a href="/wiki/Category:Articles_with_short_description" title="Category:Articles with short description">Articles with short description</a></li><li><a href="/wiki/Category:Short_description_is_different_from_Wikidata" title="Category:Short description is different from Wikidata">Short description is different from Wikidata</a></li><li><a href="/wiki/Category:All_articles_with_unsourced_statements" title="Category:All articles with unsourced statements">All articles with unsourced statements</a></li><li><a href="/wiki/Category:Articles_with_unsourced_statements_from_July_2021" title="Category:Articles with unsourced statements from July 2021">Articles with unsourced statements from July 2021</a></li><li><a href="/wiki/Category:All_articles_with_self-published_sources" title="Category:All articles with self-published sources">All articles with self-published sources</a></li><li><a href="/wiki/Category:Articles_with_self-published_sources_from_November_2010" title="Category:Articles with self-published sources from November 2010">Articles with self-published sources 
from November 2010</a></li><li><a href="/wiki/Category:Articles_containing_potentially_dated_statements_from_2005" title="Category:Articles containing potentially dated statements from 2005">Articles containing potentially dated statements from 2005</a></li><li><a href="/wiki/Category:All_articles_containing_potentially_dated_statements" title="Category:All articles containing potentially dated statements">All articles containing potentially dated statements</a></li><li><a href="/wiki/Category:Commons_category_link_is_on_Wikidata" title="Category:Commons category link is on Wikidata">Commons category link is on Wikidata</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 7 March 2025, at 09:41<span class="anonymous-show"> (UTC)</span>.</li> <li id="footer-info-copyright">Text is available under the <a href="/wiki/Wikipedia:Text_of_the_Creative_Commons_Attribution-ShareAlike_4.0_International_License" title="Wikipedia:Text of the Creative Commons Attribution-ShareAlike 4.0 International License">Creative Commons Attribution-ShareAlike 4.0 License</a>; additional terms may apply. By using this site, you agree to the <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use" class="extiw" title="foundation:Special:MyLanguage/Policy:Terms of Use">Terms of Use</a> and <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy" class="extiw" title="foundation:Special:MyLanguage/Policy:Privacy policy">Privacy Policy</a>. 
Wikipedia® is a registered trademark of the <a rel="nofollow" class="external text" href="https://wikimediafoundation.org/">Wikimedia Foundation, Inc.</a>, a non-profit organization.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Wikipedia:About">About Wikipedia</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Wikipedia:General_disclaimer">Disclaimers</a></li> <li id="footer-places-contact"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Universal_Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/en.wikipedia.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//en.m.wikipedia.org/w/index.php?title=Rootkit&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://www.wikimedia.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><picture><source media="(min-width: 500px)" srcset="/static/images/footer/wikimedia-button.svg" width="84" height="29"><img src="/static/images/footer/wikimedia.svg" width="25" height="25" alt="Wikimedia Foundation" lang="en" loading="lazy"></picture></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large 
<script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Rootkit","url":"https:\/\/en.wikipedia.org\/wiki\/Rootkit","sameAs":"http:\/\/www.wikidata.org\/entity\/Q14645","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q14645","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2003-05-09T03:56:32Z","dateModified":"2025-03-07T09:41:18Z","headline":"computer software, designed to enable access to a computer or system"}</script> </body> </html>