Rootkits are classified by how deep they sit in the system: the closer a rootkit runs to the operating system core, the more privilege it has and the harder it is to detect. At the highest level, user-mode rootkits run alongside the user's applications, with the same privileges as an ordinary program. From there a rootkit might intercept data or tamper with other running processes, for example by hooking the library calls those programs rely on. Kernel rootkits run inside the operating system core itself. Because every security tool on the machine depends on the kernel to read files, list processes and load drivers, a rootkit at that level can feed false answers to even the most trusted defences.
Attackers use rootkits because they are extremely effective: once a rootkit is properly installed it can be nearly impossible to detect from within the running system. Worse, a rootkit installed at kernel level cannot be reliably removed by tools running on that same system; the usual remedy is to wipe the machine and reinstall from trusted media. Only an implant in firmware, below the operating system, can leave hardware replacement as the only safe option. Rootkits are packaged and delivered in a variety of ways: as attachments to phishing emails, bundled into downloads or shared and pirated software, dropped by other malware that already has a foothold, or served from malicious links.
Once installed, a rootkit gives the attacker access to the system to use as they see fit. Typically its first job is to hide itself, and its second is to lower the system's defences, for example by disabling antivirus software or other protective mechanisms. What happens next depends on the attacker's motive, but a rootkit provides a backdoor through which the computer can be used in any way the attacker chooses. Some criminals use rootkits to steal sensitive information with key loggers. Others use them to install further malicious software. Another might use a rootkit to hijack the system, turn it into a “zombie” and use it as part of a botnet.
The best defence against rootkits is to be diligent, proactive and mindful in how you use your computer. Sometimes that is not enough, but even after an infection there are ways to deal with it. Before anything else, determine whether the rootkit is operating at kernel level. If it is, nothing the infected system reports can be trusted, because a kernel-level rootkit can falsify the results of any test run on top of it: the files, processes and network connections it wants hidden simply do not appear. The standard answer is to take the rootkit out of the picture: shut the system down and boot from another, trusted medium (a live CD or USB stick, or another machine with the suspect disk attached read-only). The rootkit's code is then not running, so the disk can be inspected and its contents compared against known-good copies. Some rootkits leave tell-tale signs of their behaviour, such as hooked system calls, hidden files, or mismatches between what different interfaces report, so investigators know what to look for. Other, more specialised methods (memory forensics, for instance) are often not available to the public and demand tooling and expertise well beyond what the average user can manage.
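The two checks described above, as an added example that is not part of the original article: an offline integrity check (hash every file on a suspect disk mounted read-only from trusted boot media and compare it against a known-good manifest) and a cross-view diff (compare the process list that a possibly hooked ps reported against the raw /proc directory listing). All paths, file contents and process lists here are constructed sample data, not taken from any real system, and the function names are the example's own.

```python
"""Offline integrity check and cross-view diff, the two checks a responder
runs once a suspect disk is mounted read-only from a trusted boot medium.
Added example; all data below is constructed, not from a real incident."""
import hashlib
import os
import tempfile

# Constructed sample data. Paths are relative to the mount point of the
# suspect disk; the byte strings stand in for real binaries and logs.
CLEAN_FILES = {
    "bin/ls": b"\x7fELF clean ls",
    "bin/ps": b"\x7fELF clean ps",
    "lib/modules/net.ko": b"\x7fELF legitimate driver",
    "var/log/auth.log": b"sshd: Accepted publickey for admin",
}
SUSPECT_FILES = {
    "bin/ls": b"\x7fELF clean ls",                        # untouched
    "bin/ps": b"\x7fELF trojanised ps that hides a pid",  # replaced
    "lib/modules/net.ko": b"\x7fELF legitimate driver",
    "lib/modules/rk.ko": b"\x7fELF rootkit module",       # added
    # var/log/auth.log was deleted by the intruder
}
# Constructed views taken on the *live* suspect system before shutdown:
# what the (possibly hooked) ps command reported, and a raw /proc listing
# assumed to have been gathered in a way the rootkit's hooks do not cover.
PS_VIEW = [1, 2, 400, 1337]
PROC_LISTING = ["1", "2", "400", "1337", "4242", "self", "cpuinfo", "meminfo"]


def write_tree(files):
    """Materialise a dict of relative paths -> bytes under a fresh temp dir
    so the example runs without a real disk image."""
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a mounted filesystem and hash every regular file. Run this from
    trusted boot media: the suspect kernel is not running, so it cannot
    lie about what is on disk."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, suspect):
    """Classify every path as modified, added or missing versus the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in suspect and suspect[p] != baseline[p]),
        "added": sorted(p for p in suspect if p not in baseline),
        "missing": sorted(p for p in baseline if p not in suspect),
    }


def hidden_pids(ps_view, proc_listing):
    """Cross-view diff: PIDs present in the raw /proc listing but absent
    from what ps reported. A user-mode rootkit that hooks the process
    listing APIs hides PIDs from ps but not from a raw directory read."""
    raw = {int(name) for name in proc_listing if name.isdigit()}
    return sorted(raw - set(ps_view))


def run_checks():
    """Build both manifests from the constructed trees and run every check."""
    baseline = build_manifest(write_tree(CLEAN_FILES))
    suspect = build_manifest(write_tree(SUSPECT_FILES))
    report = compare_manifests(baseline, suspect)
    report["hidden_pids"] = hidden_pids(PS_VIEW, PROC_LISTING)
    return report


if __name__ == "__main__":
    for kind, items in run_checks().items():
        print(f"{kind:11s} {items}")
```

Run from the trusted medium, the manifest comparison is the check to rely on, because the suspect kernel is not executing while the disk is read. The cross-view diff only catches user-mode rootkits that hook the process-listing APIs: a kernel rootkit also controls what /proc returns, which is exactly why kernel-level compromise calls for offline analysis rather than any test run on the live system.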
Many software vendors ship antivirus software that includes rootkit-removal tools. Some of it is clever enough to look for the clues a rootkit leaves when hiding, such as discrepancies between what the system's APIs report and what is actually on disk. This is far less reliable once the kernel itself has been compromised, because the scanner is then asking a lying kernel for its data. Still, all hope is not lost: in most cases the system can be rebuilt by reinstalling the operating system from trusted media onto a wiped disk. The best step remains prevention: install security updates promptly, and be careful about what you download and run.