“Rootkit.” is Malwarebytes' detection name for a category of malware that gives threat actors the means to remotely access and gain full control of affected systems without users knowing. To learn more about rootkits, read our related blog content.
Depending on their method of infection, operation, and persistence, rootkits can be divided into the following types:
User mode (Ring 3): A user-mode rootkit is the most common and the easiest to implement. It uses relatively simple techniques, such as import address table (IAT) hooks and inline hooks, to alter the behavior of called functions.
Kernel mode (Ring 0): A kernel-mode rootkit lives in the kernel space, altering the behavior of kernel-mode functions. A specific variant of kernel-mode rootkit that attacks a bootloader is called a bootkit.
Hypervisor (Ring -1): A firmware rootkit runs on the lowest level of the computer rings, the hypervisor, which runs virtual machines. The kernel of a system infected by this type of rootkit is not aware that it is interacting not with real hardware but with an environment altered by the rootkit.
There is a rule that states that a rootkit running in a lower layer cannot be detected by any rootkit software running in the layers above it.
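The two user-mode techniques named above, IAT hooks and inline hooks, each leave a trace a defender can check for. The sketch below is an added example, not Malwarebytes code: it flags import slots that resolve outside the DLL they name and function entry bytes that differ from the file on disk. All module names, addresses and bytes are constructed sample data, and `injected.dll` is hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Module:                     # one loaded image and its mapped address range
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def find_iat_hooks(iat, modules):
    """Flag IAT slots whose resolved address lies outside the DLL they import from.
    Forwarded exports also resolve into another module, so findings need review."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for dll, func, addr in iat:
        home = by_name.get(dll.lower())
        if home is not None and home.contains(addr):
            continue
        owner = next((m.name for m in modules if m.contains(addr)), "<unbacked memory>")
        findings.append((func, owner))
    return findings

def find_inline_patches(on_disk, in_memory, length=8):
    """Compare each function's first bytes in memory with the copy from the file on disk."""
    findings = []
    for func, clean in on_disk.items():
        live = in_memory.get(func, b"")[:length]
        if live != clean[:length]:
            # 0xE9 = jmp rel32, 0xFF 0x25 = jmp [mem]: typical redirections at an entry point
            jump = live[:1] == b"\xe9" or live[:2] == b"\xff\x25"
            findings.append((func, "jump at entry" if jump else "bytes differ"))
    return findings

# Constructed sample data (not taken from any real system).
MODULES = [Module("kernel32.dll", 0x7FF810000000, 0x100000),
           Module("ntdll.dll", 0x7FF820000000, 0x200000),
           Module("injected.dll", 0x000180000000, 0x10000)]   # hypothetical foreign module
IAT = [("kernel32.dll", "CreateFileW", 0x7FF810024A10),
       ("kernel32.dll", "FindNextFileW", 0x000180001200),
       ("ntdll.dll", "NtQuerySystemInformation", 0x02A000001000)]
PROLOGUE = bytes.fromhex("48895c2408574883ec20")               # ordinary x64 function prologue
ON_DISK = {"CreateFileW": PROLOGUE, "ReadFile": PROLOGUE}
IN_MEMORY = {"CreateFileW": PROLOGUE, "ReadFile": b"\xe9\x10\x20\x30\x40" + PROLOGUE[5:]}

if __name__ == "__main__":
    print(find_iat_hooks(IAT, MODULES))
    print(find_inline_patches(ON_DISK, IN_MEMORY))
```

Both checks run at the same privilege level as the hooks they look for, so they say nothing about kernel-mode or hypervisor-level tampering.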
Malwarebytes protects users from rootkits by using real-time protection.
To remove rootkits you will often need a dedicated tool like Malwarebytes Anti-Malware. Download Malwarebytes Anti-Rootkit (MBAR) from here and follow the steps below: