<aside>
A rootkit is a type of software that is designed to gain administrative-level control over a given system without being detected.
</aside>

The account with the highest level of permissions is called the administrator account.

A computer system has several different rings of permissions (protection rings), with the kernel sitting at the innermost ring.


Remember: the closer the malicious code runs to the kernel, the more permissions it has and the more damage it can do to your system.

When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 so that it can hide from the other functions of the operating system and avoid detection.


One technique used by rootkits to gain this deeper level of access is DLL injection.


Rootkits are extremely powerful and very difficult to detect, because the operating system itself is essentially blinded to them.

The best way to detect them is to boot from an external device (for example, a live-boot Linux distribution) and then scan the internal hard drive with a good anti-malware scanning solution; because the suspect operating system is not running, the rootkit cannot hide from the scan.
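The offline check described above can be reproduced in code. The following is an added example, not part of the original notes: it assumes the suspect disk has been mounted read-only from a live-boot Linux (the mount point and the known-good hash manifest are assumptions, constructed here inside a temporary directory) and compares every listed system file against its trusted SHA-256, reporting modified, missing and unexpected files. Because the comparison runs from the clean environment, a rootkit that hides files from the infected system's own tools cannot interfere with it.

```python
"""Offline integrity check of a mounted system volume.

Added example, not from the original notes. Assumes the suspect volume has
been mounted read-only from a live-boot Linux (e.g. at /mnt/suspect) and that
a known-good manifest {relative_path: sha256} exists. Both the volume and the
manifest are constructed in a temp directory in demo() so the script runs
offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_offline_volume(mount_root: Path, manifest: dict) -> dict:
    """Compare files under mount_root against the trusted manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]} with
    paths relative to mount_root, using forward slashes.
    """
    report = {"modified": [], "missing": [], "unexpected": []}

    # 1. Every file the manifest knows about must exist and hash correctly.
    for rel, expected in manifest.items():
        p = mount_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)

    # 2. Files present in a monitored directory but absent from the manifest
    #    are reported too: a dropped loader or a hidden helper shows up here.
    monitored_dirs = {Path(rel).parent for rel in manifest}
    for d in sorted(monitored_dirs):
        for entry in sorted((mount_root / d).iterdir()):
            if entry.is_file():
                rel = entry.relative_to(mount_root).as_posix()
                if rel not in manifest:
                    report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: a fake 'mounted' volume in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")   # constructed
        (root / "bin" / "ps").write_bytes(b"original ps binary")   # constructed

        # Trusted manifest, taken while the files were known-good.
        manifest = {
            "bin/ls": sha256_file(root / "bin" / "ls"),
            "bin/ps": sha256_file(root / "bin" / "ps"),
        }

        # Simulate what the offline scan is meant to catch: a replaced ps
        # binary and an extra file that the infected OS would have hidden.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (root / "bin" / ".hidden").write_bytes(b"loader")

        return verify_offline_volume(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the manifest would come from the distribution's package database or a baseline taken when the machine was known to be clean; the point of the example is that the hashes are computed by the live-boot environment, not by the possibly-subverted operating system on the internal drive.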