How to remove rootkit malware

Rootkits are a hazardous type of malware because they attack deep within a computer system, often at the BIOS level, and are very hard to detect. Once installed, there are several ways in which they can cause damage to you and your Mac. 

However, there are anti-rootkit tools that can detect and remove them. This article will explain what a rootkit is, how you can avoid getting one on your Mac, and how to remove it.

What is a rootkit?

As its name suggests, a rootkit is a set of tools installed at the root level on a computer to hack into the system, cause damage, or steal data. Rootkits come in different types and attack Macs as well as PCs.

Root level gives the highest administrator privileges on a computer. 

Types of rootkit

1. Hardware or firmware rootkit

These are installed in the system BIOS of a computer or the firmware of a network router. They can be used to intercept data stored on a disk or transmitted over a network. One example is Thunderstrike, discovered in 2014. It exploited the Mac’s Thunderbolt port to write malicious code to the EFI boot ROM chip. Code stored there was difficult to detect and, once in place, could steal data or spy on activity.



2. Bootloader

The bootloader is the part of the system that loads the operating system when a computer starts up. A bootloader rootkit replaces the legitimate bootloader, which means the malware is already running before the operating system has started.

3. Kernel mode rootkit

The kernel is the core of your Mac’s operating system. Based on Unix, it’s the software that makes everything else, including macOS, possible. A kernel-mode rootkit attacks that software and changes it. A hacker can then do pretty much anything they want, including spying on you, stealing your data, or locking you out of your Mac altogether.


How to avoid a rootkit

There are two ways a rootkit can find its way onto your Mac: over a network like the internet or via an external peripheral. Thunderstrike used the latter mode — a device connected to the Thunderbolt port on a target Mac could exploit the firmware in the port and install malware. However, most such malware is transferred over the internet in exactly the same way as other malware. Follow these guidelines to avoid a rootkit being installed on your Mac.

1. Don’t leave your Mac unattended in a public place. If you’re staying in a hotel, lock it in the safe when you’re out of the room.
2. Don’t click on a link in an email or instant message unless you are 100% sure it’s safe.
3. Don’t download attachments in email messages unless you know what they are.
4. Don’t click on links in pop-up adverts that tell you Flash Player or any other piece of software is out of date.
5. Keep your operating system up to date.
6. Don’t ignore warnings from your web browser when it tells you a website you are trying to visit is unsafe.


How to remove a rootkit virus

Rootkits are notoriously tricky to detect, and it’s possible to have one on your computer and not know about it. If it doesn’t directly impact the performance of your Mac, display adware, or have some other visible effect, there may be no obvious way to spot it. It will just sit there silently, stealing your data and monitoring your activity.

There are rootkit scanner tools available for Unix that will run on macOS. However, you’ll need to be comfortable with Terminal to use one, so they are not the best choice as a rootkit removal tool for most people. Fortunately, there are other ways. Many rootkits are known and can be detected by anti-malware software.

Delete it with a dedicated macOS antivirus

CleanMyMac X is a relatively new antivirus for Mac, but it’s quickly gaining popularity among Mac users. This solution is notarized by Apple, meaning that it is safe to install and run on a Mac. CleanMyMac X has a rootkit detector and remover.

If it finds anything, it will alert you and allow you to remove it with a couple of clicks. Here’s how to use it:

1. Install and launch CleanMyMac X — download a free version here.
2. Choose Malware Removal in the sidebar.
3. Press Scan.
4. If CleanMyMac finds anything, press Remove to get rid of it.

To enable real-time protection, visit the CleanMyMac X menu and choose Preferences. Real-time protection is an additional layer of defense that scans your Mac in the background and notifies you about any suspicious processes and apps.

If your Mac has been attacked by rootkit malware, it’s likely that it came from something you downloaded from the internet. And if you downloaded malware, you could also have downloaded files that will infiltrate your web browser and intercept future browsing sessions. CleanMyMac X has a tool to clean up data stored by browsers, like cache files and cookies. It’s a good idea to run it after removing malware.


1. In CleanMyMac X, choose Privacy in the sidebar.
2. Click on the browser you use (like Safari) and check the box next to it.
3. Press Remove.
4. The app will remove your browsing history, download history, open tabs, and cookies. If there’s anything you don’t want to delete, uncheck the box next to it before pressing Remove.

Rootkit malware is so-called because it attacks the root of a computer system. That could be the BIOS, the bootloader, or even the RAM. The macOS rootkit Thunderstrike exploited a vulnerability in Thunderbolt firmware to install itself. Once installed, rootkits can do all sorts of damage.

Remember, scanning your Mac regularly for malware and using privacy cleaning tools minimizes the chances of being caught in a rootkit malware attack. To delete it, you can try either Malwarebytes or CleanMyMac X, both recognized Mac antiviruses.
