Rootkits are a hazardous type of malware because they attack deep within a computer system, often at the BIOS level, and are very hard to detect. Once installed, there are several ways in which they can cause damage to you and your Mac.
However, there are anti-rootkit tools that can detect and remove them. This article will explain what a rootkit is, how you can avoid getting one on your Mac, and how to remove it.
What is a rootkit?
As its name suggests, a rootkit is a set of tools installed at the root level on a computer to hack into the system, cause damage, or steal data. Rootkits come in different types and attack Macs as well as PCs.
Root level gives the highest administrator privileges on a computer.
Is a rootkit considered malware, and how does it actually work?
Yes, a rootkit is a form of malware that can be quite destructive if it gets onto your device. This is because it is specifically designed to be stealthy and hide deep inside your MacBook, where it’s hard to detect.
What makes rootkit malware especially dangerous is the depth to which it burrows in and takes over your MacBook. It gets down to the kernel level of your operating system and gives itself access to your device.
Rootkits manage this by modifying your core system files, masking themselves, and making it extremely difficult for antimalware tools to find them. They then go on the hunt for your sensitive and private information by installing keyloggers, as well as copying your files and exfiltrating them through your Wi-Fi connection to their external server.
Types of rootkit
1. Hardware or firmware rootkit
These are installed in the system BIOS of a computer or in the firmware of a network router. They can be used to intercept data on a disk or data transmitted over a network. One example of such a rootkit is Thunderstrike, discovered in 2014. It exploited the Mac’s Thunderbolt port to inject code and could write malware to the EFI boot ROM chip on Macs. It was difficult to detect and, once in place, could steal data or spy on activity.

2. Bootloader
The bootloader is the part of the system that loads the operating system when a computer starts up. A bootloader rootkit replaces the real bootloader, meaning the malware is already active before the operating system has started.
3. Kernel mode rootkit
The kernel is the core of your Mac’s operating system. Based on Unix, it’s the software that makes everything else, including macOS, possible. A kernel-mode rootkit attacks that software and modifies it. A hacker can then do pretty much anything they want, including spying on you, stealing your data, or locking you out of your Mac altogether.
How to detect rootkits on your system
Although it is extremely difficult to detect rootkits inside your operating system, it isn’t impossible. Here is a list of methods you can try:

- Use a rootkit remover or other antimalware tool. We will be going into more depth later in the article about CleanMyMac, powered by Moonlock Engine, with its Protection feature. For now, just know this should be your first port of call to remove this type of malware.
- Check Activity Monitor. Rootkits run their own scripts and programs. So, the next step is to see if there is anything running that you don’t recognize. If you see a running process you’re not sure about, run a web search for the name and see what comes up. You should also use Activity Monitor to see if any running processes are consuming an inordinate amount of CPU and memory.
- Use EtreCheck to troubleshoot macOS problems. If you have a persistent issue, try the free EtreCheck. Choose the type of problem you’re having, and it will attempt to diagnose it, including the possibility of rootkits.
- Use KnockKnock to find persistent processes. One of the rootkit symptoms that makes this malware difficult to combat is that it starts again every time the MacBook restarts. The Mac rootkit scanner KnockKnock can be used to look for software that is configured to launch automatically when the device boots.

How to avoid a rootkit
There are two ways a rootkit can find its way onto your Mac: over a network like the internet or via an external peripheral. Thunderstrike used the latter mode — a device connected to the Thunderbolt port on a target Mac could exploit the firmware in the port and install malware. However, most such malware is transferred over the internet in exactly the same way as other malware. Follow these guidelines to avoid a rootkit being installed on your Mac.
- Don’t leave your Mac unattended in a public place. If you’re staying in a hotel, lock it in the safe when you’re out of the room.
- Don’t click on a link in an email or instant message unless you are 100% sure it’s safe.
- Don’t download attachments in email messages unless you know what they are.
- Don’t click on links in pop-up adverts that tell you Flash Player or any other piece of software is out of date.
- Keep your operating system up to date.
- Don’t ignore warnings from your web browser when it tells you a website you are trying to visit is unsafe.
How to remove a rootkit virus
Rootkits are notoriously tricky to detect, and it’s possible to have one on your computer and not know about it. If it doesn’t directly impact the performance of your Mac or display adware or have some other visible effect, there may be no way to spot it. It will just sit there silently, stealing your data and monitoring your activity.
There are rootkit scanner tools available for Unix that will run on macOS. However, you’ll need to be comfortable with Terminal to use one, so they are not the best choice as a rootkit removal tool for most people. Fortunately, there are other ways. Lots of these viruses are known and can be detected by anti-malware software.
Get rid of rootkit malware with a dedicated macOS antivirus tool
As we said previously, an antimalware tool should be your first rootkit detection method. But you need an antimalware app with this function baked in (not all do). The best one on the market to get rid of a rootkit or other malware is CleanMyMac, powered by Moonlock Engine.
CleanMyMac is actually a lightweight, fast, and powerful Mac optimization tool. But it also has a Protection feature, and rootkits are one of the types of malware it is designed to detect.
What’s even better is that new customers get a free trial to try out CleanMyMac before paying any money. So, if you think you have a rootkit on your Mac, give CleanMyMac a try and see if it fixes the problem.

Follow these easy steps to carry out the rootkit removal process:
- Sign up for 7 free days with CleanMyMac
- Once CleanMyMac is open, click the third icon from the top in the left sidebar. The small raised hand is where you’ll find the rootkits removal feature (and, of course, it will also remove all other forms of malware).
- Once you’re in the malware detection module, your next step is to click Configure Scan. This accesses the scan settings. Select all options.
- Exit Configure Scan and click the Scan button. CleanMyMac will start methodically searching your Mac, looking for all traces of rootkit viruses, as well as any other malware threats you may be unaware of.
- If CleanMyMac finds anything, all infected files will be collected and shown to you in a list. Select them all and click Remove. This should be the end of your rootkit problem.
- To be certain that things are clean, click the Cleanup icon. This will remove all junk files clogging up your MacBook’s hard drive. It is possible that some of them are linked to the rootkit that was just removed. Deleting them is an extra step to ensure that the rootkit won’t come back again.
Another way to get rid of a rootkit is to wipe and reinstall your Mac entirely. This is normally reserved as a last resort — but in some cases, it may be your only option.

To enable real-time protection, open the CleanMyMac menu, choose Settings, and go to the Protection tab. This adds a further level of protection that scans your Mac in the background and notifies you about any suspicious processes and apps.
Some manual rootkit removal methods you can try
Manually removing a rootkit is no easy matter. Honestly, the best way to remove a rootkit is to use one of the methods outlined in this article. Or reset your MacBook to factory settings.
If you really want to try it the manual way, keep in mind that there is no guarantee you’ll get all traces of the rootkit. Make sure you’ve disconnected your Wi-Fi connection before doing the following.
Boot into Recovery Mode
First, reboot your computer. Once you see the Apple logo, press the key combination Command (⌘) + R to go into Recovery Mode.
Check if System Integrity Protection has been disabled

System Integrity Protection (SIP) stops any core system files from being altered. In some cases, malware can disable this feature. Your next step is to open Terminal and type the following:
csrutil status
This will tell you if SIP has been disabled. If it has, you can turn it back on by typing the following into Terminal (note: this must be done in macOS Recovery Mode), then restarting your Mac:
csrutil enable
Check for suspicious kernel extensions
Since a rootkit is able to get down to the kernel level, it’s now time to check for any suspicious kernel extensions (KEXTs). In Terminal, type the following:
kextstat | grep -v com.apple
This is where you need some advanced knowledge to recognize a suspicious kernel extension when you look at it. On newer macOS versions (Big Sur and later), this command may return no results even if third-party system extensions are present, because traditional KEXTs have been largely replaced by System Extensions and DriverKit.
If you are convinced that a kernel extension is malicious, you can unload and remove it by typing the following into Terminal.
sudo kextunload /Library/Extensions/BadExtension.kext
sudo rm -rf /Library/Extensions/BadExtension.kext
Now, reboot your Mac.
Important: These commands will only work if System Integrity Protection is disabled or partially disabled. Additionally, make sure you are removing the correct extension — deleting critical files can destabilize your system.
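The two manual checks above can be scripted so that the output is easier to read. The following is an added example, not code from the article or from CleanMyMac: each function reads a command's output on stdin, so it runs offline against the constructed sample text below and on a real Mac with `csrutil status | sip_state` and `kextstat | non_apple_kexts`. The bundle identifier com.example.fakedriver and the addresses in the sample are invented.

```sh
#!/bin/sh
# Added example (not the article's or CleanMyMac's code). Read-only triage
# helpers for the two manual checks: each reads a command's output on stdin.

# Reduce `csrutil status` output to one word: enabled, disabled, or custom
# (newer macOS reports "unknown (Custom Configuration)" when SIP is partly off).
sip_state() {
  out=$(cat)
  case "$out" in
    *"status: enabled"*)  echo enabled ;;
    *"status: disabled"*) echo disabled ;;
    *)                    echo custom ;;
  esac
}

# Print the bundle identifier of every loaded kext that is not Apple's.
# Unlike `grep -v com.apple`, this skips the column header and the
# "Executing: /usr/bin/kmutil showloaded" banner that newer kextstat prints,
# so an empty result really does mean "no third-party kexts loaded".
non_apple_kexts() {
  awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ { print $6 }'
}

# Constructed sample of kextstat output (names and addresses are invented).
SAMPLE_KEXTSTAT='Executing: /usr/bin/kmutil showloaded
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  130 0                  0          0          com.apple.kpi.bsd (20.6.0) 6E6F...
  150    0 0xffffff7f9a2b1000 0x8000     0x8000     com.example.fakedriver (1.2.3) ABCD... <8 6 5 3 1>
  151    0 0xffffff7f9a2c0000 0x3000     0x3000     com.apple.filesystems.autofs (3.0) DEF0...'

# Constructed sample of csrutil output on a machine where SIP was turned off.
SAMPLE_CSRUTIL='System Integrity Protection status: disabled.'

# Demo when run directly; the functions are the reusable part.
printf '%s\n' "$SAMPLE_CSRUTIL" | sip_state          # disabled
printf '%s\n' "$SAMPLE_KEXTSTAT" | non_apple_kexts   # com.example.fakedriver
```

Anything the second function prints deserves a web search for its bundle identifier before you unload it; the script only lists, it never changes anything.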
Rootkit malware is so-called because it attacks the root of a computer system. That could be the BIOS, the bootloader, or even the RAM. The macOS rootkit Thunderstrike exploited a vulnerability in Thunderbolt firmware to install itself. Once installed, rootkits can do all sorts of damage.
Remember, scanning your Mac regularly for malware and using privacy-cleaning tools minimize the chances of being caught in a rootkit malware attack. To delete one, you can try either Malwarebytes or CleanMyMac, both recognized Mac antiviruses.