How to remove rootkit malware

Rootkits are a particularly dangerous type of malware because they attack deep within a computer system, often at BIOS level, and are very hard to detect. Once installed, there are a number of ways in which they can cause damage to you and your Mac. However, there are anti-rootkit tools that can detect and remove them. In this article, we’ll explain what a rootkit is, how you can avoid getting one on your Mac, and how to remove a rootkit if you’re unfortunate enough to be attacked by one.

What is a rootkit?

As its name suggests, a rootkit is a set of tools installed at root level on a computer with the purpose of hacking into the system, causing damage, or stealing data. Rootkits come in different types, and they attack Macs as well as PCs.

Root level grants the highest administrator privileges on a computer.

Types of rootkit

  1. Hardware or firmware rootkit

    These are installed in the system BIOS of a computer, or in the firmware of a network router. They can be used to intercept data on a disk or data transmitted over a network. One example is Thunderstrike, discovered in 2014. This malware exploited the Mac’s Thunderbolt port to install code on the EFI boot ROM chip of a Mac. It was difficult to detect and, once in place, could steal data or spy on activity.

  2. Bootloader

    The bootloader is the part of the system that loads the operating system when a computer starts up. A bootloader rootkit replaces the real bootloader, meaning the malware is active before the operating system has even started.

  3. Kernel mode rootkit

    The kernel is the core of your Mac’s operating system. macOS is built on a Unix foundation, and the kernel is the software that everything else depends on. A kernel rootkit attacks that software and changes it. By doing that, a hacker can do pretty much anything they want, including spying on you, stealing your data, or locking you out of your Mac altogether.

How to avoid a rootkit

There are two ways a rootkit can find its way onto your Mac: over a network like the internet, or via an external peripheral. Thunderstrike used the latter mode – a device connected to the Thunderbolt port on a target Mac could exploit the firmware in the port and install malware. However, most such malware is transferred over the internet, in exactly the same way as other malware. Follow these guidelines to avoid a rootkit being installed on your Mac.

  1. Don’t leave your Mac unattended in a public place. If you’re staying in a hotel, lock it in the safe when you’re out of the room.
  2. Don’t click on a link in an email or instant message unless you are 100% sure it’s safe.
  3. Don’t download attachments in email messages unless you know what they are.
  4. Don’t click on links in pop-up adverts that tell you Flash Player or any other piece of software is out of date.
  5. Keep your operating system up to date.
  6. Don’t ignore warnings from your web browser when it tells you a website you are trying to visit is unsafe.

How to remove a rootkit virus

Rootkits are notoriously difficult to detect, and it’s possible to have one on your computer and not know about it. If it doesn’t directly impact the performance of your Mac, display adware, or have some other visible effect, there may be no way to spot it. It will just sit there silently stealing your data and monitoring your activity.

There are rootkit scanner tools for Unix that will also run on macOS. However, to use one, you’ll need to be comfortable with Terminal, so they are not the best choice as a rootkit removal tool for most people. Fortunately, there are other ways. Many rootkits are already known and can be detected by anti-malware software.

Delete it with a dedicated macOS antivirus

CleanMyMac X is a relatively new antivirus for Mac, but it’s quickly gaining popularity among Mac users. This solution is notarized by Apple, and OPSWAT, a global virus research company, lists CleanMyMac X among its recommended antiviruses. CleanMyMac X has a rootkit detector and remover.

If it finds anything, it will alert you and allow you to remove it with a couple of clicks. Here’s how to use it.

  1. Install and launch CleanMyMac X — download a free version here.
  2. Choose Malware Removal in the sidebar.
  3. Press Scan.
  4. If CleanMyMac finds anything, press Remove to get rid of it.

To enable real-time protection, open the CleanMyMac X menu and choose Preferences.

If your Mac has been attacked by rootkit malware, it’s likely that it came from something you downloaded from the internet. And if you downloaded malware, you could also have downloaded files that will infiltrate your web browser and intercept future browsing sessions. CleanMyMac X has a tool to clean up data stored by browsers, like cache files and cookies. It’s a good idea to run it after you’ve removed malware.

  1. In CleanMyMac X, choose Privacy in the sidebar.
  2. Click on the browser you use, e.g. Safari, and check the box next to it.
  3. Press Remove.
  4. The app will now remove your browsing history, download history, open tabs, and cookies. If there’s anything you don’t want to delete, uncheck the box next to it before you press Remove.

Rootkit malware is so called because it attacks the root of a computer system. That could be the BIOS, the bootloader, or even the RAM. The macOS rootkit Thunderstrike exploited a vulnerability in Thunderbolt firmware to install itself. Once installed, rootkits can do all sorts of damage. However, by scanning your Mac regularly for malware and using privacy cleaning tools, you can minimize the chances of being caught in a rootkit malware attack. To delete one, you can try either Malwarebytes or CleanMyMac X, which are both recognized Mac antiviruses.
