Security+ Academy · Lesson

Rootkits, Spyware, and Keyloggers

Discover how rootkits hide malware from the OS, how spyware silently exfiltrates data, and how keyloggers capture credentials in real time.

Stealth Malware: Hiding in Plain Sight

While many malware types announce their presence through visible damage, a class of malicious software is specifically designed to remain hidden from users, administrators, and security tools while silently accomplishing attacker goals. Rootkits, spyware, and keyloggers represent the stealth end of the malware spectrum. Their effectiveness depends on persistence without detection — they may remain active for months or years, quietly exfiltrating credentials and data. Understanding their hiding techniques is essential for forensic investigation and for selecting detection tools that can find what standard scans miss.

Rootkits: Subverting the OS Itself

A rootkit modifies the operating system or low-level software to hide the attacker's presence. The term comes from Unix 'root' (highest privilege) + 'kit' (set of tools). Rootkits intercept OS functions to hide files, registry keys, processes, and network connections from standard system inspection tools. A process running a rootkit might not appear in Task Manager, its network connections won't show in netstat, and its files won't appear in directory listings — because all these tools query the OS through the same APIs the rootkit has compromised. Rootkits are extremely difficult to detect from within the infected OS.

# What rootkits hide:
# - Malicious processes from task manager / ps
# - Files and directories from file system listings
# - Registry keys from regedit
# - Network connections from netstat/ss
# - Kernel modules from lsmod
# - Loaded DLLs from process listings

# Why standard tools fail:
# Task Manager calls NtQuerySystemInformation() -> rootkit intercepts
# Rootkit patches return value to exclude hidden process
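One defender-side check for the process hiding described above, added here as an example and not part of this lesson: enumerate the PID space through two independent paths and report where they disagree (the classic "unhide" cross-view technique). It assumes a Linux host with /proc; the hooked listing in the demo is constructed to mimic a rootkit that filters one enumeration path.

```python
"""Cross-view detection of hidden processes (added, defender-side example).
A rootkit that filters one enumeration path (the /proc listing ps and top
read) often leaves another intact; comparing independent views of the PID
space and reporting disagreements is the classic 'unhide' check. Linux only."""
import os

def kernel_pid_max() -> int:
    """Upper bound of the PID space; fall back to the traditional default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768

def pids_from_proc() -> set[int]:
    """View 1: the /proc directory listing that ps/top/htop rely on."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_by_probe(max_pid: int) -> set[int]:
    """View 2: ask the kernel about every PID with kill(pid, 0).
    Signal 0 delivers nothing; the call only reports whether the PID exists.
    EPERM (PermissionError) means it exists but is not ours: still present."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found

def cross_view_diff(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs the kernel acknowledges but the listing omits."""
    return probed - listed

def live_hidden_pids() -> set[int]:
    """Both views back to back. Processes that start or exit between the
    scans cause one-off disagreements; only persistent ones are suspicious.
    A rootkit hooking the syscall layer itself can lie to both views."""
    return cross_view_diff(pids_from_proc(), pids_by_probe(kernel_pid_max()))

if __name__ == "__main__":
    # Constructed demo: a hooked listing that drops PID 4242, as a rootkit
    # patching directory enumeration would, while the kernel still knows it.
    kernel_view = {1, 200, 4242, 4300}
    hooked_listing = {1, 200, 4300}
    print("hidden by simulated rootkit:", cross_view_diff(hooked_listing, kernel_view))
    print("hidden on this host:", sorted(live_hidden_pids()))
```

Run it twice and compare: a PID that is absent from the listing on both runs is worth examining from outside the suspect OS (offline disk or memory image), since the tools inside it can no longer be trusted.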
