Rootkits - What is a Rootkit
Rootkit Detection and Removal
It is a sad reflection on today's society that malicious programmers and the people who pay them are endlessly
inventive. One of the more recent forms of their evil creativity has surfaced in the form of something called
rootkits. But what is a rootkit, I hear you ask?
One of the traditional vulnerabilities of viruses, making them easier to detect, is their visibility.
Executables containing viruses had names that were different from the standard programs found on computer systems.
When the virus maliciously renamed a standard file and replaced it, the new version more often than not had a
different date or file size. They might even show up in the Task Manager list of programs on Windows.
Consequently, that made them detectable by anyone diligent enough to check, or by automated software designed to
seek them out. Rootkits, however, are a lot more dangerous than other virus infection methods because they
can easily hide malicious files.
The files do not show up on Windows Explorer, even when Show Hidden Files is enabled. The running process list
displayed by Task Manager does not list them either. A large majority of current antivirus packages do not or
cannot seek out and destroy viruses hidden by rootkits.
In November of 2005, Sony, in their wisdom, began using rootkits on some music CDs in order to hide copy
protection files. However, hackers soon became aware of this and quickly turned Sony's well-meaning but misguided
plans to their own evil advantage. Sony's software unintentionally hid the hackers' efforts as well: any file whose
name began with '$sys$' became invisible, so hackers named their malware to take advantage of the effect.
Virus creators quickly turned to making their own rootkits. Distributing them, along with a dangerous payload,
is as easy as passing along any other virus. Email attachments, spyware downloads initiated by clicking on ads,
downloading free software and so on - the list is long.
Some even found their way into the boot sector of hard drives. That means the technique of clearing the virus
out of memory by rebooting the computer is ineffective. The virus simply gets restarted each time the operating
system is booted. To make matters worse, many automated virus scanning programs are only set to scan regular
programs, not the boot sector.
But it does not end there. Once hidden in the boot sector, malware can effectively become part of the kernel of the
operating system. The kernel is the low level program that controls the most basic functions of the computer.
That in turn makes it possible to substitute malware for the authorized low level routines of the legitimate
operating system. Once that level of function is achieved, there is nothing the virus cannot do, including masking
its efforts from the higher level functions of the operating system and from any application, virus checkers included.
Users may or may not notice the slowing effect of the technique, and could easily put it down to any one of the
dozens of mysterious behaviors Windows exhibits from time to time. Very few are going to be savvy enough to even
suspect a rootkit at work.
Software is being developed and deployed to combat this latest threat to PC security. Rootkit scanners are
coming onto the market, and users interested in protecting their PCs should seek one out. Sysinternals' RootkitRevealer is one well known example and is available free.