Rootkits - What is a Rootkit
Rootkit Detection and Removal

It is a sad reflection on today's society that malicious programmers and the people who pay them are endlessly inventive. One of the more recent forms of their evil creativity has surfaced in the form of something called rootkits. But what is a rootkit, I hear you ask?

One of the traditional weaknesses of viruses, and what makes them easier to detect, is their visibility. Executables containing viruses had names that differed from the standard programs found on computer systems. When a virus maliciously renamed a standard file and replaced it, the new version more often than not had a different date or file size. They might even show up in the Task Manager list of running programs on Windows.

Consequently, that made them detectable by anyone diligent enough to check, or by automated software designed to seek them out. Rootkits, however, are far more dangerous than other infection methods because they can easily hide malicious files.

The files do not show up on Windows Explorer, even when Show Hidden Files is enabled. The running process list displayed by Task Manager does not list them either. A large majority of current antivirus packages do not or cannot seek out and destroy viruses hidden by rootkits.

In November of 2005, Sony, in their wisdom, began using rootkits on some music CDs in order to hide copy protection files. Hackers soon became aware of this and quickly turned Sony's well-meaning but misguided plans to their own evil advantage. Sony's software made any file whose name began with '$sys$' invisible, so it unintentionally hid the hackers' efforts as well: they simply named their malware to take advantage of the effect.

Virus creators quickly turned to making their own rootkits. Distributing them, along with a dangerous payload, is as easy as passing along any other virus. Email attachments, spyware downloads initiated by clicking on ads, downloading free software and so on - the list is long.

Some even found their way into the boot sector of hard drives. That means the technique of clearing the virus out of memory by rebooting the computer is ineffective. The virus simply gets restarted each time the operating system is booted. To make matters worse, many automated virus scanning programs are set to scan only regular programs and not the boot sector.

But it does not end there. Once it loads from the boot sector, a rootkit can effectively become the kernel of the operating system. The kernel is the low level program that controls the most basic functions of the computer hardware itself.

That in turn makes it possible to substitute malware for the authorized low level routines of the legitimate operating system. Once that level of control is achieved, there is nothing the virus cannot do, including masking its efforts from the higher level functions of the operating system and from any application, virus checking applications included.

Users may or may not notice the slowing effect of the technique, and could easily put it down to any one of the dozens of mysterious behaviors Windows exhibits from time to time. Very few are going to be savvy enough to even suspect a rootkit at work.

Software is being developed and deployed to combat this latest threat to PC security. Rootkit scanners are coming onto the market and users interested in protecting their PCs should seek one out. SysInternals' RootKitRevealer is one well known example and is available free.
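RootkitRevealer works by cross-view comparison: it lists files and registry keys through the normal Windows API and again by reading the raw data directly, then reports whatever appears in one view but not the other. The script below is an added illustration of that idea, not SysInternals' code; it simulates a '$sys$' prefix filter on a constructed file listing and shows how the two views disagree.

```python
"""Cross-view rootkit detection on constructed sample data.

A rootkit that hides files by filtering an API (like the '$sys$' prefix
filter described above) can only filter the views it has hooked. Comparing
a high-level view (what the hooked API returns) against a low-level view
(what is actually on disk) exposes the difference.
"""
from dataclasses import dataclass

HIDE_PREFIX = "$sys$"   # prefix the Sony software hid, as described on this page


@dataclass(frozen=True)
class Entry:
    name: str
    size: int


# Constructed low-level view: what a raw on-disk scan would report.
# The '$sys$' names are invented sample values, not real files.
RAW_VIEW = [
    Entry("explorer.exe", 4_096_000),
    Entry("notepad.exe", 193_024),
    Entry("$sys$drv.sys", 51_200),
    Entry("$sys$cfg.dat", 1_024),
]


def hooked_listing(entries):
    """Simulate the filtered high-level view a prefix-hiding hook would return."""
    return [e for e in entries if not e.name.startswith(HIDE_PREFIX)]


def cross_view_diff(high_level, low_level):
    """Return (hidden, mismatched): names present only in the low-level view,
    and names present in both views but with a different reported size."""
    high = {e.name: e for e in high_level}
    low = {e.name: e for e in low_level}
    hidden = sorted(n for n in low if n not in high)
    mismatched = sorted(n for n in low if n in high and high[n].size != low[n].size)
    return hidden, mismatched


def scan(raw_view=RAW_VIEW):
    """Run the cross-view comparison against the simulated hooked API."""
    return cross_view_diff(hooked_listing(raw_view), raw_view)


if __name__ == "__main__":
    hidden, mismatched = scan()
    print("hidden from the API view:", hidden)
    print("size mismatch between views:", mismatched)
```

A real scanner must obtain the low-level view without going through the hooked code path (raw volume reads or an offline boot), otherwise both views pass through the same filter and the comparison finds nothing.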