
Viruses, worms, trojans - it can all be a bit too much for many users. Add rootkits into the mix and things get even more complicated, but many of the complexities can be ignored once the basics are understood. We hope this brief guide helps.
What on earth is a "rootkit" !?
Rootkits are among the most difficult forms of malicious software (malware) to detect, and some make most viruses, worms and trojans look like child's play. In many ways they are the "lowest of the low", often embedding themselves deep in the operating system, at a level most viruses never reach.
The book "Rootkits: Subverting the Windows Kernel" by Greg Hoglund and James Butler (one of the few books to cover the subject) describes a rootkit, in its simplest form, as follows:
"A rootkit is a set of programs and code that allows
a permanent and undetectable presence on a computer."
Wikipedia's article on rootkits describes a rootkit as follows:
"A rootkit is a program (or combination of several programs) designed to take fundamental
control (in Unix terms "root" access, in Windows terms "Administrator" access) of a
computer system, without authorization by the system's owners and legitimate managers."
Today's rootkits represent some of the most advanced malware ever created, and some of the hardest to detect. As time goes on, rootkit developers discover more and more ways to subvert the operating system kernel, and anti-rootkit developers in turn must develop new ways to detect them.
Rootkits often modify the operating system or other processes in order to change the way the system behaves - usually in an attempt to hide themselves so that even anti-virus scanners can't detect them.
Will my anti-virus scanner detect rootkits?
Yes and no. Most good anti-virus scanners can detect rootkits when the rootkit is NOT running - for example, if a rootkit is sent to you by email and you try to run it, your anti-virus scanner should scan the file before allowing it to run, and so should be able to detect it. However, that is only the case if the anti-virus scanner has a signature for that particular rootkit in its database. If it doesn't, the rootkit will not be detected.
HOWEVER, once the rootkit is active there is a very good chance that the anti-virus scanner will not even be able to detect the presence of the rootkit, let alone scan it: the rootkit is by then in a position to hide itself from the scanner's view. This is where specialty tools such as Deep System Explorer play a crucial role in system security, filling that void.
How do rootkits hide?
Usually either by hooking, or by code and data modifications (which can also be a form of hook). For example, a rootkit may hook NtQuerySystemInformation (a native API function that can be used to enumerate running processes), so that whenever the function is called the rootkit's code is invoked instead; the rootkit can then call the original function, modify the results before returning them to the caller, and so remove its own entry from the process list.
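To make the hooking example above concrete, here is an added illustration in portable C. It is not code from this page or from Diamond Computer Systems; it models the relevant piece of the Windows API in miniature. NtQuerySystemInformation returns a buffer of variable-length process records chained by a NextEntryOffset field, and a process-hiding hook works by re-linking that chain so that one record is skipped. The cut-down record layout, the sample process list, the HIDDEN_PID value and every function name are constructed assumptions for the demonstration; the "hook" is a swapped function pointer standing in for the kernel's dispatch table slot. The last two functions show the two checks an anti-rootkit tool makes: whether the dispatch slot still points at the genuine function, and whether a trusted view of the process list disagrees with the API's view.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for SYSTEM_PROCESS_INFORMATION (assumption: only the
 * fields needed here are kept). Records chain via NextEntryOffset; 0 = last. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t UniqueProcessId;
    char     ImageName[16];
} PROC_INFO;

#define NPROCS     4
#define HIDDEN_PID 1337u   /* constructed: the pid the rootkit wants hidden */
#define NEXT(p) ((PROC_INFO *)((char *)(p) + (p)->NextEntryOffset))

typedef int (*QuerySysInfoFn)(PROC_INFO *buf, size_t nmax);

/* The genuine enumeration (the "kernel's" view), over a constructed sample list. */
static int real_query_system_information(PROC_INFO *buf, size_t nmax)
{
    static const struct { uint32_t pid; const char *name; } sample[NPROCS] = {
        {4, "System"}, {612, "services.exe"}, {HIDDEN_PID, "rootkit.exe"}, {2048, "notepad.exe"}
    };
    if (nmax < NPROCS) return -1;
    for (size_t i = 0; i < NPROCS; i++) {
        buf[i].NextEntryOffset = (i + 1 < NPROCS) ? (uint32_t)sizeof(PROC_INFO) : 0;
        buf[i].UniqueProcessId = sample[i].pid;
        strcpy(buf[i].ImageName, sample[i].name);
    }
    return 0;
}

/* Dispatch pointer: stands in for the service table slot a kernel hook overwrites. */
static QuerySysInfoFn g_query    = real_query_system_information;
static QuerySysInfoFn g_original = NULL;

/* The rootkit's replacement: run the real function, then unlink the hidden
 * record by making its predecessor's NextEntryOffset jump over it. (The first
 * record is never unlinked here; real rootkits overwrite it with its successor.) */
static int hooked_query_system_information(PROC_INFO *buf, size_t nmax)
{
    int rc = g_original(buf, nmax);
    if (rc != 0) return rc;
    PROC_INFO *prev = NULL, *cur = buf;
    for (;;) {
        PROC_INFO *next = cur->NextEntryOffset ? NEXT(cur) : NULL;
        if (cur->UniqueProcessId == HIDDEN_PID && prev != NULL)
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
        else
            prev = cur;
        if (next == NULL) break;
        cur = next;
    }
    return 0;
}

void install_hook(void) { g_original = g_query; g_query = hooked_query_system_information; }
void remove_hook(void)  { if (g_original) { g_query = g_original; g_original = NULL; } }

/* What a task manager sees: walk the chain obtained through the dispatch pointer. */
int count_visible_processes(void)
{
    PROC_INFO buf[NPROCS];
    if (g_query(buf, NPROCS) != 0) return -1;
    int n = 0;
    for (PROC_INFO *p = buf; ; p = NEXT(p)) {
        n++;
        if (p->NextEntryOffset == 0) break;
    }
    return n;
}

/* Anti-rootkit check 1: does the dispatch slot still point at the genuine function? */
int dispatch_pointer_is_hooked(void) { return g_query != real_query_system_information; }

/* Anti-rootkit check 2 (cross-view): compare a trusted enumeration with the API's
 * answer and return the first pid missing from the API view, or 0 if they agree.
 * Here the trusted view is the un-hooked function; a real tool walks kernel
 * structures directly instead of calling any hookable API. */
int find_hidden_pid(void)
{
    PROC_INFO trusted[NPROCS], api[NPROCS];
    if (real_query_system_information(trusted, NPROCS) != 0 || g_query(api, NPROCS) != 0)
        return -1;
    for (PROC_INFO *t = trusted; ; t = NEXT(t)) {
        int seen = 0;
        for (PROC_INFO *a = api; ; a = NEXT(a)) {
            if (a->UniqueProcessId == t->UniqueProcessId) { seen = 1; break; }
            if (a->NextEntryOffset == 0) break;
        }
        if (!seen) return (int)t->UniqueProcessId;
        if (t->NextEntryOffset == 0) break;
    }
    return 0;
}

int main(void)
{
    printf("clean:  %d visible\n", count_visible_processes());
    install_hook();
    printf("hooked: %d visible, slot hooked=%d, hidden pid=%d\n",
           count_visible_processes(), dispatch_pointer_is_hooked(), find_hidden_pid());
    remove_hook();
    return 0;
}
```

With the hook installed, the walk through the dispatch pointer reports three processes instead of four, while both checks expose the rootkit: the slot no longer points at the genuine function, and the cross-view comparison names pid 1337. Note that the second check only works because the trusted view bypasses the hooked path; if the anti-rootkit tool obtained both views through the same hooked API, the two would agree and nothing would be found.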
The Detections page shows many examples of rootkits being detected in a variety of different ways.
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.