Jan 26

Everybody has heard of the term Rootkit. Everybody understands that they can be potentially dangerous, but not everybody understands what they are or where they come from.

The term ‘RootKit’ is actually two words, ‘Root’ which refers to the Administrator account on Unix and Linux systems, and ‘Kit’ which refers to a set of programs or utilities that allow someone to maintain root-level access to a computer.

But another aspect of a rootkit, beyond maintaining root-level access, is that its presence should be undetectable.

A rootkit allows someone, legitimate or malicious, to maintain command and control over a computer system without the computer's user knowing about it. This means that the owner of the rootkit can execute files and change system configurations on the target machine, all well and good if you own the machine or need to keep an eye on your employees' or children's activities. There are a few products on the market that allow you to monitor a machine's activity; to all intents and purposes, these are rootkits. Of course these are nice rootkits because they are working for us, the concerned parent or employer.

The other side of the coin is rootkits that are installed with viruses and Trojans.

There are five kinds of rootkits - Firmware, Virtualized, Kernel, Library, and Application level kits.

Firmware

A firmware rootkit uses device or platform firmware to create a persistent malware image. The rootkit can successfully hide in firmware because firmware is not normally inspected for code integrity.

Virtualized

Virtualized rootkits work by modifying the boot sequence of the machine to load themselves instead of the original virtual machine monitor or operating system. Once loaded into memory, a virtualized rootkit then loads the original operating system as a virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the guest operating system.

Kernel level

Kernel level rootkits add code to, and/or replace portions of, an operating system, including both the kernel and its device drivers. Most operating systems don't enforce any security distinction between the kernel and device drivers, so many kernel-mode rootkits are developed as device drivers or loadable modules, such as Loadable Kernel Modules on Linux or device drivers on Microsoft Windows. This class of rootkit is considered dangerous simply because of the unrestricted access the code has obtained.

Library level

Library rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. In theory they can be found by examining the code libraries (DLLs on Windows).

Application level

Application level rootkits may replace normal application binaries with fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.

So what can you do about it?

There is a growing number of tools available now that detect and remove unwanted rootkits; Sophos Anti-Rootkit, F-Secure BlackLight and AVG Anti-Rootkit, to name three.

One way to protect yourself from malicious rootkits is to make sure Windows is patched with the latest security patches and to keep your antivirus software up to date. Just as with antispyware programs, if you feel it necessary to scan for rootkits, use at least three different scanners.
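Scanners of this kind rely on comparing two views of the same system that a hook cannot keep consistent. As an added example (not from the original post, and not code from any of the products named above), this Linux-only Python script contrasts the directory listing libc's readdir() returns with one obtained straight from the getdents64 system call, the libc layer being exactly what a library-level rootkit of the kind described earlier would hook to hide files. The syscall-number table and the sample directory it builds are constructed for this example; on a clean system the two views agree and no hidden entries are reported.

```python
import ctypes, os, platform, struct, tempfile

# getdents64 syscall numbers for the architectures this example supports
# (constructed lookup table; any other architecture needs its own entry).
_SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}

def libc_view(path):
    """High-level view: libc readdir(), the layer a library-level rootkit hooks."""
    return set(os.listdir(path))

def raw_syscall_view(path):
    """Low-level view: getdents64 via syscall(2), bypassing libc's readdir wrapper."""
    nr = _SYS_GETDENTS64.get(platform.machine())
    if nr is None:
        raise OSError(f"no getdents64 number known for {platform.machine()}")
    libc = ctypes.CDLL(None, use_errno=True)
    buf = ctypes.create_string_buffer(32 * 1024)
    names = set()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            n = libc.syscall(nr, fd, buf, ctypes.sizeof(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            data, off = buf.raw, 0
            while off < n:
                # linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type,
                # followed by the NUL-terminated d_name starting at byte 19.
                _, _, reclen, _ = struct.unpack_from("<QqHB", data, off)
                raw_name = data[off + 19:off + reclen].split(b"\0", 1)[0]
                names.add(os.fsdecode(raw_name))
                off += reclen
    finally:
        os.close(fd)
    return names - {".", ".."}

def hidden_entries(path):
    """Names the kernel reports but libc does not: the cross-view discrepancy a
    hooking rootkit leaves behind (empty on a clean system)."""
    return raw_syscall_view(path) - libc_view(path)

def demo_dir():
    """Constructed sample directory with three files for the check."""
    d = tempfile.mkdtemp()
    for name in ("a.txt", "b.log", ".secret"):
        open(os.path.join(d, name), "w").close()
    return d
```

Run hidden_entries() against directories a scanner would care about, such as system binary and driver locations; any name that appears only in the raw view deserves investigation.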

Rootkit types taken from the Wikipedia database; article written by:

AWW PCSupportForums

Jan 25

Insignia, manufacturer of a 10.4″ digital picture frame (model number NS-DPF10A), released a statement on January 19th stating that this product has a virus which could attach to and damage your PC or its files.

The virus was identified as an ‘older virus . . . easily identified’ by some of the latest versions of popular anti-virus software such as Norton, McAfee or Trend Micro. This statement seemed to encourage consumers to keep their frame, since the anti-virus software would supposedly catch the manufacturer's own mistake. Thankfully, the company has done the right thing and discontinued the model, pulling it from the major stores, including Best Buy. According to the manufacturer, this is the only model in the Insignia line to include the virus.

If you were one of the people who bought this digital frame, you can call Insignia’s customer care line at 1-877-467-4289.