Rootkits are a particularly insidious form of malware because they load early in the boot process, before or alongside the operating system kernel itself, and can hide from ordinary antimalware scans and protection. Their ability to elude detection also makes them extraordinarily difficult to remove and clean up after.
By design, rootkits are difficult to find. For your humble authors, even the slightest hint of possible rootkit infection is reason enough to reinstall from a verified clean and current backup. If we can't pinpoint when the infection occurred, in fact, we treat all available backup images as infected and discard them. This provides added impetus to separate data from OS files and to make regular but separate backups of each as well. Thus, loss of the OS/runtime environment won’t also force disposal of data files.
In this story, we’ll take a look at how rootkits work, some common symptoms of rootkit infection, and tools and resources for detecting and removing rootkits.
Wikipedia defines a rootkit as “a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a concatenation of ‘root’ (the traditional name of the privileged account on Unix-like operating systems) and the word ‘kit’ (which refers to the software components that implement the tool).” Note that “tool” in that definition means the rootkit itself; the “kit” wording reflects the increasing tendency of malware authors to assemble rootkits, like other malware, from code libraries and other reusable programming building blocks rather than writing them from scratch.
Generally, rootkits can be divided into two categories: user mode and kernel mode. (One of the best-known rootkits, Hacker Defender, is an example of a user mode rootkit.) In the Windows operating system, ordinary programs run in user mode and can reach operating system services and resources only through mediated calls such as system calls and Windows APIs. The operating system itself and device drivers run in kernel mode, where code accesses operating system resources directly and interacts directly with other kernel components. Thus, kernel mode rootkits essentially operate as if they were part of Windows itself.
That’s what makes any kernel mode rootkit so dangerous and so difficult to detect and remove. Such a rootkit modifies the Windows kernel or its data structures and makes itself “persistent,” meaning it is reactivated every time the PC boots. Once resident, it can host anything from keyloggers to backdoors. And because it sits inside the kernel with access to its APIs, a rootkit can hide itself by intercepting (hooking) any system call that returns a filename, process list, registry key or other data that might reveal its existence. If a call would return data that could expose the rootkit to a user or a scanner, that data is filtered out or altered, so the user sees nothing alarming or out of the ordinary.
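The following is an added example, not code from the original article, that models the hiding mechanism just described and the classic countermeasure to it. A function pointer stands in for a hooked system-call or API table entry; the “rootkit” replaces it with a wrapper that calls the real enumeration routine and strips out its own entries. The detection half goes beyond the text: a cross-view diff compares what the (possibly hooked) API reports against an independent low-level view of the same data and flags anything missing from the API view. The directory listing and the `rk_` hidden-name prefix are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample directory listing, standing in for what the OS would
 * return from a real directory enumeration call. */
static const char *RAW_LISTING[] = {
    "ntoskrnl.exe", "rk_driver.sys", "notepad.exe", "rk_config.ini", "hal.dll"
};
#define RAW_COUNT (sizeof RAW_LISTING / sizeof RAW_LISTING[0])

/* Hypothetical prefix the simulated rootkit hides; a real one filters on
 * whatever names, PIDs or keys belong to it. */
#define HIDDEN_PREFIX "rk_"
#define MAX_ENTRIES 64

/* The genuine enumeration routine: returns every entry. */
static int enumerate_original(const char **out, int max) {
    int n = 0;
    for (size_t i = 0; i < RAW_COUNT && n < max; i++) out[n++] = RAW_LISTING[i];
    return n;
}

/* The dispatch pointer a hooking rootkit overwrites (models an SSDT or
 * import-table hook). Callers only ever go through this pointer. */
typedef int (*enum_fn)(const char **out, int max);
static enum_fn enumerate_hookable = enumerate_original;

/* The rootkit's replacement: calls the real routine, then drops its own names
 * before the results reach the caller. */
static int enumerate_hooked(const char **out, int max) {
    const char *tmp[MAX_ENTRIES];
    int n = enumerate_original(tmp, MAX_ENTRIES), kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        if (strncmp(tmp[i], HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) == 0) continue;
        out[kept++] = tmp[i];
    }
    return kept;
}

static void install_hook(void) { enumerate_hookable = enumerate_hooked; }
static void remove_hook(void)  { enumerate_hookable = enumerate_original; }

/* What a user or a naive scanner sees: the count reported through the hooked path. */
static int user_visible_count(void) {
    const char *buf[MAX_ENTRIES];
    return enumerate_hookable(buf, MAX_ENTRIES);
}

/* Cross-view detection: compare the API view with an independent low-level view
 * (here the raw table, standing in for reading the file system directly) and
 * collect entries that exist at the low level but are missing from the API view.
 * Returns the number of hidden entries found and copies their names into `hidden`. */
static int cross_view_discrepancies(char hidden[][64], int max_hidden) {
    const char *api_view[MAX_ENTRIES];
    int api_n = enumerate_hookable(api_view, MAX_ENTRIES);
    int found = 0;
    for (size_t i = 0; i < RAW_COUNT; i++) {
        bool seen = false;
        for (int j = 0; j < api_n; j++)
            if (strcmp(RAW_LISTING[i], api_view[j]) == 0) { seen = true; break; }
        if (!seen && found < max_hidden) {
            strncpy(hidden[found], RAW_LISTING[i], 63);
            hidden[found][63] = '\0';
            found++;
        }
    }
    return found;
}

int main(void) {
    char hidden[MAX_ENTRIES][64];
    printf("clean system:  %d visible, %d hidden\n", user_visible_count(),
           cross_view_discrepancies(hidden, MAX_ENTRIES));
    install_hook();
    int n = cross_view_discrepancies(hidden, MAX_ENTRIES);
    printf("hooked system: %d visible, %d hidden\n", user_visible_count(), n);
    for (int i = 0; i < n; i++) printf("  hidden entry: %s\n", hidden[i]);
    remove_hook();
    return 0;
}
```

The point of the cross-view check is that the rootkit can only filter the paths it hooks; an independent view that bypasses the hooked API (raw disk reads, or a scan from a clean boot medium) still shows the hidden entries, and the difference between the two views is the detection signal.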