Free PC Security: What is a rootkit?

/Home/Internet Security: Blogs/Internet Security: Free PC Security blog

August 2, 2007

A rootkit is not an exploit - it's the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.

A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a “fingerprint” that’s unique to a particular rootkit. However, the rootkit’s tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.

Heuristic/behavioral-based detection: This method works by identifying deviations in normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.

Rootkits are hard to detect. But there are programs – including a free one from Panda which I have covered in another post:
http://freepcsecurity.co.uk/2008/10/06/anti-rootkit-from-panda-free/