The name "rootkit" comes from the ability of the program to obtain access to the core or "root" of a computer's operating system. Kit users receive unlimited administrative-level privileges, also known as "root privileges." A rootkit is a double-edged sword. As a security tool for system administrators, it's a key resource. It is typically used to hide files, network connections, memory addresses or registry entries from other programs. However, it's also a favorite tool for malicious hackers, who use it to collect an eye-popping assortment of information about a system, including users and passwords.
Since the program is hidden and runs secretly, victims don't necessarily know that they have been infected. Not to bring up the FUD (fear, uncertainty, doubt) monster, but rootkit use has become more popular among reputable companies. Regardless of the source though, if a rootkit is installed on your system, there is the potential for someone to copy or delete important data, install backdoors entry points or log keystrokes to get your passwords. The list of threats is nearly endless.
Fortunately, the AV/malware security vendors such as Symantec Corp., McAfee Inc., and FRISK Software International (F-PROT) have new products that will search a system for rootkits. In addition, Microsoft has a free tool called RootkitRevealer, used exclusively for finding and removing rootkits from a Windows system.
These rootkit removers work in a similar fashion to all common antivirus/malware scaners. First of all, the scanning program has a small database of known rootkit names. When the program scans a hard drive, it compares what it has found against the list. Secondly, the program contains some algorithms that check the behavior of suspect files. This mechanism tries to catch new rootkits that haven't been added to the database yet. In any case, all removal programs have an update capability that downloads the latest signature list.
Since rootkits are intended to work secretly and try to hide themselves, especially when they are actively running, it's best to quit all active programs prior to running a scan. A word of warning though: In no case should you simply delete files that you suspect of being rootkits. You may delete a file that is a necessary part of your system, or only partially delete the rootkit, leaving harmful files still in place. In either case, you may create more problems and cause headaches for your system. What is needed is a specialist rootkit detector. If you suspect you have a rootkit, try one of the various vendors' free rootkit-scanning tools.
This was first published in January 2008