Traditionally, a rootkit referred to a type of malware that modified Unix-based operating systems so an intruder...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
could gain complete access, or root access, to a system and remain undetected. Unfortunately, they are becoming more common and more sophisticated in the Windows environment. However, the fact that any program that tries to hide its presence is considered a "rootkit" may be inflating the numbers. Worm writers certainly use them to disguise and hide their invasive software programs. There are even Web sites that host rootkit discussion groups, source code and precompiled rootkits. The biggest users of rootkits however, are authors of keyloggers and other types of spyware, who by definition want to hide their activities.
One way to tell if a security threat is on the rise is by the number of commercial countermeasures being released. For example, Sysinternals released a rootkit detector called RootkitRevealer and F-Secure launched a beta rootkit detector and remover called Blacklight. In February 2005, Microsoft warned about the threat of powerful system-monitoring programs or rootkits and developed a tool called Strider GhostBuster that detects rootkits by comparing clean and suspect versions of Windows and looks for differences that may indicate a kernel rootkit is running.
Rootkit authors are becoming more sophisticated in their ability to hide their creations and are developing "kernel rootkits," which modify the kernel component of an operating system and are invisible to many detection tools. Kernel mode is a trusted mode of operation for system services and device operations. In Windows, all requests by user mode applications are brokered through Windows NT Executive Services within the kernel mode. This includes checking access control lists and allowing access to file I/O and attached devices. Kernel mode rootkits replace commands that all user mode applications would call for information from within the kernel.
This infiltration of the operating system at such a low level means there are few strategies for detecting kernel rootkits. It may be possible to spot them by examining infected systems from another machine on a network. Some Windows XP users use Windows PE (Preinstallation Environment), a version of Windows XP that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system. Unfortunately, the only certain cure for a system infected by a rootkit is to completely erase the infected hard drive and reinstall the operating system from scratch. To minimize the disruption this is likely to cause, it is essential to take a good clean backup of your system before connecting it to a network.
The actual threat from Windows rootkits is still small compared to the potential threat, but they could easily be used to create a new generation of mass-distributed spyware and worms. To find out more on rootkits and the latest developments go to www.rootkit.com/index.php.
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Michael Cobb
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve ...continue reading
Crowning the most secure web browser is difficult, with research often turning up biased results. Expert Michael Cobb explains how to make a choice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.