Traditionally, a rootkit referred to a type of malware that modified Unix-based operating systems so an intruder could gain complete access, or root access, to a system and remain undetected. Unfortunately, they are becoming more common and more sophisticated in the Windows environment. However, the fact that any program that tries to hide its presence is considered a "rootkit" may be inflating the numbers. Worm writers certainly use them to disguise and hide their invasive software programs. There are even Web sites that host rootkit discussion groups, source code and precompiled rootkits. The biggest users of rootkits however, are authors of keyloggers and other types of spyware, who by definition want to hide their activities.
One way to tell if a security threat is on the rise is by the number of commercial countermeasures being released. For example, Sysinternals released a rootkit detector called RootkitRevealer and F-Secure launched a beta rootkit detector and remover called Blacklight. In February 2005, Microsoft warned about the threat of powerful system-monitoring programs or rootkits and developed a tool called Strider GhostBuster that detects rootkits by comparing clean and suspect versions of Windows and looks for differences that may indicate a kernel rootkit is running.
Rootkit authors are becoming more sophisticated in their ability to hide their creations and are developing "kernel rootkits," which modify the kernel component of an operating system and are invisible to many detection tools. Kernel mode is a trusted mode of operation for system services and device operations. In Windows, all requests by user mode applications are brokered through Windows NT Executive Services within the kernel mode. This includes checking access control lists and allowing access to file I/O and attached devices. Kernel mode rootkits replace commands that all user mode applications would call for information from within the kernel.
This infiltration of the operating system at such a low level means there are few strategies for detecting kernel rootkits. It may be possible to spot them by examining infected systems from another machine on a network. Some Windows XP users use Windows PE (Preinstallation Environment), a version of Windows XP that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system. Unfortunately, the only certain cure for a system infected by a rootkit is to completely erase the infected hard drive and reinstall the operating system from scratch. To minimize the disruption this is likely to cause, it is essential to take a good clean backup of your system before connecting it to a network.
The actual threat from Windows rootkits is still small compared to the potential threat, but they could easily be used to create a new generation of mass-distributed spyware and worms. To find out more on rootkits and the latest developments go to www.rootkit.com/index.php.
This was first published in September 2005