Computerworld - Much like in the movie The Matrix, where the world presented to the computer user is not a true representation of what is really going on, a rootkit is a program that can be used to hide files, registry settings, network connections, processes and other information from computer users.
For example, a rootkit can make processes that run but are hidden from Windows Task Manager, registry keys that can't be seen with Regedit, and network connections that are not viewable by Netstat.
Rootkit technology allows malicious software (malware) to be stealthier, and that in general makes it more effective. This is not about just evading detection by a casual user; rootkit technology allows malware to evade many antivirus and antispyware programs. There are few legitimate uses for this kind of technology, although some companies do market "hidden folders" that enable users to hide sensitive or embarrassing information from other users of the same computer.
All rootkits rely on the ability to manipulate the results of the function calls made by programs. For example, in order for the Task Manager program in Windows to show a list of running processes, it calls a Windows API function (EnumProcesses) that returns a list of identifiers (or process IDs), which are obtained from a data structure in the kernel. A rootkit works by intercepting the call and filtering out the processes that it is trying to hide. They can be implemented either in user space or in the kernel, with the kernel rootkits being the most dangerous.
Files, registry entries and network connections can all be hidden in analogous ways by altering the results of the appropriate function calls. Because most antivirus and antispyware programs rely on these calls (for example, to find files to scan), files hidden by rootkits are invisible to an antivirus program. The machine could be infected, but an antivirus program would be unable to detect it.
Kernel-mode rootkits require some code to be loaded into the kernel (normally a device driver or .sys file). They can do this by following the legitimate route that low-level device drivers use (using the service control manager services .exe), or there are a few undocumented ways to insert code into the kernel. Once inside, the code can modify the results of functions calls made into the kernel or modify kernel structures.
How to spot a rootkit
There are two main ways to detect the presence of a rootkit on an infected machine: scanning and event monitoring. The scanning technique involves comparing a view
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
