
Rooting Out Rootkits

One critical aspect of system building is staying on top of the latest security threats. Another is having the best detection tools available to keep those threats at bay. The last thing you need is to deliver an infected Windows system to a customer, or to become susceptible yourself to a new form of hard-to-detect "stealth" malware.

One of the threats now common in the wild (what security mavens mean by "loose on the net") is the "rootkit," or RK for short. A rootkit by itself typically does no direct damage; its purpose is to hide the presence and activity of other malware, such as key-logging Trojans, viruses, and worms, from the user and from the security tools running on the machine.

A rootkit differs from a virus in that it does not seek to reproduce itself. Still, some modern viruses incorporate rootkit code into their libraries, very often to take advantage of a rootkit's ability to remain hidden and elude detection. Rootkits also borrow a page from typical virus behavior: they may evade detection by replacing specific system component files (commands, libraries, or drivers) with modified versions that still perform the original file's job while also serving the rootkit's own agenda, such as filtering certain entries out of directory listings or process lists.

Rootkits commonly include components that open back doors on a system, typically by bundling stealthy remote access software that exposes the machine to unwanted, uninvited outside operations, much as many pieces of spyware do. But here is another way rootkits differ from most spyware and viruses: they hide everything that might reveal their presence and activity, including logins, processes, files, network connections, registry entries, and log records. The result is that little or no evidence of a rootkit is visible through the system's normal interfaces. Any tool that queries the compromised system through those same interfaces sees exactly what the rootkit wants it to see, which is why reliable detection depends on an independent view: booting from clean media, reading the disk or registry hives raw, or comparing what two different enumeration paths report and treating any discrepancy as suspect.

Rootkits can also insinuate themselves into an operating system's core components, typically by loading as a device driver or kernel module, so they run as part of the kernel with the same unlimited rights and privileges granted to such code. From there they can alter system call tables, patch kernel functions, or unlink their own structures from the kernel's bookkeeping lists, so that even a tool running with administrator rights is fed filtered results. Though many rootkits also include user-mode components (necessary for any kind of user interaction or information display), it is the combination of kernel-level access and profound stealth that makes them such a nasty species of malware.
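The cross-view idea behind most rootkit detectors is easy to demonstrate without any real malware. The following Python script is an added example, not code from the original article or from any detection product it refers to: it simulates a user-mode rootkit by replacing the process-wide `os.listdir` function with a wrapper that filters out any name beginning with the constructed marker `rk_`, then "roots it out" by enumerating the same directory through a second, unhooked path (`os.scandir`) and reporting every entry that the hooked view omits. The sample files, the `rk_` prefix, and the function names are all assumptions chosen for this illustration; a real rootkit hooks the operating system's own APIs or kernel structures, and a real detector takes its second view from raw disk or registry reads rather than from another library call.

```python
import os
import tempfile
from pathlib import Path

# Constructed marker: the simulated rootkit hides every name that starts with this.
HIDDEN_PREFIX = "rk_"


def install_hiding_hook(prefix: str = HIDDEN_PREFIX):
    """Simulate a user-mode rootkit: take over os.listdir with a filtering wrapper.

    The wrapper still performs listdir's original job but drops the entries the
    rootkit wants hidden, mirroring how a trojaned system command behaves.
    Returns the genuine function so the caller can restore it afterwards.
    """
    real_listdir = os.listdir

    def hooked_listdir(path="."):
        return [name for name in real_listdir(path) if not name.startswith(prefix)]

    os.listdir = hooked_listdir
    return real_listdir


def high_level_view(path: str) -> set:
    """The view an ordinary tool gets: it trusts os.listdir, which may be hooked."""
    return set(os.listdir(path))


def low_level_view(path: str) -> set:
    """An independent enumeration path (os.scandir) that the hook does not cover.

    On a real system this would be a raw read of the NTFS volume or registry
    hive, or a scan from clean boot media; the principle is identical.
    """
    with os.scandir(path) as entries:
        return {entry.name for entry in entries}


def cross_view_diff(path: str) -> list:
    """Names present in the independent view but missing from the API view.

    A non-empty result means something between the caller and the file system
    is filtering what the caller sees, the signature of a hiding rootkit.
    """
    return sorted(low_level_view(path) - high_level_view(path))


def demo():
    """Build a constructed sample directory, hook listdir, and run the detector.

    Returns (diff before hooking, diff after hooking, what the hooked view shows).
    """
    with tempfile.TemporaryDirectory() as sample_dir:
        for name in ("notes.txt", "rk_backdoor.dll", "rk_keylog.bin"):
            Path(sample_dir, name).write_text("constructed sample file\n")

        before = cross_view_diff(sample_dir)       # clean system: no discrepancy
        real_listdir = install_hiding_hook()       # "infect" the process
        try:
            after = cross_view_diff(sample_dir)    # hidden names reappear in the diff
            visible = sorted(os.listdir(sample_dir))  # what a naive tool would see
        finally:
            os.listdir = real_listdir              # remove the hook before cleanup
        return before, after, visible


if __name__ == "__main__":
    before, after, visible = demo()
    print("hooked os.listdir shows:  ", visible)
    print("cross-view discrepancies:", after if after else "none")
```

Running the script shows the hooked listing containing only `notes.txt`, while the cross-view diff reports `rk_backdoor.dll` and `rk_keylog.bin`. The detector never needs to know what the rootkit is hiding; it only needs two views of the same data that the rootkit has not both subverted, which is also why a kernel-mode rootkit that hooks every path equally is so much harder to root out from inside the running system.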
