RootKit

A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits originated in relatively benign applications, but in recent years they have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, including Linux, Solaris and versions of Microsoft Windows. They often modify parts of the operating system or install themselves as drivers or kernel modules.

  • Firmware:  A firmware rootkit uses device or platform firmware to store a persistent copy of the rootkit. It can hide there because firmware is often not inspected for code integrity.
  • Virtualized:  Virtualized rootkits are the lowest-level rootkits currently produced. They work by modifying the machine's boot sequence to load themselves in place of the original virtual machine monitor or operating system. Once loaded into memory, a virtualized rootkit boots the original operating system as a virtual machine, which lets the rootkit intercept all hardware calls made by the guest OS.
  • Kernel Level:  Kernel-level rootkits add code to the kernel or replace part of its code with modified versions to help hide a backdoor on a computer system. This is usually done by loading new code into the kernel through a device driver or loadable module, such as a Loadable Kernel Module on Linux or a device driver on Microsoft Windows. Because this code runs with kernel privileges, any bug in the kit's code can seriously affect the stability of the entire system.
  • Library Level:  Library-level rootkits commonly patch, hook or replace system calls (typically their shared-library wrappers) with versions that hide information about the attacker.
  • Application Level:  Application-level rootkits may replace regular application binaries with trojanized fakes, or modify the behavior of existing applications through hooks, patches, injected code or other means.
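One way a defender can catch the process hiding described above is a cross-view check: enumerate PIDs through the readdir() path that a library-level hook typically tampers with, then probe every possible PID directly through the kill(2) syscall and compare. The script below is an added example, not part of the original page; it assumes a Linux host with /proc mounted and readable, and the function names are the example's own.

```python
import os

def pids_listed_in_proc(proc="/proc"):
    """View 1: PIDs visible to directory enumeration (the readdir() path)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_exists_via_kill(pid):
    """View 2: probe one PID with signal 0; no signal is actually delivered."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:      # EPERM: exists but belongs to another user
        return True
    except ProcessLookupError:   # ESRCH: no such process
        return False

def pids_alive_via_kill(pid_max):
    return {pid for pid in range(1, pid_max + 1) if pid_exists_via_kill(pid)}

def tgid_from_status(status_text):
    """Parse the Tgid: field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def is_thread_group_leader(pid, proc="/proc"):
    """Threads answer kill(2) too but are never listed by readdir() on /proc;
    the entry is still reachable by direct path lookup, so read its Tgid."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            tgid = tgid_from_status(f.read())
    except OSError:
        return True  # unreadable: keep it as suspicious rather than drop it
    return tgid is None or tgid == pid

def cross_view_diff(listed, probed, is_leader=lambda pid: True):
    """PIDs the syscall probe sees but the listing omits, threads filtered out."""
    return sorted(pid for pid in probed - listed if is_leader(pid))

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    hidden = cross_view_diff(pids_listed_in_proc(), pids_alive_via_kill(pid_max),
                             is_thread_group_leader)
    print("PIDs alive but missing from the /proc listing:", hidden or "none")
```

Processes that start or exit between the two views show up as transient differences, so run the check a few times and keep only PIDs that persist. A kernel-level rootkit that hooks both the directory listing and the kill syscall will defeat this check, which is why it belongs to a first line of detection rather than a final verdict.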

What can be done?
Running an up-to-date OS and anti-virus with the latest definitions, together with a firewall, is the first line of defense. User education and good computer-usage habits are the second line of defense.

What about removal?
Removing these nasties from an already infected, compromised system should be left to professionals. You can't determine the extent of the damage with current off-the-shelf consumer products. The correct tools, skill and knowledge are necessary to successfully recover a compromised system and mitigate any damage that's already been done.