what is a rootkit



Post by Shadow on Fri Sep 18, 2009 8:28 am


A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit will usually either manipulate the data set the operating system relies on, or alter the execution flow of the operating system.

It is important you realize that rootkits are designed to be very stealthy, meaning they are difficult to find or detect by normal means. Many rootkits have been so well written that their presence can go undetected for years. They are written by experienced individuals with an advanced level of programming knowledge far above that of the average virus or malware writer. A rootkit is not an exploit. It is what an attacker uses after an initial exploit to allow future undetected access to a compromised computer.

It is also important not to confuse a rootkit with a virus, or a worm. The main difference is in propagation and stealth. Like a rootkit, a virus also alters software components of a system. A virus, however, is designed to do damage and possibly provide additional service(s) to the attacker. This usually alerts the user right away that something is wrong, and gives away its existence. A worm is usually designed to scan for vulnerabilities and take advantage of them, as well as spread to other computers connected to a network, thereby doing the same damage to them. Again, this alters computer behavior significantly enough to alert the user to its existence and that there is something wrong. A rootkit, on the other hand, is designed to maintain its own integrity, and remain hidden from the user in order to allow the attacker to use the compromised computer for a long period of time for his or her own nefarious means.

A well written and executed rootkit can easily remain hidden and operate literally for years without giving away its presence to the user, or even a systems administrator or other IT professional. This has already happened many times, especially in companies that maintain large networked systems, and continues today even while you are reading this paper.

A rootkit is designed to hide logins, processes, files, and logs, and may include software to intercept data from terminals, network connections, and the keyboard. They are often considered as Trojan horses and indeed may even contain Trojans and backdoors as part of the rootkit.


There are three basic types of rootkits - library, application and kernel. There are also two subtypes - memory based, and persistent, but more on that later.

Library level rootkits will most commonly patch, hook or replace system calls with versions that hide information so the rootkit is not visible by normal means. That is to say you won't be able to find the files with a normal file search, or by going to the task manager to check what applications are running.

Before discussing the next two, it is important to remember that current versions of Windows were designed with security and stability in mind. Some readers may scoff at this statement in light of the vulnerabilities reported in Windows operating systems, but it is true. No operating system is designed from the beginning with protection from malicious intruders subverting the system in mind. The kernel is protected from user applications while still allowing functionality. Windows currently supports two modes of execution: user mode and kernel mode. Applications will run under user mode, which is unprivileged, thus protecting the kernel.

Application level rootkits usually operate by replacing normal application binaries with Trojan style fakes, or modifying program behavior through the use of hooks, patches, or other injected code. Your first alert to the possible existence of a rootkit hiding in an application is abnormal or different behavior of one of your application programs. The key here is to know your software and pay attention to how it normally runs.

Kernel level rootkits usually add additional code, or replace a section of kernel code with modified code in order to hide the existence of the rootkit, as well as any backdoor(s) that have been added as a way in for the attacker. Remember that kernel mode execution is a mode of execution by a processor that grants access to all system memory and all the processor's instructions. Windows will tag specific sections of memory specifying which mode is required to access that section of memory, but it does not protect memory in kernel mode from other threads that are also running in kernel mode. This is what makes kernel level rootkits particularly dangerous. Kernel level rootkits usually do not alter the operation of the computer significantly enough to alert the user to their existence. This level of rootkit is virtually impossible to detect without the use of specialized software.


There are two basic categories that modern rootkits in the wild can be divided into: those that are designed to hook, and those that are designed to use DKOM. These will be explained below. Hacker Defender is one of the more popular rootkits that works by hooking. It hides processes, services, files, directory keys and ports. FU is a popular rootkit that is designed to use DKOM. FU can hide processes and device drivers and elevate privileges and groups of any Windows process.

Rootkit Subtypes

As we hinted at earlier in the section on rootkit types, there are two subtype categories: memory-based and persistent. The main difference is that a memory-based rootkit only resides in memory and it will not survive a computer re-boot.

Hiding a rootkit's existence:

As we discussed above, a memory-based rootkit is virtually impossible to detect. But, what about the persistent form of rootkit and how does it hide? These kinds of rootkits survive a system re-boot, and remain on the machine for very long time periods, perhaps even years.

In order to hide its existence and remain undetected, a rootkit must be able to conceal the presence of its own executable code. Some do this better than others. The rootkit must also be able to hide the memory-based modifications in the operating system (hooks or DKOM). The rootkit must also be able to hide its code on long-term storage in the system and conceal the permanent hook in the system boot sequence it uses to load itself when the system starts. For these reasons, successful rootkits are designed to often reside at least partially in the boot sector of the hard drive. The main reason for this is to avoid detection from most modern anti-virus scans. Many anti-virus programs are not fully functional until the system boots up, after which the boot sector cannot be properly scanned for vulnerabilities because the system is running. There are a few programs that include boot sector scans before the system boots up, and I recommend you check for this functionality before purchasing an anti-virus product. They do not slow the boot process very much, and the added protection offered is well worth the extra time it takes for the machine to be ready to go.


Let me say at the beginning of this section that rootkit detection is still a work in progress. There are currently a number of methods in use, some of which we will discuss here. As of this writing, all of them have their particular strengths and weaknesses, and none of them have been proven to be completely effective or foolproof.

Rootkits have become very sophisticated over the past two years, and we continue to see new ones spawned almost every month. As the writing skills of rootkit programmers improve, detection becomes more difficult all the time.

Signature based detection

Signature based detection is currently the most common detection method, and it can work to a fair degree against rootkits programmed with publicly available code available on the Internet. Programs with this scanning capability are usually from anti-virus software vendors who have included the capability in their products only recently. They work the same way that they scan for viruses, worms and trojans. They look for a specific or known fingerprint unique to the threat located in the computer. This form of detection is helpful against publicly available rootkit code, but is useless against more advanced rootkits for which a signature does not exist. These include rootkits that hook virtual memory that are capable of controlling the memory threads of the scanning program.

Heuristic detection

Heuristic detection is the next step upwards in detection. Instead of looking for a particular fingerprint, heuristic detection instead looks for deviations from normal system patterns and behavior. This gives the ability to find new and previously unidentified rootkits. This technology is currently emerging and not readily available yet, and uses various heuristics to identify a rootkit based on the execution path hooks it uses. Current examples of this form of technology are VICE and Patchfinder. At this time, they only work with Microsoft .NET Framework installed on the computer, and they are not foolproof either. They can be subverted by some rootkits, and still others will remain undetected. One of the problems is trying to determine which hooks are malicious, and which hooks are legitimate and part of the normal operating system (false positives can be the result).


Another method of detection currently being developed is profiling, or more specifically, profiling the runtime execution path. The only tool currently known to this writer with this technology is a very promising proof of concept tool called Patchfinder. It is discussed and made available on a Website called invisiblethings.org run by rootkit expert Joanna Rutkowska. It is built on the observation that a rootkit adds code to a given execution path, and operates by counting instructions. The technique can still result in false positives, and is vulnerable to rootkits that have the ability to realize they are being traced. Nonetheless, I believe the technology has excellent merit and I hope development continues and is able to eliminate the problems encountered so far.

Cross View

Cross view based detection techniques are both very new and very promising. The detection software works by enumerating data within the system such as files, processes and Registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the system's common APIs (Application Program Interface). A difference between the two results can indicate something hidden. This technology is still being developed and improved to eliminate false positives when the program runs. Current examples of this developing technology are Rootkit Revealer from Sysinternals, Klister by Joanna Rutkowska, BlackLight by F-Secure, and Strider Ghostbuster from Microsoft.


Integrity based detection is an alternative to either signature based detection or heuristic detection, and works by comparing a snapshot of the filesystem or memory with a known trusted baseline. Differences between the two are taken as an indicator of malicious activity. Examples of this are Tripwire from Sourceforge, and System Virginity Verifier by Joanna Rutkowska. Tripwire was effective against early rootkit designs, but virtually useless against the modern rootkit. System Virginity Verifier, on the other hand, is, to me, very promising as it also checks the integrity of data structures and uses advanced heuristics to help deal with false positives stemming from normal system hook operation.

Hardware detection:

Join me in keeping high hopes for this one. It could be absolutely great!

This technology is very new and was born as a project at the University of Maryland. A new company, Komoku of College Park, Md., is currently the owner of this technology. With funding (at around $2.5 million) coming from government contracts, specifically DARPA (Defense Advanced Research Projects Agency), the Department of Homeland Security, and the U.S. Navy, they have developed a proprietary, high-assurance PCI card based detection system called Copilot. The PCI card has its own processor and memory allowing it to remain independent of the system it is installed into. It also has its own network interface allowing communications to an outside administrative department or team. The prototype PCI card solution is currently not publicly available and is more than likely pretty pricey at this time, but represents a formidable foe to rootkits. Personally, I have high hopes that the governmental agencies involved will allow mass production after the prototype is finalized so the benefits of this new technology will become both available and affordable to the general computer user like you and me.

By being able to remain independent of the computer's processor and memory it is installed in, this PCI card can scan and monitor all processes, memory, files and activity in the computer at the hardware level, looking for any modifications or abnormal behavior, thus making any rootkit design an easy target to find. According to the project designers, instead of looking directly for the rootkit, it looks instead for the side effects of the rootkit's activities. Coupled with a software-monitoring and cleanup component that is also being partnered (by, guess who, Symantec), it could actually be capable of putting an end to the rootkit threat on any machine it is installed in.

Komoku also plans to release a low-assurance software-only clone of this technology called Gamma sometime this summer; I can hardly wait to see it. Komoku is currently partnered with Symantec to handle disinfection, cleanup and restoration after a rootkit or other sophisticated malware is found. Symantec's Live State product combined with Copilot and Gamma can restore the system to its original operating state as if nothing had ever happened.

I see some really exciting, commercial software offerings becoming available for us in the hopefully not too distant future, and I really hope the Copilot PCI card becomes a reality for us as well.

Rootkit Removal:

For the time being, rootkit removal is rather subjective. There is a large body of opinion that believes it to be impractical. The majority seems to recommend copying and saving your data files, wiping the hard drive clean, and re-installing everything from scratch. The feeling is this will take less time than trying to remove the rootkit and restore the system. If it was a truly severe case, and sensitive data and material were at stake, I would tend to agree.

For the average user, however, I would recommend running the Malicious Software Removal Tool from Microsoft, scanning with Windows Defender, and trying a scan with the latest version of SpySweeper from WebRoot. All have some degree of rootkit detection and removal capability built in that I have had good success with in the past. I have also cleaned up and removed some boot sector rootkits with AVG Pro from Grisoft, another product I like a lot. A number of other constituents I am in contact with also have reported good success with BlackLight from F-Secure. BlackLight will be rolled into another F-Secure product this summer as part of a security software suite, but it is still free until June 1, 2006, after which it stops working. One thing to keep in mind: BlackLight is currently a Beta program, and you assume all responsibility for its use. If using it breaks your system, it's your problem. Final release of the integrated product from F-Secure this summer will come with support.


One final thing to remember: a rootkit alters the operating system, and thus needs administrator privilege to install (not that you can expect a warning that it is about to install, and you certainly will not see a Windows Installer screen). You can greatly reduce your exposure to this threat in the first place if you remember to not go on-line with an account on your computer that has administrator privilege. Use a limited account when connecting to the Internet. If you absolutely must be on-line as an administrator for certain programs to work, you might want to look into a protection program like Process Guard (shareware, $29.95) that has the capacity to prevent programs from installing global hooks and performing process injection. If you are a high-risk user, such as a P2P user, and must be on-line as an administrator, then you should definitely consider such a program as mandatory and a must have.

Another possible program to look into is called AntiHook. Of the two, I can only honestly recommend Process Guard for the high-risk user. AntiHook is freeware and is a less powerful program, but it offers good, solid protection for the average home user. Please note that AntiHook is only for home use, and currently (AntiHook v 2.5) does not work properly with Windows XP Home edition. New versions AntiHook 2.6 and AntiHook 3.0 are due out in a few weeks and promise to fix this issue. Both programs (Process Guard and AntiHook) feature real-time kernel mode protection. If you are a home user that downloads a lot and installs downloaded programs, I really would recommend you use one of the two programs.

Either of these programs will be noisy at first as they go through a learning curve of the software on your system, much like what you see with pop-up warnings after installing a new firewall. Don't despair though, as things will settle down soon when the program learns your particular system. You can also minimize this if you use AntiHook by initially running it in fingerprint mode for the first few days while it learns. Before doing this, however, you might want to first scan your system if it has been on-line for a while to be sure it is clean in the first place.

I suggest you use Avast for removing rootkits.


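The post describes integrity based detection (Tripwire, System Virginity Verifier) only in outline: snapshot the filesystem, keep a trusted baseline, and treat any difference as a warning sign. The following is an added example written for this page, not code from the post or from Tripwire or any other tool it names, showing that baseline-and-compare approach in Python. The directory tree, file names and contents are constructed for the demonstration; nothing here is taken from a real system.

```python
"""Tripwire-style integrity baseline: snapshot a directory tree, then diff it.

Added illustration of the 'known trusted baseline' approach described in the
post. File names and contents are constructed for the demo.
"""
import hashlib
import json
import os
import stat
import tempfile


def _file_record(path: str) -> dict:
    """Capture what a baseline needs per file: size, permission bits, SHA-256.

    Hashing is what catches a trojaned binary that keeps its original size;
    the mode bits catch a newly set setuid/setgid bit on an existing file.
    """
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return {"size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": digest.hexdigest()}


def snapshot(root: str) -> dict:
    """Walk a tree and return {relative_path: record} for every regular file."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, sockets
                records[os.path.relpath(full, root)] = _file_record(full)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(records: dict, path: str) -> None:
    """Persist the baseline as JSON. A baseline is only trustworthy if it is
    stored where the monitored host cannot rewrite it (read-only or offline media)."""
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: baseline a fake 'bin' tree, then apply the kinds of
    changes the post associates with a rootkit and report what the diff sees."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        # Constructed stand-ins for system binaries (contents are arbitrary text).
        for name, body in [("ls", b"original ls"),
                           ("ps", b"original ps"),
                           ("netstat", b"original netstat")]:
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(root, "baseline.json")  # outside bin_dir
        save_baseline(snapshot(bin_dir), baseline_path)

        # Simulated compromise: 'ps' swapped for a same-length replacement (a
        # size-only check would miss it), a new dot-file dropped, 'netstat' removed.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"trojaned ps")  # same length as b"original ps"
        with open(os.path.join(bin_dir, ".hidden_loader"), "wb") as f:
            f.write(b"constructed placeholder content")
        os.remove(os.path.join(bin_dir, "netstat"))

        return compare(load_baseline(baseline_path), snapshot(bin_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the module prints the three change classes for the constructed scenario: `.hidden_loader` added, `netstat` removed and `ps` modified, even though the replacement `ps` has the same size as the original. This is also the limit the post points out for Tripwire: the check only sees what the filesystem API returns, so a kernel-level rootkit that hooks file reads can feed the scanner the original bytes, which is why the post rates cross view and System Virginity Verifier's data-structure checks higher.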



Re: what is a rootkit

Post by Ali_THE KILLER on Fri Oct 02, 2009 2:34 am

You typed all this message?
Wow, I think it would take me a week for that.
Anyway, good job.


