Oneupweb : Rootkits Part 1—What Are They?

Everyone has heard of viruses, worms, spyware, and the many other categories of malevolent software. One of the less commonly known types is rootkits.

So you ask, “what is a rootkit?”

I actually get that question a lot. A rootkit is software that inserts itself at some level of the system, inside applications, inside the Operating System kernel, or even in the firmware of hardware devices, in order to keep privileged, “root” or Administrator-level access to the computer it runs on. A rootkit does not usually obtain that access by itself; it is installed once an attacker (or a vendor) already has it, and its job is to preserve that access and hide it. Wikipedia defines a rootkit as “software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.” In other words, rootkits rely on stealth. A typical rootkit hooks the APIs that programs and the Operating System use to list files, processes, registry keys and network connections, and filters its own entries out of the results, so everything else on the machine is told that it doesn’t exist.

As you can imagine, this makes them hard to detect, and therefore, extremely hard to know that you have one.

A rootkit by itself is not necessarily malicious. In fact, there are several legitimate uses for rootkit techniques, like Law Enforcement tools and “spy” software that monitors usage (think kids and employees). eBlaster and Spector Pro are two of the better rated packages on the market. Probably the most publicized rootkit usage was by Sony BMG, which shipped a rootkit on its music CDs for Digital Rights Management (DRM) copy protection. That rootkit protected the usage of their music, but it was installed without the user’s knowledge, and the cloaking it used to hide itself could be used by any other program, so it gave malware a ready-made way to hide from security software.

All too commonly, though, rootkits are used for malicious purposes and have become associated with viruses, spyware, and malware.

Because it “hides” itself, many virus scanners and other security software are unable to detect a rootkit. There are a number of methods of detecting rootkits, but because rootkits can be implemented at so many different levels (application, kernel, firmware), no single method is capable of detecting all of the different rootkit types.

Some rootkit detectors bypass the file system APIs of the OS and read the disk and memory directly, then compare what they find against what the OS reports; any file, process or registry entry that appears in the raw view but not in the API view is a candidate for something being hidden. Others are only noticed because of their behavior: things happen with no visible or obvious reason.

Remember in Star Wars Episode II: Attack of the Clones, when Obi-Wan is confused because the Archives do not show a planet, yet there is evidence of its gravitational effects? A rootkit works the same way: you may see network traffic or CPU usage that doesn’t match what your computer says it is doing, because the rootkit is hiding the processes responsible.
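Here is a small worked example of the “compare two views” idea from the two paragraphs above, written for this post rather than taken from it or from any product mentioned. It uses processes instead of disk blocks because that needs no special privileges: the high-level view is the /proc directory listing (what ps and top read, and what a rootkit typically filters), and the low-level view is built by asking the kernel about every possible PID directly with kill(pid, 0), the same brute-force trick the unhide tool uses. A PID the kernel says exists but the listing omits is the gravitational effect without the planet. The scan itself is Linux-only; cross_view_diff() is generic. The function and variable names are mine.

```python
"""Cross-view process detection (added example, not code from the original post).

High-level view : PIDs reported by listing /proc (what ps/top see).
Low-level view  : PIDs that answer to kill(pid, 0), probed one by one.
Anything in the low-level view that the listing omits is a candidate hidden process.
"""
import os


def cross_view_diff(high_level, low_level):
    """Compare two views of the same objects. Returns (hidden, phantom):
    hidden  = present in the low-level view but missing from the high-level view
    phantom = present only in the high-level view (usually a race, rarely interesting)."""
    high, low = set(high_level), set(low_level)
    return sorted(low - high), sorted(high - low)


def proc_listing_pids():
    """High-level view: every numeric entry in the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_max():
    """Upper bound for the probe; falls back to the classic 32768 if unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def _is_thread_group_leader(pid):
    """True if pid is a process (Tgid == pid) rather than one thread of a process.
    Thread IDs answer kill(tid, 0) but never appear in the /proc listing, so they
    must be excluded or they would all look 'hidden'. If /proc/<pid>/status cannot
    be read at all, treat it as a process: that is exactly the case worth flagging."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True


def probed_pids(upper=None):
    """Low-level view: kill(pid, 0) sends no signal. It succeeds (or fails with
    EPERM for processes we cannot signal) when the PID exists, and fails with
    ESRCH when it does not. None of this goes through the directory listing."""
    found = set()
    for pid in range(1, (upper or pid_max()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # ESRCH: no such process
        except PermissionError:
            pass                # EPERM: exists, just not ours to signal
        if _is_thread_group_leader(pid):
            found.add(pid)
    return found


def find_hidden_processes(upper=None):
    """Take the listing before and after the slow probe so that processes which
    exit or start during the scan are not mistaken for hidden ones."""
    before = proc_listing_pids()
    probed = probed_pids(upper)
    after = proc_listing_pids()
    return cross_view_diff(before | after, probed)


if __name__ == "__main__":
    if not os.path.isdir("/proc"):
        raise SystemExit("this scan needs Linux procfs")
    hidden, phantom = find_hidden_processes()
    for pid in hidden:
        print(f"PID {pid} exists but is missing from the /proc listing: possibly hidden")
    if not hidden:
        print("no hidden processes found")
```

Probing a modern pid_max of several million takes a few seconds in Python; pass a smaller upper bound to find_hidden_processes() for a quick look. A hit is a lead, not a verdict: a very short-lived process can still slip between the two listings, so confirm a suspicious PID by inspecting /proc/PID/exe and /proc/PID/cmdline directly, which a readdir-filtering rootkit often leaves reachable.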

So, now that you have an idea of what a rootkit is, next time we can discuss how you can remove it.