Rootkits are a particularly insidious form of malware because they load before an operating system boots and can hide from ordinary antimalware scans and protection. Their ability to elude detection also makes them extraordinarily difficult to remove and clean up after.
By design, rootkits are difficult to find. For your humble authors, even the slightest hint of possible rootkit infection is reason enough to reinstall from a verified clean and current backup. If we can't pinpoint when the infection occurred, in fact, we treat all available backup images as infected and discard them. This provides added impetus to separate data from OS files and to make regular but separate backups of each as well. Thus, loss of the OS/runtime environment won’t also force disposal of data files.
In this story, we’ll take a look at how rootkits work, some common symptoms of rootkit infection, and tools and resources for detecting and removing rootkits.
Generally, rootkits can be divided into two categories: user mode and kernel mode. (The most renowned rootkit, Hacker Defender, is an example of a user mode rootkit.) In the Windows operating system, ordinary programs run in user mode, which can only make mediated calls on operating system services and resources. Privileged programs and the operating system run in kernel mode, which can access operating system resources directly and interact directly with other operating system services. Thus, kernel mode rootkits essentially operate as if they were part of Windows itself.
That’s what makes any kernel mode rootkit so dangerous and so difficult to detect and remove. Such a rootkit modifies the Windows kernel. It makes itself “persistent,” which means it activates every time a user boots the PC. This means a rootkit can run everything from keyloggers to backdoors. And because it can access the OS kernel and its APIs, a rootkit can hide itself by intercepting any system call that includes a filename or any other data that might reveal its existence. If a call involves any data that might reveal the rootkit to a user, it will be hidden or suppressed, so the user sees nothing alarming or out of the ordinary.
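The cross-view check that defenders use against this kind of call filtering, as an added Python example that is not part of the original article: a simulated hook that strips certain names from one listing API is compared with an independent enumeration path, and any name present in the second view but missing from the first is flagged. The directory contents and the "rk_" prefix are constructed for the demonstration.

```python
import os
import tempfile
from typing import Callable, List, Set

# Constructed marker: the simulated hook drops any name starting with this
# prefix, standing in for a rootkit that filters its own files out of results.
HIDE_PREFIX = "rk_"

Lister = Callable[[str], List[str]]


def hooked_listdir(path: str) -> List[str]:
    """High-level view: os.listdir with a filename-filtering hook layered on top."""
    return [name for name in os.listdir(path) if not name.startswith(HIDE_PREFIX)]


def independent_scandir(path: str) -> List[str]:
    """Second, independent enumeration path (os.scandir) that the hook does not touch."""
    with os.scandir(path) as entries:
        return [entry.name for entry in entries]


def cross_view_diff(path: str, high_level: Lister, low_level: Lister) -> Set[str]:
    """Names visible to the low-level view but hidden from the high-level one.

    A non-empty result means something is filtering the high-level listing.
    """
    return set(low_level(path)) - set(high_level(path))


def demo() -> Set[str]:
    """Build a constructed directory, run the cross-view check, return hidden names."""
    with tempfile.TemporaryDirectory() as workdir:
        for name in ("report.docx", "rk_hidden.dll", "notes.txt"):
            open(os.path.join(workdir, name), "w").close()
        return cross_view_diff(workdir, hooked_listdir, independent_scandir)


if __name__ == "__main__":
    print("Hidden entries:", sorted(demo()))  # expected: ['rk_hidden.dll']
```

Real cross-view tools compare a high-level API listing with a second view obtained well below it, such as raw volume or disk-structure parsing, so that a hook at the API layer cannot affect both sides.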
Rootkit infection
Like any other program, a rootkit requires user interaction or system compromise to take...