What's a rootkit, and how can I check for rootkits installed on my machine?
November 19, 2005
A. A rootkit is a term used to describe mechanisms that allow malware such as viruses and spyware to hide their existence from tools that are designed to eradicate them. Rootkits commonly open back doors to systems so that malicious intruders can access the system with administrative credentials or intruders use them on the machine to maintain their access. See http://www.rootkit.com/ for more information about rootkits.
There are various types of root kits. There are persistent rootkits, which place commands in the registry or file system so that the rootkit executes at each machine startup, or memory-resident rootkits, which don't survive a reboot. Rootkits can run in either the user-mode or kernel-mode space. Most rootkits run in the user-mode space but with administrative permissions. The user-mode rootkit conceals itself by intercepting calls to API's that might list processes or query the file system, then it filters the returned results to remove any entry that would identify the existence of the rootkit. These rootkits can hide from any user-mode tool but not from a tool running in kernel mode. Kernel-mode rootkits run as part of the OS, which is difficult and will often crash the entire OS and is typically how they're detected. When a machine starts crashing frequently, it often has some kind of kernel-mode rootkit running. There's a great utility, called RootkitRevealer, which you can download at http://www.sysinternals.com/utilities/rootkitrevealer.html . The tool scans a system and highlights any abnormalities that might indicate the presence of a rootkit.
About the Author
You May Also Like