What are Rootkits?
Version: 2.21
Revision: 12 Build 16
What are Rootkits?
Rootkits are programs whose purpose is to hide themselves from the user and from the system so that they cannot be traced. In general they can be useful, since they protect computers from hackers. However, rootkits can also be used to disable our computer and hijack other tasks.
The word “root” in rootkit is borrowed from UNIX, where “root” is the system administrator’s account. Rootkits are sets of tools and utilities that help a “hacker” obtain an account’s password without the administrator’s knowledge. In this respect they are quite similar to viruses; however, the way they are deployed is different. For example, viruses spread faster than rootkits and mutate without warning. They may also transform and spread like ants…
——————————————————————————–
Types of rootkits.
——————————————————————————–
There are seven kinds of rootkits at this point in time, and they are deployed in completely different ways…
1. Kernel Level Rootkits: This type of rootkit adds extra code to the kernel of the OS (the core, or heart, of the operating system), which makes it undetectable. It is also cloaked and hidden.
2. Library Level Rootkits: This type of rootkit works higher up in the OS and generally subverts the system calls to hide its presence. It does so by hooking, patching or replacing the system calls.
3. Application Level Rootkits: This type of rootkit works at the same level as the library level, but directly inside the application rather than in the system. For example, it patches itself in and replaces the whole application with a different (infected) program that works in the background while you are running the application. After that, it becomes difficult to tell that the system is infected with a rootkit.
4. Firmware Rootkits: A firmware rootkit is a permanent combination of rootkit and malware planted in device firmware. It can remain hidden there, because firmware is not checked for code integrity.
5. Virtualized Rootkits: The lowest level of rootkit produced so far is the “virtualized rootkit”. These rootkits work by modifying the system’s boot sequence so that they are loaded instead of the original virtual machine or operating system. By loading the original operating system as a virtual machine, a virtualized rootkit is able to intercept all hardware calls made by the guest operating system.
6. Persistent Rootkits: A persistent rootkit is malware that hooks itself in every time the system boots. Such malware contains code that must run automatically when the system starts or when a user logs in, so the infection stores its code in a persistent location, such as the Registry or the system, and executes without user intervention.
7. User-Mode Rootkits: These run on a computer with administrative privileges, which allows a user-mode rootkit to alter or modify security settings and hide processes, files, system drivers, network ports and even system services.
User-mode rootkits remain installed on the infected computer by copying the files they need to the computer’s hard drive and launching automatically with every system boot.
——————————————————————————–
How to detect them?
So far we have learned what rootkits are, how difficult they are to detect and how dangerous they can be. Now we will learn how to detect them. The problem is that an infection is quite difficult to cure; therefore I would suggest taking regular backups and reloading the whole OS. So our main task is to detect whether our system is infected with a rootkit or not. There are certain tools available, along with precautionary steps, that can help us suppress these problems.
1. The best way of detecting rootkits is to boot your computer from a different source, because a rootkit that is not running cannot hide its presence and becomes easy for most anti-virus products to detect.
2. Blacklight: This is a program from F-Secure; it is free for personal use and available on F-Secure’s website.
3. Rootkit Revealer: This program is from Sysinternals and is one of the best-known programs for fighting rootkits.
4. IceSword: This program is used to detect special rootkits that are hard to remove. However, this software is for advanced users only!
Note: I would recommend that users download Avira Classic Edition to protect their computers against rootkits. But don’t forget to update your database…
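Point 1 above rests on a cross-view idea: a rootkit that hooks the file-listing APIs can hide from the running system, but not from a view of the same disk taken after booting from clean media. The following example (written for this page, not a tool from the article) compares such a live view with an offline view and reports paths the live system hides or misreports; it assumes both views were already collected as path-to-hash maps, and its sample snapshots and hash values are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "hidden" or "modified"


# Paths that legitimately differ between a live and an offline snapshot.
VOLATILE = {"C:\\pagefile.sys", "C:\\hiberfil.sys"}


def cross_view_diff(live_view, offline_view, volatile=VOLATILE):
    """Compare two views of the same disk and return the discrepancies.

    live_view:    {path: sha256} enumerated through the running OS's APIs
    offline_view: {path: sha256} enumerated after booting from clean media
    "hidden"   = on disk, but the live system does not show it
    "modified" = the live system reports different content than is on disk
    """
    findings = []
    for path, offline_hash in offline_view.items():
        if path in volatile:
            continue  # expected to change; not evidence of hiding
        live_hash = live_view.get(path)
        if live_hash is None:
            findings.append(Finding(path, "hidden"))
        elif live_hash != offline_hash:
            findings.append(Finding(path, "modified"))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample snapshots; hash values are placeholders, not real digests.
LIVE_VIEW = {
    "C:\\Windows\\System32\\kernel32.dll": "aa11",
    "C:\\Windows\\System32\\drivers\\ndis.sys": "bb22",
    "C:\\Program Files\\App\\app.exe": "cc33",
    "C:\\pagefile.sys": "dd44",
}
OFFLINE_VIEW = {
    "C:\\Windows\\System32\\kernel32.dll": "aa11",
    "C:\\Windows\\System32\\drivers\\ndis.sys": "bb22",
    "C:\\Windows\\System32\\drivers\\hidden.sys": "ee55",  # absent from live view
    "C:\\Program Files\\App\\app.exe": "ff66",  # live system reports other content
    "C:\\pagefile.sys": "0000",  # volatile, ignored
}

if __name__ == "__main__":
    for f in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW):
        print(f"{f.kind:8} {f.path}")
```

A real run would fill the two maps by hashing files through the live OS and again from a clean boot; the comparison logic is the same.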
——————————————————————————–
Generic symptoms of rootkit infection.
1. If the computer locks up or fails to respond to any input from the mouse or keyboard, it could be due to an installed kernel-mode rootkit.
2. Settings in Windows are modified without permission. The best example is a screensaver that changes every time.
3. Web pages or network activity appear intermittent or dysfunctional due to excessive network traffic.
If a rootkit functions correctly, most of these symptoms will not be traceable. By definition, good rootkits are stealthy and difficult to remove. The last symptom, a sluggish network, should be the one that raises the flag. However, rootkits cannot hide internet traffic, especially if the computer is acting as a spam relay or participating in a DDoS attack.
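Because the traffic itself cannot be hidden from a router, firewall or mirror port, the network is the place to look for the two cases just named. The following example (added for this page, not from the article) scans connection records exported from such a device and flags an internal host making many outbound SMTP connections (spam relay) or flooding one destination (DDoS participation); the record format, thresholds and sample flows are all constructed assumptions.

```python
from collections import Counter, defaultdict


def flag_hosts(flows, smtp_threshold=20, flood_threshold=100):
    """Return {src_ip: sorted reasons} for hosts whose outbound traffic
    matches a rootkit symptom.

    flows: iterable of (src_ip, dst_ip, dst_port) tuples, one per connection,
           as seen by a network device outside the suspect host.
    """
    smtp_per_src = Counter()   # outbound connections to TCP/25 per source
    per_pair = Counter()       # connections per (source, destination) pair
    for src, dst, port in flows:
        if port == 25:
            smtp_per_src[src] += 1
        per_pair[(src, dst)] += 1

    reasons = defaultdict(set)
    for src, n in smtp_per_src.items():
        if n >= smtp_threshold:
            reasons[src].add(f"spam relay: {n} outbound SMTP connections")
    for (src, dst), n in per_pair.items():
        if n >= flood_threshold:
            reasons[src].add(f"flood: {n} connections to {dst}")
    return {src: sorted(r) for src, r in reasons.items()}


def constructed_flows():
    """Constructed sample: a normal host, a spam relay and a flooder."""
    normal = [("192.168.1.10", "203.0.113.5", 443)] * 30
    relay = [("192.168.1.23", f"198.51.100.{i}", 25) for i in range(1, 41)]
    flooder = [("192.168.1.42", "203.0.113.77", 80)] * 150
    return normal + relay + flooder


if __name__ == "__main__":
    for host, why in flag_hosts(constructed_flows()).items():
        print(host, "->", "; ".join(why))
```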


