Have you ever heard of rootkits? Do you really understand what a rootkit is? Is a rootkit a type of worm, virus, or Trojan? Are rootkits really dangerous? In this article, we will answer your questions about rootkits and introduce some free software that can help you “quickly take down” rootkits.
Understanding Rootkits
The term rootkit describes the mechanisms and techniques that malware (malicious software that disrupts the normal operation of programs, including viruses, spyware, and Trojans) uses to hide itself and evade detection by anti-spyware, antivirus programs, and system utilities. In fact, rootkits themselves are not inherently malicious, but when used in conjunction with destructive programs such as viruses, worms, spyware, and Trojans, they make those programs significantly more dangerous.
How Dangerous are Rootkits?
Rootkits, in essence, do not cause any direct harm. Their sole purpose is to hide and avoid detection. However, when rootkits are used to conceal malicious code, they become very dangerous. Some worms, viruses, Trojans, and spyware can remain operational and undetected when using rootkits. Malware may go undetected even when the system is protected by the best antivirus programs, making rootkits a serious threat.
Currently, only a few spyware and virus programs utilize rootkits for stealth. A notable example of rootkits being used for system infiltration is the theft of the source code for the famous game Half-Life 2.
Rootkits are more commonly found in spyware than in viruses. Rootkits are certainly still an evolving technique and not yet widespread in practice, so their current threat level is lower than the potential danger the technique represents.
Types of Rootkits
Rootkits are categorized based on their persistence after a reboot or whether they operate in user mode or kernel mode.
Persistent Rootkits
Persistent rootkits are rootkits that combine with other malware to run each time the system boots. The malware carrying the destructive code is executed automatically whenever the system starts up or when a user logs in. To achieve this, they must store executable code in the Registry or in system files, together with a mechanism that lets that code run silently without the user's knowledge.
Memory-Based Rootkits
This type of rootkit consists of malware that does not contain “persistent” code—it only resides in memory, which is why this type of rootkit does not exist after a reboot.
User-mode Rootkits
User-mode rootkits use various methods to evade detection. For example, a user-mode rootkit will intercept calls to API (Application Programming Interface) functions such as FindFirstFile/FindNextFile. These functions are called by Windows file management programs like Explorer and the command prompt to list files and directories. When an application attempts to list a directory that contains the rootkit's files, the rootkit intercepts these calls and alters the returned data so that its own files are removed from the list.
The Windows API functions provide the interface between user mode and system services. More complex user-mode rootkits also filter the API functions that enumerate files, Registry keys, and processes. As a result, any file scanning program that relies on the results of the Windows API enumeration functions receives altered results. This is why most antivirus and anti-spyware programs cannot detect rootkits.
Kernel-mode Rootkits
Kernel-mode rootkits are more dangerous than the other types mentioned. They not only intercept system API functions but can also directly manipulate data structures in kernel mode. A common technique for concealing malware processes is to unlink them from the kernel's list of active processes. Because the API functions that manage processes rely on the contents of these data structures, once a rootkit alters them, tools like Task Manager or Process Explorer cannot see the hidden processes either.
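The defensive counterpart to both the user-mode API filtering and the kernel-mode structure manipulation described above is a cross-view comparison: take the same listing through two independent paths (the Windows API on one side, a raw scan of the volume or hive, or a different kernel structure, on the other) and flag whatever appears in only one of them. The following Python is an added example written for this article, not code from the original page or from any tool it names; the file paths, process table, and "volatile" prefixes are constructed sample data, and the low-level views are supplied as plain lists because the example runs offline.

```python
"""Cross-view diff: find objects hidden from the Windows API view.

A user-mode rootkit filters the answers the API gives; a kernel-mode rootkit
edits the structures those answers are built from. Either way, a listing taken
through a different path will disagree with the API listing. All sample data
below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Discrepancy:
    hidden: Tuple[str, ...]    # in the low-level view only: candidate rootkit-hidden objects
    phantom: Tuple[str, ...]   # in the API view only: usually churn between the two snapshots
    unstable: Tuple[str, ...]  # differences under paths expected to change; reported, not flagged


def _norm(name: str) -> str:
    # Windows names are case-insensitive; compare them in one case and one separator style.
    return name.strip().lower().replace("/", "\\")


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str],
                    volatile_prefixes: Iterable[str] = ()) -> Discrepancy:
    """Compare an API-level listing with an independently obtained listing."""
    api = {_norm(n) for n in api_view}
    raw = {_norm(n) for n in raw_view}
    vol = tuple(_norm(p) for p in volatile_prefixes)

    def is_volatile(name: str) -> bool:
        # Files in temp/log directories legitimately appear and vanish between the two
        # passes; treating them as hidden would be a false positive, so bucket them apart.
        return any(name.startswith(p) for p in vol)

    hidden, phantom, unstable = [], [], []
    for name in sorted(raw - api):           # seen by the raw scan, not by the API
        (unstable if is_volatile(name) else hidden).append(name)
    for name in sorted(api - raw):           # seen by the API, not by the raw scan
        (unstable if is_volatile(name) else phantom).append(name)
    return Discrepancy(tuple(hidden), tuple(phantom), tuple(sorted(unstable)))


def process_cross_view(api_processes: Dict[int, str],
                       raw_processes: Dict[int, str]) -> Discrepancy:
    """Same comparison for process tables. Keying on PID means an unlinked process shows
    up as 'hidden', and a PID whose image name differs between views shows up in both
    'hidden' and 'phantom', which is itself worth a look."""
    def fmt(table: Dict[int, str]) -> list:
        return [f"{pid}:{name}" for pid, name in table.items()]
    return cross_view_diff(fmt(api_processes), fmt(raw_processes))


# Constructed sample: what a filtered API listing returned versus a raw directory scan.
SAMPLE_API_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\Temp\scan-12.tmp",                       # existed only during the API pass
]
SAMPLE_RAW_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\drivers\example-hidden.sys",    # constructed: filtered out of the API view
    r"C:\Windows\Temp\scan-13.tmp",                       # existed only during the raw pass
]
VOLATILE_PREFIXES = ["C:\\Windows\\Temp\\"]                # constructed allow-list of churn locations

# Constructed sample: process table as the API reports it versus one rebuilt from another source.
SAMPLE_API_PROCS = {4: "System", 620: "explorer.exe"}
SAMPLE_RAW_PROCS = {4: "System", 620: "explorer.exe", 1337: "example-hidden.exe"}


def demo() -> Tuple[Discrepancy, Discrepancy]:
    files = cross_view_diff(SAMPLE_API_FILES, SAMPLE_RAW_FILES, VOLATILE_PREFIXES)
    procs = process_cross_view(SAMPLE_API_PROCS, SAMPLE_RAW_PROCS)
    return files, procs


if __name__ == "__main__":
    files, procs = demo()
    print("hidden files:    ", files.hidden)
    print("unstable entries:", files.unstable)
    print("hidden processes:", procs.hidden)
```

The "unstable" bucket is the practical caveat: any cross-view scanner produces differences for files that are created or deleted between its two passes, so a scan should be read for entries that persist across repeated runs rather than treated as a verdict from a single pass.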
Which Malware Use Rootkit Techniques?
Some rootkits that embody the true meaning and nature of rootkits include Hacker Defender and FU. Certain spyware and adware also utilize rootkits, such as EliteToolbar, ProAgent, and Probot SE. Trojans like Berbew/Padodor and Feutel/Hupigon, as well as some worms like Myfip.h and the Maslan family of worms, also employ rootkit techniques.
Predictions About Rootkits
Rootkits have indeed become prevalent in spyware, and they are likely to become more common in viruses and worms as well. Virus authors have become more professional and are also operating with business objectives in mind. Therefore, they possess the necessary skills and expertise to embed complex rootkits into viruses and worms.
Rootkits can keep Trojans and spam tools hidden for longer on infected machines, which is another reason to expect an explosion of rootkits in the future.
Why Don’t Antivirus Programs Detect Rootkits Before They Hide?
They do, but only in some cases. Rootkits are often distributed as open-source code, which means hackers can rapidly modify rootkit code so that antivirus programs no longer recognize it. Some newer antivirus software can detect rootkits, such as F-Secure Internet Security 2005, which features “Manipulation Control.” This feature is designed to block malicious processes from “manipulating” other processes. However, even F-Secure Internet Security 2005 can only block a few rootkits.
Rootkit Removal Software
When combined with malware, rootkits become much more dangerous. So, is there any software that can detect rootkits hiding in the system?
Here are some software options that can detect and remove rootkits:
RootkitRevealer is a highly effective and completely free program for finding and removing rootkits, with a file size of only 190KB. The program has a simple interface; you just need to click the Scan button, and RootkitRevealer will do its job. To learn more about how to use the program effectively, you can read additional information in the manual or visit the website: http://www.sysinternals.com/utilities/rootkitrevealer.html
BlackLight is a rootkit removal tool from F-Secure. Currently, the beta version of BlackLight is free, and you can download it at: http://www.europe.f-secure.com/exclude/blacklight/index.shtml
Minh Phúc