Rootkits

Sadly, malicious programmers and the people who pay them are endlessly inventive. One of the newer forms of their evil creativity is something called a ‘rootkit’.

One traditional weakness of viruses, and the thing that made them easier to deal with, has been their visibility. Executables containing viruses had names that differed from the standard programs found on systems. When a virus maliciously renamed a standard file and replaced it, the new one frequently had a different date or size. It might even show up in the Task Manager list of programs on Windows.

All that made them detectable by anyone diligent enough to check, or by automated software designed to seek them out. But rootkits are more dangerous than other infection methods precisely because they hide malicious files so easily.

The files don’t show up on Windows Explorer, even when Show Hidden Files is enabled. The running process list displayed by Task Manager doesn’t list them. And many current antivirus packages don’t seek out and destroy viruses hidden by rootkits.

In November of 2005, Sony began using rootkits on some music CDs in order to hide copy protection files. Hackers quickly turned Sony’s well-meaning but misguided plan to their own advantage: Sony’s software unintentionally hid their efforts. Any file whose name began with ‘$sys$’ became invisible, so hackers named their malware to take advantage of the effect.

Virus creators quickly turned to making their own rootkits. Distributing them, along with a dangerous payload, is as easy as passing along any other virus. Email attachments, spyware downloads initiated by clicking on ads, downloading free software… the list is long.

Some even found their way into the boot sector of hard drives. That means the technique of clearing one out of memory by re-booting is ineffective. They simply get re-started every time the operating system comes up again. To make matters worse, many automated virus scanning programs aren’t set to scan the boot sector, only regular programs.

Unfortunately, the story gets worse.

A rootkit loaded from the boot sector runs before the operating system does, so it can effectively become the kernel of the operating system. The kernel is the low-level program that controls the most basic functions, including crucial aspects of the hardware itself.

That makes it possible to substitute malware for the authorized low-level routines of the legitimate operating system. Once that level of control is achieved, there’s nothing the virus can’t do – including masking its activity from the higher-level functions of the operating system and from any application, virus checkers included.

Users may or may not notice the slowing effect of the technique, and could easily ascribe it to any one of the dozens of mysterious behaviors Windows exhibits from time to time. Very few are going to be savvy enough to even suspect a rootkit at work.

Software is being developed and deployed to combat this latest threat to PC security. Rootkit scanners are coming onto the market, and users interested in protecting their PCs should seek one out. Sysinternals’ RootkitRevealer is one well-known example and is available free.
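As an added illustration of the ‘$sys$’ cloaking rule described above and of the cross-view approach a scanner such as RootkitRevealer takes (it compares what the Windows API reports against what it reads from the raw volume), here is a small Python model that is not part of this article or of any Sysinternals tool. The file names, the temporary directory standing in for a raw volume, and the case-insensitive prefix match are constructed assumptions.

```python
import os
import tempfile

# The cloaking rule from the article: names beginning with this prefix are
# filtered out of the view that applications see.
HIDE_PREFIX = "$sys$"


def cloaked_listdir(path):
    """Model of a hooked directory-enumeration API.

    A hook sitting between the application and the real file system drops
    every entry whose name starts with the cloaking prefix (modelled here as a
    case-insensitive match, which is an assumption of this example).
    """
    return sorted(
        name for name in os.listdir(path)
        if not name.lower().startswith(HIDE_PREFIX)
    )


def raw_listdir(path):
    """Stand-in for an unhooked, low-level view of the same directory.

    A real scanner obtains this by parsing on-disk structures directly; here
    os.listdir() is assumed to be unhooked.
    """
    return sorted(os.listdir(path))


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): names only in the raw view and names only in
    the API view. Either discrepancy is a sign of tampering worth examining."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def scan_directory(path):
    """Run both views over `path` and report the discrepancies."""
    hidden, phantom = cross_view_diff(cloaked_listdir(path), raw_listdir(path))
    return {"hidden": hidden, "phantom": phantom}


def demo():
    """Build a constructed sample directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample names; the '$sys$' ones model cloaked files.
        for name in ("notepad.exe", "$sys$dropper.dll", "$SYS$config.dat", "readme.txt"):
            open(os.path.join(d, name), "w").close()
        return scan_directory(d)


if __name__ == "__main__":
    print(demo())  # {'hidden': ['$SYS$config.dat', '$sys$dropper.dll'], 'phantom': []}
```

The same diff applied to registry keys or running processes is how a cross-view scanner flags a rootkit without knowing its name in advance.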
