A rootkit is a program or a set of programs designed to provide privileged access to a computer system and, at the same time, to hide itself and its associated files from detection.
Historically, rootkit tools appeared on Unix-like operating systems as programs that gave an intruder the most privileged (root) access to the system. Today, rootkits exist for all popular operating systems, from Windows to Linux. Windows rootkits likewise allow an attacker to gain the most privileged access to the system.
Rootkits can be divided into kernel-mode and user-mode rootkits:
- Kernel-mode rootkits replace or modify parts of the operating system or add code to it. Rootkits of this type are usually implemented as device drivers (Windows) or loadable kernel modules (Linux). Kernel-level rootkits obtain unrestricted access to all system resources and effectively become part of the operating system. That is why kernel-mode rootkits are invisible to most anti-spyware and anti-virus applications. This is the most dangerous and hardest to remove type of rootkit. Removing a kernel-mode rootkit means operating at the lowest system level, and it must be done very carefully, because any wrong action can crash the system. Exterminate It! works successfully at this level.
- User-mode rootkits intercept and replace system calls in order to protect themselves from detection and to hide information about the intruder. On Windows, such rootkits are implemented as dynamic link libraries (DLLs).
User-mode rootkit hooking can be performed in different ways:
- DLLs (libraries with executable code) can be loaded into other processes and act on their behalf.
- Files or processes can be patched, either on disk or directly in memory.
Such rootkits can change the behavior of regular applications.
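One way to detect the in-memory patching just described, from the defender's side, is to compare each export's prologue as loaded in a process with the same bytes in the DLL file on disk: a rootkit that patches a loaded library leaves the file untouched, so the two should match. This is an added example, not Exterminate It!'s code; the export names are real Windows functions, but the prologue bytes, syscall numbers and detour addresses are constructed.

```python
"""Detect user-mode in-memory patching by comparing function prologues with the
on-disk DLL image (constructed example, not Exterminate It! code)."""
from dataclasses import dataclass

# First bytes of common detour sequences that replace a hooked prologue (x86-64).
DETOUR_PATTERNS = {
    "jmp rel32": b"\xe9",
    "jmp [rip+disp32]": b"\xff\x25",
    "mov rax, imm64; jmp rax": b"\x48\xb8",
}

@dataclass
class HookReport:
    export: str
    hooked: bool
    reason: str

def compare_prologue(export: str, disk: bytes, mem: bytes) -> HookReport:
    """A rootkit that patches a loaded DLL leaves the file on disk untouched, so the
    in-memory prologue should equal the on-disk bytes exactly. In real use, skip bytes
    covered by base relocations and treat a mismatch as a lead to investigate:
    legitimate AV and compatibility shims hook the same functions."""
    if disk == mem:
        return HookReport(export, False, "in-memory prologue matches disk image")
    for label, prefix in DETOUR_PATTERNS.items():
        if mem.startswith(prefix):
            return HookReport(export, True, f"prologue replaced with {label}")
    return HookReport(export, True, "prologue differs from disk image (unknown patch)")

def scan_exports(disk: dict[str, bytes], mem: dict[str, bytes]) -> list[HookReport]:
    """Compare every export read from disk with the copy read from process memory."""
    return [compare_prologue(n, disk[n], mem.get(n, b"")) for n in sorted(disk)]

# Constructed sample data: 8-byte prologues of three exports as they appear in the
# DLL file (mov r10, rcx; mov eax, <syscall number>) and as read from a running
# process. The syscall numbers are made up.
DISK_PROLOGUES = {
    "NtQueryDirectoryFile": b"\x4c\x8b\xd1\xb8\x35\x00\x00\x00",
    "NtQuerySystemInformation": b"\x4c\x8b\xd1\xb8\x36\x00\x00\x00",
    "NtReadFile": b"\x4c\x8b\xd1\xb8\x06\x00\x00\x00",
}
MEMORY_PROLOGUES = {
    "NtQueryDirectoryFile": b"\xe9\x10\x20\x30\x40\x00\x00\x00",      # detoured: jmp rel32
    "NtQuerySystemInformation": b"\xff\x25\x00\x10\x00\x00\x00\x00",  # detoured: jmp [rip+disp32]
    "NtReadFile": b"\x4c\x8b\xd1\xb8\x06\x00\x00\x00",                # untouched
}

if __name__ == "__main__":
    for r in scan_exports(DISK_PROLOGUES, MEMORY_PROLOGUES):
        print(f"{r.export:26} {'HOOKED' if r.hooked else 'clean':6} {r.reason}")
```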
Rootkits differ from other malicious software in their function. The main functions of a rootkit are to maintain control over the infected computer system, to hide itself and associated malware files, and to provide access for the intruder.
A rootkit does not infect other programs like a virus, and it does not spread over the local network like a worm. It hides from detection software and keeps the “doors open” for a malefactor, who can use the infected system for malicious actions such as sending spam, launching DDoS attacks, stealing information, and so on. However, a worm spreading over a local area network, or a trojan disguised as legitimate software, may install a rootkit on the infected computer. Recent infections sometimes use a combined approach: a trojan installs the rootkit, and afterwards the rootkit protects other trojans downloaded from the Internet.
Technically, rootkit software is very complex. It can be developed only by highly qualified specialists, because a bug in such software (especially in a kernel-mode rootkit) may crash the whole system and leave it useless for the malefactor's purposes. A rootkit must also effectively resist modern anti-malware scanners.
Due to their nature, rootkits are very hard to detect and even harder to remove. In some complex cases only reinstalling the operating system helps. But all is not so bad: some anti-malware applications have already implemented anti-rootkit functionality, and Exterminate It! is one of them.
Exterminate It! provides rootkit unhooking, direct disk scanning and removal techniques that work in most cases. Custom solutions can also be provided for difficult rootkit infections, so you won't be left alone in the face of a rootkit infection.
Note that this functionality is in beta now, but you can already turn it on from the Exterminate It! Options page. Anti-rootkit functionality is available in activated copies of Exterminate It! only.