June 11, 2010, 5:19 PM — Most malware is like a leech on your computer's software. But a rootkit can turn your computer's very operating system against you.
If you're a smart Windows user, you probably already know the basics of protecting your computer from malware. That is to say, you know you need to keep your computer updated with regular patches and to install and keep updated an anti-virus program. That still isn't enough, since Windows is inherently unsafe, but it's reasonably secure. Isn't it? Well, no. You see, there's one kind of malware, the rootkit, that turns your operating system into a zombie and turns off any patches or updates that might threaten it.
Rootkits didn't start with Windows. As the name indicates, they actually date back to Unix. There, the top-level operating system administrator has the user name 'root.' As root, or super-user, the administrator has far more power over the computer than any ordinary user. As the saying goes in Unix and Linux circles, "To err is human, to really foul up requires the root password."
While rootkit problems still exist in Unix and Linux, they're far more common in Windows. That's in part because the Unix operating system family has many built-in system monitoring and logging tools. In other words, while Unix and Linux can be attacked this way, it's a lot harder to pull off without leaving tracks.
Windows, especially desktop Windows like XP and 7, is far easier to infect with a rootkit. And, once infected, your system no longer really belongs to you. It belongs to your attacker.
That's because a rootkit isn't about cracking your security and breaking into your PC. No, rootkits are placed in your computer after it's already been compromised in some other way. Once there, unless you go looking for them, you may never find them. And, even if you look for them they can be hard to see.
As Ryan Smith, principal researcher for Accuvant Labs, a security consulting business, said, "Rootkits are tools that attackers use to hide their presence on compromised systems. Originally they started off as replacements for system programs that might show traces of an attacker. These replacements had additional code added into them to prevent the legitimate system owners from seeing these traces an attacker leaves behind."
The reason why they're so hard to find is that, Smith explained, "Software has continued to evolve to meet the needs of rootkit detection by staying up-to-date with the latest trends. Rootkits have continued to evolve by delving deeper into the system. The trend went from modifications of system programs, to modifications of the kernel, all the way to modifications of the system BIOS and leveraging processor virtualization features."
I'm sure you get the picture. An ordinary anti-virus program, if it isn't simply turned off or told to ignore the rootkit, isn't going to dig around your PC's BIOS looking for trouble.
Once in place, a rootkit gives remote attackers administrative access to the compromised machine via a network back-door. They can do anything they want to your machine: look through your hard drive, set up or delete user accounts, add, delete, or modify files, or wreck your PC. Attackers who use rootkits aren't likely to do any of those things, though. No, your PC is more valuable to them as a soldier in an Internet-connected botnet army.
The one thing that a rootkit is likely to do directly to you is to install updated versions of itself. Or, perhaps install more malware. I know, I know, you really didn't want to hear that, but it's the truth.
Detecting the Rootkit
So, how do you know if you have one? Some of the most common signs are unexplained network activity or system slowdowns. Let's be frank, though: it's not going to be easy. For example, most ordinary firewall programs or devices, which can stop most unauthorized network activity, would never spot Hacker Defender. That old "kernel mode" rootkit, which manipulates data as it passes to and from Windows' core programs, communicates with its master by piggybacking on commonly used TCP ports such as 135, which is normally used for a variety of client/server applications.
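The "unexplained network activity" sign above can be made concrete. The following is an added example, not code from the article or from any product it mentions: it reads a constructed, invented connection log in a simple "timestamp proto src -> dst state" format (an assumed format, not a real firewall's) and flags connections that use a LAN-only Windows service port such as TCP 135 to talk to a public address, which is the pattern a rootkit piggybacking on port 135 would produce. The RFC 1918 ranges are listed explicitly rather than via `ipaddress.is_private`, because that property also treats the documentation ranges used for the sample addresses as private.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (invented for this example, not captured from a real system).
# Format assumed here: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <state>"
SAMPLE_LOG = """\
2010-06-11 17:19:02 TCP 192.168.1.20:49152 -> 192.168.1.5:135 ESTABLISHED
2010-06-11 17:19:05 TCP 192.168.1.20:49153 -> 192.168.1.5:445 ESTABLISHED
2010-06-11 17:19:09 TCP 192.168.1.20:49154 -> 198.51.100.23:80 ESTABLISHED
2010-06-11 17:19:31 TCP 192.168.1.20:49155 -> 203.0.113.7:135 ESTABLISHED
2010-06-11 17:20:02 TCP 192.168.1.20:49156 -> 203.0.113.7:135 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>\S+)$"
)

# Windows RPC endpoint mapper (135), NetBIOS session (139) and SMB (445) are only
# expected between hosts on the local network; seeing them cross to the Internet
# is the kind of "unexplained network activity" worth investigating.
LAN_ONLY_PORTS = {135, 139, 445}

# RFC 1918 private ranges plus loopback, listed explicitly so that the
# documentation addresses used in SAMPLE_LOG count as "public".
LOCAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_local(addr: str) -> bool:
    """True if the address falls inside one of the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)


def find_suspicious(log_text: str) -> List[Alert]:
    """Flag LAN-only service ports (e.g. TCP 135) used toward non-local addresses."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and rec["dport"] in LAN_ONLY_PORTS and not is_local(rec["dst"]):
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                                "LAN-only service port used toward a public address"))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

On the sample log, the two connections to 203.0.113.7:135 are reported and the ordinary web connection on port 80 is not; a single hit is worth a look, while repeated hits to the same external host at regular intervals look like beaconing. A firewall that simply permits port 135 sees nothing unusual here, which is the point the paragraph makes.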
A better way of addressing the problem is simply to assume that if you've ever had a security problem with your PC, or with a PC on the same network, there's a good chance you have one. Lucky you.
There are three basic ways of hunting down rootkits. There are:
Signature-based detection: These work like old-style Windows anti-virus and malware detectors.
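To show what "old-style" signature matching amounts to, here is an added example, not code from the article or from any anti-rootkit product: a minimal signature scanner that checks constructed byte strings (invented for this example, not real malware samples) against two kinds of signature, an exact SHA-256 file hash and a distinctive byte pattern. The signature names and the `HIDE_PROCESS_v1` marker are made up for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: Optional[bytes] = None   # byte sequence expected somewhere in the file
    sha256: Optional[str] = None      # or an exact whole-file hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files": invented byte strings, not real executables or malware.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 12 + b"HIDE_PROCESS_v1" + b"\x00" * 8
VARIANT = KNOWN_BAD.replace(b"_v1", b"_v2")   # a re-built variant with a changed marker
CLEAN = b"MZ\x90\x00" + b"\x00" * 12 + b"hello world" + b"\x00" * 8

# A hypothetical signature database: one hash entry and one byte-pattern entry.
SIGNATURES = [
    Signature("Example.Rootkit.A (hash)", sha256=sha256_hex(KNOWN_BAD)),
    Signature("Example.Rootkit.A (string)", pattern=b"HIDE_PROCESS_v1"),
]


def scan(data: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of every signature that matches the given file contents."""
    hits = []
    digest = sha256_hex(data)
    for sig in signatures:
        if sig.sha256 is not None and digest == sig.sha256:
            hits.append(sig.name)
        elif sig.pattern is not None and sig.pattern in data:
            hits.append(sig.name)
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a mapping of file name -> contents; files with no hits map to an empty list."""
    return {name: scan(content) for name, content in files.items()}


if __name__ == "__main__":
    results = scan_files({"known.bin": KNOWN_BAD, "variant.bin": VARIANT, "clean.bin": CLEAN})
    for name, hits in results.items():
        print(f"{name}: {hits or 'no match'}")
```

Both signatures fire on the known sample and neither fires on the variant, even though the variant differs by a single byte, which is why a signature database is only as good as its last update. A second limit follows from the article's description of kernel-mode rootkits: a scanner like this trusts the bytes the operating system hands it, so a rootkit that filters file reads can simply serve it clean data.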