What Is a Rootkit?

Category: Security

Rootkit... the name sounds innocent enough. Kinda like something your Grandma would use in her garden. Actually, rootkits are a particularly nasty form of malware, created to wreak havoc on computers.

Rootkits: A Silent Enemy

Most computer users today are aware of viruses sent in deceptive emails or spyware that creeps in while web browsing. Rootkits, however, are more sinister. Because of their ability to hide deep in the operating system, rootkits are hard to detect and remove. Although a rootkit may not cause damage by itself when installed, it is often piggy-backed with additional code written for the purpose of taking control of a computer, or spying on the user and reporting activities back to the rootkit creator. In short, a rootkit is a software tool (or a set of programs) designed to conceal files, data or active processes from the operating system.

One very widely publicized example of a rootkit was Sony's Extended Copy Protection (XCP) software that was included on 50 music CDs. This XCP software was automatically installed when customers played the CD on a computer, and although it was intended as a copyright protection measure, it had flaws that affected the way Windows plays CDs, and opened up security holes that could allow viruses or spyware to enter a system. It was described by many people as a rootkit because it was installed in a surreptitious manner, it modified Windows operating system files, and was designed to hide itself so as to avoid detection.

No Longer Just a Unix Problem

In the Unix world, the term rootkit (or "root kit") has been used to refer to a set (or kit) of common Unix commands that have been modified to do something sneaky or malicious in addition to their normal function. They display the correct output or perform the intended function, while operating in a "root" (administrator) capacity, so they are difficult to detect. Although most rootkits are malicious or surreptitious in nature, not all are hostile. One example of a rootkit used for a good purpose is the Alcohol 120% software, which emulates disk drives.

Rootkits were once limited to the Unix world, but their writers are increasingly targeting Windows-based computers. These attackers often take advantage of unsecured ports on a computer. A port is essentially a door that allows specific types of network traffic to flow in or out of a computer. Businesses have firewalls in place to block unauthorized entry to certain ports. But many home users do not have firewalls, and so are especially susceptible to rootkit ravages.

How Do I Know I've been "Rootkit-ed"?

This is the tricky part. It's often hard to detect a rootkit attack, even for the pros, because of their ability to hide themselves on a system. Even anti-virus software may not be able to detect some clever rootkit components, because they have the same name and file size as Windows operating system files. Rootkits can be delivered via e-mail attachments, through unsafe web sites (often sites that allow file sharing), or they can sneak in with music or software being copied from a CD-ROM.

Usually diagnosis is made by symptoms, rather than by the presence of specific files. Some signs that a computer has been infected by a rootkit include: extremely slow performance, hard drive space rapidly decreasing, unexplained high CPU activity, programs opening on their own without user input, crashing of anti-virus software, and system freezes.
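The two rootkit behaviors described above (a system command replaced by a look-alike copy that keeps the same name and file size, and files hidden from the normal directory view) can both be checked for from the defender's side. The script below is an added example written for this article; it is not code from the article or from any of the products it names. It assumes a POSIX `ls` on the PATH for the live cross-view check and uses a throwaway directory for the baseline demonstration.

```python
"""Defender-side checks for two rootkit behaviors described in the article:
(1) a file-integrity baseline that catches a command replaced by a trojaned
    copy, even one padded to the original size, and
(2) a cross-view diff that flags names seen by a direct directory enumeration
    but missing from the output of the `ls` command.
Added example; not code from the article or from any tool it mentions."""
import hashlib
import os
import subprocess
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and mode for each existing file; paths that are not
    regular files are skipped. Take this snapshot from a known-clean state and
    keep it off the machine, otherwise a rootkit can rewrite it too."""
    baseline = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            baseline[str(p)] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def verify_baseline(baseline):
    """Return {path: reason} for every recorded file that no longer matches.
    A hash mismatch with an unchanged size is the classic trojaned-binary
    signature: same name, same size, different contents."""
    findings = {}
    for path, rec in baseline.items():
        p = Path(path)
        if not p.is_file():
            findings[path] = "missing"
            continue
        st = p.stat()
        if sha256_file(p) != rec["sha256"]:
            if st.st_size == rec["size"]:
                findings[path] = "content changed (same size)"
            else:
                findings[path] = "content changed"
        elif st.st_mode != rec["mode"]:
            findings[path] = "permissions changed"
    return findings


def hidden_entries(high_level_view, low_level_view):
    """Names present in the low-level view but absent from the high-level one."""
    return sorted(set(low_level_view) - set(high_level_view))


def cross_view_listing(directory):
    """Compare what the `ls` command reports for a directory against a direct
    os.scandir() enumeration of the same directory. A user-mode rootkit that
    swaps in a modified `ls` to hide its files shows up as names that only the
    scandir view contains. Assumes a POSIX `ls` is available on the PATH."""
    out = subprocess.run(
        ["ls", "-A1", directory], capture_output=True, text=True, check=True
    ).stdout
    ls_view = [line for line in out.splitlines() if line]
    scandir_view = [entry.name for entry in os.scandir(directory)]
    return hidden_entries(ls_view, scandir_view)


if __name__ == "__main__":
    # Demonstration on a constructed directory rather than real system binaries.
    import tempfile

    work = Path(tempfile.mkdtemp())
    fake_ls = work / "ls"
    fake_ls.write_bytes(b"original")          # stand-in for a clean binary
    snapshot = build_baseline([fake_ls])
    print("clean:", verify_baseline(snapshot))  # -> {}
    fake_ls.write_bytes(b"trojaned")          # same length, different bytes
    print("after swap:", verify_baseline(snapshot))
    print("hidden from ls:", cross_view_listing(str(work)))
```

The cross-view check only catches rootkits that work by replacing user-mode tools; a kernel-mode rootkit that hooks the directory-listing system call lies to `ls` and to `os.scandir()` alike, which is why dedicated detectors compare the operating system's answer against data read outside that API, such as raw disk structures, and why the integrity baseline must be collected and stored while the machine is still trustworthy.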

Protect Yourself from Rootkits and Other Threats

The time-tested advice for protecting yourself against rootkits applies to any other type of computer threat. Do not open suspicious email, even from an address you recognize. Don't download software from file-sharing sites or other bad neighborhoods. Don't ignore Windows Update warnings, and keep your anti-virus and anti-spyware software updated. If you need help with this, see my article on free anti-spyware or anti-virus software.

It's not a bad idea either to use a firewall on your home PC. Windows XP Service Pack 2 and Windows Vista come bundled with firewall protection. A firewall will help to secure your machine against viruses, spyware and rootkits, but a third-party firewall solution will offer more robust protection. For more information on what kind of firewall you should use, see Do I Need a Firewall?

If You Think You've Already Got a Rootkit...

There are several tools available that are designed to ferret out and rid your system of rootkits. One such tool is Rootkit Revealer, Microsoft's utility to discover rootkits on a PC. This tool helps to discover them, but you'll need to investigate the specific rootkit to find out how to get rid of it. Sophos, a respected software security firm, also has a rootkit detection and remover program available as a free download. And there's Blacklight, another popular free rootkit detection and removal tool.

These utilities are not 100% guaranteed. Because of the stealthy nature of rootkit programs, it is possible that even rootkit removal programs will not detect the most well-hidden rootkits. But they're a good starting point if you feel that your computer has been compromised. The more aware you are as an end user, the less vulnerable you will be to computer threats.

Posted by Bob Rankin on May 9, 2007 07:39 PM

Most recent comments on "What Is a Rootkit?"

Posted by:
Maree
06 Jul 2007

I'm still looking for a program to scan against the rootkits. So far, I tried your first-listed one -- Sophos -- and they ::require:: company name, size, number of users and market sector, in the registration form. I have no company details to provide.

However, the article on rootkits is great, as are at least most articles you've been publishing in your newsletter and on the web (I'm a long-time subscriber). I do understand them much better now. Golly, the picture alone paints a thousand words!

EDITOR'S NOTE: Just give your personal details, if you're not a company. Or make it up. :-)


Posted by:
BGraham
27 Sep 2007

I think it would be MORE helpful to your readers, and riders, if you noted that all the links to the rootkit killers are for Windoze only....and AGAIN, you ignore your Mac readers. If Windows is so full of holes, and needs all varieties of anti-spyware, anti-virus, and root-kit solvers, then why support it? Come on over to the Light side.


Posted by:
onlocash@yahoo.com
04 Nov 2007

Hi great site

Your Microsoft Rootkit revealer is pointing here
http://askbobrankin.com/www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

as opposed to here
www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

EDITOR'S NOTE: Good catch, I fixed the link.


Posted by:
morris
24 May 2008

I am using AVG Anti-Rootkit and it keeps finding a different one every time I start my computer. I keep removing them and a different one is back. It is always in the sys32/drivers file. But the Sophos finds nothing. Is there a problem somewhere?

EDITOR'S NOTE: Sounds like there is. What are the names of the suspect files that AVG is reporting?


Posted by:
Mark
06 Aug 2008

Can rootkits, viruses, malware, etc. be unleashed (activated) by simply opening an e-mail message? Can they be embedded in the message, not the attachment?

EDITOR'S NOTE: There was a time when this was true (most notably with MS Outlook Express), several years ago. But as far as I know, these holes have been patched. If you keep current on your security patches and system updates, this should not be a problem.


Copyright © 2005 - Bob Rankin - All Rights Reserved