Rootkit
What is a Rootkit?
A rootkit is a set of software applications intended to conceal running processes, files or system data from the operating system. In recent years, rootkits have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.
The term rootkit is also used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Different Types of Rootkit
Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that have no persistent code and therefore do not survive a reboot.
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration.
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
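Both detection approaches above rely on a cross-view comparison: one enumeration taken through the API a rootkit is likely to hook, and a second taken through a lower-level path that does not depend on the same list. The following Python is an added example, not code from the original article. It assumes a Linux-style /proc (the analogue of comparing a Windows process enumeration with per-PID handle opens): the high-level view is readdir on /proc, the low-level view is a kill(pid, 0) probe of every PID, and non-leader threads, which answer kill() but are omitted by readdir, are the main false-positive source it has to handle.

```python
import os

def find_hidden(visible_before, probed_alive, visible_after):
    """Cross-view check: a PID that answers a direct probe but appears in neither
    enumeration snapshot is a hidden-process candidate. Two snapshots bracket the
    probe so processes that start or exit during it are not reported."""
    return sorted(probed_alive - visible_before - visible_after)

def list_proc_pids():
    """High-level view: the process list as ps, top or a hooked API report it."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pid_exists(pid):
    """Low-level view: kill() with signal 0 checks existence and sends nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists but belongs to another user
    return True

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if unreadable. A non-leader thread's
    status file opens even though readdir hides it, which tells it from a process."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def still_suspicious(pid):
    """Drop threads of visible processes and candidates that exited mid-scan."""
    tgid = thread_group_id(pid)
    return tgid == pid if tgid is not None else pid_exists(pid)

def scan_live(max_pid=None):
    """Run the comparison on this host; assumes a Linux-style /proc."""
    if not os.path.isdir("/proc"):
        return []
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = list_proc_pids()
    alive = {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}
    after = list_proc_pids()
    return [pid for pid in find_hidden(before, alive, after) if still_suspicious(pid)]
```

A PID reported by scan_live() is one the kernel acknowledges but the directory listing does not show; on a clean host the result is an empty list.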
Comparison with virus, worm and trojan
The key distinction between a computer virus and a rootkit relates to propagation. Like a rootkit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).
In the case of the rootkit the payload may attempt to maintain the integrity of the rootkit (the compromise to the system) --- for example, every time one runs the rootkit's command it may check the system to ensure that it is still compromised, re-infecting it as necessary. The rest of the payload is there to ensure that the intruder can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs.
A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general, a rootkit limits itself to maintaining control of one system.
A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the intruder through some sort of covert channel).
Of course there are hybrids. A worm can install a rootkit, and a rootkit might include copies of one or more worms, packet sniffers or port scanners. Also, many of the e-mail worms are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated.
