The presence of a rootkit on a network was first documented in the early 1990s. At that time, SunOS and other UNIX systems were the primary targets for an attacker looking to install a rootkit. Today, rootkits exist for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.
In 2005, Sony BMG music CDs surreptitiously installed a rootkit on Microsoft Windows PCs when the CD was played on the computer. Sony made no mention of this on the CD or its packaging, referring only to digital rights management measures. The software was installed automatically when customers tried to play the CDs. It interfered with the normal way in which the Windows or Mac OS operating systems play CDs, opened security holes that allowed viruses to break in, and caused other problems. The scandal drew greater public attention to the use of commercially-backed spyware. In January 2006, Symantec Corp. admitted to using a rootkit-type feature in Norton SystemWorks that could provide a perfect hiding place for attackers to place malicious files on computers. The anti-virus vendor acknowledged that it was hiding a directory from the Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, shipped a SystemWorks update to eliminate the risk.
What they do
Currently rootkits use two methods to mask themselves: modifying execution paths (hooking the API or system-call code that other programs rely on, so that results are filtered before they are returned) or modifying the data structures the operating system keeps (removing an entry from the kernel's list of processes or loaded modules, for instance). Using these methods, a rootkit hides network activity, registry keys, memory regions and everything else that could alert a user to the presence of a malicious program on the system. Although a rootkit's purpose is to hide files, network connections, memory addresses or registry entries from other programs, it is usually bundled with other components that have purposes of their own. For example, a rootkit may hide tools used to abuse a system, such as sniffers and keyloggers. Another use is to turn the compromised computer into a staging ground for further abuse, so that the compromised system appears to be the attacker. A major use of rootkits is to let the attacker see and capture user names and login information.
Like Trojan horse programs, rootkits get onto a PC by exploiting flaws in its network-facing software or by riding along with e-mail attachments or downloaded programs. Then they open back doors for their remote masters, who may be looking for credit card numbers or similar data. But unlike standard Trojan horses, rootkits infiltrate the operating system at a deeper level, using their elevated privileges to hide themselves more thoroughly.
Detection
Like detecting viruses and worms, trapping rootkits is a cat-and-mouse game. Shortly after F-Secure released Blacklight, the author of a rootkit called Hacker Defender posted a video demonstrating a new version of his rootkit defeating Blacklight and several other defensive tools, including RootkitRevealer.
The basic problem with detecting a rootkit from within an operating system is that the operating system itself cannot be trusted. In other words, actions such as requesting a list of processes or files cannot be trusted, because the rootkit filters the results to suit its purposes. Detectors therefore compare two views of the same information: one gathered through the normal API, and one gathered by a route the rootkit is less likely to have intercepted (a raw read of the disk or registry hive, or a direct query to the kernel for each object). Anything present in the second view but absent from the first has been hidden.
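The following is an added example, not code from the original article, showing the cross-view idea in working form for the first of the two hiding methods described above (a hooked execution path). A rootkit that hooks the directory-listing path used by tools such as ps filters the entries of /proc, but asking the kernel about each pid directly with kill(pid, 0) takes a different route that such hooks usually leave alone; the difference between the two views is the set of hidden processes. Every function name here is this example's own choice, and it is Linux-only: on Windows, os.kill terminates the target process regardless of the signal number, so the probe refuses to run there. A rootkit that instead unlinks its task from the kernel's own process list can hide from kill() too, in which case the independent view has to come from outside the running kernel (a memory image, or the disk examined offline).

```python
"""Cross-view detection of hidden processes on Linux (added example,
not from the original article).  Compares pids visible by listing /proc
with pids found by probing every possible pid through kill(pid, 0)."""
import os
import sys


def pids_from_proc(proc="/proc"):
    """The API view: pids reported by listing /proc (readdir/getdents),
    which is exactly what a hooking rootkit filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_max(proc="/proc"):
    """Upper bound for the probe; fall back to the classic default
    when /proc/sys/kernel/pid_max cannot be read."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def pids_by_probing(limit):
    """The independent view: kill(pid, 0) delivers no signal but succeeds
    (or fails with EPERM) for every live task, listed or not."""
    if not sys.platform.startswith("linux"):
        # On Windows os.kill() calls TerminateProcess, so probing there
        # would kill every process it touched.
        raise RuntimeError("kill(pid, 0) probing is Linux-only")
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:      # ESRCH: no task with this id
            continue
        except PermissionError:         # EPERM: exists, but not ours to signal
            pass
        found.add(pid)
    return found


def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status.  kill() also answers for
    thread ids, which /proc never lists as directory entries, so threads of
    a visible process must not be reported as hidden.  None if unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def cross_view_diff(listed, probed, tgid_lookup):
    """Pids present in the probe view but absent from the listed view.
    A pid whose thread-group leader is listed is just a thread; a pid whose
    status cannot be read stays flagged, since a kernel rootkit may be
    blocking that path as well."""
    hidden = []
    for pid in sorted(probed - listed):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            continue
        hidden.append(pid)
    return hidden


def find_hidden_pids(proc="/proc", passes=2):
    """Repeat the comparison and keep only pids flagged every time, so that
    processes starting or exiting between the two views (an unavoidable
    race) do not show up as false positives."""
    result = None
    for _ in range(passes):
        listed = pids_from_proc(proc)
        probed = pids_by_probing(pid_max(proc))
        flagged = set(cross_view_diff(listed, probed, lambda p: tgid_of(p, proc)))
        result = flagged if result is None else result & flagged
    return sorted(result)


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden pids:", hidden if hidden else "none")
```

On a system with a large pid_max (4194304 is common) each pass issues millions of kill() calls and takes several seconds; that is the price of not trusting the directory listing. A pid reported by this script deserves a look at /proc/<pid>/status, /proc/<pid>/exe and the network sockets it owns before anything is killed, because the same discrepancy can be produced by a process that is merely short-lived.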
There are several scanners or detectors available nowadays to detect rootkits. Hook Explorer for Windows XP and BlackLight (http://www.f-secure.com/blacklight/) are free utilities to identify rootkits. Rkdetector (http://www.rkdetector.com/) and RootkitRevealer (originally from Sysinternals, now owned by Microsoft; a copy can be downloaded at http://www.softpedia.com/get/Antivirus/RootkitRevealer.shtml) are also good utilities. Others, mostly for Linux and UNIX systems, are Saint Jude, chkrootkit, RkScan, Carbonite, Kstat, Rootkit Hunter, Tripwire and Samhain.
All methods for detecting active rootkits depend on the fact that a rootkit disrupts system functioning in one way or another, and the detector looks for the discrepancies that disruption leaves behind. Kaspersky Lab products exploit this, which also lets them detect previously unknown rootkits.
Using such products requires considerable expertise, and users should properly investigate all data these programs report before taking any action: a legitimate driver, or a security product that hides its own files as Symantec's did, can produce the same kind of discrepancy as a rootkit.
Removal
Removing a rootkit presents two quite separate problems. The first is removal of the rootkit itself. The second is removal of the malware that the rootkit was stealthing. Because rootkits work by changing the Windows operating system itself, it may not be possible to remove the rootkit without leaving Windows unstable or non-functional. Restoring your drive from a drive image is another possibility, provided you are sure the image was created before the rootkit infection and that your imaging program also restores the boot sector of the disk.
Avoiding Rootkit Infection
Because kernel rootkits meddle with the operating system itself, they require full Administrator rights to install. Hence the risk of infection can be reduced by running Windows from an account with lesser privileges, but many find this impractical since administrator privileges are needed to install programs and work efficiently. Note that a user-mode rootkit that only hooks the APIs inside the infected user's own processes does not need those rights, so running with least privilege limits the damage rather than eliminating it. Using security tools like Process Guard or Anti Hook may help. Both programs prevent rootkits from establishing their hooks.
Some experts say that once you have been infected by a rootkit, your only safe alternative is to erase the system and start all over again.
Published by Samir
Poet, network administrator and one-time pharmacist. Born and raised in India, travelled over Europe and now living in the USA.