how can we detect a root kit?
A rootkit is a set of software tools that, when installed on a computer, provides remote access to resources, files and system information without the owner’s knowledge. Law enforcement and parental “nanny programs” utilize various types of rootkits to secretly monitor activity on computers for surveillance purposes, but malicious hackers can also install rootkits on the computers of unsuspecting victims.
The word “rootkit” comes from the UNIX™ operating system (OS) that was prevalent prior to Microsoft™ Windows™. Linux and Berkeley Software Distribution (BSD) are derivatives of UNIX. The “root” level of a UNIX system is akin to Windows’ administrator privileges. The remote-control software bundle was referred to as a “kit,” giving us “rootkit,” sometimes written as “root kit.”
Rootkits have been creating a buzz since the early 1990s. The rootkits that attack Windows™ machines embed themselves in the kernel of the OS. From there the rootkit can modify the operating system itself and intercept system calls (the requests programs make to the OS for information), providing false answers to disguise the presence of the rootkit. Since the rootkit hides its processes from the operating system and system logs, it is difficult to detect.
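Because a kernel rootkit lies to the high-level interfaces that process listers rely on, anti-rootkit scanners typically compare two views of the same system and flag whatever appears in the lower-level view but not the higher-level one. The script below is an added example of that cross-view check (not code from the original article); the sample listings are constructed, the Linux probe functions are the author's own choice of views, and the whole approach is only a heuristic: a rootkit that hooks both paths evades it, and normal process churn between the two snapshots can produce false hits, so a persistent difference across repeated runs is what matters.

```python
"""Cross-view rootkit detection heuristic (added example).
A high-level view (what a hooked listing API reports) is compared with a
low-level view (a direct probe of every PID).  Entries the low-level view
sees but the high-level view omits are candidates for a hidden process."""
import os


def hidden_entries(high_level_view, low_level_view):
    """Return identifiers present in the low-level view but absent from
    the high-level one, sorted for stable output.  Dicts are compared by
    key, so both plain PID lists and {pid: name} maps are accepted."""
    return sorted(set(low_level_view) - set(high_level_view))


def listed_pids_linux():
    """High-level view on Linux: PIDs as reported by the /proc directory
    listing, the source most process listers (ps, top) read."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def probe_pids_linux():
    """Low-level view on Linux: ask the kernel about every PID with
    kill(pid, 0), which delivers no signal and only reports existence.
    Does not depend on readdir() of /proc, so it is a second opinion."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    except OSError:
        pid_max = 32768  # assumed fallback when pid_max is unreadable
    alive = []
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.append(pid)
        except ProcessLookupError:
            continue           # no such process
        except PermissionError:
            alive.append(pid)  # exists, but owned by another user
    return alive


# Constructed sample: a listing from a hooked API vs. a raw probe.
SAMPLE_LISTED = {1: "init", 412: "sshd", 980: "bash"}
SAMPLE_PROBED = {1: "init", 412: "sshd", 777: "???", 980: "bash"}


def sample_report():
    """Hidden PIDs in the constructed sample (expected: [777])."""
    return hidden_entries(SAMPLE_LISTED, SAMPLE_PROBED)


if __name__ == "__main__":
    print("hidden in sample:", sample_report())
    if os.path.isdir("/proc"):  # live check, Linux only
        print("hidden on host:", hidden_entries(listed_pids_linux(), probe_pids_linux()))
```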
A malicious hacker can get a rootkit onto a computer through various means. Rootkits can be delivered in a Trojan or even tucked away in a seemingly benign file, such as a graphic or a silly program distributed through email. Victims have no way of knowing that a rootkit will be installed by clicking on the graphic or program. Rootkits can also be installed by surfing the Web. A popup window might state, for example, that a program is necessary to view the site correctly, disguising a rootkit as a legitimate plugin.
Once a rootkit is installed, the hacker can secretly communicate with the targeted computer whenever it is online. The rootkit is typically used to install more hidden programs and create “back doors” to the system. If the hacker wants information, a keylogger program can be installed. This program will secretly record everything the victim types, online and off, delivering the results to the interloper at the next opportunity. Keylogger programs can reveal usernames, passwords, credit card numbers, bank account numbers, and other sensitive data, setting up the victim for potential fraud or identity theft.
Other malicious uses for rootkits include compromising several hundred or even hundreds of thousands of computers to form a remote ‘rootkit network’ called a botnet. Botnets are used to launch Distributed Denial of Service (DDoS) attacks and to send spam, viruses and trojans to other computers. This activity, if traced back to the senders, can potentially result in legal seizure of computers from innocent owners who had no idea their computers were being used for illegal purposes.
To help guard against rootkits, experts advise that security software be kept current, including anti-virus and anti-spyware. Install hotfixes (operating system security patches) as they become available, and delete spam without opening it. When surfing the Internet, only allow trusted sites to install software, and avoid clicking on unknown banners or popups. Even a “no thanks” button can be a ploy to download a rootkit.
It is also wise to use one or more anti-rootkit software programs to scan for rootkits weekly, then back up the system. Though some rootkits can purportedly be removed safely, the general recommendation is to reformat the drive and rebuild the system to be sure the entire rootkit and all of its processes are gone. Should it come to this, a recent, clean backup will make the job much easier.