Despite the proliferation of antivirus, Trojan, worm, and spyware programs, consumers continue to be plagued by malware infections. One of the more insidious offenders is a rootkit program (sometimes called a rootkit virus). A rootkit is a bit of executable code that modifies your OS (operating system) to enable unauthorized administrator-level control of your PC. The term originates from the Unix environment, where it referred to code that could modify the standard administrative toolset with malicious intent. Unix programmers call this access level root, hence the term rootkit.

Photo caption: GMER is one of the rootkit scanners for Windows Vista that can detect and expunge some rootkits.

Anything that can commandeer your system in such a fashion has the potential to be highly destructive. Rootkits can open backdoors (an entry way into a password-protected system that bypasses the need for the password), enabling intruders to perform such behaviors as recording keystrokes, transmitting confidential files, sending spam from your email accounts, or using your PC as a bot (an automated program that controls a PC from a remote location) to attack other systems. Malware writers often bundle rootkits with other destructive pests. Because they control the system, rootkits can tweak settings to conceal the detrimental activities of other malware, as well as their own. Some virus experts have adopted the term rootkit to describe any malware that has cloaking capabilities, but we will adhere to the definition offered above.

A rootkit may sound like something only a wicked, rogue hacker would write, but rootkits have found their way into mainstream culture. In 2005, the technology world blasted Sony BMG because its digital rights management software (Extended Copy Protection, or XCP) included rootkit software. Designed to modify operating files at the core level so users could not illegally copy CDs, the software hid its presence and left users exposed to intrusion.
Some legitimate developers bundle rootkits with other software for valid purposes. However, no reputable firm should install a rootkit on your PC without your consent (a good argument for reading the license agreements you acknowledge during program installation).
Rootkit Intrusion & Detection

If you have a rootkit, chances are good you installed it yourself. Rootkits typically enter your system by piggybacking on another (often free) software installation or on other downloads offered to you through Web browsing, instant messaging, or email. Social engineering, in which individuals or companies design sites, emails, and other information sources specifically to lull the unwary into dropping their guard, is a rootkit writer's best tool.

Rootkits are becoming increasingly prevalent and sophisticated, as malware writers recognize their potential for hiding malevolent behavior. Furthermore, sites such as Rootkit (www.rootkit.com) offer freely available rootkit code, making it easier for even inexperienced malware writers to incorporate these nasties into their products. According to a 2006 report by McAfee, rootkits and other stealth components increased 900% from the first quarter of 2005 to the first quarter of 2006.

Malware writers code rootkits to avoid OS security measures by concealing processes, files, and other signs of their presence, making them hard to detect. Many rootkits modify the OS kernel (core operating files) or application files to facilitate their evil intentions. Some rootkits install at the firmware layer, the level between your hardware and software where initial booting takes place. With a rootkit in place, your PC is like a newly created vampire in an old horror movie—it has been completely subverted and cannot be trusted to tell you the truth. Rootkits modify the very processes, toolkits, and programs upon which your OS relies to operate correctly and securely.
Not only can it be difficult for virus detection programs to find running rootkits, but Windows' internal security measures—including the protections in Windows Vista—will also likely not respond to their presence.

Photo caption: Some antivirus or security software, including Panda's Internet Security ($69.95 per year; www.pandasecurity.com), tout their excellent antirootkit features.

Antivirus programs generally look for rootkits by examining signatures (traits of files) for their likelihood of being rootkits. However, malware writers have become increasingly wily, often coding rootkits to be polymorphic, which means they mutate as they move through the system, making identification much harder. Rootkit detection systems, which look for hidden behaviors, often by examining very low-level processes, perform better. But even these specialized programs cannot always find well-written rootkits that have sophisticated cloaking mechanisms in place.

Because detection can be difficult, don't assume you are rootkit-free if your security program can't find one. If your system is acting up and you can find no other solution, especially if you have recently installed free software or accepted any download from a source you cannot verify 100%, you may have an entrenched—and undetectable—rootkit. If you can pinpoint the start of the odd behavior, visit a virus news site (www.antirootkit.com is a good place to start) and see if a rootkit entered the wild around that time. For example, in January 2008, the Storm Worm hit the Internet. This email worm, which came with various endearing messages and asked recipients to download a Valentine's Day ecard, contained a rootkit component that could turn the victim's PC into a bot.
Rip Out The Root

Fortunately, there are methods for finding rootkits and blasting them into the ozone layer. First, rootkits usually cannot obscure their tracks when they are not running. If you can boot your PC from an emergency virus recovery CD and run an updated virus scanner, your chances of rootkit detection increase significantly. (The CD must have been created before you became infected.) A bootable Windows environment CD, such as the one you can create with BartPE (learn more about this at www.nu2.nu/pebuilder), works even better but requires more effort.

Unfortunately, if you detect a rootkit, you may not be successful in eradicating it, although the rootkit detectors mentioned in the Prevention Tips sidebar may help. The surest way to cleanse your operating system of a rootkit is to reinstall the OS—period. You'll also need to reinstall all programs. Rootkits won't be lurking in your data, so back up your data files before you do the clean installation. It's possible that other malevolent components could be hiding there, so after your system is clean, scan the backed-up data files for malware and then restore them. If you are confident when the rootkit invaded, you may have an easier option: restoring your existing OS to an earlier time using System Restore may help.

by Jennifer Farwell
Prevention Tips

Be safe. Don't download or install files from unknown sources. If they appear to come from a friend in an email, check with the friend first. If you must fly without a net, have your virus scanner check the attachment before you install it—and if possible, before you download it.

Copy it. If you have a clean system now, consider making a drive image that you can restore if you suspect trouble. Make a virus recovery CD now.

Take fingerprints. Some drive image programs offer fingerprinting of system files, which takes a digital snapshot that can be compared against your current system on a regular basis to look for anomalies. (This only works with clean systems.)

Expand protection. Acquire a rootkit scanner for Windows Vista. GMER (www.gmer.net) and RootkitRevealer (technet.microsoft.com/en-us/sysinternals/bb897445.aspx) are both free rootkit scanners that have gotten good reviews.
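The "Take fingerprints" tip describes file-integrity checking: hash every system file while the machine is known to be clean, keep the snapshot somewhere the machine cannot alter it, and later re-hash and compare. The following Python script is an added example written for this article, not code from the article or from any of the products it names. It builds a baseline of SHA-256 hashes for a directory tree, saves it as JSON, and reports files that were added, removed, or modified; the demo tampers with a constructed sample tree (the file names, contents, and directory layout are made up for illustration).

```python
"""Added example: a minimal file-fingerprint baseline and comparison tool.
Hash every regular file under a directory on a clean system, store the snapshot,
and later re-hash the tree and report what was added, removed, or changed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries do not load into memory at once


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(root: Path) -> dict:
    """Return {relative_posix_path: {"sha256": ..., "size": ...}} for every regular file under root.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()  # deterministic walk order makes snapshots easy to diff by eye
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return snap


def save_baseline(snap: dict, out: Path) -> None:
    """Write the snapshot as JSON. In practice store this on read-only or offline media."""
    out.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, or modified (hash differs) relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Build a constructed 'system' tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"  # constructed sample tree, not a real Windows layout
        (root / "drivers").mkdir(parents=True)
        (root / "drivers" / "disk.sys").write_bytes(b"clean driver image")
        (root / "kernel.bin").write_bytes(b"clean kernel image")

        baseline_file = Path(tmp) / "baseline.json"  # kept outside the tree being fingerprinted
        save_baseline(fingerprint(root), baseline_file)

        # Simulated tampering: an existing driver is patched and an unknown driver appears.
        (root / "drivers" / "disk.sys").write_bytes(b"patched driver image")
        (root / "drivers" / "hidden.sys").write_bytes(b"unknown driver")

        return compare(load_baseline(baseline_file), fingerprint(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats follow directly from the article's own points. The baseline is only meaningful if it was taken on a clean system, and the comparison should be run from a clean boot environment (a recovery CD or a BartPE-style disc), because a rootkit that is running can feed the hashing program a clean copy of a file it has actually modified. A hash mismatch after a legitimate update is expected, so refresh the baseline after patching.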