RootKits | What Are They?

Rootkits are programs that are used to hide the fact that a system’s security has been compromised. Rootkits must be inserted manually by an attacker and will normally replace system files and executables. The rootkit will then hide the fact that the attacker has modified files and folders, along with any other malicious software that the attacker has installed. Rootkits may also provide a backdoor login to the system, which allows attackers to log in whenever a particular login combination is entered.

The first rootkits were developed for Unix systems to allow users to maintain administrative (root) access to a system. If the user could replace some of the system’s login files, they could maintain access to the system. In order to install the rootkit, the attacker must first compromise the physical security of the system in some way.

Common rootkits are used to hide processes, files, blocks of memory, network connections or Windows registry entries from the programs a system administrator would use to detect them, such as antivirus software. The backdoor entrance generated by the rootkit allows the attacker to connect to the system and control it at any time. For example, a typical rootkit may be one that generates and maintains a command line interface with administrative privileges as soon as an attacker connects to a certain port of the computer. Rootkits also commonly conceal dangerous tools such as denial-of-service tools, sniffers and keyloggers, which can greatly compromise the integrity and privacy of the user. Virus developers have also made extensive use of rootkits to hide virus applications from the user and from antivirus programs. The hiding capabilities of rootkits may also be used to hide attempted break-ins to the computer, utility programs and system tampering.

Types of rootkits

•    Hardware/Firmware rootkits – These rootkits reside in hardware such as ROMs or in devices that use firmware, such as embedded devices. They can allow attackers to access devices such as credit card machines and ATMs and cause monetary losses.
•    Hypervisor level rootkits – This type of rootkit is designed as a hypervisor to the computer, and the operating system is loaded as a guest on a virtual machine. Thus all hardware calls made by the original operating system are handed to the hypervisor rootkit, making it very easy for it to hide attacks and to allow backdoor access.
•    Boot loader level rootkits – Boot loader rootkits, also known as bootkits, replace boot sector files and load at startup. This allows the attacker to control the operating system of the computer and extract details of all the user’s actions.
•    Kernel level rootkits – These rootkits replace files from the kernel of the operating system itself, allowing almost unlimited access to attackers. They may also replace kernel-level device drivers, giving the attacker an unprecedented level of device control as well.
•    Library level rootkits – These replace patches, hooks and system calls of the operating system, so that the library functions of the operating system can be controlled by the attacker.
•    Application level rootkits – Application level rootkits replace user application files and run along with that application, modifying its behavior.

Rootkit detection can normally be done by antivirus programs that provide rootkit detection. However, once a rootkit is found, there is no sure-fire way to remove it except by backing up all files and formatting the computer. Even though many antivirus programs provide rootkit removal for inexperienced users, system administrators tend to simply format their hard disks whenever a rootkit is detected.
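As an added illustration, not part of the original article, of how detectors catch the hidden-process case described above: a rootkit that hooks directory enumeration can remove a PID from what `ps` and `ls /proc` show, but the same PID is usually still reachable by opening `/proc/<pid>/status` directly. The script below (Linux only; all function names are my own) compares those two views and reports PIDs that are present in the probe but missing from the listing across several passes, so processes that simply exited between snapshots are not flagged.

```python
import os

PROC = "/proc"

def listed_pids(proc=PROC):
    """View 1: PIDs returned by directory enumeration (getdents), the view that ps and ls rely on."""
    try:
        return {int(n) for n in os.listdir(proc) if n.isdigit()}
    except OSError:
        return set()

def tgid_of(status_text):
    """Parse the Tgid field of a /proc/<pid>/status body; None if the field is absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def probed_pids(proc=PROC, max_pid=None):
    """View 2: open /proc/<n>/status for every candidate n, bypassing directory listing.
    Threads also have a (never listed) /proc/<tid> entry, so keep only thread-group
    leaders (Tgid == pid) or every multi-threaded process would produce false positives."""
    if max_pid is None:
        try:
            with open(f"{proc}/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as f:
                if tgid_of(f.read()) == pid:
                    found.add(pid)
        except OSError:
            continue  # no such PID, or a thread/zombie we cannot read
    return found

def confirm_hidden(listed_fn, probed_fn, passes=3):
    """Return PIDs that the probe sees but the listing omits in every pass.
    Intersecting across passes filters short-lived processes that exited mid-scan."""
    suspects = None
    for _ in range(passes):
        hidden = probed_fn() - listed_fn()
        suspects = hidden if suspects is None else suspects & hidden
    return sorted(suspects)

if __name__ == "__main__":
    # A non-empty result is a lead to investigate, not proof: a rootkit that also
    # hooks open()/stat() on /proc can defeat this particular pair of views.
    print("possibly hidden PIDs:", confirm_hidden(listed_pids, probed_pids))
```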

Time and time again, our customers ask us what we think is the best anti-virus program. Our answer to this is the one between your ears. Anti-virus programs do protect you from viruses, but they come at a heavy cost. First, they all slow your computer down by as much as 50%. Second, most of them can cost as much as $70 per year, which after several years adds up to the point that you would be money ahead if you just paid to get the virus removed. Finally, some antivirus programs can actually cause more trouble than they solve because they interfere with the system when you are installing new things on your computer such as printers and fax programs. We’ve actually had to completely re-install Windows after an antivirus interfered with the installation of a program.

If you want to prevent viruses, the first thing you can do is not download attachments from email. Many attachments come with viruses, and they are great at tricking you into installing them. You should also use Google for search instead of Yahoo. The final thing you can do is to not click on advertisements on the internet. These can often come from anyone, and they are not safe most of the time.

Now you may be thinking that we are saying don’t get an antivirus. That’s actually not the case. If you feel like you want an anti-virus, we would recommend AVG. It’s great because it doesn’t slow your computer down too badly. And best of all, it’s free!