Rootkits
What is a rootkit?
"Rootkit" is the term for software that hides the presence of an attacker or of malicious software (a backdoor, a Trojan, a keylogger) on a computer, typically by subverting the operating system or the very tools an administrator would use to look for it. Note that a rootkit is not itself necessarily counted as malicious software (malware): its job is concealment, and the damage is done by whatever it conceals. Rootkits may or may not survive a reboot, depending on whether they are memory-based (loaded into the running system and lost when it restarts) or persistent (installed somewhere that is loaded again at boot, such as a driver, a startup service or firmware).
Types of Rootkits
1. Firmware: Firmware is the term for the programs stored inside a device's own hardware (the BIOS/UEFI of the motherboard, the controller of a hard drive or network card) that control that device. A rootkit that hides in firmware is especially powerful because it lives outside the operating system and outside the hard drive: you can completely erase the drive and reinstall the operating system, and the rootkit is still exactly where it was, ready to re-infect the fresh installation.
2. Virtualized/Hypervisor: These rootkits modify the boot sequence of the machine so that they load first, as a hypervisor, and then start the original operating system on top of themselves. A hypervisor, also known as a virtual machine monitor (VMM), is software (or a hardware platform) that allows multiple operating systems to run concurrently on one host computer. By using the processor's hardware virtualization extensions, the rootkit runs the original operating system as a virtual machine: the operating system, now a guest, believes it is running directly on the hardware, while the rootkit underneath it can intercept privileged operations and hardware access, and nothing running inside the guest can see the rootkit's code.
3. Kernel-Level: These rootkits run inside the kernel itself, usually loaded as a device driver or loadable kernel module. They intercept system calls, change kernel code or data structures (for example the lists the kernel walks to enumerate processes and files), and modify the results returned to user programs. In other words, they add code to the operating system, replace portions of it, or both. Because they run with the kernel's own privileges, every user-level tool that asks the kernel what is on the system receives the rootkit's answer.
4. Library-Level: These rootkits intercept library or system calls at the user level, by patching or replacing shared libraries (DLLs on Windows, .so files on Linux) or by hooking the functions that applications call, and modify the returned results. They can be found by comparing the code libraries on disk against the originally distributed library package (for example by comparing file hashes), but this approach fails if the code is patched only in memory, or if the rootkit hands the unmodified version of the file to any utility performing a scan.
5. Application-Level: Application-level rootkits replace regular application binaries (the system's own file, process and network listing tools, for example) with backdoored or trojanized fakes, or they modify the behavior of existing applications using hooks, patches, injected code, or other means.
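As an added example that is not part of the original article, the following Python script models the interception described for kernel-level and library-level rootkits, together with the detection caveat about in-memory patching. A toy hook replaces the `os.listdir` function in memory and filters out every directory entry whose name begins with `rk_` (an assumed marker chosen for this demonstration). Hashing the module file on disk before and after the patch shows that a file-integrity check passes, because nothing on disk changed. A cross-view comparison, which lists the same directory through a second, unhooked code path (`os.scandir`), exposes the hidden entries. The sample directory contents are constructed inline; this is a model of the mechanism, not a real rootkit.

```python
import hashlib
import os
import shutil
import tempfile

# Assumption for this demo: the toy rootkit hides every name with this prefix.
HIDE_PREFIX = "rk_"

# Keep a reference to the genuine function so the hook can call it
# (a real library-level rootkit does the same with the original DLL/.so export).
_real_listdir = os.listdir


def hooked_listdir(path="."):
    """Intercept os.listdir, call the real function, then filter the result."""
    return [name for name in _real_listdir(path) if not name.startswith(HIDE_PREFIX)]


def install_hook():
    """Patch os.listdir in memory only; nothing on disk changes."""
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def hook_installed():
    return os.listdir is hooked_listdir


def sha256_of_file(path):
    """On-disk integrity check: the kind of comparison against a known-good copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def raw_listing(path):
    """A second view that does not go through os.listdir: os.scandir reads the
    directory itself, so it is unaffected by the listdir hook."""
    with os.scandir(path) as it:
        return sorted(entry.name for entry in it)


def cross_view_diff(path):
    """Names visible to the low-level view but missing from the high-level one."""
    high_level = set(os.listdir(path))   # goes through whatever os.listdir is now
    low_level = set(raw_listing(path))
    return sorted(low_level - high_level)


def build_sample_dir():
    """Constructed sample directory: two ordinary files, two 'rootkit' files."""
    d = tempfile.mkdtemp()
    for name in ("notes.txt", "rk_payload.bin", "rk_config", "report.pdf"):
        open(os.path.join(d, name), "w").close()
    return d


def demo():
    """Returns (integrity_check_passed, hidden_names_found_by_cross_view)."""
    sample = build_sample_dir()
    module_file = os.__file__            # the on-disk copy of the module we patch
    baseline = sha256_of_file(module_file)
    install_hook()
    try:
        integrity_ok = sha256_of_file(module_file) == baseline
        hidden = cross_view_diff(sample)
    finally:
        remove_hook()
        shutil.rmtree(sample)
    return integrity_ok, hidden


if __name__ == "__main__":
    ok, hidden = demo()
    print("on-disk integrity check passed:", ok)       # True: the patch was in memory only
    print("entries exposed by cross-view diff:", hidden)
```

The cross-view idea is how several rootkit detectors work in practice: ask the same question through two paths (a high-level API and a lower-level one, or the running system and an offline scan of the disk) and treat any disagreement as a sign that something between the two is lying.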
Summary
Rootkits allow a computer to be compromised on a whole new level, because they modify some of the most trusted components of the system: the very components you would rely on to tell you whether the system is compromised at all. They are very dangerous, especially considering how much damage they can do to someone who has no reason to suspect an infection.
Thank you for reading this article. If you have any suggestions or need clarification, please do not hesitate to start a thread on my forum or to send me an e-mail. There is no such thing as a stupid question, but there is such a thing as a stupid fear of asking.