Pane Relief: Rooting Around for Rootkits
Rootkit-detection tools have become a crucial part of any Windows administrator’s toolbox. Fortunately, several programs are now available to help you find rootkits on your Windows system.
Sony caused a huge flap earlier this year when it admitted to using a rootkit to hide its copy-protection features on music CDs. Not only did the program hide the copy protection, but it made it effectively impossible to remove. While Sony released a method to disable the copy protection, there’s still no good way to get rid of it.
What’s a Rootkit?
Rootkits are specialized programs that are designed to dig a hole in your system and pull the hole in after them. Their purpose in life is to infect your computer and then hide. Almost always they will hide other programs as well—ones that can damage you or your system.
Basically, rootkits work by modifying the operating system or an application to cloak themselves, and their associated cargo of malware, from the operating system and most kinds of applications. This makes them different from malware that merely uses standard Windows features such as alternate data streams (ADS) to hide, which a normal tool can still see if it looks. To take a simple example, a rootkit might tamper with the directory listing that the dir command relies on (on Windows, dir is built into cmd.exe rather than being a separate program, so the rootkit hooks the API calls that enumerate the directory, either in user mode or in the kernel), so that the listing never shows the rootkit's files or those of its payload. As someone put it on the Internet: "When you can get the dir command to lie, it's all over." To put it another way, given a sufficiently clever rootkit, your computer can be doing absolutely anything to anybody anywhere, and you'll never know it.
dir isn’t the only command affected by rootkits, nor are files the only thing they can hide. Rootkits can hide processes, logins, and log files, and may also intercept data from networks and keyboards. Rootkits can be extremely clever at hiding themselves, and they’re getting more clever all the time. An arms race is going on between rootkit writers and security programmers, and who’s ahead changes from week to week.
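The hiding described above can be probed from the other direction, and this is the principle most rootkit detectors use: get the same information two different ways and look for disagreements. The following PowerShell script is an added example, not code from the original column or from any of the tools it mentions. It takes the process list Windows reports through its normal enumeration API (Get-Process) as one view, then probes every possible process ID directly with the Win32 OpenProcess call as a second view. A PID that OpenProcess can reach but that the enumeration never mentions is a lead worth chasing. It assumes a Windows version with the PROCESS_QUERY_LIMITED_INFORMATION access right (Vista and later) and a PID range large enough for the machine being checked; both are parameters you may need to adjust.

```powershell
# Added example (not from the original column): a minimal "cross-view" process check.
# View 1: the process list Windows reports through its normal enumeration API.
# View 2: probing every candidate PID directly with OpenProcess.
# A PID reachable in view 2 but absent from view 1 is a red flag (a rootkit hooking
# process enumeration). A process that started or exited between the two views can
# also show up, so each hit is re-checked before it is reported; treat hits as leads.

Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # assumes Vista or later
$ERROR_INVALID_PARAMETER = 87                 # no process with that PID exists
$ERROR_ACCESS_DENIED = 5                      # process exists but is protected

function Test-PidReachable {
    param([uint32]$ProcessId)
    $h = [Probe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) {
        [void][Probe.Native]::CloseHandle($h)
        return $true
    }
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # Access denied still proves the PID exists; invalid parameter means it does not.
    return ($err -eq $ERROR_ACCESS_DENIED)
}

function Find-HiddenProcesses {
    # PIDs can grow beyond 65536 on busy systems; 0x100000 is an assumed ceiling.
    param([uint32]$MaxPid = 0x100000)

    # View 1: what the standard enumeration API reports right now.
    $reported = @{}
    Get-Process | ForEach-Object { $reported[[uint32]$_.Id] = $true }

    $suspects = @()
    # Windows PIDs are multiples of 4, and PID 0 is the idle pseudo-process, so start at 4.
    # ($pid is an automatic variable in PowerShell, hence the name $candidate.)
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        if ($reported.ContainsKey([uint32]$candidate)) { continue }
        if (-not (Test-PidReachable -ProcessId $candidate)) { continue }
        # Re-check against a fresh enumeration to rule out a process that just started.
        if (Get-Process -Id $candidate -ErrorAction SilentlyContinue) { continue }
        $suspects += [uint32]$candidate
    }
    return $suspects
}

$hits = Find-HiddenProcesses
if ($hits.Count -eq 0) {
    Write-Host "No process reachable by PID that the enumeration API failed to report."
} else {
    Write-Host "PIDs reachable by OpenProcess but missing from the process list:"
    $hits | ForEach-Object { Write-Host ("  {0}" -f $_) }
}
```

Run it from an elevated PowerShell prompt so OpenProcess is not refused for ordinary reasons. The check has the same limitation as every cross-view technique: a rootkit that hooks below both views (for example, in the kernel object manager rather than in the enumeration routine) will keep both views consistent and lying, which is why detectors keep adding lower-level views and why the arms race mentioned above never settles.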
By themselves, rootkits are seldom dangerous. But then you almost never find a rootkit by itself. Rootkits are designed to install and hide other software—usually malicious software that will do anything from stealing vital information to hijacking your computer. A significant portion of the spam that infests our computers is being sent by innocent PCs that have been turned into spam-spewing zombies by rootkit-protected software.
Rootkits are one computer security problem that didn't start on Windows. They owe their name to the fact that they started on UNIX, where the administrator account is known as "root." They were extensively developed on UNIX before anyone wrote rootkits to attack Windows systems.
The structure of Windows makes rootkits particularly easy to hide. Because Windows is big, proprietary, and largely monolithic, there are plenty of places for rootkits to hide. The ease of adding device drivers gives rootkit writers a built-in pathway into the operating system: a driver runs in kernel mode with the same privileges as Windows itself, so a rootkit that loads as a driver can alter what every program on the machine is allowed to see.