Rootkits! Part 1

-“This is a rootkit, not a virus.”
-“So what is the difference? What is rootkit?”

Here is the first part of the explanation:
Many years ago the word “root” became well known in the computer world.
On UNIX, the administrator account (the one with full rights and full privileges) is called the “root” account.
Rootkit malware gains those administrator privileges for the attacker, allowing him to drop or install other malicious components on the affected machine, for example:
installing backdoors, recording keystrokes, stealing passwords and any other sensitive data and sending it to the attacker, etc.
So the two parts of the word “rootkit” mean the following:
Root – administrator’s rights.
Kit – the other malicious stuff to do on the affected machine (often a set of files/programs that can do any kind of damage).
On top of that, “rootkit” implies hiding the presence and all the activities of the above.
In other words: all malicious processes of a rootkit are not only stealthy and hidden, but also have full (administrator) control of the infected system.
In addition, allow me to say: I consider rootkits the worst kind of all kinds of malware!
Not only because of the worst-case scenario for the malicious payload, but also because of the difficulty of removal once the infection is in place.

Rootkits are stealthy, so the user of an infected machine cannot see the malicious files in Windows Explorer, nor the process entries in Windows Task Manager.
Usually, after a rootkit attack, the malicious registry elements (keys and values that belong to the malicious software) are hidden from the user’s view (in regedit and other registry viewing tools).
There are also MBR rootkits: they hijack the Master Boot Record (MBR), so they start before the operating system and before the antivirus as well.
We have another blog post about this kind of rootkit:

http://www.totaldefense.com/securityblog/2011/08/26/rootkit-infection-mbr-wanted.aspx
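Because an MBR rootkit lives in the first sector of the disk rather than in a file, the defender’s check is to read that sector and compare it with a known-good copy. The following is an added example written for this post, not code from the original article or from Total Defense: it parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code and compares it against a recorded baseline. The sample sector and the “tampered” copy are constructed inline for the demonstration; on a real Windows host the 512 bytes would come from `\\.\PhysicalDrive0` (administrator rights required).

```python
import hashlib
import struct

# Standard MBR layout (the on-disk format, not specific to any rootkit)
SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot loader code run by the BIOS
PARTITION_ENTRY_SIZE = 16     # four entries occupy bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot-code hash, used partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        # status, CHS first, type, CHS last, LBA start, sector count (all little-endian)
        status, _chs_first, ptype, _chs_last, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:            # type 0x00 marks an unused slot
            continue
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sector_count": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, known_good_boot_code_sha256: str) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if mbr["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from the recorded baseline (possible MBR rootkit)")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):       # only 'inactive' or 'active' are valid
            findings.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    return findings


def baseline_for(sector: bytes) -> str:
    """Hash to record while the machine is known to be clean."""
    return parse_mbr(sector)["boot_code_sha256"]


def build_sample_mbr() -> bytes:
    """Constructed sample: minimal boot code plus one active NTFS (0x07) partition at LBA 2048."""
    boot_code = b"\xeb\xfe" + b"\x00" * (BOOT_CODE_SIZE - 2)   # 'jmp $' then padding
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    table = entry0 + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot_code + table + BOOT_SIGNATURE


def simulate_modified_boot_code(sector: bytes) -> bytes:
    """Constructed 'infected' copy for testing: one byte of boot code changed, table untouched."""
    buf = bytearray(sector)
    buf[0x20] ^= 0xff
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = baseline_for(clean)
    print("clean   :", check_mbr(clean, baseline))
    print("modified:", check_mbr(simulate_modified_boot_code(clean), baseline))
```

One caveat a practitioner should keep in mind: an MBR rootkit that is already running can filter disk reads and hand back the original sector, so the comparison is only trustworthy when the sector is read from clean boot media or with the disk attached to another machine.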

Some rootkits (that we saw in our virus lab) hook Windows DLLs, simply replacing API calls with malicious code; some do the same in the Windows kernel.
Others operate as ‘injectors’, using well-known Windows applications.
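A user-mode hook of the kind described above overwrites the first bytes of an exported API function with a jump into the rootkit’s code, so it can be detected by comparing the function bytes mapped in memory with the same bytes in the DLL file on disk. The following is an added example, not code from the original post or from Total Defense: it flags the first differing byte, decodes the usual trampoline shapes (`jmp rel32`, `push imm32; ret`, and the 64-bit `mov rax, imm64; jmp rax`) to find where the hook lands, and reports whether that target lies inside the legitimate module. The export name, addresses and module range are hypothetical, and both the clean prologue and the hooked copy are constructed inline; on a live system the two byte strings would be read with ReadProcessMemory and from the DLL file respectively.

```python
import struct

# Typical 32-bit Windows API prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,0x10.
# The two-byte 'mov edi,edi' exists so the first five bytes can be hot-patched, which is
# exactly the spot a user-mode rootkit overwrites with its inline hook.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")

# Constructed sample values (hypothetical, not taken from any real system)
MODULE_RANGE = (0x77E10000, 0x77F00000)   # image range of the DLL that owns the export
EXPORT_ADDRESS = 0x77E12340               # address of the exported function
HOOK_TARGET = 0x10002000                  # where the injected code lives, outside the module


def first_difference(in_memory: bytes, on_disk: bytes, n: int = 8) -> int:
    """Offset of the first byte that differs within the first n bytes, or -1 if they match."""
    for i in range(min(n, len(in_memory), len(on_disk))):
        if in_memory[i] != on_disk[i]:
            return i
    return -1


def decode_jump(code: bytes, address: int):
    """Recognise the trampolines inline hooks usually start with and compute their target.
    Returns (kind, target) or None when the bytes are not a known jump shape."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32 (relative to next insn)
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", address + 5 + rel)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32 ; ret
        return ("push_ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return ("mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0])   # 64-bit absolute jump
    return None


def analyze_export(name: str, address: int, in_memory: bytes, on_disk: bytes,
                   module_range: tuple) -> dict:
    """Cross-check one export: bytes mapped in memory against the same bytes in the file.
    A jump that lands outside the module's own image is the classic sign of a hook."""
    diff = first_difference(in_memory, on_disk)
    jump = decode_jump(in_memory, address) if diff != -1 else None
    lo, hi = module_range
    return {
        "export": name,
        "hooked": diff != -1,
        "diff_offset": diff,
        "jump": jump,
        "target_in_module": bool(jump) and lo <= jump[1] < hi,
    }


def build_hooked_sample() -> bytes:
    """Constructed in-memory bytes as a hook would leave them: 'jmp rel32' over the prologue."""
    rel = HOOK_TARGET - (EXPORT_ADDRESS + 5)
    return b"\xe9" + struct.pack("<i", rel) + CLEAN_PROLOGUE[5:]


if __name__ == "__main__":
    print(analyze_export("ExampleApi", EXPORT_ADDRESS, CLEAN_PROLOGUE, CLEAN_PROLOGUE, MODULE_RANGE))
    print(analyze_export("ExampleApi", EXPORT_ADDRESS, build_hooked_sample(), CLEAN_PROLOGUE, MODULE_RANGE))
```

Legitimate software (hot-patching, some security products) also places jumps in these prologues, so a difference alone is a lead, not a verdict; the target address and the module it belongs to are what separate an expected patch from an injected hook.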

To be continued…