A "rootkit" is a set of software tools intended to make it easier for a hacker to return to a system once they have gained initial access and, in addition, to gather confidential information from the compromised computer. The idea is far from new: rootkits have existed on Unix and Linux for some time. Now, however, it is the turn of Windows users to brace themselves, for the best-known operating system is the latest popular victim and, above all, the most profitable one. Virus authors and other hackers are now looking for financial gain, and the many unprotected or poorly protected PCs represent an almost inexhaustible reserve of relays (which they rent out!) for sending spam or carrying out denial-of-service attacks. For hackers, compromising tens of thousands of home computers has become much easier and much more profitable than attacking servers running Unix or Linux, of which there are far fewer.
In order to compromise PCs and, more importantly, to retain control of them, the authors of Windows malware first used Trojan horses: simple “traditional” programs that, once executed by an unwary user, give their author remote control of the infected computer. But antiviruses had no trouble detecting them, and the authors had to come up with another approach.
And so Windows rootkits appeared. These programs are small – often less than 10KB – and can easily be carried by any virus or Trojan horse. Rootkits don’t reproduce and don’t travel alone: they are merely tools that viruses, worms or even spyware carry along to help them hide. Rootkits use a particularly effective technique to achieve their ends: they position themselves between the “heart” of Windows (the kernel) and the rest of the programs. So when an ordinary program tries to inspect the contents of memory, list the running processes or explore the contents of the hard drive – for example, to check that no malicious software is present – the rootkit can intercept its requests and return whatever it wants. Generally this is an idealised picture of the system in which “everything’s fine, no malicious code is at work, the user can carry on surfing the net without a care…”, while in reality, unbeknownst to them, their PC goes on sending thousands of spam messages or infected emails every day.
Recently, malware such as certain versions of the MyFip.h and Sober.p viruses, or bot software such as Rbot, has incorporated a ready-made Windows rootkit (for example the open-source FU rootkit) or similar techniques in order to remain concealed. According to Microsoft, the FU and Ispro rootkits are now the principal malicious codes found on PCs running Windows XP.
Detecting a rootkit once it has been installed on a PC’s operating system requires special techniques. Most of them work on the same principle as the rootkits themselves: they enumerate the memory or the hard drive by several different methods, at least one of which works as close to the system as possible, and then compare the results. If some files or processes appear in the reading taken closest to the system but not in the others, there is a good chance that a rootkit is at work. Unfortunately this technique is still complex and does not yet produce entirely satisfactory results.
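The comparison described above, as an added example that is not part of the original article: a cross-view check in Python over constructed readings (the view names, the Entry record and the sample processes and files are assumptions, not real captures), which flags objects that the lowest-level reading sees but an API-based reading omits.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One object reported by an enumeration: a running process or a file."""
    kind: str   # "process" or "file"
    ident: str  # pid (as text) for a process, full path for a file
    name: str

def cross_view_diff(views, reference="raw"):
    """views[reference] is the reading taken closest to the system (raw kernel
    structures, raw disk); the other readings come through higher-level APIs
    a rootkit can intercept, and each is compared only for the kinds of object
    it enumerates. Returns (hidden, phantom): hidden maps each entry of the
    reference reading to the readings that omitted it; phantom holds entries
    an API reading reported that the reference reading never saw."""
    ref = set(views[reference])
    hidden, phantom = {}, set()
    for name, entries in views.items():
        if name == reference:
            continue
        seen = set(entries)
        kinds = {e.kind for e in seen}
        for e in ref:
            if e.kind in kinds and e not in seen:
                hidden.setdefault(e, []).append(name)
        phantom |= seen - ref
    return hidden, phantom

def report(views, reference="raw"):
    """One text line per discrepancy, for an operator to review."""
    hidden, phantom = cross_view_diff(views, reference)
    key = lambda e: (e.kind, e.ident)
    lines = [f"HIDDEN {e.kind} {e.ident} ({e.name}) missing from: {', '.join(hidden[e])}"
             for e in sorted(hidden, key=key)]
    lines += [f"PHANTOM {e.kind} {e.ident} ({e.name}) absent from {reference} reading"
              for e in sorted(phantom, key=key)]
    return lines

# Constructed sample readings, not real captures: pid 1988 and its file are
# hidden from the API-based listings but still visible in the raw reading.
SAMPLE_VIEWS = {
    "raw": [Entry("process", "4", "System"), Entry("process", "612", "svchost.exe"),
            Entry("process", "1988", "relay.exe"),
            Entry("file", r"C:\Windows\relay.exe", "relay.exe"),
            Entry("file", r"C:\Windows\notepad.exe", "notepad.exe")],
    "process_api": [Entry("process", "4", "System"), Entry("process", "612", "svchost.exe")],
    "dir_listing": [Entry("file", r"C:\Windows\notepad.exe", "notepad.exe")],
}
```

A rootkit that also intercepts the lowest-level reading goes unnoticed by this comparison, which is the limitation the paragraph notes.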
Fortunately, an antivirus is still very useful: it may have trouble detecting a rootkit once the rootkit is running, but it can easily identify one when it arrives on the system, for example inside a virus or spyware, and then stop it from executing and installing itself. So even when faced with rootkits, the solution remains the same: an up-to-date antivirus!