Rootkits: The Obscure Hacker Attack

Published: October 6, 2005

By Mike Danseglio and Tony Bailey

See other Security Tip of the Month columns

A rootkit is a special type of malware (malicious software). Rootkits are special because you don't know what they're doing. Rootkits are nearly undetectable and they're almost impossible to remove. Although detection tools are proliferating, malware developers are constantly finding new ways to cover their tracks.

A rootkit's purpose is to hide itself and other software from view. This is done to prevent a user from identifying and potentially removing an attacker's software. A rootkit can hide almost any software, including file servers, keyloggers, botnets, and remailers. Many rootkits can even hide large collections of files and thus enable an attacker to store many files on your computer invisibly.

Rootkits do not infect computers by themselves like viruses or worms do. Instead, an attacker identifies an existing vulnerability in a target system. Vulnerabilities may include an open network port, an unpatched system, or a system with a weak administrator password. After gaining access to a vulnerable system, the attacker can install a rootkit manually. This type of stealthy directed attack does not usually trigger automated network security controls such as intrusion detection systems.

Identifying rootkits can be difficult. There are several software packages that detect rootkits. These software packages fall into two categories: signature-based and behavior-based detectors. Signature-based detectors, such as most virus scanners, look for specific binary files that are known to be rootkits. Behavior-based detectors attempt to identify rootkits by looking for hidden elements, which is the primary behavior of rootkits. One popular behavior-based rootkit detector is Rootkit Revealer.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Preventing rootkits from getting onto your system is the best strategy you can use. This is done with the same defense-in-depth strategy that you should use to prevent all malware from attacking your computer. Elements of defense-in-depth include virus scanners, regular software updates, a firewall on the host and the network, and a strong password strategy.

For more information on rootkits, see the excellent webcast Rootkits in Windows.

In addition, the Microsoft Solutions for Security and Compliance (MSSC) team has produced the Antivirus Defense-in-Depth Guide, which provides an easy-to-understand overview of different types of malware, including information about the risks they pose. The guide also discusses malware characteristics, means of replication, and payloads.

You can also find other MSSC guidance on the TechNet Web site.