What are “rootkits” and how can I tell if I have them?
This question was answered on May 11, 2005. Much of the information contained herein may have changed since posting.
Anyone that surfs the Net on a regular basis knows about all of the digital “grime” that can be picked up in the form of spyware, viruses, Trojans and worms.
As if the current exploits weren’t enough of a pain to deal with, a new tool for hiding malicious software (malware) called rootkits has begun to surface.
Rootkits assault the system at a much deeper level (the root of the operating system), which allows them to use elevated security privileges to hide Trojans, worms and viruses from standard anti-virus and spyware detection programs.
Rootkits in and of themselves are not dangerous; they are basically used like Harry Potter’s “Invisibility Cloak” to hide malware from detection programs. This lethal combination has all of the same capabilities of opening up back doors and providing remote access, with one major exception: it is much harder to detect.
This type of exploitation was more common on Unix-based systems and was actually in the wild for Linux and Mac OS based systems last October. Windows-based systems are now part of the fold, which means anyone using any kind of computer with any kind of operating system can potentially be infected by a rootkit exploit.
Now that I have made it sound like Internet computing just became completely unsafe, let me put it into perspective.
For the most part, rootkits are used by spyware authors; only a few examples of actual virus code have been found. The real concern is the potential for this kind of threat.
The good news is that the various security vendors are aware of the threat and are working on methods of protection. In a very short period of time, rootkit detection will likely become part of most anti-virus and spyware detection programs.
In the meantime, if I have spooked you enough that you want to check your own system out, there are a couple of places to turn for peace of mind.
Long-time anti-virus vendor F-Secure has launched a Beta version of its rootkit detection and removal tool, called “Blacklight”. Beta means that it is still under development and that everyone who uses it is part of the testing phase of the product. You can download the utility at www.f-secure.com/blacklight.
The freeware site Sysinternals (www.sysinternals.com) has also created a downloadable program called Rootkit Revealer that will search your system for any funny business.
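The column does not describe how these detectors work, but the approach behind tools of this kind is a "cross-view" comparison: a rootkit that hooks the operating system's file or registry listing functions can filter its own files out of what those functions report, yet it cannot easily rewrite the on-disk structures that a low-level scan reads directly, so anything present in the raw view but missing from the API view is suspect. The following is an added illustration of that comparison written for this page; it is not code from the column, from F-Secure or from Sysinternals, and the two "views", the file names and the sizes are constructed sample data. It also shows the one caveat a practitioner runs into immediately: a file that changes between the two scans produces a size mismatch that is not evidence of hiding.

```python
"""Cross-view difference check, the general idea behind rootkit detectors.

Added illustration, not code from the article or from the tools it names.
The two views below are constructed: API_VIEW is what a (possibly hooked)
file-listing API reports, RAW_VIEW is what a direct read of the on-disk
directory records shows. Paths, sizes and names are invented sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int


# Constructed "high-level" view: what the operating system's listing API returned.
API_VIEW = [
    Entry("C:\\Windows\\System32\\kernel32.dll", 984_064),
    Entry("C:\\Windows\\System32\\ntdll.dll", 708_608),
    Entry("C:\\Users\\ken\\notes.txt", 1_204),
    Entry("C:\\Users\\ken\\report.doc", 45_056),  # still being written during the API scan
]

# Constructed "low-level" view: what a raw read of the on-disk directory records showed.
RAW_VIEW = [
    Entry("C:\\Windows\\System32\\kernel32.dll", 984_064),
    Entry("C:\\Windows\\System32\\ntdll.dll", 708_608),
    Entry("C:\\Users\\ken\\notes.txt", 1_204),
    Entry("C:\\Users\\ken\\report.doc", 49_152),                  # grew between the two scans
    Entry("C:\\Windows\\System32\\drivers\\hidden.sys", 20_480),  # hypothetical: filtered out by a hook
    Entry("C:\\Windows\\System32\\_rk_cfg.dat", 512),             # hypothetical: filtered out by a hook
]


def cross_view_diff(api_view, raw_view):
    """Return findings as (category, path) tuples, sorted for stable output.

    Categories:
      hidden-from-api    on disk but absent from the API view (classic rootkit hiding)
      phantom-in-api     reported by the API but not on disk (stale or spoofed entry)
      metadata-mismatch  same path, different size; usually a benign race between
                         the two scans, so it is reported at low confidence
    """
    api = {e.path: e for e in api_view}
    raw = {e.path: e for e in raw_view}
    findings = []
    for path in raw.keys() - api.keys():
        findings.append(("hidden-from-api", path))
    for path in api.keys() - raw.keys():
        findings.append(("phantom-in-api", path))
    for path in api.keys() & raw.keys():
        if api[path].size != raw[path].size:
            findings.append(("metadata-mismatch", path))
    return sorted(findings)


def high_confidence(findings):
    """Keep only discrepancies that a hooked API, rather than a scan race, would explain."""
    return [f for f in findings if f[0] != "metadata-mismatch"]


if __name__ == "__main__":
    for category, path in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{category:18} {path}")
```

Run against the constructed views, the check reports the two entries the hooked API omitted as high-confidence findings and the size change on report.doc as a low-confidence mismatch; a real scanner repeats the scan or re-reads the single entry before treating a mismatch as suspicious.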
Mac OS X users can check for the “Opener” rootkit malware by going to www.macintouch.com/opener.html.
In order to become a victim of a rootkit attack you must generally open or install a malicious file (usually an e-mail attachment) or be exploited through one of the many known vulnerabilities in your operating system. The usual advice will help you steer clear of this latest threat:
Don’t open e-mail file attachments unless you know exactly what they are. Keep your operating system updated (Windows, Mac OS, Linux, etc.). Don’t install anything that you don’t really need!
About the author
Posted by Ken Colburn of Data Doctors on May 11, 2005