What is a Rootkit:|
A rootkit is usually software, and sometimes a hardware device, specifically designed to gain administrator control of a computer system without being detected. The term now implies malicious intent: operations carried out on a targeted computer system without the knowledge or consent of its users, and especially of its administrators.
The range of areas that rootkits can target is alarming, not least because in theory they can become part of the targeted operating system itself. That is a nightmare for security software trying to detect them. Why? Because you are asking the thief to reveal themselves. The BIOS, boot loader, libraries, hypervisor (virtual machines) and kernel are the areas typically targeted, with the system kernel being the deepest attack.
Because they can modify legitimate operating system code (usually done by kernel rootkits), it can be very difficult for anti-virus and anti-spyware software to identify them as anything other than the operating system itself (again, asking the thief to reveal themselves).
See Rootkit Removal or Free Anti Virus
A User-Mode program treats a reply from the Kernel as LEGITIMATE.
The API (Application Programming Interface) is where methods and functions enable interaction with software throughout the operating system. These API methods and functions, with their blocks of code, are what get modified; the modifications are usually called hooks.
The anti-virus program sends a request to the kernel API asking about the authenticity of specific code:
1. Is this code malicious? (Code sent)
2. Hooked code answers (Authentic code)
3. Kernel replies to the anti-virus program (Authentic code)
The anti-virus program misses the infection or, even worse, sees it as legitimate.
There are several types of rootkits, some much worse than others. The "root" part of the name comes from the Unix root account, the highest level of access to the system; the "kit" part is there because there are usually several programs or functions working together, and these may be created in an open source environment, etc.
What's really worrying is that these kits are available to just about anybody with general programming skills.
How Rootkits Work:
We will take a Kernel Rootkit as the example, as it is the most dangerous. How does a rootkit developer get their code into the Kernel in the first place? Most modern operating systems allow Kernel extensions; these can be for devices or for software.
With some basic programming skills, preferably in C, a Windows driver can be created. Depending on the developer, this driver can be as simple or as complicated as they want.
These loadable modules, also known as drivers, can be developed by anyone using a Windows Driver Kit (WDK). These kits allow you to build drivers for XP, 2003, 2007, Vista, etc. The driver is then loaded into the Kernel from a User-Mode program.
Now that the code is in and working within the Kernel, depending on what the developer wants, it can actually modify Kernel functions and data. For example, the Kernel holds a list of system processes, and this list can be modified: a rogue process can become invisible to anti-virus. See Free Anti Virus
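The two failure modes described above (a hooked API that answers the scanner with "authentic", and a modified process list) are why rootkit detectors do not simply trust one kernel answer. The added example below is not from the original article; it is a constructed user-space simulation in which a hooked enumeration call hides one PID, a naive scanner that trusts that call finds nothing, and a cross-view scan probes every PID through a second, unhooked path and reports the difference. Names such as SimKernel, naive_scan and cross_view_scan are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class SimKernel:
    # Constructed stand-in for the kernel's list of system processes
    # (PID -> image name) and for the PIDs a rootkit hook filters out.
    processes: dict = field(default_factory=dict)
    hidden: set = field(default_factory=set)

    def enum_processes(self):
        # Hooked enumeration API: the call a user-mode scanner normally
        # makes. The hook drops the PIDs it wants to keep out of sight.
        return [pid for pid in self.processes if pid not in self.hidden]

    def open_process(self, pid):
        # A second kernel path that the simulated hook does not cover;
        # returns True if the PID exists at all.
        return pid in self.processes


def naive_scan(kernel, suspicious_name):
    # Trusts the API answer, exactly as the article describes: the hidden
    # process never appears, so the scanner reports nothing.
    return [pid for pid in kernel.enum_processes()
            if kernel.processes[pid] == suspicious_name]


def cross_view_scan(kernel, max_pid=4096):
    # High-level view: what the (possibly hooked) API reports.
    high = set(kernel.enum_processes())
    # Low-level view: probe every candidate PID through the unhooked path.
    low = {pid for pid in range(max_pid) if kernel.open_process(pid)}
    # Anything present below but absent above is being hidden from us.
    return sorted(low - high)


def demo():
    k = SimKernel(processes={4: "System", 512: "svchost.exe", 1337: "rogue.exe"})
    k.hidden.add(1337)  # constructed: the rootkit hides its own process
    return naive_scan(k, "rogue.exe"), cross_view_scan(k)  # -> ([], [1337])
```

On a real system the "low-level view" is whatever path the detector believes the rootkit has not touched (raw kernel structures, a PID brute force, or an offline disk image), and the diff is only as trustworthy as that assumption.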
Types Of Rootkits:
Memory-based rootkits are loaded into memory and have no persistent program code, so they do not survive a reboot.
Persistent rootkits do use persistent code and devise ways to execute without user intervention, for example at computer startup. They use some sort of persistent storage, such as the system registry or system files, so the user never has to execute them.
Kernel rootkits are among the really bad ones, the Kernel being the core of the system. These rootkits can modify data structures in the Kernel; for example, a rootkit could remove itself from the list of activities on a system, making it very difficult to detect. See Rootkit Removal
A simple view of User-Mode is that programs and functions run at user level, and access to the core of the operating system (the Kernel) is walled off from User-Mode functions.
Kernel-Mode holds the core components of the operating system.
If a program or function needs information from the Kernel, the reply is taken as legitimate.
Rootkit Working Example:
A decent video explains the User-Mode rootkit Hacker Defender; it gives a short insight into the workings of a rootkit.