What is a Rootkit:
A rootkit is usually software, and sometimes a hardware device, specifically designed to gain administrator control of a computer system without being detected. The term rootkit now implies malicious intent or malicious operations on a targeted computer system without the knowledge or consent of its users, and especially of its administrators.

The range of areas that rootkits can target is scary, not least because in theory they can actually become part of the targeted operating system. That becomes a nightmare for security software trying to detect them. Why? Because you are asking the thief to show themselves. The BIOS, boot loader, libraries, hypervisor (virtual machines) and kernel are the areas targeted, with the system kernel being the deepest attack.

Because they have the capability to modify legitimate operating system code (usually the case with kernel rootkits), it can be very difficult for anti-virus and anti-spyware software to identify them as anything other than the operating system itself (again, asking the thief to reveal themselves).
See Rootkit Removal or Free Anti Virus

A User-Mode program will treat a reply from the Kernel as LEGITIMATE.

Simplified Example:

The API (Application Programming Interface) is the set of methods and functions that enable software to interact with the operating system. These API methods and functions, with their blocks of code, are what get modified; the modifications are usually called hooks.

The Anti-Virus program sends a request to the kernel API asking about the authenticity of a specific piece of code.

1. Is this code malicious (Code Sent)
2. Hooked code determines (Authentic Code)
3. Kernel replies to the Anti Virus Program (Authentic Code)

The Anti-Virus program misses the infection, or even worse, sees it as legitimate.

There are several types of rootkits, some being much worse than others. The "root" part of the name comes from Unix, where root is the highest level of access to the system; the "kit" part is there because there are usually several different programs or functions working together, and these can be created in an Open Source environment etc.

What's really worrying is that these kits are available to just about anybody with general programming skills.

How Rootkits Work:

We will take a Kernel Rootkit as the example, as it is the most dangerous. How does a rootkit developer get his code into the Kernel in the first place? Most modern Operating Systems allow Kernel extensions; these can be for devices or for software.

With some basic programming skills, preferably in “C”, a Windows Driver can be created. Depending on the developer, this driver can be as simple or as complicated as they want.

These loadable modules, also known as drivers, can be developed by anyone using a Windows Driver Kit (WDK). These kits allow you to build drivers for XP, 2003, 2007, VISTA etc. The driver would then be loaded into the Kernel from a User-Mode program.

Now that the code is in and working within the Kernel, depending on what the developer wants, this code can actually modify Kernel functions. For example, the Kernel holds a list of System Processes, and this list can be modified. A rogue process can become invisible to Anti-Virus. See Free Anti Virus

Types Of Rootkits:

Memory Rootkits:
These are loaded into memory and have no persistent code stored on the system. Therefore they do not survive a reboot.

Persistent Rootkits:

These rootkits do use persistent code and devise ways to execute without user intervention, for example at the startup of the computer. They use some sort of persistent storage, such as the system registry or system files, so that the user does not have to execute them.

Kernel Rootkits:
One of the really bad ones, the kernel being the core of the system. These rootkits can modify data structures inside the kernel. For example, a rootkit could remove itself from the kernel's list of running processes, making it very difficult to detect. See Rootkit Removal
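To make the Simplified Example and the process-list modification above concrete, here is an added C example; it is not from the original page and does not reproduce any real rootkit's code. It simulates, entirely in user space, a kernel service table whose process-enumeration entry is hooked so that one PID is dropped from every reply, and then shows two defender checks against that hook: a table-integrity check against a boot-time baseline and a cross-view comparison. The service table, the process list and the PIDs (including the hidden PID 1507) are constructed for this demo.

```c
/* Added example (not from the original page): a user-space simulation of a
 * kernel service table whose process-enumeration entry is hooked to hide one
 * process, plus two defender checks: table integrity and cross-view diff.
 * The service table, process list and PIDs below are constructed for the demo. */
#include <stdio.h>
#include <stddef.h>

#define MAX_PROCS 8
#define SERVICE_COUNT 1
#define SVC_ENUM_PROCS 0

/* Constructed "kernel" process table: the ground truth the kernel holds. */
static const int kernel_process_table[] = { 4, 312, 980, 1507, 2044 };
#define KERNEL_PROCESS_COUNT (sizeof kernel_process_table / sizeof kernel_process_table[0])

/* Signature of the enumerate-processes service: fills `out`, returns count. */
typedef size_t (*enum_procs_fn)(int *out, size_t max);

/* The genuine kernel service: copies the real table. */
static size_t real_enum_procs(int *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < KERNEL_PROCESS_COUNT && n < max; i++)
        out[n++] = kernel_process_table[i];
    return n;
}

/* Dispatch table that user mode reaches, analogous to a system service table.
   A table hook works by swapping the pointer stored here. */
static enum_procs_fn service_table[SERVICE_COUNT] = { real_enum_procs };

/* Known-good copy recorded at "boot", before anything could tamper with it. */
static const enum_procs_fn service_table_baseline[SERVICE_COUNT] = { real_enum_procs };

/* The PID the simulated rootkit hides (constructed value). */
static const int HIDDEN_PID = 1507;

/* The hook: calls the original service, then filters the hidden PID out of
   the reply, so the caller receives a shorter but authentic-looking list. */
static size_t hooked_enum_procs(int *out, size_t max) {
    int tmp[MAX_PROCS];
    size_t n = real_enum_procs(tmp, MAX_PROCS), kept = 0;
    for (size_t i = 0; i < n && kept < max; i++)
        if (tmp[i] != HIDDEN_PID)
            out[kept++] = tmp[i];
    return kept;
}

/* Simulated rootkit installing or removing its table hook. */
void install_hook(void) { service_table[SVC_ENUM_PROCS] = hooked_enum_procs; }
void remove_hook(void)  { service_table[SVC_ENUM_PROCS] = real_enum_procs; }

/* What a user-mode tool such as an anti-virus scanner does: ask via the table
   and trust the reply. */
size_t api_process_count(void) {
    int view[MAX_PROCS];
    return service_table[SVC_ENUM_PROCS](view, MAX_PROCS);
}

/* Defender check 1: table integrity. Returns how many live entries differ
   from the boot-time baseline (0 means the table is untouched). */
size_t count_modified_table_entries(void) {
    size_t modified = 0;
    for (size_t i = 0; i < SERVICE_COUNT; i++)
        if (service_table[i] != service_table_baseline[i])
            modified++;
    return modified;
}

/* Defender check 2: cross-view comparison. Enumerate through the (possibly
   hooked) service and through an independent walk of the kernel's own table;
   any PID in the raw view that is missing from the API view is hidden.
   Writes the hidden PIDs to `hidden` and returns how many were found. */
size_t find_hidden_pids(int *hidden, size_t max) {
    int api_view[MAX_PROCS], raw_view[MAX_PROCS];
    size_t api_n = service_table[SVC_ENUM_PROCS](api_view, MAX_PROCS);
    size_t raw_n = real_enum_procs(raw_view, MAX_PROCS); /* direct table walk */
    size_t found = 0;
    for (size_t i = 0; i < raw_n; i++) {
        int seen = 0;
        for (size_t j = 0; j < api_n && !seen; j++)
            seen = (api_view[j] == raw_view[i]);
        if (!seen && found < max)
            hidden[found++] = raw_view[i];
    }
    return found;
}

/* Convenience for checking: first hidden PID, or -1 when nothing is hidden. */
int first_hidden_pid(void) {
    int hidden[MAX_PROCS];
    return find_hidden_pids(hidden, MAX_PROCS) ? hidden[0] : -1;
}

int main(void) {
    printf("clean table: modified=%zu hidden pid=%d\n",
           count_modified_table_entries(), first_hidden_pid());
    install_hook();
    printf("hooked table: api reports %zu processes, modified=%zu hidden pid=%d\n",
           api_process_count(), count_modified_table_entries(), first_hidden_pid());
    remove_hook();
    return 0;
}
```

Before the hook both checks come back clean and the API reports all five processes; after it the API reports four, the integrity check reports one modified table entry, and the cross-view check recovers PID 1507. The integrity check only catches a hook that swaps the table pointer; a rootkit that patches the service's code in place leaves the table untouched, which is why rootkit detectors also rely on cross-view comparison, asking the same question through two different paths and diffing the answers.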

A simple view of User-Mode is that programs and functions run at user level, and access to the core of the operating system (the Kernel) is walled off from User-Mode functions.

Kernel-Mode contains the core components of the operating system:

- Process Management.
- File Access.
- Security.
- Memory Management.

If a program or function needs information from the Kernel, the reply is taken as legitimate.

Rootkit Working Example:

A decent video explaining the User-Mode rootkit Hacker Defender; this video will give you a short insight into the workings of a rootkit.
