Malware is no longer viewed with the notoriety it once was. Gone are the days of massive infections, such as the “I love you” worm, which was headline news even in the mainstream press.
Today, professional creators looking to profit financially from malware need any virus, worm or Trojan to be able to operate undetected by users, as this is a key ingredient in achieving their objectives. In other words, an invisible virus is far more dangerous than one that is easily noticed.
So how can we see malware?
Well let’s not forget, after all, that it is only software, and all software leaves its trace on a system: not just the file or files that contain the intruder, but also the registry keys, folders, activity reports, etc. Any tool that lets you list files or registry values, such as Windows Explorer or Regedit, will reveal the presence of an intruder that cannot cover its tracks.
Now, this is where rootkits come into play. A rootkit is software whose sole purpose is to hide system components, such as files, processes, registry keys, etc., so that the user cannot see them. They do this by penetrating the most critical layer of the operating system, the kernel, and manipulating certain internal structures and functions, thereby deceiving applications and preventing them from displaying the real content of the system.
For example, imagine there is a virus, whose binary name is “malo.exe”, installed in “C:\Windows\System32”.
When the intruder loads into memory, the rootkit manipulates the system functions that list the files in this folder, so that when they encounter the path “C:\Windows\System32\MALO.EXE”, they ignore it and go on to the next entry. This way, an application that requests the list of files cannot see this file. The same thing happens with registry keys, processes, or any other component of the system that the rootkit wants to hide.
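The cross-view check that purpose-built rootkit scanners rely on, shown here as an added Python example (not code from this article or from any Panda product): two listings of the same folder, one from the file-listing API the rootkit can filter and one from a lower-level source such as the raw on-disk directory index, are compared, and any entry that only the lower-level view returns is flagged. The folder contents, paths and the hidden name are constructed sample data, and the filtered listing is a simulation of the manipulation described above.

```python
"""Cross-view detection of a directory entry hidden from the API view."""
from typing import Iterable, List, Set

# Constructed sample: what the raw directory index on disk really holds.
RAW_VIEW = [
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\malo.exe",
    "C:\\Windows\\System32\\notepad.exe",
]

# Constructed sample: the upper-cased path the hooked listing function
# skips, matching the "MALO.EXE" comparison described in the text.
HIDDEN_BY_ROOTKIT = {"C:\\WINDOWS\\SYSTEM32\\MALO.EXE"}


def hooked_listing(entries: Iterable[str]) -> List[str]:
    """Simulates the manipulated API view: entries on the rootkit's list
    are silently dropped, so a caller of the normal API never sees them."""
    return [e for e in entries if e.upper() not in HIDDEN_BY_ROOTKIT]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Set[str]:
    """Returns entries present in the low-level view but absent from the
    API view. Windows paths are case-insensitive, so both sides are
    case-folded before comparison to avoid false positives."""
    seen = {p.casefold() for p in api_view}
    return {p for p in raw_view if p.casefold() not in seen}


def find_hidden_files() -> Set[str]:
    """Runs the check on the constructed folder: the API view is the
    filtered listing, the reference view is the raw directory index."""
    return cross_view_diff(hooked_listing(RAW_VIEW), RAW_VIEW)


if __name__ == "__main__":
    for path in sorted(find_hidden_files()):
        print("hidden from API view:", path)
```

A real scanner obtains the second view by reading the file system structures directly rather than through the hooked API, which is why this comparison works even when every ordinary listing tool is deceived.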
It is interesting to note here that rootkits are not malicious per se, as they may have perfectly legitimate uses, or at least, uses that are not related in any way to malware. In fact, the term “rootkit” first became used on a wide scale thanks to an incident involving the company Sony.
In 2005, Sony BMG Music included copy protection software on its music CDs which also included a rootkit designed to hide the protection system. The problem in this case was that it was done without user authorization, transmitting information and creating a security hole. Any attempt to remove the rootkit manually would leave the CD drive inoperable.
The danger therefore of any malware that includes a rootkit component is evident, given the significant stealth capacity and the ability to control a system without users realizing. Moreover, rootkits are among the most complex, advanced and resilient threats, operating at a level so deep that typical detection techniques are of little use, and specific purpose-built scanners are required, such as the free Panda Anti-Rootkit.
In any event, it is important to remember that all rootkits enter systems initially through a file, so the usual precautionary advice we offer for other types of malware also serves in the case of rootkits: use a good antivirus, keep it up-to-date, use a firewall, install the latest security patches, do not use an administrator account unless strictly necessary, etc.
So now you know… watch out for rootkits!!