Rootkits: almost invisible malware

Malware hides in order to prolong its useful life and avoid detection

Rootkits are far from new: their origins can be traced back to UNIX platforms. Over recent years, however, they have been used with increasing frequency to hide the presence of dangerous malware on infected computers.

What is a rootkit?

Originally, in the context of UNIX-type systems, a rootkit was a set of the operating system's own tools, such as netstat, passwd and ps, modified by an intruder in order to keep unrestricted access to the computer without the intrusion being noticed by the system administrator.

In UNIX terminology the administrator account is called "root", hence the generic name for this kit of tools, which remained hidden on the system once root privileges had been obtained.

Windows is today the most widespread operating system, but the concept remains the same.

A Windows rootkit is a program that hides certain elements (files, processes, Windows Registry entries, memory addresses, network connections, etc.) from other programs and from the operating system itself.

As can be seen, this definition in itself does not imply any damage to the system: it is a technology that can be used for constructive as well as destructive ends.

What danger is presented by rootkits?

Contrary to popular belief, then, a rootkit is not in itself the tool used to break into a computer: it comes into play once the intruder is already inside.

In UNIX systems, rootkits are used to guarantee continued access to a remote computer that has previously been compromised, for example to:

  • Install backdoors through which the computer can be accessed.
  • Hide the modifications that have been made to the configuration.
  • Hide the log entries that record the intrusion.

For Windows systems the objective is similar: to hide the existence of other elements on the computer, so that both their presence and their execution go unnoticed by the user and even by the security software itself. If those elements are malware, the owner of the computer has a truly serious problem.

The year 2005 saw the first detections of malware variants that use rootkits (either external tools or techniques built into their own code) to avoid detection. Bots, adware and spyware have added these characteristics to their own features, a trend that has only increased over time.

This fits the current malware dynamic perfectly. Since the aim of malware is to commit information crimes for financial gain, it is of the utmost importance that it attracts little or no attention: the longer it goes undetected, the longer it remains active on the computer.

On the other hand, rootkit techniques also have potential benefits, and can legitimately be applied to areas such as:

  • Monitoring employees.
  • Protecting intellectual property.
  • Protecting programs from malware activity or user errors (accidental deletion, for example).

Alongside these possibly beneficial uses there was a case that received wide media coverage at the end of 2005. Mark Russinovich discovered that the copy-protection system Sony had included in some of its products contained a rootkit, XCP, whose purpose was to prevent that protection from being disabled.

Shortly after his detailed analysis was published, malware began to appear (for example, the Ryknos.A backdoor) that abused this rootkit in order to hide on systems where the copy-protection software was installed.

Sony was eventually forced to supply a tool that removed the rootkit and uninstalled the copy-protection system.

As this example shows, even when a rootkit is used for legitimate purposes, there are implications that must be carefully considered: a hiding mechanism conceals anything that adopts its naming convention, not just the component it was written for.

What are the different types of rootkits?

Rootkits can be classified according to the following characteristics:

  • Persistence:

    - A persistent rootkit is activated every time the system starts up. To do so, it must store its code somewhere on the computer and have some way of starting itself automatically (a service, a driver or an autorun entry, for example).

    - A non-persistent rootkit, on the other hand, has no stored copy and no auto-start mechanism, so it cannot run again after the system has been restarted.
  • The mode in which they execute:

    - User mode: this kind of rootkit hooks the API (Application Programming Interface) functions that programs call and filters the information they return, so that a directory listing, a process list or a Registry query comes back without the hidden items. The best-known rootkit of this type is Hacker Defender.

    - Kernel mode (the core of the operating system): these rootkits modify the kernel's own data structures and hook the kernel's internal APIs. Because they run with the same privileges as the operating system, beneath any user-mode security software, this is the most reliable and robust way of intercepting the system.

Among other methods of building rootkits, the work of the University of Michigan and Microsoft deserves special mention: in March 2006 they developed a rootkit based on virtualization technology. Its main trick was to modify the computer's start-up sequence so that the rootkit was loaded instead of the operating system; it then loaded the operating system as a virtual machine, so that all communication between the operating system and the hardware passed through the rootkit. Once installed, a rootkit of this kind is practically undetectable from inside the virtualized operating system, which is why detection has to come from outside it, for instance by booting the computer from trusted media and inspecting the disk.

How can I protect myself from rootkits?

The fight against rootkits is an arms race: rootkit authors develop new ways of remaining undetected, and security companies release counter-measures to protect their customers.

The following techniques can be used to detect the presence of rootkits on a system:

  • Signature-based detection: a mature technology that antivirus companies have used successfully for many years. It scans files and compares them against a collection of signatures of known malware, so it can only catch rootkits that have already been analyzed.
  • Heuristic or behavior-based detection: identifies rootkits by recognizing deviations from the computer's normal activity.
  • Detection by comparison (cross-view detection): compares the results returned by the operating system's normal APIs with those obtained through low-level calls, such as reading the file system or kernel structures directly. Any object present in the low-level view but missing from the high-level one has been hidden, which points to a rootkit.
  • Integrity-based detection: reveals a rootkit by comparing files and memory against a baseline taken when the system was known to be clean.

Each of these techniques has its limitations, which is why combining several of them is highly recommended. Bear in mind, too, that some rootkits are expressly designed to evade the antivirus products that lead the market.
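The following example, added for this page (it is neither Panda's code nor that of any real rootkit), puts the user-mode hooking technique described in the classification above next to the cross-view check that exposes it. It is written in C for a POSIX system: hooked_readdir() stands in for a user-mode hook and hides every directory entry whose name starts with the $sys$ prefix XCP used, and cross_view_scan() lists the same directory through that API view and through the unhooked call, reporting anything present only in the latter. The scratch directory under /tmp, the file names and all function names are constructed for the demonstration.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define HIDE_PREFIX "$sys$"   /* names with this prefix are hidden (the prefix XCP used) */
#define MAX_ENTRIES 64
#define NAME_LEN 256

typedef struct dirent *(*readdir_fn)(DIR *);

/* 1 if the rootkit wants this directory entry hidden, 0 otherwise. */
int is_hidden_name(const char *name) {
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* Rootkit side: a hook around readdir() that swallows hidden entries. A real user-mode
 * rootkit installs this in place of the library function (LD_PRELOAD on UNIX, IAT or
 * inline patching on Windows), so ls, Explorer and any scanner that trusts the API
 * never see those names. */
struct dirent *hooked_readdir(DIR *d) {
    struct dirent *e;
    while ((e = readdir(d)) != NULL && is_hidden_name(e->d_name))
        ;                     /* drop hidden entries, keep reading */
    return e;                 /* first visible entry, or NULL at end of directory */
}

/* Read a directory through the given readdir implementation into names[].
 * Returns the number of entries (excluding . and ..), or -1 on error. */
static int list_dir(const char *path, readdir_fn rd, char names[][NAME_LEN], int max) {
    DIR *d = opendir(path);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = rd(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    }
    closedir(d);
    return n;
}

/* Detector side: cross-view comparison. high_level is the API the system offers
 * (possibly hooked); the unhooked readdir stands in for a raw read of the file system.
 * Every name in the low view missing from the high view is copied to hidden[].
 * Returns the count, or -1 on error. */
int cross_view_scan(const char *path, readdir_fn high_level, char hidden[][NAME_LEN], int max) {
    char high[MAX_ENTRIES][NAME_LEN], low[MAX_ENTRIES][NAME_LEN];
    int nh = list_dir(path, high_level, high, MAX_ENTRIES);
    int nl = list_dir(path, readdir, low, MAX_ENTRIES);
    if (nh < 0 || nl < 0) return -1;
    int found = 0;
    for (int i = 0; i < nl && found < max; i++) {
        int seen = 0;
        for (int j = 0; j < nh && !seen; j++)
            seen = strcmp(low[i], high[j]) == 0;
        if (!seen) snprintf(hidden[found++], NAME_LEN, "%s", low[i]);
    }
    return found;
}

/* Constructed sample: a scratch directory under /tmp with one ordinary file and two
 * files carrying the hidden prefix. Returns 0 on success. */
static int make_sample_dir(char *path, size_t len) {
    static const char *files[] = { "notes.txt", HIDE_PREFIX "dropper.exe", HIDE_PREFIX "config.dat" };
    snprintf(path, len, "/tmp/rk_demo_%ld", (long)getpid());
    mkdir(path, 0700);        /* may already exist from an earlier run; open() below will tell */
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char full[NAME_LEN + 64];
        snprintf(full, sizeof full, "%s/%s", path, files[i]);
        int fd = open(full, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

static void remove_sample_dir(const char *path) {
    char names[MAX_ENTRIES][NAME_LEN], full[NAME_LEN + 64];
    int n = list_dir(path, readdir, names, MAX_ENTRIES);
    for (int i = 0; i < n; i++) {
        snprintf(full, sizeof full, "%s/%s", path, names[i]);
        unlink(full);
    }
    rmdir(path);
}

/* Scan the sample directory through the hooked or the clean API and return the number
 * of entries flagged: 2 with the hook in place, 0 on a clean system. */
int demo_scan(int hooked) {
    char path[64], hidden[MAX_ENTRIES][NAME_LEN];
    if (make_sample_dir(path, sizeof path) != 0) return -1;
    int found = cross_view_scan(path, hooked ? hooked_readdir : readdir, hidden, MAX_ENTRIES);
    for (int i = 0; i < found; i++)
        printf("hidden from the API view: %s\n", hidden[i]);
    remove_sample_dir(path);
    return found;
}

int main(void) {
    printf("hooked API: %d entries hidden\n", demo_scan(1));
    printf("clean API:  %d entries hidden\n", demo_scan(0));
    return 0;
}
```

Running it prints the two $sys$ names and reports 2 flagged entries for the hooked view and 0 for the clean one. In a real scanner the low-level view would come from parsing the file system or kernel structures directly rather than from another library call the rootkit could equally have hooked, and a difference should be re-checked before raising an alarm, since a file created or deleted between the two reads produces the same discrepancy without any rootkit being present.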

The first line of defense against rootkits is to stop them getting onto your computer in the first place. To do so, bear in mind the following basic advice on protection against malware:

  • Install a good antimalware solution on your computer, and always keep it active and up to date.
  • Install a firewall to protect against unauthorized access to your computer.
  • Keep the applications installed on your computer up to date, and make sure to install the security patches supplied by their vendors.

However, protecting yourself against rootkits is not to be taken lightly, and cannot be limited to a set of generic protection measures.

To help users detect rootkits on their computers and remove them, Panda Security provides the Panda Anti-Rootkit tool. Use this free utility to detect and remove any rootkits that may be on your computer.
