In this article I will describe what a rootkit is, a little about the history of rootkits (including the famous Sony/BMG rootkit), the different types of rootkits, and finally I'll touch on how to detect and remove rootkits.
What A Rootkit Is
A rootkit is a series of programs that are designed to hide themselves and allow someone to have access to your computer's Operating System. The term “rootkit" or “root kit" comes from the Linux/Unix “Root" or “Administrator" privileges and “kit" or a series of programs. Although a rootkit can be one single program, it's typically a a group of programs working together. Rootkits can be on Windows, Linux, Unix, or even Mac Operating Systems. However, not all rootkits are malicious. Alcohol 120% (a popular CD/DVD copying program), and Daemon Tools (a virtual CD/DVD mounting program) use rootkits to enable them to create virtual drives. And even some antivirus programs use rootkits to enable them to defeat countermeasures taken by virus creators.
A Brief History of Rootkits
Rootkits have been around since the early 1990's. The first known use of a rootkit was rumored to be by Lance Davis and Steve Dake, who inserted a rootkit into a Sun Microsystems version of SunOS -- although no public record of this has been found. Prior to that, Ken Thompson sent a root-kitted version of a GNU C compiler to Bell Labs for their Unix OS. But the most famous use of Rootkits would have been Sony/BMG. They included DRM in various CD's that utilized rootkits to hook into the CD-ROM's and prevent the DRM from being bypassed. These rootkits were discovered by Mark Russinovich, purely by accident as he was testing his new “rootkit revealer" program. The resulting scandal was a slap in the face for Sony/BMG, and included lawsuits filed by the Texas Attorney's General.
Types of Rootkits
The types of rootkits are based on how they enter the system, and how they interact with it. Wikipedia lists five types of rootkits: hardware/firmware, hypvervisor, kernel, library, and application. Hardware/Firmware would come installed inside of some external device that you buy. Hypothetically speaking, the digital picture frames that are advertised as gifts could have rootkits built into the firmware. Hypervisor actually turns your Operating System into a Virtual Machine, and it controls the hardware calls. Kernel level rootkits are hidden in the “brains and backbone" of the Operating System. Library level rootkits could be in the form of .dll files or device drivers. And application level rootkits occur when the rootkit replaces programs with infected copies, or creates hooks into the programs.
Detection and Removal of Rootkits
Most antivirus and antispyware programs contain some form of an anti-rootkit program. However, like antivirus and antispyware programs, no single anit-rootkit program will find and remove all rootkits. The best methods of finding the rootkits is in “offline" detection, which involves booting the suspect system from a Live CD (typically Linux or a WinPE CD), and running the anti-rootkit programs from there. Most of the anti-rootkit programs will remove the rootkits that they find. However the general consensus amongst security professionals is that you should wipe the system and restore it from a known “clean" backup. You ARE backing up your systems on a regular basis, right? To learn more about rootkit removal tools, see our article Free Anti-rootkit Applications for Windows.