Once a malicious program is installed on a system, it must stay concealed to avoid detection and removal; the same holds for a human attacker who has broken into a computer directly. Techniques known as rootkits provide this concealment by modifying the host operating system so that the malware is hidden from the user and from security software running on the host. A rootkit can keep a malicious process out of the system's list of processes, or keep its files from being read. Because the rootkit subverts the very operating-system interfaces that administrators and security tools use to enumerate processes and files, a tool run on the compromised host cannot simply be trusted to report what is there; detection therefore relies on comparing several independent views of the system, or on examining the disk from a separate, clean system. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system on which the attacker had gained administrator (root) access. Today the term is used more generally for the concealment routines in a malicious program.
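A check a practitioner can run against the process-hiding behaviour described above, as an added example that is not part of the original article: a cross-view comparison. A rootkit that filters the process listing must still let the kernel run the hidden process, and sending signal 0 with kill(2) answers whether a PID exists without going through the enumeration interface. PIDs that answer the probe in every round but never appear in the listing are candidates for a hidden process. The function names, the view names and the default probe range are this example's own; it assumes Linux (it reads /proc) with procfs mounted without the hidepid option, which would otherwise hide other users' processes from the listing and produce false positives.

```python
import os


def listing_view():
    """PIDs as the normal enumeration interface reports them (procfs listing)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid=32768):
    """PIDs that exist according to kill(pid, 0), without consulting any listing.

    A sweep up to the real ceiling in /proc/sys/kernel/pid_max (often 4194304)
    is the thorough choice; the default range keeps the demonstration quick.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue        # ESRCH: no such process
        except PermissionError:
            pass            # EPERM: exists, but belongs to another user
        found.add(pid)
    return found


def find_hidden(views, rounds=3):
    """Return {pid: frozenset(names of views missing it)} for PIDs whose
    discrepancy is identical in every round.

    `views` maps a name to a zero-argument callable returning a set of PIDs.
    Requiring the same discrepancy in every round filters out processes that
    merely started or exited between two snapshots, which is the usual false
    positive of a single cross-view comparison.
    """
    suspects = None
    for _ in range(rounds):
        snap = {name: view() for name, view in views.items()}
        everything = set().union(*snap.values())
        this_round = {}
        for pid in everything:
            missing = frozenset(n for n, pids in snap.items() if pid not in pids)
            if missing:
                this_round[pid] = missing
        if suspects is None:
            suspects = this_round
        else:  # keep only discrepancies that repeat exactly
            suspects = {pid: m for pid, m in this_round.items()
                        if suspects.get(pid) == m}
    return suspects


if __name__ == "__main__":
    hidden = find_hidden({"listing": listing_view, "probe": probe_view})
    for pid, missing in sorted(hidden.items()):
        print("pid %d exists but is absent from: %s"
              % (pid, ", ".join(sorted(missing))))
    if not hidden:
        print("no persistent discrepancy between the views")
```

A PID reported as absent from the listing view but present in the probe view deserves a look with tools that do not depend on the host's own interfaces (an offline image of the disk, or a memory image parsed on another machine); a PID present in the listing but absent from the probe is usually a process that exited between the two snapshots and is filtered out by the repeated rounds.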
Some malicious programs contain routines to defend against removal: they do not merely hide themselves but actively repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing system:
- Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.
Some modern malware uses the same technique: it starts several processes that monitor one another and restart any member that is terminated, so that killing them one at a time never removes the infection.