Rootkit
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection and disinfection. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.
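An added example (not from this wiki page) of the cross-view check that rootkit detectors use to spot processes hidden from the process list: on Linux it compares the PIDs that /proc enumerates with the PIDs that answer to kill(pid, 0), and reports those present in the second view but missing from the first. Function names such as `hidden_pids` and `scan` are this example's own.

```python
"""Cross-view check for hidden processes (added example, not from the page).

Rootkits that hook process enumeration typically filter what /proc shows;
fewer of them also intercept the kill() syscall. A PID that exists according
to kill(pid, 0) but is absent from a /proc listing therefore deserves a look.
Assumes Linux with /proc mounted.
"""
import os


def listed_pids():
    """View 1: PIDs visible through /proc directory enumeration."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=None):
    """View 2: PIDs that exist according to kill(pid, 0).

    A full sweep up to pid_max can take several seconds in Python."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check only
            alive.add(pid)
        except ProcessLookupError:   # ESRCH: no such process
            continue
        except PermissionError:      # EPERM: exists, owned by another user
            alive.add(pid)
    return alive


def hidden_pids(listed, probed):
    """Pure comparison: in the probe view but missing from the listing."""
    return set(probed) - set(listed)


def scan(rounds=2):
    """Report only PIDs hidden in every round, so a process that merely
    started or exited between the two views (a race) is not flagged."""
    suspects = None
    for _ in range(rounds):
        found = hidden_pids(listed_pids(), probed_pids())
        suspects = found if suspects is None else suspects & found
    return sorted(suspects)


if __name__ == "__main__":
    print("possibly hidden PIDs:", scan())
```

A non-empty result is a lead, not proof: confirm with a second independent view (for example a kernel-level enumeration or an offline scan) before concluding a rootkit is present.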
Some malicious programs contain routines to defend against removal: not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing system:
- Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.[1]
Similar techniques are used by some modern malware, wherein the malware starts a number of processes which monitor and restore one another as needed.
External links
- Rootkit Analysis: Research and Analysis of Rootkits
- Even Nastier: Traditional RootKits
- Sophos Podcast about rootkit removal
- Rootkit research at Microsoft
- White paper on new-generation rootkit detection
- antirootkit.com
- Testing of antivirus/anti-rootkit software for the detection and removal of rootkits made by Anti-Malware Test Lab, January 2008
- Testing of anti-rootkit software made by InformationWeek, January 2007
- Sony, Rootkits and Digital Rights Management Gone Too Far (Mark Russinovich's first blog entry about the Sony DRM rootkit, from which the scandal ensued)
- Designing BSD Rootkits: An Introduction to Kernel Hacking (book by Joseph Kong)
- How to remove spyware from your PC: rid yourself of rootkits
- Glossary of malware terminology ("Rootkit" has a negative connotation)
- White paper on hypervisor rootkit technology
- Review: Six Rootkit Detectors Protect Your System
- Article about writing simple rootkits for Linux