What is a rootkit?


I've seen a lot about rootkits on this site here and when I purchased my AV it said that it catches rootkits that other AVs generally can't find, and I thought that to be a good thing, but I still don't really know what a rootkit is.

So my questions are, what is a rootkit, and in general, what kind of harm does it do, or, what is the bad thing or bad things that it does?


Here you go: http://en.wikipedia.org/wiki/Rootkit

It can do anything. There are good and bad rootkits. Essentially it's a way of hiding a file, registry entry or running process so that Windows and other programs can't see them, but antirootkit technology is designed to allow a program to see them. Some programs are better at this than others as there are many methods employed by rootkits for hiding their presence.


@ Exile

Thanks for the link :) I read it over, skimming some parts, and I pretty much understand what it is now. Scary stuff! (the bad rootkits, that is). :/

"Numerous source code samples for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various Trojans or spyware programs, et cetera." << That's scary, but not surprising, unfortunately :/

nasty little buggers :(


Rootkits are defined differently from their original intention, which was gaining "root" access.

On top of the base definition they have also gained two more:

Malware that hooks core OS functions for the purpose of modifying/diverting internal OS data structures.

Malware that cloaks itself from the API layer of the OS, making normal API-based tools unable to even see that it exists.

These two additional functions are almost always used in conjunction.

The greatest strength of rootkit technology is also its greatest weakness. For example, if you want to detect rootkit-cloaked files, all a tool has to do is ask the OS for a list of files in a directory and then read the contents directly from disk. The lists should match, and anything that is only on the direct-read list is being cloaked from the API. The process is similar for processes and registry objects as well.

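The cross-view check Nosirrah describes, as an added example (not code from this thread or from any vendor's product): a generic comparison of an API view against a lower-level view, plus the process case implemented for Linux, where the "direct read" is probing every PID with kill(pid, 0) rather than trusting the directory listing of /proc. Reading NTFS directly from disk, as an anti-rootkit tool does for files, is out of scope here; the file and registry names in the test are constructed samples.

```python
import os
import sys
from typing import Dict, Iterable, Set

def normalize(name: str) -> str:
    """Canonical form for comparison; Windows file/registry names are case-insensitive."""
    return name.strip().rstrip("\\/").lower()

def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, Set[str]]:
    """'cloaked' = only in the low-level view (hidden from the API);
    'api_only' = only in the API view (normally a race between the two snapshots)."""
    api = {normalize(n) for n in api_view}
    raw = {normalize(n) for n in raw_view}
    return {"cloaked": raw - api, "api_only": api - raw}

def proc_api_view() -> Set[str]:
    """High-level Linux view: PIDs and TIDs that readdir() on /proc exposes.
    TIDs are included because kill() also answers for thread IDs."""
    seen: Set[str] = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        seen.add(pid)
        try:
            seen.update(os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited between the two listdir calls
            pass
    return seen

def proc_probe_view(max_pid: int = 0) -> Set[str]:
    """Low-level view: probe every PID with signal 0 instead of trusting readdir.
    EPERM still proves the PID exists; only ESRCH means it does not."""
    if not max_pid:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive: Set[str] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(str(pid))
    return alive

if __name__ == "__main__" and sys.platform.startswith("linux"):
    # Bracket the /proc snapshot with two probes so PIDs starting or exiting meanwhile drop out.
    before, api, after = proc_probe_view(), proc_api_view(), proc_probe_view()
    hidden = cross_view_diff(api, before & after)["cloaked"]
    print("PIDs hidden from /proc:", sorted(hidden, key=int) or "none")
```

A PID that answers kill() in both probes but never appears in /proc is the "only on the direct-read list" case from the post; a hidden file or registry key would be found with the same cross_view_diff once the two listings are collected.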

@ Nosirrah

Thank you for your response! That also helps me better understand rootkits!

So am I correct in understanding that the original development of "root" was legitimate, and people modified them for illegitimate purposes? :/

And what is API?


There is the official definition, but that was written by geeks for up-and-coming geeks, so here is the basic definition of the API. It is the layer between you, the user, and software. It's how you control the software and how you communicate with the software. In essence, rootkits make the Windows API lie and/or do things that would otherwise be impossible/illegal.

Gaining root access could be for both legit and malicious purposes; gaining root is actually more about the function than the purpose. Most security software (including ours) uses various forms of rootkit-like OS hooking to gain the ability to both detect and remove malware.


@ nosirrah

Thanks for explaining API to me :(

Gaining root access could be for both legit and malicious purposes; gaining root is actually more about the function than the purpose. Most security software (including ours) uses various forms of rootkit-like OS hooking to gain the ability to both detect and remove malware.

Ah hah. That makes sense. I kind of thought that from a few things I had read but didn't know for sure.

:)
