Malware is no longer viewed with the notoriety it once was. Gone are the days of massive infections, such as the “I love you” worm, which was headline news even in the mainstream press.
Today, professional creators looking to profit financially from malware need any virus, worm or Trojan to be able to operate undetected by users, as this is a key ingredient in achieving their objectives. In other words, an invisible virus is far more dangerous than one that is easily noticed.
So how can we see malware?
Well let’s not forget, after all, that it is only software, and all software leaves its trace on a system: not just the file or files that contain the intruder, but also the registry keys, folders, activity reports, etc. Any tool that lets you list files or registry values, such as Windows Explorer or Regedit, will reveal the presence of an intruder that cannot cover its tracks.
Now, this is where rootkits come in to play. A rootkit is software whose sole purpose is to hide system components, such as files, processes, registry keys, etc, so that the user cannot see them. They do this by penetrating the most critical layer of the operating system, the kernel, and manipulating certain internal structures and functions, thereby deceiving applications and preventing them from displaying the real content of the system.
For example, imagine there is a virus, whose binary name is “malo.exe”, installed in “C:WindowsSystem32”.
When the intruder loads to memory, the rootkit manipulates the system functions that list the files in this folder, so that when they detect the path “C:WindowsSystem32MALO.EXE”, they ignore it and go on to the next one. This way, an application that requests the list of files cannot see this folder. The same thing happens with registry keys, processes, or any other component of the system that the rootkit wants to hide.
It is interesting to note here that rootkits are not malicious per se, as they may have perfectly legitimate uses, or at least, uses that are not related in any way to malware. In fact, the term “rootkit” first became used on a wide scale thanks to an incident involving the company Sony.
In 2005, Sony BMG Music included copy protection software on its music CDs which also included a rootkit designed to hide the protection system. The problem in this case was that it was done without user authorization, transmitting information and creating a security hole. Any attempt to remove the rootkit manually would leave the CD drive inoperable.
The danger therefore of any malware that includes a rootkit component is evident, given the significant stealth capacity and the ability to control a system without users realizing. Moreover, rootkits are among the most complex, advanced and resilient threats, operating at a level so deep that typical detection techniques are of little use, and specific purpose-built scanners are required, such as the free Panda Anti-Rootkit.
In any event, it is important to remember that all rootkits enter systems initially through a file, so the usual precautionary advice we offer for other types of malware also serves in the case of rootkits: use a good antivirus, keep it up-to-date, use a firewall, install the latest security patches, do not use an administrator account unless strictly necessary , etc.
So now you know…. watch out for rookits!!
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
9 comments
Great article!!! I am going to send this off to some of my people so they can understand sort of what a rootkit is.
Thanks Bill, glad you like it 🙂
I don’t think you meant to imply the Sony rootkit was legit.
Any software that would intentionally disable other functions of a computer when it is removed or would be installed secretly the way the Sony rootkit was (and maybe against the owners wishes) is definitely in the malware category.
Sony went too far in an attempt to protect their legal intellectual property.
BTW the link to the Panda Anti-Rootkit is a 404 page.
I’ve been using Pands AV for years and it has been rock solid. Thanks.
Hello James, thanks for your comments.
I think the Sony rootkit wasn’t legit, however, what I meant to say is that I think it was never intended to be harmful, and malware is always intended to be harmful.
Thanks Melina, I’m glad you like it.
A good and clear explanation, thanks Javier!
I am not a techie but I have been on the Panda website for 2 hours now trying to figure out what is happening to my computer. For three days in a row now a bizarre .exe file (each time with new name) along with two files that might be .dll or .ini files (i can’t tell – they are hidden but I have hidden files viewed)(and these both have the same name every day) has suddenly appeared in my D: drive! I am not on email, I am not on my browser, I just left the computer on and it is connected to my internet provider, but nothing was open. How is this happening? I had Panda analyze these files and Panda got rid of them, but they keep coming back! I don’t know where to look for help, and I don’t know if they are called malware, viruses, or what these are.
@tb
Hello,
It seems the malware you are infected with implements some kind of persistence mechanism. You should boot your machine with a clean disc and try analyzing again.
Good luck!