Sunday, February 1, 2009

Rootkit

A rootkit is a piece of software that hides programs or processes running on a computer. It is often used to conceal misuse of the computer or data theft.

When malicious software, such as an internet worm, gains access to your computer, it sometimes installs a rootkit. This is often used to hide the presence of utilities that allow a hacker to open a “back door” that gives continuing access to the computer. The hidden utilities may also give the hacker rights to carry out functions that can usually only be performed by a user with special privileges. (On UNIX and Linux computers, such users are called “root”, and hence the name rootkit).

A rootkit can hide keystroke loggers or password sniffers, which capture confidential information and send it to hackers via the internet. It can also allow hackers to use the computer for illicit purposes, e.g. launching a “denial-of-service” attack against other computers, or sending out spam mail, without the user’s knowledge.

Even if a rootkit is not installed with malicious intent (as in the case of Sony’s Digital Rights Management, used to prevent pirating of music CDs), it can make the computer vulnerable to hackers.

Detecting rootkits is difficult. Once a rootkit is running on the computer, you cannot reliably identify all the processes running on that computer, or all the files in a directory – so traditional anti-virus software may not find evidence of the rootkit’s presence. A rootkit may also suspend its activity until the software has finished its scanning. A sure method of finding the rootkit is to turn off the computer, restart it from a rescue CD and then use anti-virus software to scan the computer. As the rootkit is not running, it cannot hide itself.

Anti-virus programs can detect the Trojans or worms that typically install the rootkit, of course, and some programs can now detect the rootkit itself while it is running.
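One way a live scanner can notice a hidden process is a cross-view comparison: the process list that a /proc directory listing reports (what ps and top read) is compared against the PIDs the kernel acknowledges when probed with kill(pid, 0); a rootkit that filters the listing typically cannot filter the second view. The following is an added example, not part of the Sophos text, and assumes a Linux host where the script runs as a user allowed to read /proc.

```python
"""Cross-view process check: compare the PIDs a directory listing of /proc
reports against the PIDs the kernel admits to via kill(pid, 0). A rootkit
that filters /proc listings hides a PID from the first view but usually
not from the second. Added example, Linux only."""
import os

def pids_from_proc_listing():
    """View 1: PIDs visible in a readdir() of /proc (what ps and top use)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_signal_probe(pid_max):
    """View 2: PIDs that exist according to kill(pid, 0), which consults the
    kernel's PID table, not the /proc directory listing."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:      # exists, but owned by another user
            alive.add(pid)
        except ProcessLookupError:   # no such PID
            pass
    return alive

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def hidden_pids(listed, probed, tgid_of):
    """PIDs in the signal view but missing from the listing view. Threads are
    legitimately absent from readdir(/proc) (they sit under /proc/<tgid>/task),
    so a candidate whose Tgid differs from its own PID is a thread, not hidden."""
    return {p for p in probed - listed if tgid_of(p) in (None, p)}

def scan():
    """Take both views twice and report only PIDs hidden in both passes,
    which filters out processes that started or exited between views."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    passes = [hidden_pids(pids_from_proc_listing(),
                          pids_from_signal_probe(pid_max), thread_group_id)
              for _ in range(2)]
    return passes[0] & passes[1]
```

A non-empty result from scan() is a lead to investigate, not proof of a rootkit; the same check works for files by comparing a directory listing against direct stat() calls on expected names.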

Sophos.com
