The rootkit I'd found was far from being the first Windows rootkit. However, it was new to me and served as a door into a new world; a world where programs played with the operating system and could break rules, miraculously disappearing from lists of processes and files. I spent an inordinate amount of time studying the drivers which the program used to hide itself in the system. Trojan-Dropper.Win32.SmallProxy was a program designed to target a specific system and deployed in specified locations – something relatively complex and unusual for that time.
This article focuses mainly on Windows rootkits – they are the most numerous, they are continuing to evolve, they pose a serious threat for users and because Windows is the most popular OS today, they are widely used by virus writers. I define rootkits as programs that evade or circumvent standard system mechanisms by using stealth techniques to hide system objects: files, processes, drivers, services, registry keys, open ports, connections and so on.
In any discussion of rootkits, it is impossible to avoid mentioning the etymology of the term ‘rootkit’. In UNIX systems ‘root’ denotes an administrator with full privileges, while ‘kit’ is used to designate a set of tools. Thus the term ‘rootkit’ denotes a set of tools which can be used with malicious intent to gain access to the system unbeknownst to the real administrator. Such tools first appeared for UNIX in the early 90s. They still exist, but are not evolving in any significant way.
However, it's important to remember that even though Windows rootkits have inherited the name ‘rootkits’ from the Unix world, Windows malware of this type is directly descended from DOS stealth viruses, not UNIX rootkits.
DOS stealth viruses appeared around 1990; at the same time, if not slightly earlier, than UNIX rootkits. Unlike UNIX rootkits, which were designed to enable the authors to gain access to the system and mask their presence within it, DOS stealth viruses simply hid themselves from the user and AV programs. This is exactly what modern Windows rootkits do. The techniques used by DOS stealth viruses are very similar to the ones used by Windows rootkits today. For instance, stealth viruses rely on techniques such as intercepting system calls and masking the malicious code by serving false data on disk or memory content. Windows rootkits also use these techniques extensively.
Windows rootkits appeared about 10 years later. Rather than naming these new programs stealth viruses, or some other more logical name, they became known as rootkits, thanks to Greg Hoglund. He was one of the first to build a tool designed to hide data in the system by combining various techniques for evading system protection features in Windows. He published his results in the e-magazine PHRACK (http://phrack.org/issues.html?issue=55&id=5#article) where the tool was named NT Rootkit. It went on to be used in many pieces of malware; in fact, NT Rootkit continues to intrigue and inspire both researchers and rootkit authors to this day.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.