The rootkit I'd found was far from being the first Windows rootkit. However, it was new to me and served as a door into a new world; a world where programs played with the operating system and could break rules, miraculously disappearing from lists of processes and files. I spent an inordinate amount of time studying the drivers which the program used to hide itself in the system. Trojan-Dropper.Win32.SmallProxy was a program designed to target a specific system and deployed in specified locations – something relatively complex and unusual for that time.
This article focuses mainly on Windows rootkits – they are the most numerous, they are continuing to evolve, they pose a serious threat for users and because Windows is the most popular OS today, they are widely used by virus writers. I define rootkits as programs that evade or circumvent standard system mechanisms by using stealth techniques to hide system objects: files, processes, drivers, services, registry keys, open ports, connections and so on.
In any discussion of rootkits, it is impossible to avoid mentioning the etymology of the term ‘rootkit’. In UNIX systems ‘root’ denotes an administrator with full privileges, while ‘kit’ is used to designate a set of tools. Thus the term ‘rootkit’ denotes a set of tools which can be used with malicious intent to gain access to the system unbeknownst to the real administrator. Such tools first appeared for UNIX in the early 90s. They still exist, but are not evolving in any significant way.
However, it's important to remember that even though Windows rootkits have inherited the name ‘rootkits’ from the Unix world, Windows malware of this type is directly descended from DOS stealth viruses, not UNIX rootkits.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.