I saw my first rootkit in 2004, when I was still a rookie virus analyst. At that point I had some vague knowledge of UNIX-based rootkits. One day I stumbled on an executable for Windows that didn’t seem to do anything when I launched it. But I had a funny feeling about it and took a closer look…and saw a file in the list of loaded modules that weren't present on disk. Obviously, I was lucky to be able to see this with the naked eye - the rootkit had errors in its code. Today I'd need a number of dedicated tools to achieve the same result, and even they might not be enough.

The rootkit I'd found was far from being the first Windows rootkit. However, it was new to me and served as a door into a new world; a world where programs played with the operating system and could break rules, miraculously disappearing from lists of processes and files. I spent an inordinate amount of time studying the drivers which the program used to hide itself in the system. Trojan-Dropper.Win32.SmallProxy was a program designed to target a specific system and deployed in specified locations – something relatively complex and unusual for that time.

This article focuses mainly on Windows rootkits – they are the most numerous, they are continuing to evolve, they pose a serious threat for users and because Windows is the most popular OS today, they are widely used by virus writers. I define rootkits as programs that evade or circumvent standard system mechanisms by using stealth techniques to hide system objects: files, processes, drivers, services, registry keys, open ports, connections and so on.


UNIX rootkits

In any discussion of rootkits, it is impossible to avoid mentioning the etymology of the term ‘rootkit’. In UNIX systems ‘root’ denotes an administrator with full privileges, while ‘kit’ is used to designate a set of tools. Thus the term ‘rootkit’ denotes a set of tools which can be used with malicious intent to gain access to the system unbeknownst to the real administrator. Such tools first appeared for UNIX in the early 90s. They still exist, but are not evolving in any significant way.

However, it's important to remember that even though Windows rootkits have inherited the name ‘rootkits’ from the Unix world, Windows malware of this type is directly descended from DOS stealth viruses, not UNIX rootkits.