Rootkit Evolution
by Alisa Shevchenko - Virus analyst, Kaspersky Lab - Monday, 1 September 2008.
I saw my first rootkit in 2004, when I was still a rookie virus analyst. At that point I had some vague knowledge of UNIX-based rootkits. One day I stumbled on an executable for Windows that didn’t seem to do anything when I launched it. But I had a funny feeling about it and took a closer look…and saw a file in the list of loaded modules that weren't present on disk. Obviously, I was lucky to be able to see this with the naked eye - the rootkit had errors in its code. Today I'd need a number of dedicated tools to achieve the same result, and even they might not be enough.

The rootkit I'd found was far from being the first Windows rootkit. However, it was new to me and served as a door into a new world; a world where programs played with the operating system and could break rules, miraculously disappearing from lists of processes and files. I spent an inordinate amount of time studying the drivers which the program used to hide itself in the system. Trojan-Dropper.Win32.SmallProxy was a program designed to target a specific system and deployed in specified locations – something relatively complex and unusual for that time.

This article focuses mainly on Windows rootkits – they are the most numerous, they are continuing to evolve, they pose a serious threat for users and because Windows is the most popular OS today, they are widely used by virus writers. I define rootkits as programs that evade or circumvent standard system mechanisms by using stealth techniques to hide system objects: files, processes, drivers, services, registry keys, open ports, connections and so on.

UNIX rootkits

In any discussion of rootkits, it is impossible to avoid mentioning the etymology of the term ‘rootkit’. In UNIX systems ‘root’ denotes an administrator with full privileges, while ‘kit’ is used to designate a set of tools. Thus the term ‘rootkit’ denotes a set of tools which can be used with malicious intent to gain access to the system unbeknownst to the real administrator. Such tools first appeared for UNIX in the early 90s. They still exist, but are not evolving in any significant way.

However, it's important to remember that even though Windows rootkits have inherited the name ‘rootkits’ from the Unix world, Windows malware of this type is directly descended from DOS stealth viruses, not UNIX rootkits.

Stealth viruses

DOS stealth viruses appeared around 1990; at the same time, if not slightly earlier, than UNIX rootkits. Unlike UNIX rootkits, which were designed to enable the authors to gain access to the system and mask their presence within it, DOS stealth viruses simply hid themselves from the user and AV programs. This is exactly what modern Windows rootkits do. The techniques used by DOS stealth viruses are very similar to the ones used by Windows rootkits today. For instance, stealth viruses rely on techniques such as intercepting system calls and masking the malicious code by serving false data on disk or memory content. Windows rootkits also use these techniques extensively.

Windows rootkits appeared about 10 years later. Rather than naming these new programs stealth viruses, or some other more logical name, they became known as rootkits, thanks to Greg Hoglund. He was one of the first to build a tool designed to hide data in the system by combining various techniques for evading system protection features in Windows. He published his results in the e-magazine PHRACK ( where the tool was named NT Rootkit. It went on to be used in many pieces of malware; in fact, NT Rootkit continues to intrigue and inspire both researchers and rootkit authors to this day.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th