DOS stealth viruses appeared around 1990, at about the same time as, if not slightly earlier than, UNIX rootkits. Unlike UNIX rootkits, which were designed to let their authors gain access to a system and mask their presence within it, DOS stealth viruses simply hid themselves from the user and from AV programs. This is exactly what modern Windows rootkits do. The techniques used by DOS stealth viruses are very similar to the ones used by Windows rootkits today. For instance, stealth viruses relied on techniques such as intercepting system calls and masking the malicious code by serving false data about disk or memory contents. Windows rootkits also use these techniques extensively.
Windows rootkits appeared about 10 years later. Rather than naming these new programs stealth viruses, or some other more logical name, they became known as rootkits, thanks to Greg Hoglund. He was one of the first to build a tool designed to hide data in the system by combining various techniques for evading system protection features in Windows. He published his results in the e-magazine PHRACK (http://phrack.org/issues.html?issue=55&id=5#article) where the tool was named NT Rootkit. It went on to be used in many pieces of malware; in fact, NT Rootkit continues to intrigue and inspire both researchers and rootkit authors to this day.
Origins and popularization
Hoglund's article is dated 1999 and is based on research into the Windows kernel conducted the previous year and published on Usenet by a programmer from Sri Lanka. Back in 1995, Jeffrey Richter, a Windows programming guru, disclosed techniques for intercepting system calls in user mode in his famous book "Advanced Windows" and in its fourth edition, which was retitled "Programming Applications for Microsoft Windows". These techniques were later implemented in many rootkits, some of which went as far as to copy source code directly from the book.
Techniques for intercepting system calls in kernel mode were disclosed publicly in two other classic programming manuals: Schreiber's "Undocumented Windows 2000 Secrets", published in 2001, and "Undocumented Windows NT" by P. Dabak et al. (1999).
The first Windows rootkits
Researchers continued to investigate Windows system protection, and soon after NT Rootkit was released several other tools appeared, all designed to hide objects in the operating system:
- 2000 – he4hook, designed by a Russian programmer. The tool is not malicious, but it does hide files. It works in kernel mode. Interestingly, even the author doesn't call this program a rootkit.
- 2002 – Hacker Defender (aka HacDef). This is also just a tool, but a more powerful one: it can be used to hide files, processes and registry keys with flexible settings in the configuration file. It also works in kernel mode.
- 2003 – Vanquish. This tool can be used to hide files, directories and registry keys. Moreover, it has a malicious payload – it logs passwords. Vanquish works in user mode.