Rootkit Evolution
by Alisa Shevchenko - Virus analyst, Kaspersky Lab - Monday, 1 September 2008.
It is immediately clear that the thinking of those researching these issues was changing course, with the focus moving from neutral tools to tools designed with ulterior, including malicious, motives.
  • 2003 – Haxdoor (aka A-311 Death and Nuclear Grabber, a modified variant of the same program). This is already more than a tool – it is a backdoor that uses rootkit techniques to conceal its presence in the system. It works primarily in user mode.
  • 2004 – FU – a tool to conceal processes. This tool introduces a new technique based on modifying the system structure itself, rather than modifying access to the system. It works in kernel mode.
The list above is not exhaustive, but it includes the rootkits that are key to understanding the evolution of Windows rootkits, especially HacDef, Haxdoor and FU. These three rootkits were commonly found in the wild in tandem with other malware. Rootkits from 2000 – 2004 fit neatly into the standard (now outmoded) classification system: they function either at user level or at kernel level, and they hide either by Execution Path Modification (hooking the code that answers a query, e.g. an API or system call table, so that the answer is filtered) or by Direct Kernel Object Manipulation (editing the kernel's own data structures, so that even an unhooked query returns the altered picture).
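The distinction matters for detection, so here is an added illustration of the DKOM approach that FU introduced. This is a user-mode C simulation written for this page, not code from FU or from the article's author: the structures, field names and the four sample processes are constructed stand-ins for the kernel's process objects and the doubly linked active-process list, and the enumeration routines approximate how a list-walking API and a cross-view scanner would each see the system.

```c
/* Added example: simulating FU-style DKOM process hiding and the cross-view
 * check that detects it. Everything here is a constructed stand-in; the real
 * EPROCESS layout is opaque and version-specific. Only the doubly linked
 * ActiveProcessLinks field matters for the technique. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry_t;

typedef struct fake_eprocess {
    unsigned long pid;                   /* 0 marks an unused slot */
    char image_name[16];
    list_entry_t active_process_links;   /* stands in for EPROCESS.ActiveProcessLinks */
} fake_eprocess_t;

#define MAX_PROCS 8
#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

static fake_eprocess_t g_procs[MAX_PROCS]; /* stands in for the kernel pool */
static list_entry_t g_active_head;         /* stands in for PsActiveProcessHead */

static void list_init(list_entry_t *head) { head->flink = head->blink = head; }

static void list_append(list_entry_t *head, list_entry_t *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Constructed sample process list (PIDs and names are made up for the demo). */
void build_process_list(void) {
    static const struct { unsigned long pid; const char *name; } sample[] = {
        {4, "System"}, {400, "smss.exe"}, {1234, "explorer.exe"}, {2222, "backdoor.exe"},
    };
    memset(g_procs, 0, sizeof g_procs);
    list_init(&g_active_head);
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        g_procs[i].pid = sample[i].pid;
        strncpy(g_procs[i].image_name, sample[i].name, sizeof g_procs[i].image_name - 1);
        list_append(&g_active_head, &g_procs[i].active_process_links);
    }
}

/* View 1: what a process-listing API effectively reports, obtained by walking
 * the active process list from its head. */
size_t count_by_list_walk(void) {
    size_t n = 0;
    for (list_entry_t *e = g_active_head.flink; e != &g_active_head; e = e->flink) n++;
    return n;
}

static int pid_in_list_walk(unsigned long pid) {
    for (list_entry_t *e = g_active_head.flink; e != &g_active_head; e = e->flink)
        if (CONTAINING_RECORD(e, fake_eprocess_t, active_process_links)->pid == pid) return 1;
    return 0;
}

/* The DKOM step: unlink the target's entry from the list but leave the object
 * itself intact, so the thread scheduler (which does not consult this list)
 * keeps running it. The orphaned links are pointed back at themselves so that
 * a later unlink on process exit does not corrupt the list. No code path is
 * hooked; only data is changed. */
int hide_process_dkom(unsigned long pid) {
    for (list_entry_t *e = g_active_head.flink; e != &g_active_head; e = e->flink) {
        if (CONTAINING_RECORD(e, fake_eprocess_t, active_process_links)->pid != pid) continue;
        e->blink->flink = e->flink;
        e->flink->blink = e->blink;
        e->flink = e->blink = e;
        return 1;
    }
    return 0;
}

/* View 2: enumerate the objects themselves rather than the list that links
 * them, the way a cross-view anti-rootkit tool scans the PID table or pool. */
size_t count_by_object_scan(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAX_PROCS; i++) if (g_procs[i].pid != 0) n++;
    return n;
}

/* Cross-view detection: any object present in view 2 but absent from view 1
 * is a hidden process. Returns the number of hidden PIDs written to out. */
size_t find_hidden_by_cross_view(unsigned long *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < MAX_PROCS && n < max; i++)
        if (g_procs[i].pid != 0 && !pid_in_list_walk(g_procs[i].pid)) out[n++] = g_procs[i].pid;
    return n;
}

int main(void) {
    unsigned long hidden[MAX_PROCS];
    build_process_list();
    printf("before: list walk %zu, object scan %zu\n", count_by_list_walk(), count_by_object_scan());
    hide_process_dkom(2222);
    printf("after DKOM: list walk %zu, object scan %zu\n", count_by_list_walk(), count_by_object_scan());
    size_t n = find_hidden_by_cross_view(hidden, MAX_PROCS);
    for (size_t i = 0; i < n; i++) printf("hidden pid %lu\n", hidden[i]);
    return 0;
}
```

The point the simulation makes is the one that drove the anti-rootkit tools mentioned later in the article: because DKOM leaves no hook to find, a scanner cannot detect it by checking code integrity; it has to obtain the same information from two independent sources and diff them.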

Rootkits – mass production

As rootkits evolved, they were also being embedded in malicious programs. In those days it was difficult to create stealth technologies independently, because little had been written about the field; as a result, the small number of malicious rootkits fell into three categories:
  • Trojans which used ready-made tools and libraries to hide themselves. The overwhelming majority of these Trojans used Hacker Defender and FU.
  • Ready-made malicious rootkits which could be downloaded or purchased and which could be modified by the user. Haxdoor is one example. Like HacDef, Haxdoor was very popular in the fall of 2005; Kaspersky Lab was adding around ten new signatures daily to protect against new variants of Haxdoor.
  • Custom rootkits developed for targeted attacks. AV vendors usually learned about these rootkits directly from customers, mostly large enterprises. Typically, virus analysts conducted on-site manual forensic investigations after network administrators couldn't identify the cause of the problem. This group of rootkits was extremely small, but the samples showed a high level of technical sophistication.
By 2005, almost 80% of extant rootkits were variants of HacDef and Haxdoor. Rbot and SdBot were the first multi-functional backdoor Trojans to include built-in rootkit technologies. The motive was clear: any technology that improved the overall functionality of a commercial Trojan translated directly into additional financial gain for the author and/or controller. Thus bot masters were the first to latch on to stealth/rootkit technologies.


By 2006 we saw rootkit technologies being built into common email worms such as Bagle, Trojan-Spy programs such as Goldun, and Mailbot programs such as Rustock. This development proved to be a serious challenge for AV vendors. However, by the time the use of rootkit technologies in Trojans had become standard, there were a number of anti-rootkit tools available, both standalone and within products. The balance of power was restored.

Rootkits and scandal

By 2005 the use of rootkit technologies in malware was so widespread that it fell under the gaze of the mass media and, naturally, of security vendors. Microsoft representatives brought up the topic at RSA. The numerous scandals related to rootkit-like technologies found in various software and hardware products in 2006 clearly demonstrate how rootkits had become a public issue.
