Rootkit or rootkit virus is a form of malware. Rootkits using special technique to manipulate the behavior of the environment it is running on.
If we examine the term rootkit we can see that it is a combination of 2 words. The words are root as the super user. Under Linux and Unix operation system. Kit as a kit of tools.
In the early days of rootkit. We can say that rootkit are kits of tools that you use to make you root aka super user. You can do it on the current system your on.
Under windows operation system the root user is known as the administrator or admin. In windows the kit tries to give its operation administrator privilege to control the system.
In modern days. After Windows XP, with Windows Vista. There was a big change with the operation system. The changes where mainly in the kernel. This was due to rootkit behavior. To block rootkit from loading into kernel mode. The term bootkit was invented. A bootkit can describe as rootkit that infected the system boot. That is able to start before other drivers started once the system rebooted.
How rootkit virus work?
Rootkit virus are using technique to manipulate the default operation system behavior. In both kernel mode and user mode. By doing that it can hide objects on the system.
In windows, everything is referring as an object. It includes file, process, users etc. Rootkit can hide object from being seen by manipulate the default system behavior.
An example for that can be the way we show files in folder. There are 2 main API function that the system uses to list files and folders in the system.
If we use a hooking technique in the kernel level, that each time when something is looking on files in the system, instead of using the real API function we provide our own functions, we can program the function to not show special files (like files that start with special name) in the list.
How to develop a rootkit or rootkit scanner is out of the scope of this article. You can find related information on rootkit book. Please refer to amazon for example.
This about it, if we can hide files, we can hide users, running software (process) and even network connection, and if out hook was start before the antivirus driver, the antivirus will not be able to know about it!
What is User and Kernel Mode:
User Mode: This area is where the application are running, it is what the user use and see, like the
Kernel Mode: This area is for all the drivers and other object that control by the kernel, there is no access for users.
How to remove rootkit:
There are some types of rootkit removal tools. Some of them will scan your system for knowing signature of rootkit behavior. Like hooking technique. Some will scan your entire hard disk offline. While the operation system does not run from it, aka use the hard drive as external disk.
What is the best rootkit remover?
For live scan, you can use your antivirus as most of the has an inner anti rootkit scanner in them, you can also download some other rootkit removal tools like GMER and Rootkit Revealer tools from the internet.
What rootkit can do and how?
We know what rootkit is. Rootkit can be present as the defensive module in the malware. Rootkit technology use methods to make the malware more stealth. Malware scanner will not be able to find it.
Rootkit scanner need to search the unknown to find signature or behavior of rootkits. We know of rootkits that manipulate hardware behavior, in present days. There were study of rootkit that live in the memory of the system. This rootkit is able to detected a running scanner. By copy itself to another memory location. Making it possible to hide from the scanner.
A hardware rootkit can inject itself into the hardware memory, like BIOS, video and network card, the real dangerous with this type of rootkit is that even formation, or replacing you hard drive will not clean the rootkit.
During operation system install. The operation system probe for device information. The hardware that contain the rootkit virus will hook it into the system and the infection start again.