Everyone knows about computer viruses – and people are rightly fearful of them. Many have also heard about (computer) worms, which are nasty programs designed to spread as much as they can to infect computers.
A rootkit, on the other hand, is devious in a different way. This unwanted code on your desktop is used to gain control over your desktop by hiding deep inside your system. Unlike most viruses, it is not directly destructive and unlike worms, its objective is not to spread infection as wide as possible.
So what does a Rookit do?
What it does do, is provide access to all your folders – both private data and system files – to a remote user who, through administrative powers, can do whatever he wants with your computer. Needless to say, every user should be aware of the threat they pose.
Rootkits generally go much deeper than the average virus. They may even infect your BIOS – the part of your computer that’s independent of the Operating System – making them harder to remove. And they may not even be Windows-specific, even Linux or Apple machines could be affected. In fact, the first rootkit ever written was for Unix!
Image by Fristle
Is this a new phenomenon?
No, not at all. The earliest known rootkit is in fact two decades old. However, now that every home and every work desk has a computer that is connected to the internet, the possibilities for using the full potential of a rootkit is only just being realized.
Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed rootkits without user permission that allowed any user logged in at the computer to access the administrator mode. The purpose of that rootkit was to enforce copy protection (called “ Digital Rights Management ” or DRM) on the CDs, but it compromised the computer it was installed on. This process could easily be hijacked for malicious purposes.
What makes it different from a virus?
Most often, rootkits are used to control and not to destroy. Of course, this control could be used to delete data files, but it can also be used for more nefarious purposes.
More importantly, rootkits run at the same privilege levels as most antivirus programs. This makes them that much harder to remove as the computer cannot decide on which program has a greater authority to shut down the other.
So how I might get infected with a rootkit?
As mentioned above, a rootkit may piggyback along with software that you thought you trusted. When you give this software permission to install on your computer, it also inserts a process that waits silently in the background for a command. And, since to give permission you need administrative access, this means that your rootkit is already in a sensitive location on the computer.
Another way to get infected is by standard viral infection techniques – either through shared disks and drives with infected web content. This infection may not easily get spotted because of the silent nature of rootkits.
There have also been cases where rootkits came pre-installed on purchased computers. The intentions behind such software may be good – for example, anti-theft identification or remote diagnosis – but it has been shown that the mere presence of such a path to the system itself is a vulnerability.
So, that was about what exactly is a rootkit and how does it creep in to computer. In my next article I’ll discuss how to defend your computer from rootkits – from protection to cleaning up.