January 31, 2016

What is a rootkit?

A rootkit is a piece of software or hardware designed with the intent to gain unauthorized root-level access to a computer’s operating system in a stealthy way, without being detected.

Rootkits typically target the kernel mode of the operating system, the computer’s BIOS, or the boot loader located in the MBR, and they can alter user mode libraries and applications as well.

Rootkit infections are ubiquitous and tend to plague Microsoft Windows-based operating systems in particular, usually alongside other malicious software such as viruses, trojan horses and spyware, all of which make our lives miserable.

How do you uproot a rootkit? (no pun intended)

As rootkit contaminations are growing in number and becoming more elaborate, you would expect plenty of readily accessible software tools on the market to fight them off. On the contrary, there aren’t many mainstream programs readily available that are able to detect and eradicate rootkit infiltrations effectively.

An important thing to note is that there isn’t and never will be a universal rootkit scanner/remover and the best results are achieved by combining on-line/off-line comparison scanners with solid antivirus program(s).

There are quite a few tools out there, developed either by independent programmers or by little-known software groups, with which we have had a fairly good success rate at detecting rootkits or, better yet, preventing infections.

Free tools

Aside from tools by Bitdefender, F-Secure BlackLight, Malwarebytes or Sophos Anti-Rootkit, we’ve used tools by some obscure names from all over the world. Since in most instances those tools come with little or no documentation whatsoever and you don’t know what they actually do, we don’t recommend or endorse any of them. Use at your own risk and always exercise caution!

GMER (www.gmer.net) – a rootkit detector by a Polish developer that scans for and detects hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT/IDT/IRP calls, and inline hooks. Though the last release is dated 03/2009, we’ve had quite a lot of success detecting and removing MBR rootkits with this tool.

FLISTER – a rootkit detector by another talented Polish researcher that targets Windows rootkits (in both user and kernel mode) by exploiting a bug common to them: failing to properly hide the files or directories that should have been hidden.
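The comparison approach behind flister and the on-line/off-line comparison scanners mentioned above is a cross-view diff: the same namespace is listed once through a high-level API that a rootkit can hook and once through a low-level path that bypasses the hook, and any disagreement is a finding. The following is an added Python example of that diff, not code from either tool; the two snapshots and the file names in it are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One object as seen by a view (a file here; a process or registry key works the same)."""
    name: str
    size: int


@dataclass(frozen=True)
class Finding:
    kind: str    # "hidden": raw view only; "phantom": API view only; "mismatch": attributes differ
    name: str
    detail: str


def normalize(name: str) -> str:
    # Windows file and key names are case-insensitive, so fold case before
    # comparing; otherwise "CONFIG.SYS" vs "config.sys" would be a false positive.
    return name.casefold()


def cross_view(api_view: list[Entry], raw_view: list[Entry]) -> list[Finding]:
    """Diff a high-level (hookable) view against a low-level view that bypasses the hooks."""
    api = {normalize(e.name): e for e in api_view}
    raw = {normalize(e.name): e for e in raw_view}
    findings: list[Finding] = []
    for key in sorted(raw.keys() - api.keys()):      # object exists but the API omits it
        findings.append(Finding("hidden", raw[key].name, "present in raw view, absent from API view"))
    for key in sorted(api.keys() - raw.keys()):      # API reports something the raw view lacks
        findings.append(Finding("phantom", api[key].name, "reported by API, absent from raw view"))
    for key in sorted(raw.keys() & api.keys()):      # same object, but the API misreports it
        if raw[key].size != api[key].size:
            findings.append(Finding("mismatch", raw[key].name,
                                    f"API size {api[key].size} vs raw size {raw[key].size}"))
    return findings


# Constructed sample snapshots (not real scan output). RAW_VIEW is what an off-line
# or raw-volume scan returns; API_VIEW simulates a hooked directory listing that
# drops one driver file and under-reports another file's size.
RAW_VIEW = [Entry("config.sys", 10), Entry("_hidden_driver.sys", 4096), Entry("notes.txt", 120)]
API_VIEW = [Entry("CONFIG.SYS", 10), Entry("notes.txt", 100)]

if __name__ == "__main__":
    for f in cross_view(API_VIEW, RAW_VIEW):
        print(f"{f.kind:8} {f.name}: {f.detail}")
```

On a real system the two views would come from, for example, a normal directory listing and a parse of the raw volume, or a process enumeration and a direct probe of every PID; the diff logic is the same.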

ARIES Rootkit Remover by Lavasoft claims to reliably locate and permanently remove the rootkit that was developed by First4Internet and used by Sony BMG to hide their digital rights management (DRM) software.

Combofix – an effective tool against rootkits and other malware that incorporates GMER technology in its scans. Although it has had some stability issues and bugs in the past, it is rather powerful and should be used under the guidance of tech support at one of the forums that distribute it. Combofix is normally available for download on the Bleeping Computer forums.

Avira Rootkit Detection – a beta version of Avira Rootkit Detection that will reveal active rootkits and hidden objects and present you with actions to take against its findings.