What is a Rootkit?

What is a rootkit and why should I care if one is installed on my computer?

Rootkits are secretive programs installed on your computer with the intent of obscuring their purpose and actions while avoiding detection. Historically, rootkits have been associated with hacker tools designed to grab passwords and other sensitive information from your computer so that the information can be used to break in later. If you've ever heard the term Trojan Horse in reference to a computer virus, a rootkit is one example. The goal of a rootkit is to install itself undetected and then keep performing its prescribed purpose without detection, indefinitely or until its creator gains access.

There are four main classes of rootkits. Depending on what the rootkit is designed to do and where it installs on your system, the potential for harm or data compromise varies.

Memory-based rootkits install in active memory only, which means flushing your memory or power cycling your computer renders the rootkit useless. These aren't as common as other types of rootkits because their potential useful life is short.

Persistent rootkits become active each time your computer boots; they install in the Windows Registry or as part of the Windows file system. In general, this type of rootkit is associated with malware that initiates a specific action, like sending your personal data to a remote location, and continues to perform that operation until it is removed from your system.

User-mode rootkits intercept data at the user level to avoid detection. When an application running as the currently logged-on user attempts to locate information, such as the contents of your hard drive, a user-mode rootkit attempts to disguise its existence by excluding itself from the results.

Kernel-mode rootkits are harder to locate than user-mode rootkits because they are disguised at the operating system level. Instead of simply hiding from the current user, a kernel-mode rootkit attempts to cloak its existence from Windows itself while still performing its operations.
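The two paragraphs above describe the same hiding trick at two levels: the rootkit sits between the program asking for a directory listing and the answer, and drops its own entries from the result. The standard way to catch that is a cross-view comparison: ask for the listing through the path a normal application uses, obtain the same listing from an independent source, and report anything that appears in one view but not the other. The script below is an added illustration written for this article (it is not code from the original page and simulates no real rootkit): `hooked_listdir` stands in for a user-mode hook that filters a constructed `$sim_hidden_` prefix out of the results, and `cross_view_diff` is the detection step. The prefix, the function names and the sample files are all constructed for the demonstration.

```python
import os
import tempfile

# Constructed marker for this simulation: any entry whose name starts with this
# prefix is what the simulated hook hides. This is a demo convention, not one
# used by any real rootkit.
HIDE_PREFIX = "$sim_hidden_"


def hooked_listdir(path):
    """Simulates a user-mode hook on the directory-listing API.

    A user-mode rootkit calls the real API and then removes the entries it wants
    to hide before handing the result back to the application. Here that is just
    a filter on the constructed prefix."""
    return [name for name in os.listdir(path) if not name.startswith(HIDE_PREFIX)]


def independent_listdir(path):
    """Independent view of the same directory.

    For this simulation os.scandir is a different call than the one the hook
    wraps. On a real system a trustworthy second view comes from reading the raw
    volume, or from booting clean media, because a kernel-mode rootkit filters the
    kernel's answer and every user-level API would then agree with the hook."""
    with os.scandir(path) as it:
        return [entry.name for entry in it]


def cross_view_diff(path, api_view=hooked_listdir, trusted_view=independent_listdir):
    """Cross-view detection: entries present in the trusted view but missing from
    the application-facing view are exactly what a hiding hook filtered out."""
    return sorted(set(trusted_view(path)) - set(api_view(path)))


def demo(include_hidden=True):
    """Builds a constructed directory holding one ordinary file and, optionally,
    one file the simulated hook hides, then returns what the comparison flags."""
    names = ["report.txt"]
    if include_hidden:
        names.append(HIDE_PREFIX + "driver.sys")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("constructed sample content\n")
        return cross_view_diff(d)


if __name__ == "__main__":
    print("hidden entries flagged:", demo())          # ['$sim_hidden_driver.sys']
    print("clean directory flagged:", demo(False))    # []
```

The interesting point for a defender is the limitation the kernel-mode paragraph hints at: this comparison only works when the two views really are independent. If the filtering happens inside the kernel, both `os.listdir` and `os.scandir` receive the already-filtered answer and the diff is empty, which is why rootkit detectors compare the live operating system's view against the raw disk or against an offline boot rather than against another call into the same OS.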

As indicated above, rootkits are typically associated with malware or viruses. More recently, Sony/BMG Entertainment has come under fire for bundling a rootkit as part of the copy-protection software included on its music CDs. They have since pulled the plug on distribution, but the potential damage is done: there is already one documented exploit of this security hole.