What are Rootkits?
Rootkits are actually nothing new on the Windows® operating systems; they have already been around for years. It was only at the end of 2005 that this special class of “applications” started getting publicity, attracting the attention of the media, the public, the users and – unfortunately – also the virus programmers. Rootkits get installed in the same way as any other malicious programs and they can include all the same functions as ordinary spyware, Trojans and other malware.
What makes rootkits different and very dangerous is that they can hide all their program files, Windows® Registry entries and everything else that might betray their existence. Usually they are so well hidden that not even Windows® knows that a rootkit is installed and running. For the same reason most anti-virus and anti-spyware tools are also unable to deal with rootkits, because the rootkit’s files, registry entries and other components are completely invisible to them.
What’s the difference between a rootkit and spyware?
Most normal spyware and Trojans are stored in infected EXE program files that can be listed in Windows® Explorer and found by spyware and anti-virus tools. Rootkit components cannot be listed in Windows® Explorer and they are also invisible to other programs and even the Windows® system itself. The same applies to the active processes belonging to the rootkit – they are not displayed by the Windows® Task Manager or other similar tools. For Windows®, other programs and the user everything seems to be perfectly normal. There is no indication of any kind of problem or infection.
Rootkits often include code that opens a hidden “back door” that gives the rootkit programmer full access to your computer via the Internet whenever you are online. Many also include “key loggers” that record and store all the input from your keyboard, including your email addresses, account numbers, passwords, credit card numbers and bank security codes. All this data can then be accessed and used by the rootkit programmer – and you won’t even notice anything is happening.
Removing Rootkits…
What makes rootkits particularly dangerous is that they are even harder to remove than they are to find – much harder than “normal” malicious programs. They often run in protected mode and/or disguise themselves as part of an ordinary system driver. Even if you can find these processes it is generally not possible to terminate them because they are active and “resist” being terminated – with the active support of the operating system, which has been tricked into thinking they are system components.
To remove a rootkit that is protected like this you will generally need a bootable CD with tools for accessing your hard disk, such as a Linux installation that can be started from the CD or other similar tools. These tools can then be used to locate the objects associated with the rootkit on your hard disk while Windows® itself is not running. Once you have identified the rootkit’s processes, finding the files is generally quite easy, as the infected files often have the same name as the process. So all you need to do is search for files with these names.
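The offline search described above, as an added example that is not part of this documentation: after booting a Linux rescue CD and mounting the Windows® volume read-only, it searches that volume for files named after the suspect processes and records a hash of each match before anything is deleted. The mount point, process names and the extension list (.exe/.dll/.sys) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: search a Windows volume mounted read-only from a Linux
# boot disc for files named after suspect processes (names from the scan).
# NTFS file names are case-insensitive, so matching is case-insensitive;
# the .exe/.dll/.sys extension list is an assumption for this example.

# find_by_process_name MOUNTPOINT NAME...  -> one matching path per line
find_by_process_name() {
    mnt="$1"; shift
    [ -d "$mnt" ] || { echo "no such mount point: $mnt" >&2; return 2; }
    for name in "$@"; do
        base="${name%.[eE][xX][eE]}"   # accept "svc.exe" or just "svc"
        # -xdev keeps the search on the mounted volume only
        find "$mnt" -xdev -type f \( -iname "$base" -o -iname "$base.exe" \
             -o -iname "$base.dll" -o -iname "$base.sys" \) 2>/dev/null
    done | sort -u
}

# report_matches MOUNTPOINT NAME...  -> "sha256  size  path" per match,
# so the evidence is recorded before any file is removed
report_matches() {
    find_by_process_name "$@" | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s  %s bytes  %s\n' "$sum" "$size" "$f"
    done
}

# Usage (device, mount point and process name are placeholders):
#   mount -o ro /dev/sda2 /mnt/windows
#   report_matches /mnt/windows suspect.exe
```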
Performing the Scan…
To scan your system for rootkits click on Search in the Rootkit-Detector screen. The dialog below will be displayed if a rootkit is identified. The screen shows all the components of the rootkit, which can include services, active processes and entries in the Windows® Registry. When you select one of these components, options will be displayed with which you can attempt to terminate the process or delete the file.
Rootkit identification by the AntiSpy Guard…
When the AntiSpy Guard identifies a rootkit or a rootkit component the dialog below is displayed with detailed information on the file name, the nature of the infection and the origin of the file. You then have the same options as for identified spyware: you can put the infected file in quarantine, allow it to remain active or block it.
Protect yourself with updates…
Rootkits are a new and rapidly-growing threat that you need to take very seriously, so please check for program updates regularly with the Online Update function in the Internet menu. Every rootkit is different and the Rootkit Detector must be extended and updated regularly to provide protection against new rootkits and rootkits with new “cloaking” technologies.