Free PC Security

This blog has moved to

  • Archives

  • Our Reviews
    "I can't find a the perfect word to attach to this website's image because it is out of this world. No matter what type of Computer Security System you are interested in, you'll find help and quality content here. The content is awsome, well displayed and well arranged. The menu and speed is excellent. Navigation, Response and Relevance are also the best of the best. I don't even have to mention the Links because i must admit that i have never seen any better. I will let other people say more or invent other words because it really does suit it! Keep doing what you are doing now because you are exactly on the right path! Thanks for sharing! BOOKMARKED!"

    Get your own reviews, free traffic at

    Our Reviews
    "Great initiative. Will be very usefull to many PC users at home and in business."

    Get your own reviews, free traffic at

    Page copy protected against web site content infringement by Copyscape
    Photo Sharing and Video Hosting at Photobucket
    Blogging Den 2

What is a rootkit?

Posted by cotojo on August 2, 2007

What is a rootkit?

A rootkit is not an exploit — it’s the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.

A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a “fingerprint” that’s unique to a particular rootkit. However, the rootkit’s tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.

Heuristic/behavioral-based detection: This method works by identifying deviations in normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.

Rootkits are hard to detect. But there are programs – including a free one from Panda which I have covered in another post.

Related Post:
Panda Anti-Rootkit – Free

Add to Technorati Favorites

Join My Community at MyBloglog!

Click here to join FreePCSecurityClick to join FreePCSecurity

WOT Logo

© Free PC Security 2007 – 2008

One Response to “What is a rootkit?”

  1. […] is an article about rootkits here and advice on searching your hard drive for the presence of rootkits and tools to remove them […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: