
Eric Howes, who consults with us on spyware issues, writes this about rootkits:

Windows rootkits are malicious programs that use some fancy low-level programming tricks to hide themselves and other files and directories from Windows. When a rootkit is running on your machine, you won’t be able to see it (or the other files it’s hiding) through Windows Explorer. Neither will other standard Windows applications. They’re effectively invisible, even to Windows itself.

Rootkits are attractive and useful to malware, spyware, and adware creators because rootkits can hide malicious files that take control of users’ PCs and prevent those files from being easily removed. Spyware and adware authors have been especially aggressive in using rootkits to conceal their software on victims’ PCs. The best example is SearchMiracle/Elitebar, which uses a rootkit to hide dozens of files and directories within the Windows directory. Once SearchMiracle/Elitebar is installed, it is very difficult to remove, and users’ PCs are deluged with mysterious pop-ups that seem to come from nowhere.

As with other aspects of malware, rootkit creators and anti-malware companies are now in an arms race of sorts, with rootkit creators finding ever more clever ways to hide their code within Windows and anti-malware vendors scrambling to improve their applications to detect these newer breeds of rootkits.

Some links:

Microsoft Strider Project
(note: contains links to plenty of white papers and such)

Microsoft Rootkit Webcast

News articles
http://www.eweek.com/article2/0,1759,1829744,00.asp
http://www.eweek.com/article2/0,1759,1816972,00.asp
http://www.securityfocus.com/columnists/358
http://www.viruslist.com/en/analysis?pubid=168740859
http://www.eweek.com/article2/0,1895,1841266,00.asp

Anti-rootkit tools for Windows (Note: Most of these are complex programs that require an experienced user).

Blacklight

IceSword

Microsoft – Malicious Software Removal Tool

RootkitRevealer

UnHackMe

Alex