How do rootkits work?
In Windows, the easiest way for a rootkit to run is in user mode. The
easiest way for it to do this is to grab hold of the ntldll.dll file,
and if it can control this then it can hide anything it wants from any
other program running in user mode. Software may askntldll.dll if there
is a rootkit present, and if there is, it will say "No".
Other rootkits run in kernel mode, and these can fool not only user-mode scanning, but also kernel-mode scanning. That can be a big concern.
Once installed, a rootkit can do anything it wants to. It can hide files, directories, ports, registry entries, pretty much anything you might use in user mode to examine the system.
Most virus scanners cannot detect a rootkit when that rootkit is active — the scanner says "show me all the files on the operating system, and the rootkits say "ok, I'll show you all the files on the operating system (except mine)." So all the files are scanned except those belonging to, or hidden by, the rootkit.
User mode rootkits are relatively stable. If they crash then they only affect themselves. They are much more common that kernel-level rootkits. However, a lot of people try to write kernel mode rootkits, and these are inherently dangerous as they operate in a space where the operating system works. They can destabilise the entire system. They frequently bluescreen machines; in product support that is often the first sign we see that a rootkit exists on a system.
Kernel mode rootkits are more powerful but far more dangerous, as they tend to be more unstable. Why?
Because the application programmers writing them are not so advanced.
Yet. We have to see any great programmers writing kernel mode rootkits,
but this is in its infancy, so that may well change.
Talkback
A rootkit exists in video memory?? Is this video memory volatile or non-volatile? If volatile then where is the rk stored if not on the HD? If non-volatile then how will a system nuke fix things?
wouldn't it solve the problem if the OS does not allow the system to hide the file and behave as a rootkit in the first place? or if it has stricter rules to govern the use of rootkits even for legitimate reasons?
This article is woefully uninformed, from the meaning of rootkit, to the suggestion that you must nuke the system rather than restoring a ghost image of the hard disk that is made on a regular basis.
"root" comes from root under Unix. The term doesn't even describe sony's code. A root kit installs over system programs and generally collects data for a hacker. Sony's program is simply a stealth program that uses traditional methods of hiding processes on Windows. Thats not a root kit. If it replaced the login program, or replaces the explorer program, it would be a rootkit. Key to a rootkit is the fact that it replaces a legitimate program with its own rendition which collects some data.
Yes, Sony's "rootkit" hides itself. But any program in windows can hide itself...it doesn't have to be root to do so, and it doesn't have to replace any program on the system to do so. It simply hooks the kernel dll calls and layers itself on top. This technique has been around since windows 3.0. But its not a rootkit.
Rootkits should be viwed exactly the same as other attacks on our PC's, they are secrative, no permission has been given for them to tresspass on our property and they are not neutral they do something to you. Sony's actions were disgraceful company's have no right to intrude and trespass without property. They should be legaly responsible for their actions. This reminds me of the Tesco tracking chip - who do they companiers think they are. Consumer boycotts are a good start they will soon cease these activities
Try reading and fixing the terribly high amount of typos in this piece!!
otherwise it's quite good!