Rootkits

July 21, 2005, 8:54pm PDT | Length: 00:03:35


Rootkits attack deep within operating systems and make themselves invisible to the anti-spyware and anti-virus software sent out to detect them. Learn how to use rootkit detectors, which use the same tricks as the rootkits themselves.

Transcript

My name is John Sheesley. I'm senior editor for TechProGuild, and today I'm going to be talking to you about rootkits. It's hard enough as it is to deal with viruses and spyware, and all the other security threats on your network, but at least the anti-spyware and anti-virus software that we're using can detect and defeat them.

The whole idea behind rootkits is the fact that they are completely invisible to those countermeasures. Rootkits began on the Unix operating system, and then quickly moved over to the Linux operating system. That wouldn't be so bad because these operating systems don't have a very large market share, but now hackers have pointed their rootkits at Windows. That means that just about anybody who's running Windows, which is about 99% of people on the Internet, is now vulnerable to rootkits.

So, how does a rootkit work? A rootkit integrates itself deep within your operating system, taking over bits and pieces of the operating system, and then hiding from anything which is trying to detect it. So, let's say that you have something on your operating system, like command.com, just a regular operating system file. The rootkit will go ahead and infect the file, and become part of it. If you go ahead and try and use some anti-virus software, or anti-spyware software against it, the rootkit does kind of a little Jedi mind trick, telling the anti-virus, anti-spyware software, "there are no droids here, move along." And the anti-virus and the anti-spyware software go, "Okay." In essence, what happens is a rootkit, much like this piece of paper, is completely invisible and no longer detected.

So, what do you do about rootkits? Fortunately, several vendors have created rootkit detectors. Some of the most popular rootkit detectors include RootkitRevealer, Ghostbuster, and BlackLight. The way the detectors work is actually kind of ironic. They use the same tricks that rootkits do to hide from any anti-virus and anti-spyware programs. But instead, they use those tricks against the rootkit itself. They hide themselves from the rootkit, so whenever the rootkit goes out to see if there are any detectors, it can't see them.

Now of course, rootkit hackers don't like that idea. They want to make sure that the rootkit can do its job, so they change the rootkits in order to be able to detect the rootkit detector. The detector software companies change their programs so they can detect the rootkits again. So you wind up in an ever-escalating arms race as the two fight each other in order to make sure that they gain superiority. That means it's very important that if you're using a rootkit detector, you have to have the latest updates on your system, or else the rootkit just can't be seen.

Rootkits are going to be an increasing problem as we go forward. Because of the very nature of being invisible, it makes it difficult to make sure whether a problem that you're having is hardware, software or a hidden rootkit. One of the most important things to remember is that just because you can't see a problem, it doesn't mean that the problem doesn't exist.
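As an added illustration of the hiding described above and of the cross-view idea that detectors such as RootkitRevealer rely on (comparing what the operating system's API reports against a raw read of the disk), here is a small simulation written for this page; it is not code from the video or from any of the products named. Nothing in it hooks a real operating system: the file names, the `_root_` prefix and every function name are constructed for the example, and each "view" is just a Python list.

```python
# Constructed simulation: a rootkit that filters its own files out of the
# OS directory listing, a scanner that trusts that listing, and a cross-view
# detector that compares the listing against the raw on-disk contents.
from typing import Callable, Iterable

# Constructed on-disk contents. Files starting with "_root_" stand in for the
# rootkit's own components, which it strips from any listing served by the API.
ON_DISK = ["command.com", "kernel32.dll", "_root_driver.sys",
           "notepad.exe", "_root_cfg.dat"]
HIDE_PREFIX = "_root_"


def raw_disk_view(entries: Iterable[str] = ON_DISK) -> list[str]:
    """Low-level view: what a detector sees when it parses the volume
    structures itself instead of asking the (hooked) OS API."""
    return sorted(entries)


def hooked_api_view(entries: Iterable[str] = ON_DISK,
                    hide: Callable[[str], bool] = lambda n: n.startswith(HIDE_PREFIX)
                    ) -> list[str]:
    """High-level view after the rootkit has interposed on directory enumeration:
    its filter drops its own files before results reach the caller ("move along")."""
    return sorted(n for n in entries if not hide(n))


def naive_scan(view: Callable[[], list[str]], signatures: Iterable[str]) -> list[str]:
    """A signature scanner that trusts the OS API. It can only match names the
    hook lets through, so a hidden file is never reported."""
    sigs = set(signatures)
    return [n for n in view() if n in sigs]


def cross_view_detect(api_view: Callable[[], list[str]],
                      raw_view: Callable[[], list[str]]) -> list[str]:
    """Cross-view diff: anything present on disk but absent from the API listing
    is being concealed from the OS. No signature is needed, only the discrepancy."""
    return sorted(set(raw_view()) - set(api_view()))


if __name__ == "__main__":
    # Even with the exact file name as a signature, the API-trusting scan is blind.
    print("naive scan sees:", naive_scan(hooked_api_view, ["_root_driver.sys"]))
    print("cross-view finds:", cross_view_detect(hooked_api_view, raw_disk_view))
```

The same comparison applies to registry keys and running processes; the arms race the transcript describes is the rootkit moving its hook down to the layer the detector reads from, which is why the detector must be kept current.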