Rootkits – CompTIA Security+ SY0-401: 3.1


One of the most significant challenges with rootkits is their ability to be invisible inside of your computer. In this video, you’ll learn where rootkits live and how they manage to avoid our normal malware detection strategies.



Rootkits take their name from something you'll find in Unix-type systems. If you are the superuser of a Unix system, then you are root, which is very similar to being the Administrator on a Windows system. And that's where the word comes from. If you have a kit of software that gets you root-level access to a machine, keeps that access for you, and hides the fact that it is there, then that is a rootkit.

A rootkit is something that is trying to hide itself. And a good way to hide inside a computer is to become part of the operating system itself. If you can become part of the kernel, or embed yourself deeply in the inner workings of the operating system, then you have a lot of power, and you can circumvent the normal security on that system. That's not easy to do, of course, but if you are able to accomplish it, then you have a great deal of control over that particular computer.

This means the rootkit is effectively invisible to the operating system. More precisely, it sits in the path that answers questions like "what files are in this directory?" and "what processes are running?", and it filters its own entries out of those answers. So you're not going to see it through normal means. You're not going to be able to pop up Task Manager and find it there. You're also not going to identify it with your normal anti-virus, anti-spyware, or anti-malware utilities, because those tools ask the same operating system for the same lists and get the same edited answers. And if they can't see the rootkit on your system, then obviously they can't remove it, either.

Sometimes you can hide in an operating system just by blending in with everything else that's there, and that doesn't have to be a very complex process. For instance, in the Windows system directory there are commonly thousands of files, hundreds of megabytes of information. Just drop a file in there. Who's going to realize, among those thousands of files, that you've added a new one to the mix? Especially if you're sneaky and give it a name that looks legitimate. Swap a single letter for a look-alike character, for example a digit 1 in place of a lowercase l, so that something like rundl132 sits next to the familiar rundll32. In the font on this slide the difference is fairly obvious, but in the Windows file browser that 1 looks just like an l, and the bogus name looks just like the very common system file it is imitating.

So by sneaking in a name that looks very, very familiar, you can glance right past it, especially when it's in a directory of thousands of files.
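One way to catch that trick on a directory listing, as an added example (this is not code from the video): fold each file name to the shape a human would actually perceive, treating confusable characters such as the digit 1 and the letter l as the same, and then compare against a list of well-known system file names. The list of "known good" names below is a small constructed sample for the demonstration, not an inventory of a real System32 directory.

```python
# Added example: flag file names that impersonate well-known system binaries
# by swapping a letter for a look-alike character (1 for l, 0 for o, ...).
# KNOWN_SYSTEM_FILES is a constructed sample, not an authoritative list.
import os
import tempfile
import unicodedata

KNOWN_SYSTEM_FILES = {
    "rundll32.exe", "svchost.exe", "lsass.exe", "explorer.exe",
    "csrss.exe", "winlogon.exe", "kernel32.dll", "ntdll.dll",
}

# Characters that render almost identically in common UI fonts.
CONFUSABLES = str.maketrans({
    "1": "l",   # digit one -> lowercase L
    "|": "l",   # vertical bar -> lowercase L
    "I": "l",   # capital i -> lowercase L (translated before lowercasing)
    "0": "o",   # digit zero -> letter o
})


def canonical(name: str) -> str:
    """Fold a file name to the form a reader perceives at a glance."""
    folded = unicodedata.normalize("NFKC", name)   # fold full-width etc.
    return folded.translate(CONFUSABLES).lower()


# Map the perceived form of every legitimate name back to the real name.
CANONICAL_KNOWN = {canonical(n): n for n in KNOWN_SYSTEM_FILES}


def lookalike_of(name: str):
    """Return the legitimate name this file impersonates, or None.

    A genuine system file (same letters, any case) is not flagged;
    a name that only *looks* the same after folding is."""
    target = CANONICAL_KNOWN.get(canonical(name))
    if target is None or name.lower() == target:
        return None
    return target


def flag_lookalikes(names):
    """Return sorted (suspicious_name, impersonated_name) pairs."""
    return sorted((n, t) for n in names if (t := lookalike_of(n)))


def scan_directory(path: str):
    """Apply the check to every entry in a directory."""
    return flag_lookalikes(os.listdir(path))


if __name__ == "__main__":
    # Constructed fixture: a temp dir holding one real-looking and two fake names.
    with tempfile.TemporaryDirectory() as d:
        for n in ("rundll32.exe", "rundl132.exe", "svch0st.exe", "notepad.exe"):
            open(os.path.join(d, n), "wb").close()
        for suspicious, real in scan_directory(d):
            print(f"{suspicious!r} looks like {real!r}")
```

Running it against the constructed fixture reports rundl132.exe and svch0st.exe while leaving the genuine rundll32.exe alone. The same folding is worth applying to process names and service names, since the trick is not specific to files.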

One of the most historically notable rootkits was created by Sony BMG, the part of Sony that publishes music. In 2005, when CDs were still relatively popular, they distributed music CDs that carried copy-protection software (Extended Copy Protection, or XCP) which installed itself when you put the disc in your computer. Obviously your computer can play CDs, so you put it in and the music would play. But behind the scenes, the installer placed a rootkit on your computer, without your permission and without telling you. Sony was trying to stop people from copying the music, and they chose a very bad method to do it.

Any file, process, or registry key whose name started with $sys$ was hidden from the operating system. That's how Sony hid their software on your computer. Unfortunately, hiding things by name prefix meant that other bad guys could do exactly the same thing, and they did. Once this was publicized, the bad guys went into overdrive: you mean we can hide from the computer, from the anti-virus, from the anti-malware, just by naming a file $sys$ followed by anything? Yes, absolutely you could, and malware that used exactly that prefix showed up very, very quickly.

Well, once Sony was presented with this, and with a lot of people complaining about it, they issued an uninstaller. Unfortunately, the web-based uninstaller process opened up a new hole of its own: the component it installed in the browser could be driven by any web page, which potentially allowed other malicious software to be installed. So, really, a bad situation all the way around. It was badly created, and it was badly solved. Ultimately, only a couple of months later, Sony recalled every one of these CDs, and if you had bought one or been infected by it, they offered compensation and the opportunity to download some music for free, so that the entire problem could be resolved to everybody's satisfaction.

The Sony BMG rootkit was identified by Mark Russinovich, one of the founders of Sysinternals. Sysinternals.com was later acquired by Microsoft, so he works for Microsoft now. He wrote a tool called RootkitRevealer, free to download from the Sysinternals area of the Microsoft website, that can tell you a lot about what is in your computer and what may be hidden from the operating system. It works by asking the same question two different ways: it lists files and registry keys through the normal Windows APIs, then reads the raw file system and registry hives directly, and reports any entry that shows up in one view but not the other. Something the operating system refuses to show you but that is plainly on the disk is exactly what a rootkit looks like. One caveat for anyone trying it today: RootkitRevealer was written for 32-bit Windows XP and Server 2003 and is not supported on current versions of Windows. There are also forums and other online discussions where you can compare notes on what you find when you run it on your system.
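The $sys$ hiding described above and the cross-view check that RootkitRevealer uses to expose it fit together in one small demonstration. This is an added example and is neither Sony's code nor Sysinternals' code: a real rootkit filters names inside a hooked kernel routine, while here the "hooked" listing is simply a Python function that drops any name starting with $sys$, and the "raw" listing is a second enumeration of the same directory. The directory contents are a constructed fixture; the file name $sys$example.sys is invented for the demo.

```python
# Added example: toy cross-view rootkit detection in the style of
# RootkitRevealer, against a simulated XCP-style "$sys$" name filter.
import os
import shutil
import tempfile
from pathlib import Path

HIDE_PREFIX = "$sys$"   # the prefix XCP hid; the hooking itself is simulated


def raw_listing(directory) -> set:
    """Low-level view: enumerate directory entries directly.
    (RootkitRevealer parses the on-disk file system structures here.)"""
    return {entry.name for entry in os.scandir(directory)}


def hooked_listing(directory) -> set:
    """High-level view as returned through a rootkit's hooked API.
    A real kernel rootkit would strip these names inside a hooked
    directory-query routine; we strip them in Python to simulate that."""
    return {n for n in os.listdir(directory) if not n.startswith(HIDE_PREFIX)}


def cross_view_diff(directory) -> list:
    """Names visible in the raw view but missing from the API view.
    Any entry here is being hidden from normal tools."""
    return sorted(raw_listing(directory) - hooked_listing(directory))


def build_sample_dir() -> Path:
    """Constructed fixture: two ordinary files plus one $sys$-prefixed file."""
    d = Path(tempfile.mkdtemp(prefix="xview-"))
    for name in ("readme.txt", "player.exe", HIDE_PREFIX + "example.sys"):
        (d / name).write_bytes(b"sample")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    try:
        print("API view :", sorted(hooked_listing(sample)))
        print("raw view :", sorted(raw_listing(sample)))
        print("hidden   :", cross_view_diff(sample))
    finally:
        shutil.rmtree(sample)
```

The design point is that the detector never trusts a single source. It only works, though, while the two views really are independent: a rootkit that hooks the lowest layer the detector itself reads from makes both views agree, which is why offline scanning of the disk from a clean boot remains the strongest form of this check.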

There are also ways to remove rootkits, using very specific removal software. Because a rootkit usually uses a very specific method to embed itself in your computer, you very often need a very specific uninstaller for that particular rootkit. So once somebody discovers the rootkit, sees where it's embedded, and understands what it's doing, it is generally a lot easier at that point to create something that removes it once and for all.