How Rootkits Work
A rootkit is malware that is installed on a computer by an intruder for the purpose of gaining control of the computer while avoiding detection. Unlike other malware, rootkits are capable of avoiding the operating system scan and other related antivirus/anti-spyware programs by hiding files and concealing running processes from the computer's operating system. Rootkits are basically Trojan horse malware that is used in conjunction with other malicious programs in an effort to remain undetected by the computer user or the antivirus scan system.
Types of Rootkits
There are several different types of rootkits which are User Mode, Kernal Mode, and Firmware rootkits.
- User Mode: User mode rootkits are able to run on a computer through administrator privileges which means that they are capable of accessing files, network ports, and system drivers. They copy files to the PC hard drive so they are automatically activated every time you start your computer. Rootkits in user mode can be detected and removed.
- Kernal Mode: Kernal mode rootkits are installed at the same level as the PCs operating system so it can influence your PCs operating system which leads to unexplained events. Rootkits in kernel mode cannot be detected by the user other than the unexplained events and crashes, or the antivirus program.
- Firmware: Firmware rootkits are the most malicious type of malware because they are capable of creating malcode inside the firmware while you computer is shut down. Every time you start your computer this type of malware will reinstall. Firmware cannot be detected by the user and is very difficult to remove.
How Rootkits Work
The main purpose of a rootkit is to make unauthorized modifications to the software in your PC. There are different ways that this is accomplished once a rootkit has made its way into your PC.
- Spyware: A rootkit can modify your software programs for the purpose of infecting it with spyware. The spyware that is installed by the rootkit is sometimes difficult to detect however, you will notice strange things happening like links appearing on your desktop and changes in the habits of your web browser.
- Back Door: A back door is a modification that is built into a software program in your computer that is not part of the original design of the program. It creates a hidden feature in the software program that acts like a signature so the intruder can use the software for malicious purposes without being detected.
- Byte Patching: Bytes are constructed in a specific order which can be modified by a rootkit. If the bytes are rearranged it compromises the computer software protections so the intruder can gain control of the software for malicious purposes.
- Source-Code Modification: Source code modification is accomplished by modified the code in your PC's software right at the main source. The intruder inserts malicious lines of source code for the purpose of hacking software with confidential information. The code can also end up in a myriad of other programs which makes it very difficult to locate.
PC software is designed to make very precise decision about specific types of data and a rootkit alters the software so that it makes errors in its decisions. For this reason, a rootkit is difficult to detect and difficult to remove.