Rootkits are software systems that consists of program/s designed to hide or obscure the fact that a system has been compromised. Contrary to what its name may imply, a Rootkit does not grant a user administrator privileges, requiring prior access to execute and tamper with system files and processes. An attacker may use a Rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the Rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a Rootkit is intended to seize control of the OS. Typically, Rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security scan and surveillance mechanisms such as anti-virus or anti-spyware scan. Often, they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a "Backdoor" in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination, which, in turn, allows an attacker to access the system, regardless of the changes to the actual accounts on the system.
Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.
For more detailed information, please refer to the Wikipedia main entry for rootkits.
- F-Secure BlackLight
- Kaspersky TDSSKiller