What is a Rootkit:
Some will say rootkits exist because legitimate companies created them and they were then exploited. Today they are seen mainly as a hiding mechanism for viruses and spyware. Because a rootkit can modify legitimate operating system code, it is very difficult for anti-virus and anti-spyware software to tell it apart from the operating system itself: a User-Mode program treats a reply from the Kernel as LEGITIMATE.
There are several types of rootkit, some much worse than others. The "kit" part of the name is there because several programs or functions usually work together; these can be created in an open source environment and so on. What is really worrying is that these kits are available to just about anybody with general programming skills.
Types Of Rootkits:
Memory Rootkits: These are loaded into memory and have no persistent program code, so they do not survive a reboot.
Persistent Rootkits: These rootkits do use persistent code and devise ways to execute without user intervention, for example at computer startup. They use some form of persistent storage, such as the system registry or system files, so that the user never has to execute them.
Kernel Rootkits: One of the really bad ones, the kernel being the core of the system. These rootkits can modify data structures in the kernel; for example, the rootkit can remove itself from the list of activities on the system, making it very difficult to detect.
User-Mode:
A simple view of User-Mode is that programs and functions run at the user level, and access to the core of the operating system (the Kernel) is walled off from User-Mode functions.
Kernel-Mode:
Kernel-Mode holds the core components of the operating system. If a program or function needs information from the Kernel, the reply is taken as legitimate.
How Rootkits Work:
We will take a Kernel Rootkit as an example, as it is the most dangerous. How does a rootkit developer get code into the Kernel in the first place? Most modern operating systems allow Kernel extensions, for devices or for software. With some basic programming skills, preferably in "C", a Windows driver can be created. Depending on the developer, this driver can be as simple or as complicated as they want. These loadable modules, also known as drivers, can be developed by anyone using a Windows Driver Kit (WDK). These kits allow you to build drivers for XP, 2003, 2007, VISTA etc. The driver is loaded into the Kernel from a User-Mode program. Once the code is in and working within the Kernel, depending on what the developer wants, it can actually modify Kernel functions and data. For example, the Kernel keeps a list of system processes, and this list can be modified, so a rogue process becomes invisible to anti-virus software.
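The process-hiding trick described above (and the Kernel Rootkits entry earlier) is also where defenders get a handle on kernel rootkits: a rootkit that unlinks a process from the kernel's list usually cannot hide it from every way of enumerating processes at once, so comparing two independent views ("cross-view" detection, the technique behind tools such as RootkitRevealer) exposes the gap. The following Python script is an added example and not code from the original article. It diffs two process views: on Linux, a /proc directory listing against a PID probe using signal 0; the sample PID sets at the bottom are constructed for illustration.

```python
"""Cross-view detection of hidden processes (added example, not from the article).

Idea: take two independent views of the running processes and diff them.
A process hidden from one enumeration path but not the other shows up in the
difference. The sample views below are constructed; the live helpers work on
Linux and compare the /proc listing against a signal-0 PID probe.
"""
import os
from typing import Iterable, List, Set


def hidden_pids(high_level_view: Iterable[int], low_level_view: Iterable[int]) -> List[int]:
    """PIDs that the low-level view knows about but the high-level view omits."""
    return sorted(set(low_level_view) - set(high_level_view))


def proc_listing() -> Set[int]:
    """High-level view: every PID and thread ID visible by listing /proc.

    Thread IDs are included because kill(tid, 0) succeeds for any thread, so
    without them every non-leader thread would be reported as 'hidden'.
    """
    known: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        known.add(int(name))
        try:
            known.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # process exited between the two listings, or not readable
    return known


def probe_pids(max_pid: int) -> Set[int]:
    """Low-level view: ask the kernel about each PID with signal 0.

    Success or EPERM (PermissionError) means the PID exists; ESRCH
    (ProcessLookupError) means it does not.
    """
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            continue
        else:
            found.add(pid)
    return found


def read_max_pid() -> int:
    """Upper bound for the probe; falls back to the classic default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768


def live_scan(rounds: int = 2) -> List[int]:
    """Scan the live system and keep only PIDs flagged in every round, which
    filters out processes that merely started or exited between the two views."""
    max_pid = read_max_pid()
    suspects = None
    for _ in range(rounds):
        flagged = set(hidden_pids(proc_listing(), probe_pids(max_pid)))
        suspects = flagged if suspects is None else suspects & flagged
    return sorted(suspects or [])


# Constructed sample views: the raw probe sees PID 4242, the API listing does not.
SAMPLE_API_VIEW = [1, 2, 500, 1337, 2048]
SAMPLE_PROBE_VIEW = [1, 2, 500, 1337, 2048, 4242]

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_API_VIEW, SAMPLE_PROBE_VIEW))  # -> [4242]
    if os.path.isdir("/proc"):
        print("live suspects:", live_scan())
```

The same `hidden_pids` diff applies to any pair of views, for example a Windows Toolhelp snapshot against the PIDs returned by `EnumProcesses`. The caveat is that the views must be genuinely independent: a kernel rootkit that patches both enumeration paths consistently will hide from this check as well, which is why practical rootkit scanners combine several views and also compare against data gathered from outside the suspect kernel (a boot from clean media, or a memory image examined offline).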
Rootkit Working Example:
A decent video explaining the User-Mode rootkit Hacker Defender; it gives a short insight into the workings of a rootkit.