A rootkit is a collection of computer software, typically malicious,
designed to enable access to a computer or areas of its software that
are not otherwise allowed (for example, to an unauthorized user) and
often masks its existence or the existence of other software. The
term rootkit is a concatenation of "root" (the traditional name of the
privileged account on
Unix-like operating systems) and the word "kit"
(which refers to the software components that implement the tool). The
term "rootkit" has negative connotations through its association with
Rootkit installation can be automated, or an attacker can install it
after having obtained root or Administrator access. Obtaining this
access is a result of direct attack on a system, i.e. exploiting a
known vulnerability (such as privilege escalation) or a password
(obtained by cracking or social engineering tactics like "phishing").
Once installed, it becomes possible to hide the intrusion as well as
to maintain privileged access. The key is the root or administrator
access. Full control over a system means that existing software can be
modified, including software that might otherwise be used to detect or
Rootkit detection is difficult because a rootkit may be able to
subvert the software that is intended to find it. Detection methods
include using an alternative and trusted operating system,
behavioral-based methods, signature scanning, difference scanning, and
memory dump analysis. Removal can be complicated or practically
impossible, especially in cases where the rootkit resides in the
kernel; reinstallation of the operating system may be the only
available solution to the problem. When dealing with firmware
rootkits, removal may require hardware replacement, or specialized
The term rootkit or root kit originally referred to a maliciously
modified set of administrative tools for a
Unix-like operating system
that granted "root" access. If an intruder could replace the
standard administrative tools on a system with a rootkit, the intruder
could obtain root access over the system whilst simultaneously
concealing these activities from the legitimate system administrator.
These first-generation rootkits were trivial to detect by using tools
such as Tripwire that had not been compromised to access the same
information. Lane Davis and Steven Dake wrote the earliest known
rootkit in 1990 for Sun Microsystems'
SunOS UNIX operating system.
In the lecture he gave upon receiving the
Turing award in 1983, Ken
Thompson of Bell Labs, one of the creators of Unix, theorized about
C compiler in a
Unix distribution and discussed the
exploit. The modified compiler would detect attempts to compile the
Unix login command and generate altered code that would accept not
only the user's correct password, but an additional "backdoor"
password known to the attacker. Additionally, the compiler would
detect attempts to compile a new version of the compiler, and would
insert the same exploits into the new compiler. A review of the source
code for the login command or the updated compiler would not reveal
any malicious code. This exploit was equivalent to a rootkit.
The first documented computer virus to target the personal computer,
discovered in 1986, used cloaking techniques to hide itself: the Brain
virus intercepted attempts to read the boot sector, and redirected
these to elsewhere on the disk, where a copy of the original boot
sector was kept. Over time, DOS-virus cloaking methods became more
sophisticated, with advanced techniques including the hooking of
BIOS interrupt calls to hide unauthorized
modifications to files.
The first malicious rootkit for the
Windows NT operating system
appeared in 1999: a trojan called NT
Rootkit created by Greg
Hoglund. It was followed by HackerDefender in 2003. The first
rootkit targeting Mac
OS X appeared in 2009, while the
was the first to target programmable logic controllers (PLC).
Sony BMG copy protection rootkit scandal
[Figure: screenshot of RootkitRevealer showing the files hidden by the Extended Copy Protection rootkit]
Sony BMG published CDs with copy protection and digital
rights management software called Extended Copy Protection, created by
software company First 4 Internet. The software included a music
player but silently installed a rootkit which limited the user's
ability to access the CD.
Software engineer Mark Russinovich, who
created the rootkit detection tool RootkitRevealer, discovered the
rootkit on one of his computers. The ensuing scandal raised the
public's awareness of rootkits. To cloak itself, the rootkit hid
from the user any file starting with "$sys$". Soon after Russinovich's
report, malware appeared which took advantage of that vulnerability of
affected systems. One
BBC analyst called it a "public relations
Sony BMG released patches to uninstall the rootkit,
but it exposed users to an even more serious vulnerability. The
company eventually recalled the CDs. In the United States, a
class-action lawsuit was brought against Sony BMG.
Greek wiretapping case 2004–05
The Greek wiretapping case of 2004–05, also referred to as Greek
Watergate, involved the illegal telephone tapping of more than
100 mobile phones on the
Vodafone Greece network belonging mostly
to members of the Greek government and top-ranking civil servants. The
taps began sometime near the beginning of August 2004 and were removed
in March 2005 without discovering the identity of the perpetrators.
The intruders installed a rootkit targeting Ericsson's AXE telephone
exchange. According to IEEE Spectrum, this was "the first time a
rootkit has been observed on a special-purpose system, in this case an
Ericsson telephone switch." The rootkit was designed to patch the
memory of the exchange while it was running, enable wiretapping while
disabling audit logs, patch the commands that list active processes
and active data blocks, and modify the data block checksum
verification command. A "backdoor" allowed an operator with sysadmin
status to deactivate the exchange's transaction log, alarms and access
commands related to the surveillance capability. The rootkit was
discovered after the intruders installed a faulty update, which caused
SMS texts to be undelivered, leading to an automated failure report
being generated. Ericsson engineers were called in to investigate the
fault and discovered the hidden data blocks containing the list of
phone numbers being monitored, along with the rootkit and illicit
Modern rootkits do not elevate access, but rather are used to make
another software payload undetectable by adding stealth
capabilities. Most rootkits are classified as malware, because the
payloads they are bundled with are malicious. For example, a payload
might covertly steal user passwords, credit card information,
computing resources, or conduct other unauthorized activities. A small
number of rootkits may be considered utility applications by their
users: for example, a rootkit might cloak a CD-ROM-emulation driver,
allowing video game users to defeat anti-piracy measures that require
insertion of the original installation media into a physical optical
drive to verify that the software was legitimately purchased.
Rootkits and their payloads have many uses:
Provide an attacker with full access via a backdoor, permitting
unauthorized access to, for example, steal or falsify documents. One
of the ways to carry this out is to subvert the login mechanism, such
as the /bin/login program on
Unix-like systems or GINA on Windows. The
replacement appears to function normally, but also accepts a secret
login combination that allows an attacker direct access to the system
with administrative privileges, bypassing standard authentication and
Conceal other malware, notably password-stealing key loggers and
Appropriate the compromised machine as a zombie computer for attacks
on other computers. (The attack originates from the compromised system
or network, instead of the attacker's system.) "Zombie" computers are
typically members of large botnets that can launch denial-of-service
attacks, distribute e-mail spam, conduct click fraud, etc.
Enforcement of digital rights management (DRM).
In some instances, rootkits provide desired functionality, and may be
installed intentionally on behalf of the computer user:
Conceal cheating in online games from software like Warden.
Detect attacks, for example, in a honeypot.
Enhance emulation software and security software.
Alcohol 120% and
Daemon Tools are commercial examples of non-hostile rootkits used to
defeat copy-protection mechanisms such as
SafeDisc and SecuROM.
Kaspersky antivirus software also uses techniques resembling rootkits
to protect itself from malicious actions. It loads its own drivers to
intercept system activity, and then prevents other processes from
doing harm to itself. Its processes are not hidden, but cannot be
terminated by standard methods (It can be terminated with Process
Anti-theft protection: Laptops may have BIOS-based rootkit software
that will periodically report to a central authority, allowing the
laptop to be monitored, disabled or wiped of information in the event
that it is stolen.
Microsoft Product Activation
There are at least five types of rootkit, ranging from those at the
lowest level in firmware (with the highest privileges), through to the
least privileged user-based variants that operate in Ring 3. Hybrid
combinations of these may occur spanning, for example, user mode and
[Figure: computer security rings; Ring -1 is not shown]
User-mode rootkits run in Ring 3, along with other applications as
user, rather than low-level system processes. They have a number
of possible installation vectors to intercept and modify the standard
behavior of application programming interfaces (APIs). Some inject a
dynamically linked library (such as a .DLL file on Windows, or a
.dylib file on Mac OS X) into other processes, and are thereby able to
execute inside any target process to spoof it; others with sufficient
privileges simply overwrite the memory of a target application.
Injection mechanisms include:
Use of vendor-supplied application extensions. For example, Windows
Explorer has public interfaces that allow third parties to extend its
Interception of messages.
Exploitation of security vulnerabilities.
Function hooking or patching of commonly used APIs, for example, to
hide a running process or file that resides on a filesystem.
"...since user mode applications all run in their own memory space, the
rootkit needs to perform this patching in the memory space of every
running application. In addition, the rootkit needs to monitor the
system for any new applications that execute and patch those programs'
memory space before they fully execute."
(Rootkit Overview, Symantec)
Kernel-mode rootkits run with the highest operating system privileges
(Ring 0) by adding code or replacing portions of the core operating
system, including both the kernel and associated device drivers. Most
operating systems support kernel-mode device drivers, which execute
with the same privileges as the operating system itself. As such, many
kernel-mode rootkits are developed as device drivers or loadable
modules, such as loadable kernel modules in
Linux or device drivers in
Microsoft Windows. This class of rootkit has unrestricted security
access, but is more difficult to write. The complexity makes bugs
common, and any bugs in code operating at the kernel level may
seriously impact system stability, leading to discovery of the
rootkit. One of the first widely known kernel rootkits was
Windows NT 4.0 and released in
Phrack magazine in 1999
by Greg Hoglund. Kernel rootkits can be especially
difficult to detect and remove because they operate at the same
security level as the operating system itself, and are thus able to
intercept or subvert the most trusted operating system operations. Any
software, such as antivirus software, running on the compromised
system is equally vulnerable. In this situation, no part of the
system can be trusted.
A rootkit can modify data structures in the Windows kernel using a
method known as direct kernel object manipulation (DKOM). This
method can be used to hide processes. A kernel mode rootkit can also
System Service Descriptor Table (SSDT), or modify the gates
between user mode and kernel mode, in order to cloak itself.
Similarly for the
Linux operating system, a rootkit can modify the
system call table to subvert kernel functionality. It is common for
a rootkit to create a hidden, encrypted filesystem in which it can
hide other malware or original copies of files it has infected.
Operating systems are evolving to counter the threat of kernel-mode
rootkits. For example, 64-bit editions of
Microsoft Windows now
implement mandatory signing of all kernel-level drivers in order to
make it more difficult for untrusted code to execute with the highest
privileges in a system.
A kernel-mode rootkit variant called a bootkit can infect startup code
such as the Master Boot Record (MBR), Volume Boot Record (VBR) or boot
sector, and in this way can be used to attack full disk encryption.
An example of such an attack on disk encryption is the "evil maid
attack", in which an attacker installs a bootkit on an unattended
computer. The envisioned scenario is a maid sneaking in the hotel room
where the victims left their hardware. The bootkit replaces the
legitimate boot loader with one under their control. Typically the
malware loader persists through the transition to protected mode when
the kernel has loaded, and is thus able to subvert the
kernel. For example, the "Stoned Bootkit" subverts the
system by using a compromised boot loader to intercept encryption keys
and passwords. More recently, the
Alureon rootkit has successfully
subverted the requirement for 64-bit kernel-mode driver signing in
Windows 7 by modifying the master boot record. Although not
malware in the sense of doing something the user doesn't want, certain
"Vista Loader" or "Windows Loader" software works in a similar way by
injecting an ACPI SLIC (System Licensed Internal Code) table in the
RAM-cached version of the
BIOS during boot, in order to defeat the
Windows Vista and
Windows 7 activation process. This vector of
attack was rendered useless in the (non-server) versions of Windows 8,
which use a unique, machine-specific key for each system, that can
only be used by that one machine. Many antivirus companies provide
free utilities and programs to remove bootkits.
Rootkits have been created as Type II Hypervisors in academia as
proofs of concept. By exploiting hardware virtualization features such
as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and
hosts the target operating system as a virtual machine, thereby
enabling the rootkit to intercept hardware calls made by the original
operating system. Unlike normal hypervisors, they do not have to
load before the operating system, but can load into an operating
system before promoting it into a virtual machine. A hypervisor
rootkit does not have to make any modifications to the kernel of the
target to subvert it; however, that does not mean that it cannot be
detected by the guest operating system. For example, timing
differences may be detectable in CPU instructions. The "SubVirt"
laboratory rootkit, developed jointly by
Microsoft and University of
Michigan researchers, is an academic example of a virtual
machine–based rootkit (VMBR), while Blue Pill software is
another. In 2009, researchers from
Microsoft and North Carolina State
University demonstrated a hypervisor-layer anti-rootkit called
Hooksafe, which provides generic protection against kernel-mode
Windows 10 introduced a new feature called "Device
Guard", that takes advantage of virtualization to provide independent
external protection of an operating system against rootkit-type
Firmware and hardware
A firmware rootkit uses device or platform firmware to create a
persistent malware image in hardware, such as a router, network
card, hard drive, or the system BIOS. The rootkit hides in
firmware, because firmware is not usually inspected for code
integrity. John Heasman demonstrated the viability of firmware
rootkits in both ACPI firmware routines and in a PCI expansion
card ROM. In October 2008, criminals tampered with European credit
card-reading machines before they were installed. The devices
intercepted and transmitted credit card details via a mobile phone
network. In March 2009, researchers Alfredo Ortega and Anibal
Sacco published details of a BIOS-level Windows rootkit that was able
to survive disk replacement and operating system
re-installation. A few months later they learned that some
laptops are sold with a legitimate rootkit, known as Absolute
CompuTrace or Absolute LoJack for Laptops, preinstalled in many BIOS
images. This is an anti-theft technology system that researchers
showed can be turned to malicious purposes.
Intel Active Management Technology, part of Intel vPro, implements
out-of-band management, giving administrators remote administration,
remote management, and remote control of PCs with no involvement of
the host processor or BIOS, even when the system is powered off.
Remote administration includes remote power-up and power-down, remote
reset, redirected boot, console redirection, pre-boot access to BIOS
settings, programmable filtering for inbound and outbound network
traffic, agent presence checking, out-of-band policy-based alerting,
access to system information, such as hardware asset information,
persistent event logs, and other information that is stored in
dedicated memory (not on the hard drive) where it is accessible even
if the OS is down or the PC is powered off. Some of these functions
require the deepest level of rootkit, a second non-removable spy
computer built around the main computer. Sandy Bridge and future
chipsets have "the ability to remotely kill and restore a lost or
stolen PC via 3G". Hardware rootkits built into the chipset can help
recover stolen computers, remove data, or render them useless, but
they also present privacy and security concerns of undetectable spying
and redirection by management or hackers who might gain control.
Installation and cloaking
Rootkits employ a variety of techniques to gain control of a system;
the type of rootkit influences the choice of attack vector. The most
common technique leverages security vulnerabilities to achieve
surreptitious privilege escalation. Another approach is to use a
Trojan horse, deceiving a computer user into trusting the rootkit's
installation program as benign—in this case, social engineering
convinces a user that the rootkit is beneficial. The installation
task is made easier if the principle of least privilege is not
applied, since the rootkit then does not have to explicitly request
elevated (administrator-level) privileges. Other classes of rootkits
can be installed only by someone with physical access to the target
system. Some rootkits may also be installed intentionally by the owner
of the system or somebody authorized by the owner, e.g. for the
purpose of employee monitoring, rendering such subversive techniques
unnecessary. The installation of malicious rootkits is
commercially driven, with a pay-per-install (PPI) compensation method
typical for distribution.
Once installed, a rootkit takes active measures to obscure its
presence within the host system through subversion or evasion of
standard operating system security tools and application programming
interface (APIs) used for diagnosis, scanning, and monitoring.
Rootkits achieve this by modifying the behavior of core parts of an
operating system through loading code into other processes, the
installation or modification of drivers, or kernel modules.
Obfuscation techniques include concealing running processes from
system-monitoring mechanisms and hiding system files and other
configuration data. It is not uncommon for a rootkit to disable
the event logging capacity of an operating system, in an attempt to
hide evidence of an attack. Rootkits can, in theory, subvert any
operating system activities. The "perfect rootkit" can be thought
of as similar to a "perfect crime": one that nobody realizes has taken
place. Rootkits also take a number of measures to ensure their
survival against detection and "cleaning" by antivirus software in
addition to commonly installing into Ring 0 (kernel-mode), where they
have complete access to a system. These include polymorphism (changing
so their "signature" is hard to detect), stealth techniques,
regeneration, disabling or turning off anti-malware software, and
not installing on virtual machines where it may be easier for
researchers to discover and analyze them.
The fundamental problem with rootkit detection is that if the
operating system has been subverted, particularly by a kernel-level
rootkit, it cannot be trusted to find unauthorized modifications to
itself or its components. Actions such as requesting a list of
running processes, or a list of files in a directory, cannot be
trusted to behave as expected. In other words, rootkit detectors that
work while running on infected systems are only effective against
rootkits that have some defect in their camouflage, or that run with
lower user-mode privileges than the detection software in the
kernel. As with computer viruses, the detection and elimination of
rootkits is an ongoing struggle between both sides of this
conflict. Detection can take a number of different approaches,
including looking for virus "signatures" (e.g. antivirus software),
integrity checking (e.g. digital signatures), difference-based
detection (comparison of expected vs. actual results), and behavioral
detection (e.g. monitoring CPU usage or network traffic).
For kernel-mode rootkits, detection is considerably more complex,
requiring careful scrutiny of the System Call Table to look for hooked
functions where the malware may be subverting system behavior, as
well as forensic scanning of memory for patterns that indicate hidden
Unix rootkit detection offerings include Zeppoo,
chkrootkit, rkhunter and OSSEC. For Windows, detection tools include
Microsoft Sysinternals RootkitRevealer, Avast Antivirus,
Sophos Anti-Rootkit, F-Secure, Radix, GMER, and
WindowsSCOPE. Any rootkit detectors that prove effective ultimately
contribute to their own ineffectiveness, as malware authors adapt and
test their code to escape detection by well-used tools.[Notes 1]
Detection by examining storage while the suspect operating system is
not operational can miss rootkits not recognised by the checking
software, as the rootkit is not active and suspicious behavior is
suppressed; conventional anti-malware software running with the
rootkit operational may fail if the rootkit hides itself effectively.
Alternative trusted medium
The best and most reliable method for operating-system-level rootkit
detection is to shut down the computer suspected of infection, and
then to check its storage by booting from an alternative trusted
medium (e.g. a "rescue"
CD-ROM or USB flash drive). The technique
is effective because a rootkit cannot actively hide its presence if it
is not running.
The behavioral-based approach to detecting rootkits attempts to infer
the presence of a rootkit by looking for rootkit-like behavior. For
example, by profiling a system, differences in the timing and
API calls or in overall CPU utilization can be attributed
to a rootkit. The method is complex and is hampered by a high
incidence of false positives. Defective rootkits can sometimes
introduce very obvious changes to a system: the
crashed Windows systems after a security update exposed a design flaw
in its code. Logs from a packet analyzer, firewall, or
intrusion prevention system may present evidence of rootkit behaviour
in a networked environment.
Antivirus products rarely catch all viruses in public tests (depending
on what is used and to what extent), even though security software
vendors incorporate rootkit detection into their products. Should a
rootkit attempt to hide during an antivirus scan, a stealth detector
may notice; if the rootkit attempts to temporarily unload itself from
the system, signature detection (or "fingerprinting") can still find
it. This combined approach forces attackers to implement counterattack
mechanisms, or "retro" routines, that attempt to terminate antivirus
programs. Signature-based detection methods can be effective against
well-published rootkits, but less so against specially crafted,
Another method that can detect rootkits compares "trusted" raw data
with "tainted" content returned by an API. For example, binaries
present on disk can be compared with their copies within operating
memory (in some operating systems, the in-memory image should be
identical to the on-disk image), or the results returned from file
Windows Registry APIs can be checked against raw structures
on the underlying physical disks—however, in the case of the
former, some valid differences can be introduced by operating system
mechanisms like memory relocation or shimming. A rootkit may detect
the presence of such a difference-based scanner or virtual machine
(the latter being commonly used to perform forensic analysis), and
adjust its behaviour so that no differences can be detected.
Difference-based detection was used by Russinovich's RootkitRevealer
tool to find the Sony DRM rootkit.
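The cross-view idea described above, applied to the process list, as an added example that is not RootkitRevealer's or any other tool's code. It assumes Linux: the readdir listing of /proc is the API view that a rootkit would tamper with, and kill(2) with signal 0 is the independent kernel view it is compared against.

```python
"""Cross-view detection of processes hidden from the /proc listing.
Added example, not code from RootkitRevealer or any tool named on the page.
Assumes Linux: readdir on /proc is the API view, kill(2) with signal 0 is
the independent kernel view."""
import os

PROC = "/proc"
SELF_PID = os.getpid()


def listed_pids() -> set:
    """View 1: process IDs that the ordinary API (readdir on /proc) reports.
    A rootkit that filters directory listings tampers with this view."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """View 2: ask the kernel directly whether the ID is live. Signal 0 is
    delivered to nobody; only the existence and permission checks run."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists but belongs to another user
    return True


def thread_group_id(pid: int):
    """Tgid from /proc/<pid>/status, or None when it cannot be read."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(max_pid: int = None) -> set:
    """IDs that answer kill(2) but are missing from the /proc listing.

    Two known sources of false positives are handled: kill(2) also accepts
    thread IDs, which readdir never lists (recognised by Tgid != pid), and
    processes started after the listing was taken (removed by a re-check).
    Mounting /proc with hidepid makes other users' processes show up here
    as well, so a hit is a lead for offline inspection, not proof."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    seen = listed_pids()
    suspects = set()
    for pid in range(1, max_pid + 1):
        if pid in seen or not pid_exists(pid):
            continue
        tgid = thread_group_id(pid)
        if tgid is not None and tgid != pid:
            continue         # a thread of a visible process, not a hidden one
        suspects.add(pid)
    return suspects - listed_pids()


if __name__ == "__main__":
    found = hidden_pids()
    print("hidden process IDs:", sorted(found) if found else "none")
```

A rootkit that also filters direct lookups of /proc/<pid> leaves status unreadable, which this check still reports as suspect; a rootkit that hooks kill(2) as well would defeat both views, which is why the page recommends an offline medium or a memory dump as the next step.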
The rkhunter utility uses
SHA-1 hashes to verify the integrity of
Code signing uses public-key infrastructure to check if a file has
been modified since being digitally signed by its publisher.
Alternatively, a system owner or administrator can use a cryptographic
hash function to compute a "fingerprint" at installation time that can
help to detect subsequent unauthorized changes to on-disk code
libraries. However, unsophisticated schemes check only whether the
code has been modified since installation time; subversion prior to
that time is not detectable. The fingerprint must be re-established
each time changes are made to the system: for example, after
installing security updates or a service pack. The hash function
creates a message digest, a relatively short code calculated from each
bit in the file using an algorithm that creates large changes in the
message digest with even smaller changes to the original file. By
recalculating and comparing the message digest of the installed files
at regular intervals against a trusted list of message digests,
changes in the system can be detected and monitored—as long as the
original baseline was created before the malware was added.
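The fingerprint scheme described above, as an added example that is not rkhunter's or Tripwire's code: a SHA-256 baseline taken at install time, stored outside the tree it covers, then compared against a fresh scan so that modified, added and removed files are reported. The demo() scenario and its file contents are constructed for illustration.

```python
"""Baseline-and-compare integrity check of on-disk files.
Added example, not the code of rkhunter, Tripwire or any other tool on the
page. Assumes a POSIX filesystem; the demo tree is constructed inline."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def digest_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative path -> digest for every regular file under root.
    Symlinks are skipped: a swapped link target would otherwise be hashed
    as if it were the original file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = digest_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the trusted baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """The trusted list; in practice it is kept off the machine it describes,
    otherwise a rootkit with write access can simply re-baseline itself."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small 'system', then tamper with it."""
    root = Path(tempfile.mkdtemp(prefix="baseline-demo-"))
    (root / "bin").mkdir()
    (root / "bin" / "login").write_bytes(b"\x7fELF original login binary")
    (root / "bin" / "ls").write_bytes(b"\x7fELF original ls binary")
    store = root.parent / (root.name + ".json")   # outside the scanned tree
    save_baseline(build_baseline(root), store)

    # Simulated tampering after the baseline was taken: a replaced login,
    # a dropped tool and a deleted utility.
    (root / "bin" / "login").write_bytes(b"\x7fELF login with backdoor")
    (root / "bin" / "hidden").write_bytes(b"\x7fELF dropped tool")
    (root / "bin" / "ls").unlink()

    return compare(load_baseline(store), build_baseline(root))
```

The check only sees what the filesystem API returns, so it must run from a trusted medium or be cross-checked as the page describes, and the baseline has to be rebuilt after every legitimate update.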
More-sophisticated rootkits are able to subvert the verification
process by presenting an unmodified copy of the file for inspection,
or by making code modifications only in memory, reconfiguration
registers, which are later compared to a white list of expected
values. The code that performs hash, compare, or extend operations
must also be protected—in this context, the notion of an immutable
root-of-trust holds that the very first code to measure security
properties of a system must itself be trusted to ensure that a rootkit
or bootkit does not compromise the system at its most fundamental
Forcing a complete dump of virtual memory will capture an active
rootkit (or a kernel dump in the case of a kernel-mode rootkit),
allowing offline forensic analysis to be performed with a debugger
against the resulting dump file, without the rootkit being able to
take any measures to cloak itself. This technique is highly
specialized, and may require access to non-public source code or
debugging symbols. Memory dumps initiated by the operating system
cannot always be used to detect a hypervisor-based rootkit, which is
able to intercept and subvert the lowest-level attempts to read
memory—a hardware device, such as one that implements a
non-maskable interrupt, may be required to dump memory in this
scenario. Virtual machines also make it easier to analyze the
memory of a compromised machine from the underlying hypervisor, so
some rootkits will avoid infecting virtual machines for this reason.
Manual removal of a rootkit is often too difficult for a typical
computer user, but a number of security-software vendors offer
tools to automatically detect and remove some rootkits, typically as
part of an antivirus suite. As of 2005, Microsoft's monthly
Software Removal Tool is able to detect and remove
some classes of rootkits. Also, Windows Defender Offline can
remove rootkits, as it runs from a trusted environment before the
operating system starts. Some antivirus scanners can bypass file
system APIs, which are vulnerable to manipulation by a rootkit.
Instead, they access raw filesystem structures directly, and use this
information to validate the results from the system APIs to identify
any differences that may be caused by a rootkit.[Notes 2]
There are experts who believe that the only
reliable way to remove them is to re-install the operating system from
trusted media. This is because antivirus and malware removal
tools running on an untrusted system may be ineffective against
well-written kernel-mode rootkits.
Booting an alternative operating
system from trusted media can allow an infected system volume to be
mounted and potentially safely cleaned and critical data to be copied
off—or, alternatively, a forensic examination performed.
Lightweight operating systems such as Windows PE, Windows Recovery
Console, Windows Recovery Environment, BartPE, or Live Distros can be
used for this purpose, allowing the system to be "cleaned". Even if
the type and nature of a rootkit is known, manual repair may be
impractical, while re-installing the operating system and applications
is safer, simpler and quicker.
Like much malware used by attackers, many rootkit implementations are
shared and are easily available on the Internet. It is not uncommon to
see a compromised system in which a sophisticated, publicly available
rootkit hides the presence of unsophisticated worms or attack tools
apparently written by inexperienced programmers. Most of the
rootkits available on the Internet originated as exploits or as
academic "proofs of concept" to demonstrate varying methods of hiding
things within a computer system and of taking unauthorized control of
it. Often not fully optimized for stealth,
such rootkits sometimes leave unintended evidence of their presence.
Even so, when such rootkits are used in an attack, they are often
effective. Other rootkits with keylogging features such as GameGuard
are installed as part of online commercial games.
System hardening represents one of the first layers of defence against
a rootkit, to prevent it from being able to install. Applying
security patches, implementing the principle of least privilege,
reducing the attack surface and installing antivirus software are some
standard security best practices that are effective against all
classes of malware. New secure boot specifications like the Unified
Extensible Firmware Interface (UEFI) have been designed to address the threat
of bootkits, but even these are vulnerable if the security features
they offer are not utilized. For server systems, remote server
attestation using technologies such as Intel Trusted Execution
Technology (TXT) provide a way of validating that servers remain in a
known good state. For example,
data-at-rest validates servers are in a known "good state" on bootup.
PrivateCore vCage is a software offering that secures data-in-use
(memory) to avoid bootkits and rootkits by validating servers are in a
known "good" state on bootup. The
PrivateCore implementation works in
concert with Intel TXT and locks down server system interfaces to
avoid potential bootkits and rootkits.
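An added example (not from the article, and not the code of any product named above) of the "known good state" check that measured boot and remote attestation perform: each boot stage is hashed into a PCR-style register in order, and the verifier compares the reported register with a golden value computed from known-good components, then walks the event log to find the stage that diverged. The boot-stage images and names are constructed stand-ins.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank; registers start as all zeroes at reset

def measure(component: bytes) -> bytes:
    """Hash of one boot-stage image (what firmware records in the event log)."""
    return hashlib.sha256(component).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be moved forward, never reset or
    set directly, so the final value commits to every stage and to their order."""
    return hashlib.sha256(pcr + measurement).digest()

def compute_pcr(components) -> bytes:
    pcr = bytes(PCR_SIZE)
    for image in components:
        pcr = pcr_extend(pcr, measure(image))
    return pcr

def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Verifier-side check: the reported register must equal the golden value."""
    return hmac.compare_digest(reported_pcr, golden_pcr)

def first_divergence(reported_log, golden_log):
    """Walk the event log stage by stage to find where the chain first broke.
    Returns the index of the first differing measurement, or None if identical."""
    for i, (r, g) in enumerate(zip(reported_log, golden_log)):
        if r != g:
            return i
    if len(reported_log) != len(golden_log):
        return min(len(reported_log), len(golden_log))
    return None

# Constructed boot chain (stand-ins for firmware, bootloader and kernel images).
KNOWN_GOOD = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
GOLDEN_PCR = compute_pcr(KNOWN_GOOD)
# A bootkit that patches the bootloader image changes the second measurement.
TAMPERED = [b"firmware-v1", b"bootloader-v1+hook", b"kernel-v1"]

if __name__ == "__main__":
    print("clean boot attests:", attest(compute_pcr(KNOWN_GOOD), GOLDEN_PCR))
    print("tampered boot attests:", attest(compute_pcr(TAMPERED), GOLDEN_PCR))
    log_r = [measure(c) for c in TAMPERED]
    log_g = [measure(c) for c in KNOWN_GOOD]
    print("first divergent stage:", first_divergence(log_r, log_g))
```

Because the register is an ordered hash chain, swapping two otherwise-good stages also fails attestation, which is why a golden event log, not just a set of known hashes, is needed on the verifier side.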
Computer security conference
Host-based intrusion detection system
Rootkit Arsenal: Escape and Evasion in the Dark Corners of the
The process name of Sysinternals RootkitRevealer was targeted by
malware; in an attempt to counter this countermeasure, the tool now
uses a randomly generated process name.
In theory, a sufficiently sophisticated kernel-level rootkit could
subvert read operations against raw filesystem data structures as
well, so that they match the results returned by APIs.
Blunden, Bill (2009). The Rootkit Arsenal: Escape and Evasion in the
Dark Corners of the System. Wordware.
Hoglund, Greg; Butler, James (2005). Rootkits: Subverting the Windows
Kernel. Addison-Wesley Professional. ISBN 0-321-29431-9.
Grampp, F. T.; Morris, Robert H., Sr. (October 1984). "The UNIX
System: UNIX Operating System Security". AT&T Bell Laboratories
Technical Journal. AT&T. 62 (8): 1649–1672.
Kong, Joseph (2007). Designing BSD Rootkits. No Starch Press.
Vieler, Ric (2007). Professional Rootkits. Wrox.