A rootkit scanner is a tool that scans for a type of malware called a rootkit. In general, there are two types of rootkits. The first is a rootkit that tries to hide objects on your device by manipulating the operating system.
The second type is a rootkit that tries to modify your BIOS; this type is also known as a bootkit. Another use of a bootkit is to load before the antivirus, antimalware, or other security tool and manipulate it so that it does not block the malware from running. This is also known as surviving a reboot.
How does a rootkit work?
A rootkit scanner needs to be able to scan both areas of the operating system: user mode and kernel mode. To understand why, we first have to understand how a rootkit works.
So how does a rootkit work?
Let's start with some history: what is a rootkit? The word is a combination of two words, root and kit. Root, for those who are not familiar with the Linux/Unix operating system, is the master user, like the administrator on the Windows operating system.
The original idea of a rootkit was to become root on the system using a set of kits (tools). If, for example, you were able to break into a system, the user you got in as was often a normal user, a service user, etc., which does not have the privilege to do much on the system. Using tools, the kit, you were able to make yourself root. Being root gives you the option to do whatever you want to the system.
Over time, rootkits evolved to manipulate the operating system itself. The following example shows a typical rootkit behavior.
File object manipulation, a rootkit example:
Let's think about the file system under the Windows operating system. When you open Explorer to see the list of files in the current directory, something happens behind the scenes. Explorer calls a Windows function to find the first file in the folder, and then continues until it has found all the files in the current folder. It orders them in a nice-looking view and shows them to the user.
But what really happens is something you can think of as a chain. Explorer calls the function to find the first file, in user mode. This calls a kernel-mode function to find the first file, which calls other functions in the chain until it reaches the last one. Once it gets there, the functions send the information back up the chain until it arrives at the first function that called them.
If we are able to manipulate this chain, we are able to hide files on the file system. If we change one of the functions in the chain so that it does not return information about files whose names start with or contain a keyword of our choosing, the list of files we see will not contain those files.
To manipulate the behavior of the system this way, we need to craft a driver and insert it somewhere in that chain. This causes our driver to be called every time someone searches or browses for files.
How does a rootkit scanner work?
A rootkit scanner has to use a driver of its own to scan both user mode and kernel mode. It needs to be able to locate manipulation-based changes in the operating system environment: drivers, hooks, and other manipulations.
Most of today's antivirus scanners have an anti-rootkit engine integrated with them. There is also a type of rootkit that can manipulate memory on hardware devices, so that even if you format and reinstall your operating system the rootkit is injected back into the kernel.
Some rootkit scanners work offline, which means that you load them from a USB drive, DVD, or CD and they scan the entire hard disk for rootkit signatures. They can work on the file system and on the hard disk as raw data, because you do not know where the rootkit hides.
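The file-enumeration chain described in the example above, and the two things a scanner looks for in it (a link in the chain that has been replaced, and a difference between what the API reports and what is really on disk), can be modelled in ordinary user-space C. The following is an added example written for this page, not code from the original article or from any real scanner or driver: the "chain" is a single function-pointer dispatch slot, the "disk" is a constructed list of four file names, and the filter that drops names containing a keyword stands in for the inserted driver. The scanner side shows two checks: comparing the dispatch pointer with the trusted value recorded at startup, and a cross-view comparison of the API listing against the raw listing, which is the same idea as an offline scanner reading the disk as raw data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16

/* Constructed sample directory: the names that really exist on "disk".
 * (Constructed for this example; not data from the original page.) */
static const char *const kRawNames[] = {
    "notes.txt", "rk_driver.sys", "report.doc", "rk_config.dat"
};
static const size_t kRawCount = sizeof kRawNames / sizeof kRawNames[0];

/* One link in the enumeration chain: fills 'out' with up to 'max' names
 * and returns how many it wrote. */
typedef size_t (*enum_fn)(const char **out, size_t max);

/* Bottom link: the "kernel" enumerator that reads the raw list directly. */
static size_t enum_raw(const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < kRawCount && n < max; i++)
        out[n++] = kRawNames[i];
    return n;
}

/* Dispatch slot the user-mode API calls through. Something inserted into
 * the chain overwrites this pointer; a scanner that recorded the trusted
 * value at startup can later check whether it still points there. */
static enum_fn g_find_files = enum_raw;
static const enum_fn kTrustedFindFiles = enum_raw;

/* Top of the chain: the call Explorer would make. */
static size_t api_list_files(const char **out, size_t max) {
    return g_find_files(out, max);
}

/* --- Model of the manipulation described on the page --- */

static char g_hide_keyword[32] = "";

/* Filter link: calls the original enumerator, then drops every name that
 * contains the keyword before passing the list back up the chain. */
static size_t enum_filtered(const char **out, size_t max) {
    size_t n = enum_raw(out, max);
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strstr(out[i], g_hide_keyword) == NULL)
            out[kept++] = out[i];
    return kept;
}

void install_filter(const char *keyword) {
    snprintf(g_hide_keyword, sizeof g_hide_keyword, "%s", keyword);
    g_find_files = enum_filtered;
}

void remove_filter(void) { g_find_files = enum_raw; }

/* --- Two checks a scanner can run --- */

/* Check 1: pointer integrity. Does the dispatch slot still point at the
 * trusted function recorded at startup? */
bool chain_pointer_tampered(void) {
    return g_find_files != kTrustedFindFiles;
}

/* Check 2: cross-view comparison. Enumerate through the API and through the
 * raw path, and report every name the raw view has but the API view lacks. */
size_t cross_view_hidden(const char **hidden, size_t max) {
    const char *api_view[MAX_NAMES], *raw_view[MAX_NAMES];
    size_t api_n = api_list_files(api_view, MAX_NAMES);
    size_t raw_n = enum_raw(raw_view, MAX_NAMES);
    size_t found = 0;
    for (size_t i = 0; i < raw_n && found < max; i++) {
        bool seen = false;
        for (size_t j = 0; j < api_n; j++)
            if (strcmp(raw_view[i], api_view[j]) == 0) { seen = true; break; }
        if (!seen) hidden[found++] = raw_view[i];
    }
    return found;
}

int main(void) {
    const char *hidden[MAX_NAMES];
    printf("clean chain: tampered=%d hidden=%zu\n",
           chain_pointer_tampered(), cross_view_hidden(hidden, MAX_NAMES));
    install_filter("rk_");
    size_t n = cross_view_hidden(hidden, MAX_NAMES);
    printf("after filter: tampered=%d hidden=%zu\n", chain_pointer_tampered(), n);
    for (size_t i = 0; i < n; i++) printf("  hidden by the chain: %s\n", hidden[i]);
    remove_filter();
    return 0;
}
```

On a real system the two checks need very different amounts of trust: the pointer check only works if the scanner's baseline was recorded before the manipulation happened, which is why the page's remark about loading a scanner from a USB drive or DVD matters, while the cross-view check works as long as the scanner has some path to the data that does not go through the manipulated chain (here the direct call to the raw enumerator; for an offline scanner, the raw disk).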
Some rootkit capabilities:
As mentioned above, a rootkit can work in a very sophisticated way. It can manipulate the OS and show a false picture of the environment it is currently running on.
- Hiding objects on the operating system – hiding files, running processes, services, drivers, and every other known object of the OS.
- Creating a hidden network connection – using a rootkit you can create a hidden connection to the internet to upload and download files. Malware can use it to download updates or other parts of itself (such as more trojans).
- Manipulating hardware – injecting code to survive cleanup and even a format. It can also return false information regarding the hardware's current status.
- Hiding user accounts – as accounts are also objects, we can create a full user account and hide it so no one knows we have it.
- Manipulating the BIOS – replacing the original BIOS with a bootkit to control the device's behavior, change hardware settings, and so on, doing it before the OS loads.
Rootkit scanner, the conclusion:
To create a rootkit scanner you need to be familiar with the grooves and guts of the operating system. Because of this complexity and the knowledge required, there are all kinds of ways to scan for a rootkit. Some can catch one part of a rootkit and others can catch other parts. It all depends on the imagination of the rootkit writer.