Well, we have a dedicated page regarding tools to detect and remove rootkit – in our rootkit tools page. It is time to add another page with frequently asked questions, or Q&A regarding rootkits.
The Rootkit QnA Page
What is a rootkit?
A rootkit is a piece of software, mostly driver. That by using special methods hide objects, like users, files, process, network connection, etc. on the operation system.
How can you detect a rootkit?
There are tools that can be used to try and find rootkit or rootkit behavior on the system. Please note, that rootkit can be very hard to spot it is depending on the developer’s knowledge with the method of system manipulation.
How does a rootkit work?
The way rootkit is work by manipulation of the default behavior of the operating system. It can show false information, or filters, for objects on the windows environment. For example, by using a filter driver it can hide files on the system. If the driver doing its work correctly it will calculate the total size of the files and the count removing information about the hidden files.
What is the best rootkit removal tool?
Combination of antivirus and dedicated anti-rootkit tools. Please refer to our tools page to find a list of tools that you can download and use for scanning your system to find rootkit.
What does a rootkit virus do?
Mostly a rootkit can be part of a virus, the stealth part. Its job will be to provide stealth behavior. It can be to hide the virus in the system. Block scanner tools to scan the virus files. Hide a network connection allowing the virus to download extra trojan and create a hidden backdoor for remote control.
How does a rootkit hide?
By system manipulation. Using hooking, kernel drivers, and other methods that can change the default OS behavior. An example can be, the list of the running processes on the system. The processes are a linked list of a structure that contains information about the process and a pointer to the next process. If I can remove one of the process structures from the list, the process will still be running on the system, but the function that shows the list of the process will not find this process on the linked list. Due to that, you will not see the process.
Please check this page from time to time, as we will be adding more questions and answers related to the rootkit subjects.
What is bootkit?
Bootkit is a form of rootkit that aims at the BIOS or the boot process. After changing the kernel behavior with the service pack 3 of Windows XP. What makes it harder to rootkit developer, and driver developer in general, to load a driver into the system.
A chase was started to be able to set a driver into the boot process. To load it before drivers of security tools are loading. By that to manipulate the behavior of the security tools and manage to install the rootkit.
Later on, bootkit turn to replace the BIOS of the system with a bootkit patch BIOS. Having control from the deeper possible process of the system boot.
More will be added during the time…
Last updated: 6/5/2020