Malware has long since abandoned its quest for notoriety and massive infections. Nowadays, the professionalization of its creators and their search for economic benefit mean that every virus, worm or Trojan horse needs to go as unnoticed as possible, since the user's ignorance is an essential ingredient for achieving its objectives. In other words, an invisible virus is far more dangerous than one detectable with the naked eye.
And how can you “see” the malware?
Well, we must not forget that it is nothing more than software, and all software leaves its traces on the system where it is installed – not only the file or files that contain the intruder, but also registry keys, folders, activity reports, etc. Any tool that allows us to list files or registry values will expose any intruder who does not know how to hide their tracks.
It is in this context that rootkits come into play. A rootkit is a software component whose sole and exclusive purpose is to hide system elements, such as files, processes, registry keys, etc., in such a way that the user cannot see them. To do this, it enters the most critical layer of the operating system (the kernel) and manipulates certain internal functions and structures. In this way it deceives applications, preventing them from showing the “real” content of our system.
An example to understand it better
Suppose that a virus whose binary name is “abcd.exe” is installed in the folder “C:\Windows\System32”. When the intruder loads into memory, the rootkit will manipulate the system functions that are in charge of enumerating the files in that folder, in such a way that, upon detecting the path “C:\Windows\System32\ABCD.EXE”, they will ignore it and go on to the next entry. Thus, an application that requests a file enumeration will not be able to “see” the file in that folder.
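One way a defender can catch this kind of filtering is cross-view comparison, which the article itself does not describe: compare a listing taken outside the running system with what the system's own enumeration reports. The code below is an added example, not part of the original article; the function names and both listings are constructed for illustration.

```python
import ntpath


def normalize(path):
    """Windows file names are case-insensitive, so compare them lower-cased."""
    return ntpath.normpath(path).lower()


def cross_view_diff(trusted_listing, api_listing):
    """Compare a trusted listing with what the running system's API returned.

    Returns (hidden, api_only): entries missing from the API view, which is
    the symptom of enumeration filtering, and entries seen only by the API,
    which usually means the file was created between the two snapshots.
    """
    trusted = {normalize(p): p for p in trusted_listing}
    api = {normalize(p): p for p in api_listing}
    hidden = sorted(trusted[k] for k in trusted.keys() - api.keys())
    api_only = sorted(api[k] for k in api.keys() - trusted.keys())
    return hidden, api_only


# Constructed sample data (not from a real system).
# TRUSTED_VIEW stands for a listing taken outside the running OS, for example
# from rescue media; API_VIEW is what the running system's enumeration reports.
TRUSTED_VIEW = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ABCD.EXE",
    r"C:\Windows\System32\notepad.exe",
]
API_VIEW = [
    r"c:\windows\system32\KERNEL32.DLL",  # same file, different case
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\new.log",       # created after the trusted snapshot
]


def demo():
    hidden, api_only = cross_view_diff(TRUSTED_VIEW, API_VIEW)
    for path in hidden:
        print("hidden from API enumeration:", path)
    for path in api_only:
        print("only in API view (check timing):", path)
    return hidden, api_only


if __name__ == "__main__":
    demo()
```

The comparison is only as good as the trusted listing: if both views come from the same compromised system, the filtered entry is missing from both.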
It is interesting to note that a rootkit is not in itself a “malicious” thing, and can be used in totally legitimate practices. By itself, it has nothing to do with malware. In fact, the term “rootkit” became known on a large scale as a result of the incident involving Sony. In 2005, Sony BMG Music introduced copy protection software that also installed a rootkit to hide the protection scheme. The downside of the case is that it did so without the user’s authorization.
Conclusion
The highly dangerous nature of any malware that includes a rootkit component is evident, since the rootkit gives it a very high concealment capacity and allows it to control the system without the user being aware of it. Furthermore, rootkits are among the most complex, advanced and difficult threats to combat.
In any case, we must not forget that any rootkit will enter our machine through a file, so the usual advice we give for other types of malware also applies to rootkits: use a good rootkit scanner, keep it updated, do not use the administrator account when it is not strictly necessary, etc.