Kaspersky Lab announces the publication of the analytical article 'Rootkit Evolution'

28 Aug 2008
Virus News

Kaspersky Lab, a leading developer of secure content management solutions, announces the release of the article "Rootkit Evolution" by Alisa Shevchenko, a virus analyst at the company.

This article by Alisa Shevchenko is the second in a series devoted to the evolution of viruses and antivirus solutions. The author defines rootkits as "programs that evade or circumvent standard system mechanisms by using stealth techniques to hide system objects, such as files, processes, etc." and provides an overview of rootkit evolution from their first appearance to the present day. The article is aimed at readers with some technical knowledge who require the historical background to a topic currently widely discussed in the IT security industry. It focuses on Windows rootkits: as Windows is the most widely-used operating system, rootkits targeting this system are the most commonly used by virus writers.

Although the term rootkit has its origins in the UNIX world, contemporary Windows rootkits actually stem from the DOS stealth viruses which first appeared in the 1990s. These viruses were designed to hide themselves from the user and from AV programs; it was only later that these techniques were used by Windows rootkits to hide other malware.

Windows rootkits made their appearance approximately ten years after DOS stealth viruses, and the author provides an overview of their origins, the first implementations of such programs, and their functionality. Once it became clear how rootkit technologies could be developed, they started being incorporated into a wide range of malicious programs. Initially, however, the number of malicious rootkits and the ways in which they were applied were relatively limited.

By 2005, the use of rootkit technologies was widespread; the issue attracted media attention, which revealed that these technologies were used not only in malware but also, seemingly, in commercial products. One example of this was the Sony DRM scandal in 2006.

Both the AV industry and independent researchers responded to the use of rootkit technologies and produced a large number of technologies, products and tools designed to combat rootkits.

The article addresses recent trends such as bootkits (rootkits which run during the boot sequence); a 'mythical' rootkit called Rustock.c, which was discussed widely on the Internet towards the end of 2006; and rootkits for non-Windows systems such as OS X (Macintosh) and mobile operating systems. The author concludes that although "rootkits…no longer cause any particular excitement…the concept of evading systems is obviously still valid and we are very likely to see new threats implementing stealth technologies".

The full version of the article is available at Viruslist.com.