This article by Alisa Shevchenko is the third in a series devoted to the evolution of viruses and antivirus solutions. The author defines rootkits as 'programs that evade or circumvent standard system mechanisms by using stealth techniques to hide system objects, such as files, processes, etc' and provides an overview of rootkit evolution from their first appearance to the present day. The article is aimed at readers with some technical knowledge who require the historical background to a topic currently widely discussed in the IT security industry. It focuses on Windows rootkits: as Windows is the most widely used operating system, rootkits targeting it are the ones most commonly used by virus writers.
Although the term rootkit has its origins in the UNIX world, contemporary Windows rootkits actually stem from the DOS stealth viruses which first appeared in the 1990s. These viruses were designed to hide themselves from the user and from AV programs; it was only later that these techniques were used by Windows rootkits to hide other malware.
Windows rootkits made their appearance approximately ten years after DOS stealth viruses, and the author provides an overview of their origins, the first implementations of such programs, and their functionality. Once it became clear how rootkit technologies could be developed, they started being incorporated into a wide range of malicious programs. Initially, however, the number of malicious rootkits and the ways in which they were applied were relatively limited, and broke down into three categories:
- Trojans which used ready-made tools and libraries to hide themselves in the system
- Ready-made malicious rootkits which could be modified by the user
- Custom rootkits which were developed specifically with the aim of carrying out targeted attacks
By 2005, the use of rootkit technologies was widespread; the media directed its attention towards the topic and found that these technologies were used not only in malware but also, seemingly, in commercial products. One example of this was the Sony DRM scandal in 2006.
Both the AV industry and independent researchers responded to the use of rootkit technologies by producing a large number of technologies, products and tools designed to combat rootkits. Some of these are free; some are commercial; and some are designed to address threats which are still at the proof-of-concept stage, such as rootkits which use hardware virtualization.
The article also addresses recent trends such as bootkits (rootkits which run during the boot sequence); a 'mythical' rootkit, Rustock.c, which was discussed widely on the Internet towards the end of 2006; and rootkits for non-Windows systems such as OS X (Macintosh) and mobile operating systems. The author concludes that although 'rootkits…no longer cause any particular excitement…the concept of evading systems is obviously still valid and we are very likely to see new threats implementing stealth technologies'.
The full version of the article “‘Instant’ threats” can be found at www.viruslist.com.