It has always been in the interest of malware authors to hide their malware on an infected machine. They don’t want to make it easy for security vendors to find and remove their files. Rootkits are one of the most sophisticated methods malware authors use to stay undiscovered.
A rootkit is a tool that allows an attacker to hide a threat on a computer. Rootkits almost never work alone. Instead, an attacker will deliver both a malicious program (e.g., spyware) and an accompanying rootkit when they infect a new computer. The job of the rootkit is to hide telltale signs of both itself and the malicious program from the user and any security software on the machine.
How does a rootkit do this? It burrows into the operating system and monitors attempts by the user or security software to access its files or the malware files it is protecting. Any time the user (or naïve security software) tries to access the rootkit or the malware files it is protecting, the rootkit intercepts the request before the operating system can answer it and responds on the operating system’s behalf, saying something like “The file you’re asking for doesn’t exist.” The result is that when antivirus software asks for a list of the files on a computer in order to scan them, the two or three files hidden by the rootkit don’t show up on that list, and therefore aren’t scanned for threats.
Rootkits are not new. The Brain virus, written back in 1986, is generally considered the first virus to use a rootkit. We discuss rootkits in more detail in our Internet Security Threat Report: http://www.symantec.com/business/threatreport/.
Rootkits can present a challenge to security software. After all, how can you remove something if you can’t find it? Even if you can find it, how can you remove something that is subverting the operating system? Well, as it turns out, there are a number of sophisticated techniques that we can use both to detect rootkits and to remove them. Consider how police determine whether a witness is telling the truth or lying to them. They tend to ask a question many different ways, and of many different people, to make sure they get a consistent result each time. If they receive different answers from the same person, or from different people, it indicates that something is likely amiss. In a similar fashion, our security products can detect rootkits by interrogating the operating system in multiple different ways and comparing the results. Typically a rootkit can hide from some of these techniques, but never from all of them. Once our security software finds such a discrepancy or inconsistency, it’s game over for the rootkit and the malware it’s hiding.
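The cross-view comparison described above, as an added illustration that is not Symantec’s code: each "view" is one way of asking the operating system what is in a directory, and a file that one view reports but another omits is the inconsistency the text refers to. The view names and file paths below are constructed sample data, not Agony’s actual files, and a second round of queries is used to drop one-off mismatches caused by files created or deleted between queries.

```python
from typing import Dict, Iterable, List, Set

# One "view" per independent way of enumerating a directory, e.g. the documented
# listing API, a raw walk of the on-disk directory structure, or a second parser.
# A rootkit that hooks one of these paths usually cannot filter all of them.
View = Dict[str, Set[str]]


def cross_view_diff(views: View) -> Dict[str, List[str]]:
    """Return {path: [views that did NOT report it]} for every path that at
    least one view reported but at least one other view omitted."""
    union: Set[str] = set().union(*views.values())
    hidden: Dict[str, List[str]] = {}
    for path in sorted(union):
        missing = sorted(name for name, listing in views.items() if path not in listing)
        if missing:
            hidden[path] = missing
    return hidden


def stable_discrepancies(rounds: Iterable[View]) -> Dict[str, List[str]]:
    """Keep only discrepancies that recur, with the same set of blind views, in
    every round; a file deleted between two queries shows up only once."""
    result = None
    for views in rounds:
        diff = cross_view_diff(views)
        if result is None:
            result = diff
        else:
            result = {p: v for p, v in diff.items() if result.get(p) == v}
    return result or {}


# Constructed sample: the hooked API drops a driver and a DLL that the two raw
# views still see; tmp1.dat is deleted between the API query and the raw walks.
VISIBLE = {r"C:\Windows\explorer.exe"}
HIDDEN = {r"C:\Windows\System32\drivers\example_hidden.sys", r"C:\Windows\example_payload.dll"}
ROUND_1: View = {
    "api_listing": VISIBLE | {r"C:\Windows\Temp\tmp1.dat"},
    "raw_mft_walk": VISIBLE | HIDDEN,
    "alt_parser": VISIBLE | HIDDEN,
}
ROUND_2: View = {"api_listing": set(VISIBLE), "raw_mft_walk": VISIBLE | HIDDEN, "alt_parser": VISIBLE | HIDDEN}

if __name__ == "__main__":
    for path, blind_views in stable_discrepancies([ROUND_1, ROUND_2]).items():
        print(f"{path} is hidden from: {', '.join(blind_views)}")
```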
Take the rootkit Agony as an example. It can be used to hide malware on a Windows computer. But it can’t hide files from Norton’s multiple lines of interrogation. To give you an idea of how we detect malware hidden by rootkits, we created the video below. Take a look:
The video shows just one technology we use to find and remove rootkit threats. An overview of all the security layers Norton uses can be found here: http://www.symantec.com/business/theme.jsp?themeid=star. Of course, our enterprise security products, such as Symantec Endpoint Protection, have exactly the same capabilities to catch rootkits such as Agony.
Symantec's layered approach: it can prevent a lot of Agony.