Preventing Agony

It has always been in the interest of malware authors to hide their malware on an infected machine. They don't want to make it easy for security vendors to find and remove their files. Rootkits are among the most sophisticated methods malware authors use to stay undiscovered.

A rootkit is a tool that allows an attacker to hide a threat on a computer. Rootkits almost never work alone. Instead, an attacker will deliver both a malicious program (e.g., spyware) and an accompanying rootkit when they infect a new computer. The job of the rootkit is to hide telltale signs of both itself and the malicious program from the user and from any security software on the machine.

How does a rootkit do this? It burrows into the operating system and monitors attempts by the user or security software to access its own files or the malware files it is protecting. Any time the user (or naive security software) tries to access those files, the rootkit intercepts the request before the operating system can answer it and responds on its behalf, saying something like "The file you're asking for doesn't exist." The result is that when antivirus software asks for a list of the files on a computer in order to scan them, the two or three files hidden by the rootkit don't show up on that list, and therefore are never scanned for threats.

Rootkits are not new. The Brain virus, written back in 1986, is generally considered the first virus to use rootkit techniques. We discuss rootkits further in our Internet Security Threat Report: http://www.symantec.com/business/threatreport/

Rootkits can present a challenge to security software. After all, how can you remove something if you can't find it? Even if you can find it, how can you remove something that is subverting the operating system? Well, as it turns out, there are a number of sophisticated techniques that we can use to both detect and remove rootkits. Consider how police determine whether a witness is telling the truth. They tend to ask the same question many different ways, and of many different people, to make sure they get a consistent answer each time. If they receive different answers from the same person, or from different people, it indicates that something is likely amiss. In a similar fashion, our security products can detect rootkits by interrogating the operating system in multiple different ways and comparing the results. Typically a rootkit can hide from some techniques, but never from all of them. Once our security software finds such a discrepancy or inconsistency, it's game over for the rootkit and the malware it's hiding.
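As an added example (not code from the original post or from any Symantec product), here is the same cross-view idea applied to process enumeration on Linux: view one is the /proc directory listing that tools and hooked APIs return, view two asks the kernel about every PID directly with kill(pid, 0), and any PID that answers the probe but is missing from the listing is exactly the inconsistency the paragraph describes. All function names are assumptions of mine; the code assumes a Linux host with the standard /proc layout.

```python
import os
import re

def pids_from_proc():
    """View 1: the directory listing that user-mode tools (and hooked APIs) see."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_by_probing(max_pid):
    """View 2: ask the kernel about each PID directly with kill(pid, 0)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:   # ESRCH: no such process
            continue
        except PermissionError:      # EPERM: exists, just not ours
            pass
        alive.add(pid)
    return alive

def tgid_from_status(status_text):
    """Parse the Tgid line of a /proc/<pid>/status file; None if absent."""
    match = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    return int(match.group(1)) if match else None

def suspicious_pids(listed, probed, read_status):
    """PIDs the probe found but the listing did not, minus ordinary threads:
    kill() accepts a thread ID, and /proc/<tid>/status opens by name even
    though readdir never enumerates it.  read_status(pid) returns the status
    text, or None when the entry cannot be opened at all."""
    result = []
    for pid in sorted(probed - listed):
        status = read_status(pid)
        tgid = tgid_from_status(status) if status else None
        if tgid is not None and tgid != pid and tgid in listed:
            continue  # a thread of a visible process, not a hidden process
        result.append(pid)  # the two views disagree: worth investigating
    return result

def read_status_from_proc(pid):
    try:
        with open(f"/proc/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    listed, probed = pids_from_proc(), pids_by_probing(max_pid)
    print("PIDs answering kill() but absent from /proc:", suspicious_pids(listed, probed, read_status_from_proc))
```

Probing the full pid_max range takes a few seconds in Python; a rootkit that also hooks kill() would evade this particular pair of views, which is why real products combine several more.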

Take the rootkit Agony as an example. It can be used to hide malware on a Windows computer. But it can't hide files from Norton's multiple lines of interrogation. To give you an idea of how we detect malware hidden by rootkits, we created the video below:

(view in My Videos)

The video shows just one technology we use to find and remove rootkit threats. An overview of all the security layers Norton uses can be found here: http://www.symantec.com/business/theme.jsp?themeid=star. Of course, our enterprise security products, such as Symantec Endpoint Protection, have exactly the same capabilities to catch rootkits such as Agony.

Symantec's layered approach: it can prevent a lot of Agony.

I just spent all day trying to remove a trojan/virus from the "UPS" email my wife opened. Froze my mouse, then the whole PC after loading Windows. It turned off Norton and would not let me restart it. Could not turn System Restore off due to it being GONE. Ran rkill and malware, but on restart it removed them, not the trojans..... Is there anything out there that will help? Using Windows 7; all the solutions are for Vista or XP. Even tried them, but nothing except a complete system wipe worked.....


Oh, wish I'd read this article last night. Computer wouldn't start this morning after I used the Norton Eraser. Norton scans found no threats; rep said the update was "corrupt". Windows kept trying to update a security file and it would fail, something called "FFFFFFFF". Windows help stated a malware might make the security update fail. I scanned twice and used the Norton Eraser. Dead computer next day. Toshiba thought it was my hard drive and I was going to send it in. Decided to restore the computer back to factory. I lost all my pictures since I didn't/couldn't do a backup. So, it must have truly been a malware, because the computer works now. My friend likes to go to Big Fish to buy games. My brother thinks malware gets dumped from these types of sites. I wish I could figure out where it came from; buying an external hard drive to load games/pictures on. Norton didn't catch this one. I learned the importance of doing backups the hard way.

I have the Babylon Virus, and thus the search capability and the contact links in this Community/Site do not work/respond. So, what am I to do? Is there a fix for this virus yet? Thanks!

If you have a solution, please e-mail me [Removed]. I may not be able to get in here :)

Helmut

[edit: Removed email per the Participation Guidelines and Terms of Service.]