A rootkit is a tool that assists in breaking into computer systems. It hides the malicious files and processes that allow an intruder to maintain control over the system. Historically, rootkits were packages (hence "kit") containing modified versions of key system binaries of Unix systems (inetd, sshd, ps), which replaced the original binaries right after the break-in. The modified binaries contained the original code plus the rootkit's modifications: for example, they omitted certain processes from listings, or granted a root login when a special password was given. A kernel-mode rootkit infects the kernel itself and removes the hidden programs from the process lists and file listings that the kernel returns to programs. Rootkits can thus hide themselves and Trojan horses from the administrator and from antivirus software. Hiding is done mostly by hooking selected operating system functions, for example those that list processes or the files in a directory; the list generated by the original code is censored by the hooked functions, so the names hidden by the rootkit do not appear in the results. Rootkits exist for various operating systems, including Microsoft Windows, Solaris, Mac OS X and FreeBSD. A rootkit can operate in user mode or in operating system (kernel) mode. A rootkit can reach a computer bundled with an application that is in fact a Trojan horse.
Rootkits in the form of binary files are detected by most antivirus programs, but only until they are run on the system. Detecting a rootkit on an already infected system is extremely difficult: the rootkit is able to control the operation of specialized detection tools and deceive them into falsely informing the user that the system is clean. Such techniques were used, among others, in the commercial "Antidetection" version of Hacker Defender until early 2006, when the project was closed. The most commonly used rootkit detection technique is cross-checking, in which the list of files in a directory returned by the operating system's API is compared with a list read directly from the file system. The Windows registry can be verified in the same way (the result of the API versus the contents read directly from the registry file on disk). On a healthy system the two results should be identical; entries that appear on the second list but are not returned by the API have most likely been hidden by a rootkit.
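The cross-checking comparison described above, written out as an added example (this is not code from the original article or from any detection tool it mentions). The two listings are constructed sample data: in a real check the "API view" would come from the operating system's directory or registry enumeration calls, and the "raw view" from an independent parse of the on-disk file system or registry hive structures. The function is written generally enough to compare any two name listings, so the same code serves both the directory and the registry case; the `simulate_rootkit_filter` helper only stands in for the censoring a rootkit performs, so that the example runs offline.

```python
"""Cross-check detection: compare an 'API view' of a listing against a
'raw view' obtained independently, and report the names the API omits.

Added example, not part of the original article. All listings below are
constructed sample data (see CONSTRUCTED labels), not real system output.
"""
from dataclasses import dataclass


@dataclass
class CrossCheckResult:
    hidden: list      # present in the raw view, missing from the API view
    phantom: list     # present in the API view, missing from the raw view
    consistent: bool  # True when both views agree exactly


def normalize(name, case_insensitive):
    """Canonicalize a name so that trivial differences (case, trailing
    separators, whitespace) do not produce false alarms."""
    name = name.strip().rstrip("\\/")
    return name.lower() if case_insensitive else name


def cross_check(api_view, raw_view, case_insensitive=True):
    """Compare two listings of the same object (directory, registry key).

    Names in raw_view but not api_view are the classic rootkit signature:
    something on disk that the OS API refuses to show. Names in api_view
    but not raw_view are also inconsistencies worth investigating.
    Windows names are case-insensitive, hence the default.
    """
    api = {normalize(n, case_insensitive) for n in api_view}
    raw = {normalize(n, case_insensitive) for n in raw_view}
    hidden = sorted(raw - api)
    phantom = sorted(api - raw)
    return CrossCheckResult(hidden, phantom, not hidden and not phantom)


def simulate_rootkit_filter(names, marker="_hide_"):
    """CONSTRUCTED stand-in for a hooked listing API: drops every entry whose
    name contains the marker, the way a rootkit censors a real listing."""
    return [n for n in names if marker not in n]


# CONSTRUCTED raw views, as an independent on-disk parse would return them.
RAW_DIR_VIEW = ["System32", "drivers", "notepad.exe", "_hide_service.exe"]
RAW_REG_VIEW = ["Run", "RunOnce", "_hide_persist"]


def report(label, api_view, raw_view):
    """Run one cross-check and print a human-readable verdict."""
    result = cross_check(api_view, raw_view)
    print(f"[{label}] consistent={result.consistent}")
    for name in result.hidden:
        print(f"  hidden from API (possible rootkit): {name}")
    for name in result.phantom:
        print(f"  reported by API but absent on disk:  {name}")
    return result


if __name__ == "__main__":
    # Directory check: simulated censored API view vs. raw view.
    report("directory", simulate_rootkit_filter(RAW_DIR_VIEW), RAW_DIR_VIEW)
    # Registry check: the same comparison applied to key names.
    report("registry", simulate_rootkit_filter(RAW_REG_VIEW), RAW_REG_VIEW)
    # Healthy system: both views agree (up to case), nothing reported.
    report("clean", ["RUN", "runonce"], ["Run", "RunOnce"])
```

The normalization step matters in practice: a checker that flags every case or trailing-separator difference floods the operator with false positives and buries the one real discrepancy, so only genuine name mismatches should reach the report.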