Of the many weapons and tricks in an attacker’s arsenal, none is more dangerous or insidious than the ability to hide and continuously compromise a system from within. This is the role of a rootkit. Malware uses rootkits, or rootkit functionality, to hide its presence on an affected computer and thus impede its removal. Once a system is compromised by a rootkit, any information it returns can no longer be trusted and must be regarded as suspect (which is exactly how rootkits hide themselves and their components from you – by modifying requests for information that might give them away).
However, here’s the rub – in all likelihood, if you have a rootkit, you will not know that the information being returned by the system is wrong, and alarm bells are unlikely to ring. Thus you are unlikely to take more stringent measures to protect yourself, as you haven’t realized the compromise in the first place. Without being alarmist, let’s be straight about this – rootkits are bad news.
The MMPC has released a short paper that discusses rootkit fundamentals and looks at how they are used by attackers. Importantly, the paper also includes guidance on how to guard against the threat and steps you can take if you believe you have been compromised.
Know your enemy and protect yourself by learning about these threats.
You can download the paper here.