There’s a new kid on the block, and he’s a particularly tough and nasty bully. He goes by the name Root Kit, and he’s changing the rules of the game where malicious programs are concerned.
In the good old days, computer virus creators would create a new virus and unleash it on the world. It wouldn’t take long for anti-virus companies to get a copy of the new virus, analyze it and then add the required code to their programs in order to recognize the new virus program and eliminate it.
This was how the virus/anti-virus war played itself out for many years. Sure, some virus authors were more creative than others and would use techniques to change the code contained in their virus programs on-the-fly, but the anti-virus companies would usually figure out a way to detect and remove them anyway.
For the most part, the anti-virus companies were able to stay one step ahead of the virus creators.
Recently however, it is becoming more difficult for the good guys to stay ahead of the bad guys, and it’s all because of this nasty bully known as Root Kit.
A ‘root kit’ is a technique that is starting to be put into use by people who create computer viruses or other malicious software such as spyware.
The numerous anti-virus and anti-spyware programs available have been very effective for the most part. These programs have probably saved computer users an unimaginable quantity of time and money by detecting and removing malicious software before it has had a chance to do its dirty work.
In order to detect and remove malicious programs, anti-virus, anti-spyware and other malicious software detection programs must first be able to detect the presence of the malicious programs. This is where the root kit comes into play.
There is certain functionality built into computer operating systems that allows the computer user to see which programs and files currently reside on the computer. A good example of this is Windows Explorer.
If you have a Windows computer, you can right-click on the ‘Start’ button and then select ‘Explore.’ This will launch the Windows Explorer program and allow you to view the contents of your computer hard drive. This will allow you to see all the files and programs that currently reside on your hard drive.
In a way, using Windows Explorer is kind of like ‘lifting the hood’ on your PC and taking a peek inside. It goes a bit beyond just clicking ‘Start’ and then selecting ‘Programs’ to launch whatever programs you want to use at the moment. Many computer users have probably never used Windows Explorer and may not ever have a reason to do so. But it is there if the need should arise.
Another useful method of checking what your computer is up to is to check the currently running processes. This shows you the programs that are currently running on your PC, many of which are background processes that are always running when your computer is turned on. Most of these background processes are essential to the proper operation of your computer and allow you to do things like connect to the Internet or be notified if you receive a new e-mail message.
To check out the programs currently running on your Windows PC, you can hold down the ‘Ctrl’ and ‘Alt’ keys, and then, while still holding them down, hit the ‘Delete’ key. You should then see a box appear in the middle of your screen with some choices. Click on ‘Task Manager’ and then select ‘Processes’ to see a list of every program that is currently running on your PC.
Unless you are something of a ‘techie,’ the list of processes is probably not going to be very meaningful or informative. But it is a good example of how one might begin a search on suspecting that a computer has become infected with a malicious program: it shows you everything that is currently going on with the computer, and an experienced computer user should find it easy to spot a program that should not be there.
Here’s how the scenario might play out. In fact, I’ve been through this exercise a few times myself, so I can tell you exactly how I would approach this and how a root kit can stay one step ahead of me.
Let’s say I notice that my computer is running slower than normal one day. I also notice that there appears to be a lot more hard disk activity than I would normally expect. This makes me wonder if there is a malicious program running on my PC that is doing things in the background and causing my PC to slow down.
The first thing I do is run the Task Manager so I can see the list of processes that are running on my computer at the moment. Sure enough, I spot a very suspicious program running on my computer called ‘EvilSpyware.’ No creator of spyware would ever use a name like that, but you get the point.
I then use Task Manager to terminate the program and I notice that the hard drive activity on my PC dies down and the speed of my PC returns to normal.
I then call up Windows Explorer and do a search of my hard drive for any file or program called EvilSpyware. I soon locate the EvilSpyware.exe program in a directory called C:\Evilspyware on my hard drive and delete it.
I then use the registry editor to remove the command from the system registry that starts up the EvilSpyware program every time I turn on my PC. The vast majority of malicious software uses this technique to make sure the program is running each and every time the PC is turned on.
You should be aware that this was a pretty simplistic example of how a malicious program might be detected and eliminated from my PC. It is rarely that simple these days, but it does give you an idea of how one might use the functionality that is built into Windows to track down a malicious program.
What a root kit does that is different from the usual types of malicious software is that it actually changes the functionality of the Windows operating system itself.
For example, let’s say a malicious program makes its way onto your computer. This, in itself, is bad news. However, this particular malicious program uses root kit techniques to hide itself.
In this hypothetical example, the root kit re-writes part of the code that makes up Windows Explorer. It re-writes it in such a way that Windows Explorer will no longer display the names of any programs residing on your computer’s hard drive that begin with $sys$.
So, when you bring up Windows Explorer to search for any malicious programs that might be residing on your PC, you will not see any programs whose names begin with $sys$. So guess what the name of the program is that is delivered to your PC as part of this malicious package. You guessed it! A name that starts with $sys$.
This ensures that you will never find this malicious program if you are searching for it with Windows Explorer!
A malicious program using root kit techniques can change pretty much anything it wants to on your PC. It could also easily change the code for the Task Manager program and just as easily prevent it from displaying the names of any running programs that start with $sys$ or any other name the malicious software author chooses.
Root kit techniques can also be used to change the code of anti-virus or anti-spyware programs. A malicious software program could be programmed to seek out any of the well-known anti-virus or anti-spyware programs that may be installed on your PC and change the code in order to hide the malicious program from the anti-virus or anti-spyware program.
As you can see, root kit techniques can be used to make malicious software very difficult to detect, and, for the majority of computer users who are not technically inclined, nearly impossible to detect.
Fortunately, the good guys are out there and they are quite determined to make life as difficult as possible for the creators of malicious software.
New programs and techniques such as RootKitRevealer and BartPE are indeed making things a bit tougher for the creators of malicious software. My hat is off to the good guys who are spending many hours of their time developing tools that make computing safer for all of us. I encourage you to visit their sites, use their tools and support them however you can.
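As an added illustration that is not part of the original article, here is a small Python model of the hiding trick described above and of the ‘cross-view’ comparison that RootKitRevealer performs: the listing an application receives through the normal Windows API is compared against an independent raw scan, and anything missing from the first is flagged. Every path, file name and process name below is constructed for the example; nothing touches a real disk.

```python
# Added example (not from the original article): a toy model of how a root kit
# hides files from Explorer, and of the cross-view check used to catch it.
# Nothing here touches a real disk; every path and name is constructed.

HIDDEN_PREFIX = "$sys$"   # the prefix the article's hypothetical root kit filters

# Constructed "raw" disk contents: what is physically present on the volume.
RAW_DISK = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\drivers\$sys$hidden.sys",  # hypothetical hidden driver
    r"C:\Program Files\Common Files\$sys$svc.exe",   # hypothetical hidden service
    r"C:\Users\me\report.doc",
}

# Constructed process list as the kernel knows it, for the Task Manager case.
RAW_PROCESSES = {"explorer.exe", "svchost.exe", "$sys$svc.exe", "winword.exe"}


def file_name(path):
    """Return the last component of a Windows path (or the name itself)."""
    return path.rsplit("\\", 1)[-1]


def hooked_view(raw, prefix=HIDDEN_PREFIX):
    """What a root-kitted Explorer or Task Manager returns: every entry whose
    name starts with `prefix` is dropped before the user ever sees it."""
    return {entry for entry in raw if not file_name(entry).startswith(prefix)}


def cross_view_diff(api_view, raw_view):
    """Cross-view detection, the approach RootKitRevealer uses: compare the
    high-level API listing with an independent raw scan. Anything present in
    the raw scan but missing from the API result is being hidden."""
    return sorted(raw_view - api_view)


def find_hidden_files(raw_disk=RAW_DISK):
    """Run the check on the file system model; returns the hidden paths."""
    return cross_view_diff(hooked_view(raw_disk), raw_disk)


def find_hidden_processes(raw_procs=RAW_PROCESSES):
    """Same check on the process list model; returns hidden process names."""
    return cross_view_diff(hooked_view(raw_procs), raw_procs)


if __name__ == "__main__":
    print("Hidden files:    ", find_hidden_files())
    print("Hidden processes:", find_hidden_processes())
```

The same comparison works for any pair of views (files, processes, registry keys) as long as one of them is gathered without going through the code the root kit may have altered.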