If your computer is running more slowly than usual, the cause may be a rootkit that has burrowed its way into your system. A rootkit is a program that gives a hacker administrator privileges (root access) on a system and then hides all traces of its presence. Once ensconced, it has complete control over the machine without being detected, which lets it wreak all kinds of havoc: with a rootkit installed, the hacker has full access to the computer and can freely steal files, or can use the infected machine to launch attacks on other computers. Besides the slowdown, the sudden appearance of pop-up ads and redirection to unwanted websites are signs that your computer may harbor a rootkit.
There are several types of rootkits: persistent rootkits that run every time the system boots; user-mode rootkits that alter the system's binary files to hand control of the computer to the hacker; bootkits that infect the Master Boot Record and execute malicious code before the operating system even loads; firmware rootkits that infect hardware such as the system BIOS or the network card; and hypervisor rootkits that sit at the hypervisor layer coordinating the host and the virtual systems, letting the program intercept calls destined for the original OS. There are also hybrids of these types, for example one combining kernel-mode and user-mode components.
How do you detect the presence of a rootkit? Here are some commonly used methods:

- Booting from clean media. Shut down the computer and reboot from an external medium such as a USB flash drive or CD-ROM. Because the rootkit is not running, it cannot take measures to actively conceal its presence.
- Behavioral detection. Infer a rootkit from the way your computer behaves. For example, if your computer is part of a network, you can examine the activity logs of your firewall or anti-virus software for signs of a rootkit. This method can be hard to use because false positives are likely.
- Signature detection. When a rootkit counters an anti-virus or rootkit-detection scan to conceal its presence, it uses a characteristic technique. That technique is its signature, and rootkit detectors can use it to identify the rootkit. This method may not be effective against rootkits specifically made to attack particular programs.
- Difference-based detection. Compare trustworthy raw data with the possibly tampered view returned by the application programming interface. This works against user-mode rootkits that filter the calls passing from the API to the system's kernel, and it is the method that exposed the Sony DRM rootkit.
- Integrity checking. Use a cryptographic hash function to compute a digital fingerprint of code libraries, which can later reveal whether unauthorized changes have been made.
- Memory dump analysis. Dump the computer's entire virtual memory, then examine the capture offline with a debugger to find the rootkit.
Once you detect a rootkit, it can be very difficult to remove. There are manual methods, but they may be too difficult for the ordinary user to carry out. Here is one method using MSConfig (System Configuration):

1. Open the System Configuration tool and enable the boot log.
2. Reboot your computer.
3. Open C:\WINNT or C:\WINDOWS, then open the boot log (ntbtlog.txt) and search it for malicious files. You can download lists of known rootkit files to look for. Once you have found one, note the full path of the program.
4. Open a command prompt and use that path to remove the file's permissions with the ICACLS or CACLS command.
5. Restart the computer.
6. Remove the file, searching for it in the registry, in C:\WINNT or C:\WINDOWS, and in C:\WINDOWS\System32\Drivers.
You can also use commercial rootkit products. To make sure you remove every rootkit from your system, scan with several different programs. In some cases, even after you detect the rootkit(s), the damage inflicted on your computer may be so serious that you will need to reformat and reinstall your system. That is a last resort, and hopefully it will not be necessary.
About Author: David Fuller is a contributing writer at http://www.shoppingpreview.com/laptops. He joins other contributing writers in providing consumers with low-downs on the most recent developments in information technology products.