Rootkit detection and removal guide
As more of the world's computers go online, cyber threats rise with them. Today the threat drawing the most concern is spyware. Viruses and trojans still exist, but more and more people are focusing on spyware.
Spyware takes more than the computer: it can take the owner's money and privacy as well.
Imagine someone spying on your sensitive data, such as your e-mail account or your bank passwords: they could empty your account and ruin your life.
So what is the most sophisticated kind of spyware? The rootkit. Strictly speaking, a rootkit is not spyware itself but a set of programs that hides spyware, other malware and itself from detection. To do that it changes the way the system works, often installing itself as part of the operating system, as a kernel module or a device driver. Because of this, a rootkit cannot reliably be detected by a single virus or spyware scan run from inside the infected system.
Rootkits actually date back to the early 1990s, when the main targets were Linux and Sun (SunOS/Solaris) systems. They did not spread widely on Windows at first, so they drew little public attention. That changed after well-known cases such as Sony BMG shipping rootkit technology (its XCP copy-protection software) on music CDs in 2005, which made people aware of the threat. So far the rootkit threat remains manageable, because a rootkit does not replicate itself and spread on its own: it has to be installed by some other means, such as a trojan, an exploit or physical access.
Types of rootkit
Firmware
Firmware is software embedded in a device itself, such as a microcontroller, a network card, a disk controller or a USB flash drive. A firmware rootkit lives in that embedded code rather than in files on the disk, so it survives a reinstall of the operating system and is invisible to scanners that only look at files. It is not necessarily planted by a hacker or cracker: there have been cases of USB flash drives shipping from the factory with malicious code already on them (and a manufacturer that does so has to face the lawsuits). Because nobody expects spyware inside a device's firmware, it goes unsuspected.
Figure: a microchip processor. Firmware rootkits can be installed in such devices.
Virtualized
A virtualized (hypervisor) rootkit runs below the operating system. It modifies the machine's boot sequence so that it is loaded first, in place of the original operating system. Once in memory it boots the original operating system as a guest inside a virtual machine, so every hardware access the guest OS makes passes through the rootkit, which can intercept or alter it, while nothing running inside the guest has a direct view of the layer beneath it.
Kernel level
As the name says, a kernel-level rootkit adds its own code to the kernel through a device driver or loadable module: a Loadable Kernel Module on Linux, a device driver on Windows. Once there it can alter system calls and hide processes, files and network connections from every program on the machine. It runs with full privileges, so if the added code contains errors it crashes or corrupts the whole system rather than a single program.
Library level
A library-level rootkit patches, hooks or replaces the shared library functions that programs call (for example the C library wrappers around the system calls used to list directories or processes) with versions that filter out information about the attacker. The kernel itself still sees everything; only programs that go through the tampered library are blinded, which is why a tool that bypasses the library can still expose it.
Application level
An application-level rootkit replaces ordinary applications with fake copies, normally containing malware, or modifies the behaviour of existing applications using hooks, patches and injected code. Because it only touches individual programs, it is the easiest kind to find: a program it did not touch, or a scanner, still sees the truth.
Rootkit removers
Popular anti-spyware programs such as SpySweeper, CounterSpy and Spyware Doctor include a rootkit detector as an additional feature. Scanning for rootkits makes a spyware scan slower, so SpySweeper turns this feature off by default.
If you want a free application, try F-Secure BlackLight. It seems to me that the command-line version is more effective.
Effective way to remove rootkits
You might think that if your computer is suspected of having a rootkit, all you have to do is run a full scan with a rootkit detector from inside Windows and then remove every threat it reports. This can work, as long as the rootkit cannot hide itself from F-Secure BlackLight, SpySweeper or whatever scanner you use: some rootkits are built to hide their malware payload but not themselves. Application-level rootkits can usually be detected this way.
But what if the rootkit has modified the system itself, at the driver, kernel or firmware level? Can a single scan run from inside Windows detect it? No. Every file listing, process list and registry query the scanner makes goes through the compromised system, so neither the system nor the scan result can be trusted.
That is why the most effective way to detect and remove a rootkit is to create a rescue disk and boot the system from an alternate device, such as a USB flash drive, CD-ROM or DVD-ROM, so that the suspect operating system is never running. Then run the command-line version of F-Secure BlackLight and eliminate any rootkit found. The principle is a cross-view comparison: what the running system reports is checked against what can be read from outside it, and anything present in the outside view but missing from the inside view has been hidden. A disk scan cannot clean firmware, so if a firmware rootkit is suspected the device itself has to be reflashed or replaced, and it is worth scanning once more from the rescue media after removal before trusting the system again.
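The cross-view idea behind an offline scan, as an added example that is not code from the original article or from F-Secure: snapshot the same file tree once through the suspect system's own directory-listing routine and once through a trusted path, then report what only the trusted view can see or what changed in between. The `hooked_listdir` function stands in for the kind of library- or kernel-level listing hook described in the sections above, the temporary directory tree and its contents are constructed for the demo, and `HIDE_PREFIX` and all file names are assumptions. In a real case the trusted snapshot would be taken from the rescue media over the mounted disk.

```python
"""Cross-view rootkit detection (added example, not part of the article).

Snapshot the same file tree twice: once through the directory-listing routine
the suspect system offers (which a rootkit may have hooked) and once through a
trusted path (in practice: the disk mounted from rescue media). Anything the
trusted view has and the suspect view lacks has been hidden; any path whose
content differs was tampered with in flight.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

HIDE_PREFIX = "_rk_"  # constructed marker for the demo; a real rootkit picks its own


def sha256_file(path: str) -> str:
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, list_fn=os.listdir) -> dict:
    """Return {relative path: sha256} for every regular file under root.

    list_fn is injectable: pass the suspect system's listing routine to get
    the "inside" view, or leave the default to get the trusted "outside" view.
    """
    digests = {}
    stack = [root]
    while stack:
        d = stack.pop()
        for name in list_fn(d):
            full = os.path.join(d, name)
            if os.path.islink(full):
                continue  # never follow links out of the tree
            if os.path.isdir(full):
                stack.append(full)
            elif os.path.isfile(full):
                digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


@dataclass
class Findings:
    hidden: list = field(default_factory=list)    # in trusted view only
    modified: list = field(default_factory=list)  # same path, different bytes
    phantom: list = field(default_factory=list)   # in suspect view only


def compare_views(suspect: dict, trusted: dict) -> Findings:
    """Cross-view diff; the trusted snapshot is the reference."""
    f = Findings()
    for path, digest in trusted.items():
        if path not in suspect:
            f.hidden.append(path)
        elif suspect[path] != digest:
            f.modified.append(path)
    f.phantom = [p for p in suspect if p not in trusted]
    for lst in (f.hidden, f.modified, f.phantom):
        lst.sort()
    return f


def hooked_listdir(path: str) -> list:
    """Stand-in for a rootkit-hooked listing API: silently drops entries whose
    name starts with HIDE_PREFIX, as a hook on readdir/FindNextFile would."""
    return [n for n in os.listdir(path) if not n.startswith(HIDE_PREFIX)]


def demo() -> Findings:
    """Build a constructed tree, view it through the hook, then from outside."""
    root = tempfile.mkdtemp(prefix="rk-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, HIDE_PREFIX + "stash"))
        files = {  # constructed sample contents
            os.path.join("bin", "ls"): b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            os.path.join(HIDE_PREFIX + "stash", "keylog.dat"): b"captured keys\n",
            HIDE_PREFIX + "config": b"c2=example.invalid\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Inside view: what a scanner running on the compromised system sees.
        inside = snapshot(root, list_fn=hooked_listdir)
        # Simulate a content-hiding hook: the live OS served the clean bin/ls
        # above, but what is really on disk is the trojaned copy below.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\n/tmp/.x/backdoor &\nexec /usr/bin/ls \"$@\"\n")
        # Outside view: what rescue media sees on the mounted disk.
        outside = snapshot(root)
        return compare_views(inside, outside)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("hidden  :", r.hidden)
    print("modified:", r.modified)
    print("phantom :", r.phantom)
```

Running the block reports the two hidden paths and the modified `bin/ls`, with nothing in the phantom list. The injectable `list_fn` is the whole point: the same walker produces the "inside" snapshot when run on the suspect machine and the "outside" snapshot when run from the rescue media, and the comparison is what the rootkit cannot influence.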