Why rootkits?

Since early 2005, rootkits have been one of the most intriguing aspects of the malicious code industry. We've all known about rootkits for ages, on both Windows and Unix/Linux OSs, but this writer first encountered one in the wild in early 2005. If you have grown-up children, and you're good at computers, it turns out that you get to be Tech Support Of Last Resort. If ever they have a machine at work that they can't clean, they bring it home to dad. One afternoon in March 2005, I encountered the first machine that I couldn't clean, and in fact, I killed it trying. In time, I came to understand that it was a rootkit. I started digging around to find out about them, and have been fascinated ever since.

What's a rootkit?

In simple terms, a rootkit is code that modifies the operating system so that the rootkit, rather than the OS, is in control. It typically uses that control to hide from anything that would like to remove it, for example antivirus or anti-spyware programs.
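The hiding described above is exactly what makes detection hard, and the classic defensive answer is a cross-view comparison: enumerate the same objects through two independent paths and flag whatever one path omits. The Python below is an added example, not code from the original article; its process lists are constructed sample data and filtered_api_view is a stand-in for an enumeration API whose results have been tampered with, not a real OS call.

```python
"""Cross-view detection of hidden processes on constructed sample data.

A rootkit that filters the process-listing API hides its own process from
tools that rely on that API. Enumerating the same processes through a second,
independent path (raw kernel structures, the /proc directory) and diffing the
two views exposes the discrepancy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def filtered_api_view(raw, hidden_prefix="svc_"):
    """Stand-in for a tampered enumeration API (constructed for this example).

    A real hooked API would filter on whatever the rootkit chooses; here it
    simply drops any entry whose name starts with hidden_prefix.
    """
    return [p for p in raw if not p.name.startswith(hidden_prefix)]


def naive_diff(api_view, raw_view):
    """Everything in the raw view that the API view does not report.

    This is the obvious check, but it also flags processes that happened to
    exit between the two enumerations, so it produces false positives.
    """
    api_pids = {p.pid for p in api_view}
    return sorted((p for p in raw_view if p.pid not in api_pids), key=lambda p: p.pid)


def cross_view_diff(api_view, raw_before, raw_after):
    """Entries present in BOTH raw snapshots but absent from the API view.

    Taking the raw snapshot before and after the API call means a process that
    merely started or exited during the scan is not in both snapshots and is
    discarded; only entries that were stably present yet unreported survive.
    """
    api_pids = {p.pid for p in api_view}
    stable = set(raw_before) & set(raw_after)
    return sorted((p for p in stable if p.pid not in api_pids), key=lambda p: p.pid)


# Constructed sample data, not real system output. Between the two raw
# snapshots the short-lived "cron-job" process (pid 2001) exits.
RAW_BEFORE = [
    Proc(1, "init"), Proc(412, "sshd"), Proc(913, "svc_update"),
    Proc(1337, "bash"), Proc(2001, "cron-job"),
]
RAW_AFTER = [
    Proc(1, "init"), Proc(412, "sshd"), Proc(913, "svc_update"),
    Proc(1337, "bash"),
]


def run_scan():
    """Raw snapshot, API call, raw snapshot, then diff: returns hidden entries."""
    api_view = filtered_api_view(RAW_AFTER)  # the API call sees the later state
    return cross_view_diff(api_view, RAW_BEFORE, RAW_AFTER)


if __name__ == "__main__":
    for p in run_scan():
        print(f"hidden from API view: pid={p.pid} name={p.name}")
```

On the constructed data the naive diff reports two suspects (913 and the already-exited 2001), while the two-snapshot diff reports only pid 913, the entry the filtered API actually concealed. The same pattern applies to files, registry keys and network sockets: the detection signal is the disagreement between views, not any property of the hidden object itself.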

So who's installing rootkits?

Great question, and the answer is ... about everybody. Pretty much all the Bad Guys(tm) who go to the trouble of 0wning your computer also install a rootkit. Something about protecting their investment.

So why don't more people know about them?

Because most people have no way of knowing whether they have a rootkit. Simply put, few antivirus and anti-spyware programs can detect one once it has been installed.

What this means is that it's really important to know which antivirus programs, if any, can detect a rootkit once it's installed, and which, if any, can remove it.

Even more important than that is knowing how a product performs over time, against a variety of rootkits. If rootkit removal is part of your purchasing criteria, then you really need to know whether a given product is able to keep up.