Rootkits have gone from theoretical to everyday infections in a pretty short time. Tools like TDSSKiller, Sophos Antirootkit, Combofix, and others all help in the battle against these sophisticated infections but the best solution is to avoid getting one installed in the first place. To better understand the threat that rootkits pose, I recommend reading the threat report that the Microsoft Malware Protection Center just published today.
“The Microsoft Malware Protection Center (MMPC) has published a new threat report on Rootkits and how they work. This threat report is recommended reading for those people looking to better understand how malware families use rootkits to avoid detection and how to protect themselves from this type of threat.”
The report covers the purpose of rootkits and their etymology, how attackers use rootkits, the scope of the rootkit problem, notable malware families that use rootkits, and protection against rootkits and malicious/potentially unwanted software.
A rootkit works by essentially inserting itself into a system to moderate – or filter – requests to the operating system. By moderating information requests, the rootkit can provide false data, or incomplete data, to utterly corrupt the integrity of the affected system. This is the key function of a rootkit and explains why rootkits are a serious threat – after a rootkit is installed, it is no longer possible to trust any information that is reported back from the affected computer.
You can find out more from the Microsoft Security blog, which announced the report’s release. You can jump straight to the report (.pdf) by clicking the image below.
