Chapter 12. Rootkits

Rootkit technology is not really new; it began in the Unix world as a set of trojaned versions of standard system utilities that hid files and processes and preserved elevated access. As detection techniques evolved to use integrity checking and other means, rootkits evolved too, moving from user space into the more powerful kernel space, usually as kernel modules, and adopting other techniques to stay hidden. Unlike a backdoor, which offers the remote operator more functionality, the role of a rootkit is mainly to hide itself and other applications. The race between the detector and the rootkit is usually won by whichever is installed on the system first. It is therefore important to be ready and plan ahead before putting any system into production. Trying to detect and remove a rootkit after it is installed, if nothing was prepared beforehand, can be a very difficult task; often the most time-saving solution is to format and reinstall the whole system.
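The "plan ahead" advice above boils down to taking a trusted baseline of the system before it goes into production and comparing against it later. The following is an added example, not code from the book or from any tool it covers: a minimal file-integrity checker that records a SHA-256 digest, size and mode for every regular file under a directory, stores that manifest, and reports files that were changed, added or removed. The directory layout in `demo()` (a scratch directory holding files named `ls`, `ps` and `netstat`, one of which is then overwritten) is constructed for illustration and stands in for a real system tree.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record digest, size and mode for every regular file.

    Symlinks are skipped so a link to /dev/zero or a FIFO cannot stall the scan.
    Paths are stored relative to root so the manifest is portable.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.lstat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def save_baseline(baseline, path):
    """Write the manifest as JSON; keep this copy off the box or on read-only media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return which files changed content or metadata, appeared, or disappeared."""
    changed = sorted(
        k for k in baseline
        if k in current and baseline[k] != current[k]
    )
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a fake bin directory, then trojan it."""
    root = tempfile.mkdtemp()
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"original " + name.encode())

    # Step 1: baseline taken before "production", stored as a manifest.
    manifest = os.path.join(root, "..", "baseline.json")
    save_baseline(build_baseline(root), manifest)

    # Step 2: a user-space rootkit replaces ps with a filtering copy and
    # drops a hidden helper file (constructed for the example).
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"trojaned ps that hides its own processes")
    with open(os.path.join(root, ".rk"), "wb") as f:
        f.write(b"hidden helper")

    # Step 3: later verification against the stored baseline.
    return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. The manifest must be created before the system is exposed and kept where the monitored host cannot rewrite it, otherwise an attacker simply re-baselines after installing. And a checker like this runs through the kernel's own file and directory calls; a kernel-level rootkit that hooks those calls can hand the scanner the original bytes while executing the trojaned ones, which is exactly why the chapter stresses that the first to be installed usually wins, and why verification from trusted boot media is the stronger option.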

There are several rootkits available. We’ll look at the most notable ones for each platform and note their strengths and weaknesses. If you want more information on rootkit technology and more specific “under the hood” documentation of how they work and interact with the various operating systems they can be used against, a great resource is the web site http://www.rootkit.com. In addition, the book RootKits: Subverting the Windows Kernel by Jamie Butler and Greg Hoglund (Addison-Wesley) ...