Every once in a while, security geeks talk about "rootkits" in tones of fear or loathing. Here's what we're talking about and why we worry about them (and why you should, too).
A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to seize control of your computer at the highest possible level. (In old Unix terms this was called 'root' access; the equivalent level of authority in Windows is 'administrator'.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a botnet) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can't.
Rootkits are also different in that they generally limit themselves to seizing and holding control of one system; a virus, on the other hand, will try to spread itself to other computers. Rootkits are also often kits, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.
Rootkits frequently masquerade as other files and/or deliberately hide files from the programs that legitimate administrators use to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.
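Because a rootkit hides by lying to the system calls that listing tools rely on, one classic defensive check is to compare two independent views of the same thing and look for disagreements. The script below is an added example, not code from the original post; it applies that "cross-view" idea to processes on Linux rather than files: it lists /proc the way ps does, then asks the kernel about every PID directly, and reports any PID the kernel confirms but /proc never showed. It assumes a Linux host with /proc mounted.

```python
import os


def pids_from_proc():
    """View 1: the PIDs that readdir() on /proc reports (what ps and top use)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probe(max_pid):
    """View 2: ask the kernel about every PID directly with kill(pid, 0).
    A process owned by another user answers EPERM, which still proves it
    exists; only ESRCH means 'no such process'."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:  # exists, just not ours to signal
            alive.add(pid)
        except ProcessLookupError:  # no process with this PID
            pass
    return alive


def hidden_pids(listed_before, probed, listed_after):
    """Cross-view diff: PIDs the kernel confirmed but /proc never listed.
    A PID is flagged only if it is absent from BOTH /proc snapshots, so
    processes that started or exited during the slow probe are not
    reported as false positives."""
    return {p for p in probed if p not in listed_before and p not in listed_after}


def scan():
    """Run the check live and re-confirm each suspect before reporting it."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = pids_from_proc()
    probed = pids_by_probe(max_pid)
    after = pids_from_proc()
    confirmed = set()
    for pid in hidden_pids(before, probed, after):
        # Still alive, and /proc/<pid> still cannot be seen by a direct lookup either.
        if pid in pids_by_probe(pid) and not os.path.exists(f"/proc/{pid}"):
            confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    suspects = scan()
    print("hidden processes:", sorted(suspects) if suspects else "none")
```

A non-empty result is a strong signal that something is filtering /proc, which is exactly the behaviour described above and a reason to take the machine to a specialist rather than trust its own tools.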
Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers' computers to exploitation by anyone who knew to look for the backdoor the rootkit created.
To defend against rootkits:
- Practice safe surfing - don't go to virus-infected websites. Music-sharing, video, software, porn, hacker and other 'gray' websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, "there ain't no such thing as a free lunch". If they're not making money through sales or advertising, they're probably getting something else out of the deal – don't let that something be your computer.
- Keep your antivirus program on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.
- Keep all the applications on your computer fully patched.
- Keep your firewall turned on and locked down as far as you can go. This won't necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.
- Turn off your computer when you're not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn't exposed to exploitation while it's turned off.
- If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they're that hard to get rid of.