What is a Rootkit?


A rootkit is a type of computer program that hides its presence from the administrator of the machine. Usually installed as malware, rootkits are very difficult to detect and remove because they erase the evidence of their presence. Often the only visible symptoms of a rootkit are unexplained CPU load or unusual network traffic, and with today's fast CPUs and high-bandwidth network connections such symptoms are easily missed, which makes rootkits almost impossible to identify. Typically, rootkits are used to cloak keyloggers and other spyware, to distribute spam, or to provide privileged access to an unauthorised party. The term is derived from the Unix privileged user account, root, although today rootkits exist for most major operating systems, including Linux, Mac OS X, and Microsoft Windows.

Rootkits are installed in different ways depending on the source and the operating system being exploited. A typical installation on a networked Unix machine involves breaching the root account for long enough to upload modified copies of critical system files, replace the originals with the modified versions, and remove traces of the breach before detection mechanisms notice the activity. The rootkit then provides backdoor access for other malware and destroys log entries that would reveal the presence of the malware and of the rootkit itself. Most installations on Unix-type systems are the result of weak passwords on the root account. In contrast, Windows machines are most often infected through seemingly harmless activities such as browsing the World Wide Web or playing removable media: Windows' tight integration between the operating system and user applications such as Internet Explorer and Windows Media Player allows programs to be installed without user intervention during everyday use.
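Because the Unix-style installation above replaces critical system files and then hides the change, one defensive check is to compare those files against a hash baseline recorded from a trusted state and kept off the machine. The following is an added example, not code from the original article: it builds a baseline, simulates a tampered `ps` and a deleted `netstat` in a temporary directory (constructed data), and reports the differences. It assumes the check is run from trusted media, since a kernel-level rootkit can lie to any tool running on the compromised host.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, relpaths):
    """Record digests of the given files while the system is in a trusted state."""
    return {p: sha256_file(os.path.join(root, p)) for p in relpaths}

def check_integrity(root, baseline):
    """Compare current files with the baseline.
    A replaced binary shows up as 'modified'; a file the intruder removed
    (or that the rootkit now hides from the filesystem) shows up as 'missing'."""
    report = {"modified": [], "missing": [], "ok": []}
    for relpath, expected in baseline.items():
        full = os.path.join(root, relpath)
        if not os.path.exists(full):
            report["missing"].append(relpath)
        elif sha256_file(full) != expected:
            report["modified"].append(relpath)
        else:
            report["ok"].append(relpath)
    return report

def demo():
    """Constructed scenario: baseline three fake binaries, then tamper with ps and delete netstat."""
    root = tempfile.mkdtemp()
    for name, body in (("bin/ps", b"ps v1"), ("bin/ls", b"ls v1"), ("bin/netstat", b"ns v1")):
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    baseline = build_baseline(root, ["bin/ps", "bin/ls", "bin/netstat"])
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"ps v1 (tampered)")  # constructed substitution of a system binary
    os.remove(os.path.join(root, "bin/netstat"))  # constructed removal
    return check_integrity(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Real integrity checkers add the same idea over file ownership, permissions and timestamps, and sign the baseline so it cannot be silently regenerated by the intruder.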

Although rootkits have been used since at least the 1980s, public attention has usually focused on more visible threats such as viruses. Norton SystemWorks was criticized for using rootkit-like technology to hide its internal Recycle Bin, but the non-malicious nature of the software caused little public alarm. In 2005 Sony BMG Music Entertainment included a rootkit on several audio compact discs to prevent illegal copying of the discs. Although the software itself was not malicious, it was poorly written and allowed other malware to hide itself. The Sony BMG rootkit was deemed illegal in the United States and Europe because it installed automatically without informing the consumer and provided no means of removal. Additionally, any attempt to remove the rootkit rendered critical system components inoperable and required that the operating system be reinstalled from scratch.
