The Dissection of a Rootkit | eWeek

The Dissection of a Rootkit

Written By
Lisa Vaas
Lisa Vaas
Feb 23, 2007
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a programs software kernel with modified code, are expected to continue to grow in frequency in 2007.

While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsofts new Windows Vista operating system are arriving, most PC users will still be left open to the attacks over the next twelve months, CA has said, and even experienced PC users are vulnerable to their sophisticated techniques.

F-Secure Security Labs has been tracking and dissecting kernel malware for years; this form of attack was first spotted as far back as 1999, in the form of the WinNT/Infis attack.

F-Secure researcher Kimmo Kasslin has made the findings available in a paper titled “Kernel Malware: The Attack from Within” (a PDF) as well as in a slide show (also a PDF).

Kasslin explains in detail what kernel malware is, how it works, and what makes its detection and removal so challenging. He also details two malware cases that use kernel-mode techniques to escape detection and to bypass personal firewalls.

Kernel rootkits are still a very small fraction of malware discovered, but Kasslins paper provides a stark, graphical illustration of how their use has skyrocketed post-2004.

Why the sudden surge in this frightening mode of attack?

“The high rise in popularity of kernel malware can be mostly explained by the increased motivation for malware authors to hide their creations from detection as long as possible,” Kasslin writes.

/zimages/1/28571.gifClick hereto read more about rootkit tactics.

“To hide even better, they have started to use kernel-mode rootkit techniques as more and more documentation, examples and fully working examples with full source code has become publicly available. However, there are other motives for malware to move to kernel, probably [the] most important ones being firewall and anti-virus scanner bypassing.”

Current security solutions are generally feeble protection, Kasslin says, given that a rootkit operating in full kernel mode (as opposed to reaching up into user mode to execute activity unavailable in kernel mode, also known as semi-kernel malware) has the same privileges as the operating system itself and can cut off firewalls and anti-virus software at the knees.

“This has already been seen with rootkits and their anti-detection engines,” Kasslin writes. “After the rootkit notices that it is no longer able to hide from the rootkit detector and is going to [lose] the game, it changes tactics and starts to make a direct attacks against the detector. It might take a more aggressive approach and prevents the rootkit detector from starting. Or it could directly patch the rootkit detectors code to change its inner logic.”

Is there hope? Kasslin offers little. “Current security solutions, including anti-virus scanners and firewalls, have not been designed to protect against kernel malware. Prevention might be the only solution,” he writes in his slide show conclusion.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.