Today the term ‘rootkit’ is used more generally and is no longer restricted to Unix. A rootkit performs the same function on any operating system, including Microsoft Windows and macOS, and the name no longer implies that a ‘root’ account exists on the system at all.
Comparison with viruses and worms
A rootkit resembles a computer virus in that it compromises the system’s security, updates itself and keeps re-infecting files so that the intruder retains full control of the system (the ‘root’). To stay in control, a rootkit typically relies on backdoors, hidden command-line switches and port-knocking checks.
A rootkit differs from a virus, however, in that it aims to maintain control over one system only; it does not spread to every program the way a virus does.
A computer worm is a program, or group of programs, that scans for vulnerable programs to target and exploit. Other worms try to harvest usernames and passwords in order to spread themselves through the system.
A worm can install a rootkit, and a rootkit may itself carry a worm, so the two are closely interconnected. Rootkits can operate at several levels: the virtualization, firmware, library, kernel and application levels.
How to detect a rootkit
Because a rootkit modifies many tools and libraries in the system, it can be very difficult to detect. The central problem is that an operating system with a suspected rootkit running inside it cannot be trusted to report the truth about itself. Rootkit detection programs remain effective only because rootkits cannot yet hide from the detectors that are currently available.
The most reliable way to find a suspected rootkit is to shut the computer down and examine its storage after booting from a CD-ROM or a similar trusted alternate device. A rootkit that is not running cannot hide, so it becomes visible to this kind of scan and will be caught by a capable anti-virus system. If the program manages to hide itself during a scan, a good stealth detector or fingerprint-based detection should still catch it.
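The offline check described above works because it yields a view of the disk that the suspect operating system has not filtered. The following script, added here as an illustration and not part of the original article, compares a file manifest taken while booted from trusted media with one taken from the running system; any file whose hash differs, or that is on disk but absent from the live view, is a sign the live OS is lying. The directory trees, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_views(trusted: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Cross-view diff.  trusted: manifest built while booted from clean media.
    live: manifest built by the running, possibly compromised, operating system."""
    return {
        # same path, different content: the live OS serves a different file
        "modified": sorted(p for p in trusted if p in live and live[p] != trusted[p]),
        # present on disk but not reported by the live OS: actively concealed
        "hidden": sorted(p for p in trusted if p not in live),
        # reported by the live OS but not found on the disk: fabricated view
        "unexpected": sorted(p for p in live if p not in trusted),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: two directory trees stand in for the offline-mounted
    disk and the live system's view of the same files (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        offline, live = Path(tmp) / "offline", Path(tmp) / "live"
        for root in (offline, live):
            (root / "bin").mkdir(parents=True)
            (root / "lib").mkdir()
            (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
            (root / "lib" / "libc.so").write_bytes(b"clean library")
        # What is really on disk: a replaced 'ls' and a dropped kernel module.
        # The live OS still shows the original 'ls' and hides the module entirely.
        (offline / "bin" / "ls").write_bytes(b"#!/bin/sh\necho trojaned ls\n")
        (offline / "lib" / "rk.ko").write_bytes(b"hidden module")
        return compare_views(build_manifest(offline), build_manifest(live))


if __name__ == "__main__":
    print(demo())  # → {'modified': ['bin/ls'], 'hidden': ['lib/rk.ko'], 'unexpected': []}
```

In practice the trusted manifest would be built from the disk mounted read-only under the rescue system, and the live manifest from the same paths while the suspect OS is running.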
How to remove rootkit
One school of thought holds that a rootkit cannot be removed by conventional anti-virus methods. On this view the rootkit is destroyed only if the system is completely reformatted and rebuilt, which is the only way to be sure the malicious program has been smoked out of its hole.
Others believe that a rootkit can be removed completely by installing and running a rootkit removal program. Several such programs are available on the Net, and many of them are known to be highly effective at removing rootkits. Once the program has been erased, the system is rebooted and the rootkit is unable to reinstall itself.