
What is a rootkit ?

19 May 2009

**This is a guest article by an author who wishes to remain anonymous.**


If you are a Star Trek: The Next Generation fan and have seen how a hybrid program took control of the Enterprise, you will get an idea of what a rootkit is. That program gradually took control of the ship until it was able to decide its course. In plain language, a rootkit is powerful software that can wrest control of a system without being detected by security mechanisms. Since the purpose of a rootkit is to grant secret access to someone who is not the administrator, it could be said that this administrative tool is malicious. Imagine a competitor knowing the company's trade secrets without the owner being aware of it.


Although it is generally used to hide intruders such as Trojans, keyloggers, worms and inappropriate files, a rootkit can be put to good use. For instance, an antivirus company can use rootkit techniques to protect a server or personal computer from viruses or malware.


While the rootkit was created in the 1990s, the public only became aware of it in 2005, when Sony BMG had to recall CDs that used a rootkit to hide their copy protection. The rootkit prevented unauthorized copying of the CD, but it also opened an opportunity for hackers or virus writers to infect or control any computer on which the Sony CD had been installed. What Sony envisioned as the solution to digital media piracy turned into a scandal that stunned consumers and the IT community.


You may get nervous and wonder how a rootkit is installed. So long as you keep administrative rights to yourself, you can rest easy that a rootkit can't be installed on your system. This is important for systems administrators to remember, particularly in businesses that handle large amounts of data or whose network infrastructure is complex. Once installed, a rootkit can hide itself. A systems administrator must never allow a new employee, or even an old one, to tamper with the system. Temporary access should not be granted, since it takes only one opportunity for a rootkit to be installed. A blackhat (bad hacker) might use keyloggers in the first wave of an attack to capture "root" passwords, or embed rootkits in popular downloadable software.


Once a system is infected, remote access lets outsiders do things with it. There are many forms of rootkit for different operating systems, and each has its own characteristics and ways of concealment; the first was built for UNIX. Technically, rootkits perform "inline function hooking." How does this work? Think of the rootkit as a middle man deciding which information to send to a running program: it can send decoys so that the program does not detect errors. Sounds very smart, right? By fooling the system, it keeps the administrator in the dark for an indeterminate period of time.
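The "middle man" above is usually installed by overwriting the first instructions of a function with a jump to the rootkit's own code. The following checker is an added example, not code from the article or from any product it names: it looks for the common x86/x86-64 jump and trampoline patterns at the start of a function, and cross-checks the live prologue against the same function's bytes in the on-disk image. The byte strings and the function names used as dictionary keys are constructed samples, not dumps of real functions.

```python
import struct

# Added example (not from the article). Two checks for an inline hook:
# (1) does the live prologue start with a known jump/trampoline pattern,
# (2) does it differ from the same function's bytes in the on-disk image.
# All sample bytes below are constructed.

def classify_prologue(code: bytes):
    """Return a label for a recognised hook pattern at offset 0, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        disp = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 ({disp:+#x})"
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp [abs] / jmp [rip+disp32]
        return "jmp indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return "push/ret trampoline"
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax"                         # x86-64 absolute jump
    return None

def differs_from_disk(live: bytes, disk: bytes, n: int = 16) -> bool:
    """True when the first n bytes in memory no longer match the file on disk."""
    return live[:n] != disk[:n]

def audit(functions):
    """functions: {name: (live_bytes, disk_bytes)} -> [(name, pattern, modified)]
    listing only the functions that trip at least one of the two checks."""
    findings = []
    for name, (live, disk) in functions.items():
        pattern = classify_prologue(live)
        modified = differs_from_disk(live, disk)
        if pattern is not None or modified:
            findings.append((name, pattern, modified))
    return findings

# Constructed sample prologues (16 bytes each); not real function bytes.
DISK_PROLOGUE = bytes.fromhex("4c8bdc 49895b08 49897310 57 4883ec20")
HOOKED_LIVE = bytes.fromhex("e9fb0f0000") + DISK_PROLOGUE[5:]   # jmp +0xffb patched in

SAMPLES = {
    "NtQueryDirectoryFile": (HOOKED_LIVE, DISK_PROLOGUE),   # hooked (names are just labels)
    "NtCreateFile": (DISK_PROLOGUE, DISK_PROLOGUE),         # untouched
}

def demo():
    return audit(SAMPLES)

if __name__ == "__main__":
    for name, pattern, modified in demo():
        print(f"{name}: pattern={pattern} differs_from_disk={modified}")
```

A hit from either check means "inspect", not "infected": antivirus products, hot-patching and instrumentation tools install inline hooks of exactly this shape, so findings are normally compared against an allow-list of known hooking software before anything is removed.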


As very smart malware, rootkits can hide from legitimate systems administrators who routinely monitor their servers and PCs. A rootkit cannot be detected using the following techniques:


1. Looking at file sizes and attributes in Windows Explorer.
2. Using Task Manager to audit running processes.
3. Checking entries in the Windows registry.
4. Scanning for network connections and open ports using netstat.
5. Inspecting log entries and audit trails.


Can it be removed?


The all-important question is whether a rootkit, once detected, can be removed just like other system intruders. If you believe your system is safe from a rootkit, prevent future infiltration by making your passwords difficult to guess (add any of these characters: `~!@#$%^&*-=+|). As they say, prevention is better than cure. Moreover, install additional security patches, increase the level of user security, and limit remote access.


But if a rootkit is already in your computer or network, you can remove it by first determining where it is located and what type it is. There are many applications on the market that help protect the system and remove this software. RootkitRevealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx) is one application that can help you detect rootkits on your system. Some antivirus software, such as Symantec's, also has this capability.
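The five techniques listed earlier fail because they all go through the same hooked API. Tools in the RootkitRevealer family instead compare two views of the same namespace: one obtained through the normal API and one read from a lower level the hook does not mediate (raw disk structures, raw registry hive, direct PID probing). Anything the low-level view sees that the API view does not is a candidate hidden object. The code below is an added example of that cross-view difference, not RootkitRevealer's code; both views are constructed dictionaries of name to size, not live system data.

```python
# Added example (not from the article or from RootkitRevealer): cross-view
# difference. Views are constructed {name: size} dictionaries.

def cross_view_diff(api_view, raw_view):
    """Compare two views of the same namespace.

    Returns a dict with:
      hidden     - present in the raw view only (possible rootkit hiding)
      phantom    - present in the API view only (decoy, or created between scans)
      mismatched - present in both but with different attributes (e.g. size)
    """
    api, raw = dict(api_view), dict(raw_view)
    return {
        "hidden": sorted(k for k in raw if k not in api),
        "phantom": sorted(k for k in api if k not in raw),
        "mismatched": sorted(k for k in api.keys() & raw.keys() if api[k] != raw[k]),
    }

def is_suspicious(report, allowlist=()):
    """Any hidden or mismatched entry not explicitly allow-listed is worth a look."""
    return any(k not in allowlist for k in report["hidden"] + report["mismatched"])

# Constructed sample: one directory as returned through the file API (the view
# Explorer uses) versus the same directory read from raw file-system records.
API_VIEW = {
    "notepad.exe": 193536,
    "svchost.exe": 55808,
    "config.ini": 2048,
}
RAW_VIEW = {
    "notepad.exe": 193536,
    "svchost.exe": 55808,
    "config.ini": 2051,          # the API view reports a trimmed size (a decoy)
    "drv_hidden.sys": 40960,     # not visible through the API at all
}

def demo():
    return cross_view_diff(API_VIEW, RAW_VIEW)

if __name__ == "__main__":
    report = demo()
    print(report)
    print("suspicious:", is_suspicious(report))
```

Two practical notes: the views must be taken as close together in time as possible, because files and processes that legitimately appear or vanish between the two scans show up as differences too; and the raw view is only as trustworthy as the path used to obtain it, which is why such tools read disk and hive structures themselves rather than asking the operating system.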


Before attempting to remove the rootkit, you must have a backup copy of all crucial data. Don't make the backup from a software image, since the rootkit could have tampered with it. Reinstall everything from the ground up, or, if you have a reliable software image for restoring the system, use it. Download the files, but first check whether their integrity has been compromised. You can do this using an MD5 checksum. See this link for details: http://www.go2linux.org/md5sum-how-to-check-file-integrity
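The integrity check described above is a comparison of the digest of the downloaded file with the digest the publisher lists. The following is an added example, not code from the article or from the linked page: it parses the listing format that md5sum and sha256sum produce (`<hexdigest>  <filename>`) and verifies each named file, picking the algorithm from the digest length. The files and digests in `demo()` are constructed. Two caveats a practitioner would add: MD5 is no longer collision-resistant, so use the SHA-256 listing wherever the publisher offers one, and the listing must come from a channel other than the download itself, or an attacker who replaced the file can replace the checksum too.

```python
import hashlib
import os
import tempfile

# Added example (not from the article): verify downloads against a
# md5sum/sha256sum-style listing. Sample files and digests are constructed.

ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> algorithm

def parse_checksum_file(text):
    """Parse lines of the form '<hexdigest>  <filename>'.
    Returns [(digest, filename)]; a leading '*' (binary-mode marker) is dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")    # two spaces separate the fields
        if not name:                              # tolerate a single space
            digest, _, name = line.partition(" ")
        entries.append((digest.lower(), name.strip().lstrip("*")))
    return entries

def hash_file(path, algo):
    """Stream the file through the chosen digest so large images do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_checksums(listing_text, base_dir):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING' | 'UNKNOWN-ALGORITHM'}."""
    results = {}
    for digest, name in parse_checksum_file(listing_text):
        algo = ALGO_BY_LENGTH.get(len(digest))
        path = os.path.join(base_dir, name)
        if algo is None:
            results[name] = "UNKNOWN-ALGORITHM"
        elif not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if hash_file(path, algo) == digest else "FAILED"
    return results

def demo():
    """Constructed scenario: one intact file, one tampered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "tool.zip"), "wb") as f:
            f.write(b"clean installer bytes\n")
        with open(os.path.join(d, "patch.exe"), "wb") as f:
            f.write(b"modified bytes\n")            # differs from what was published
        listing = "\n".join([
            hashlib.md5(b"clean installer bytes\n").hexdigest() + "  tool.zip",
            hashlib.sha256(b"original bytes\n").hexdigest() + "  patch.exe",
            hashlib.sha256(b"never downloaded\n").hexdigest() + "  missing.bin",
        ])
        return verify_checksums(listing, d)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it on real downloads by pointing `verify_checksums` at the directory holding them and passing the contents of the publisher's checksum file; anything other than OK for every entry means the file should not be installed.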


Here are some of the most popular rootkits for the different types of operating systems:


Renepo-A, built for Mac, is popular probably because of the computer manufacturer's lax security concerning Internet access.


Hackerdefender (hxdef) is the most common on Windows.


Adore-ng for Linux.


3 Comments »

  • Les Stratton said:

    I am running Rootkit Revealer, and it is showing 4 files in my registry so far. Can these rootkits be legitimate or do I need to get rid of them?

  • David (author) said:

    There’s always a chance that they might be. Before going ahead and removing them, I would Google them to see what it might be.

  • dex-hex said:

    Ha, kudos to whoever wrote this for putting the Mac rootkit link first,
    and they say Macs don't get viruses
