SHARE
Facebook X Pinterest WhatsApp

The Dissection of a Rootkit

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a program’s software kernel with modified code, are expected to continue to grow in frequency in 2007. While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsoft’s new Windows Vista operating system […]

Written By
thumbnail Lisa Vaas
Lisa Vaas
Feb 23, 2007
Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a program’s software kernel with modified code, are expected to continue to grow in frequency in 2007.

While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsoft’s new Windows Vista operating system are arriving, most PC users will still be left open to the attacks over the next twelve months, CA has said, and even experienced PC users are vulnerable to their sophisticated techniques.

F-Secure Security Labs has been tracking and dissecting kernel malware for years; this form of attack was first spotted as far back as 1999, in the form of the WinNT/Infis attack.

F-Secure researcher Kimmo Kasslin has made the findings available in a paper titled “Kernel Malware: The Attack from Within” (a PDF) as well as in a slide show (also a PDF).

Kasslin explains in detail what kernel malware is, how it works, and what makes its detection and removal so challenging. He also details two malware cases that use kernel-mode techniques to escape detection and to bypass personal firewalls.

Kernel rootkits are still a very small fraction of malware discovered, but Kasslin’s paper provides a stark, graphical illustration of how their use has skyrocketed post-2004.

Why the sudden surge in this frightening mode of attack?

“The high rise in popularity of kernel malware can be mostly explained by the increased motivation for malware authors to hide their creations from detection as long as possible,” Kasslin writes.

Click here to read more about rootkit tactics.

“To hide even better, they have started to use kernel-mode rootkit techniques as more and more documentation, examples and fully working examples with full source code has become publicly available. However, there are other motives for malware to move to kernel, probably [the] most important ones being firewall and anti-virus scanner bypassing.”

Current security solutions are generally feeble protection, Kasslin says, given that a rootkit operating in full kernel mode (as opposed to reaching up into user mode to execute activity unavailable in kernel mode, also known as semi-kernel malware) has the same privileges as the operating system itself and can cut off firewalls and anti-virus software at the knees.

“This has already been seen with rootkits and their anti-detection engines,” Kasslin writes. “After the rootkit notices that it is no longer able to hide from the rootkit detector and is going to [lose] the game, it changes tactics and starts to make a direct attacks against the detector. It might take a more aggressive approach and prevents the rootkit detector from starting. Or it could directly patch the rootkit detector’s code to change its inner logic.”

Is there hope? Kasslin offers little. “Current security solutions, including anti-virus scanners and firewalls, have not been designed to protect against kernel malware. Prevention might be the only solution,” he writes in his slide show conclusion.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK’s Security Watch blog.

Recommended for you...

Manny Rivelo on Evolving Channel & How MSPs Can Get Ahead
Victoria Durgin
Aug 20, 2025
Databricks Raises at $100B+ Valuation on AI Momentum
Allison Francis
Aug 20, 2025
Keepit Achieves SOC 2 Type 1 & Canadian Ingram Micro Deal
Jordan Smith
Aug 20, 2025
AI Customer Service Fails to Satisfy Consumer Needs: Verizon
Franklin Okeke
Aug 19, 2025
Channel Insider Logo

Channel Insider combines news and technology recommendations to keep channel partners, value-added resellers, IT solution providers, MSPs, and SaaS providers informed on the changing IT landscape. These resources provide product comparisons, in-depth analysis of vendors, and interviews with subject matter experts to provide vendors with critical information for their operations.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.