
Digging into Windows rootkits

Now Microsoft is even co-opting Unix hacker terms. Rootkits were originally programs that helped a hacker cover their tracks.
Written by Richard Stiennon, Contributor

Now Microsoft is even co-opting Unix hacker terms. Rootkits were originally programs that helped a hacker cover their tracks: they would overwrite log files and other system activity records so a sysadmin could not see the traces left behind by the intruder. I have to admit that Windows rootkits have a similar purpose, but they hide files rather than altering the records that point to them.

Putting my Unix sensibilities aside for the moment, the critical thing about the activity around Windows rootkits is that hackers are developing techniques that do not depend on Windows vulnerabilities to hide the files associated with other malicious software. The rootkit goes in after the attacker already has administrative rights, and it hides files by intercepting the system's own file-listing calls rather than by exploiting a bug, so patching does not remove it. This lets the malware avoid detection and removal by anti-virus and anti-spyware programs. There are two economic drivers behind this.
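The practical counter to a file-hiding hook is a cross-view check: enumerate the same directory through two independent paths and flag anything that appears in one view but not the other. The block below is an added, self-contained simulation written for this page, not code from the article or from any real rootkit. The "rootkit" is a Python wrapper that replaces os.listdir and drops names beginning with a hypothetical marker prefix; the second view uses os.scandir, which the wrapper does not cover. The prefix "$hidden$", the sample file names and the helper names are all constructed for illustration.

```python
"""Cross-view detection of a simulated file-hiding hook (constructed example)."""
import os
import tempfile

HIDE_PREFIX = "$hidden$"   # hypothetical marker the simulated rootkit hides

_real_listdir = os.listdir  # saved original, like a rootkit keeping the real function pointer


def hooked_listdir(path="."):
    """Simulated user-mode hook: same signature as os.listdir, filtered output."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDE_PREFIX)]


def install_hook():
    """Replace the public entry point, the way an import-table or inline hook would."""
    os.listdir = hooked_listdir


def remove_hook():
    """Restore the original entry point."""
    os.listdir = _real_listdir


def high_level_view(path):
    """What a tool that relies on the (possibly hooked) listing API sees."""
    return set(os.listdir(path))


def low_level_view(path):
    """Second, independent enumeration path (os.scandir) that the hook ignores."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def cross_view_hidden(path):
    """Names present in the low-level view but missing from the high-level one."""
    return low_level_view(path) - high_level_view(path)


def _make_sample_dir(root):
    """Populate a constructed directory: two ordinary files and one the hook hides."""
    for name in ("readme.txt", HIDE_PREFIX + "bot.exe", "notes.log"):
        with open(os.path.join(root, name), "w") as f:
            f.write("sample\n")


def demo_with_hook():
    """Install the simulated hook and run the cross-view check; returns the hidden names."""
    with tempfile.TemporaryDirectory() as d:
        _make_sample_dir(d)
        install_hook()
        try:
            return cross_view_hidden(d)  # {"$hidden$bot.exe"}
        finally:
            remove_hook()


def demo_without_hook():
    """Same check on a clean system: both views agree, so nothing is flagged."""
    with tempfile.TemporaryDirectory() as d:
        _make_sample_dir(d)
        return cross_view_hidden(d)  # set()


if __name__ == "__main__":
    print("hidden by hook:", demo_with_hook())
    print("clean baseline:", demo_without_hook())
```

Caveat for anyone porting this to a real Windows host: os.listdir and os.scandir both end up in the same FindFirstFile/FindNextFile path there, so a hook at that layer would fool both. A real cross-view tool pairs the normal Win32 listing with something the hook cannot reach, such as a raw read of the NTFS master file table or an enumeration done from kernel mode; the diffing logic is the same as above, only the second view is harder to obtain.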

First, hackers want to protect the armies of bots (infected machines) they use to execute denial of service attacks on their targets. They go to great lengths to cultivate the largest possible collections of machines under their control, and avoiding detection and removal is a constant challenge. If they can incorporate a rootkit to hide from AV products, they can prolong the life of their armies. The threat of a denial of service attack is the primary weapon in the arsenal of extortionists (“pay me or your site goes down!
