Why rootkits mean you must nuke your machine

Why rootkits mean you must nuke your machine

Summary: At Microsoft's IT Forum 2005 event in Barcelona this week, Windows programme manager Mike Danseglio explained the only reliable method of dealing with rootkits

TOPICS: Security

Rootkits hit the news earlier this month when Mark Russinovich of Sysinternals noticed odd behaviour following installation of some digital rights management (DRM) software that shipped with a Sony music CD. What he found sparked a furore that saw Sony threatened with everything from boycotts to class action lawsuits, and system administrators totally reassigning their approach to users playing what had previously been widely seen as harmless music CDs on work computers.

Rootkits may have been around for many years on Unix systems, but the Sony DRM debacle has propelled them into the consciousness of many IT managers responsible for Windows computers.

At Microsoft's IT Forum 2005 event in Barcelona this week, Windows programme manager Mike Danseglio delved into the technical aspects of rootkits. ZDNet UK was there to report what he had to say, to find out what University of Michigan students get up to with rootkits, why the only way to recover an affected machine with any level of assurance is to nuke it, and what the future holds.

What is a rootkit?
A rootkit is not an attack vector on its own. It is not a virus, and it is not a worm. It is a cloak or a disguise — something to hide something else. For instance an attacker might want to use a rootkit to put a virus on your system but doesn't want you to be able see that virus.

Is a rootkit malware?
Most people think it is, but it is not always. A sys admin might want to use a rootkit to hide something from the user, to monitor the system in some way. I treat rootkits neutrally — I don't want to class them as good or bad. You have to make your decision in each case.

The rootkit is not a virus, a worm, or a Trojan horse. It is just the code that hides something. Can it hide worms and spyware etc? Absolutely it can. The issue in the Sony DRM case is whether Sony properly disclosed that it is installing a rootkit on your system. And what Sony uses is a rootkit: it hides other things.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • A rootkit exists in video memory?? Is this video memory volatile or non-volatile? If volatile then where is the rk stored if not on the HD? If non-volatile then how will a system nuke fix things?
  • wouldn't it solve the problem if the OS does not allow the system to hide the file and behave as a rootkit in the first place? or if it has stricter rules to govern the use of rootkits even for legitimate reasons?
  • This article is woefully uninformed, from the meaning of rootkit, to the suggestion that you must nuke the system rather than restoring a ghost image of the hard disk that is made on a regular basis.

    "root" comes from root under Unix. The term doesn't even describe sony's code. A root kit installs over system programs and generally collects data for a hacker. Sony's program is simply a stealth program that uses traditional methods of hiding processes on Windows. Thats not a root kit. If it replaced the login program, or replaces the explorer program, it would be a rootkit. Key to a rootkit is the fact that it replaces a legitimate program with its own rendition which collects some data.

    Yes, Sony's "rootkit" hides itself. But any program in windows can hide itself...it doesn't have to be root to do so, and it doesn't have to replace any program on the system to do so. It simply hooks the kernel dll calls and layers itself on top. This technique has been around since windows 3.0. But its not a rootkit.
  • Rootkits should be viwed exactly the same as other attacks on our PC's, they are secrative, no permission has been given for them to tresspass on our property and they are not neutral they do something to you. Sony's actions were disgraceful company's have no right to intrude and trespass without property. They should be legaly responsible for their actions. This reminds me of the Tesco tracking chip - who do they companiers think they are. Consumer boycotts are a good start they will soon cease these activities
  • Try reading and fixing the terribly high amount of typos in this piece!!

    otherwise it's quite good!