What is a Rootkit


The term “rootkit” originated in the world of Unix. It means a set of utilities installed by a hacker on a hacked PC after initial access. As a rule, this set includes various utilities for cleaning up traces of invasion, hacker tools (sniffers, scanners), and trojans that substitute for the major Unix utilities. A rootkit enables the hacker to “take root” in a hacked system and conceal traces of his activity.

In Windows NT/2000/XP, a rootkit is commonly understood to mean a program that invades the system and intercepts system functions (API). Interception and modification of low-level API functions is primarily what enables such an application to hide its presence in the system quite successfully. Moreover, a rootkit can normally mask the presence of any processes, folders, files, and registry keys that are described in its configuration. Many rootkits install their own drivers and services in the system (which are naturally also “invisible”).

Detecting a running rootkit can be rather difficult: you cannot see it in the standard Task Manager, its registry keys are not visible in the Regedit registry editor, and its files are invisible in Windows Explorer and other disk viewers.

Rootkits can be detected by using special techniques. Notably, the most difficult part is not detecting a rootkit, but correctly restoring the in-memory functions it has modified without rebooting the system; only after that can the rootkit be tracked down and destroyed.
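The interception described above (a rootkit overwriting the first bytes of an API function with a jump to its own handler) and the restoration step can be illustrated with the following added example. It is not AVZ code and it does not touch a live process: the function address, hook target and the hidden handler are constructed values, and the "cross-view" check simply compares the prologue bytes mapped in memory with the clean bytes read from the module file on disk, then writes the original bytes back.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data, not real addresses: a clean x86 Windows API
# prologue (mov edi,edi; push ebp; mov ebp,esp) as stored in the module
# file on disk, plus hypothetical load and hook-handler addresses.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
FUNC_ADDR = 0x77E41000      # hypothetical address of the exported function
HOOK_TARGET = 0x10001000    # hypothetical address of the rootkit's handler

@dataclass
class HookReport:
    name: str
    hooked: bool
    kind: str               # "none", "jmp_rel32", "jmp_abs" or "modified"
    target: Optional[int]   # where the hook redirects to, if decodable

def decode_hook(addr: int, code: bytes) -> Tuple[str, Optional[int]]:
    """Classify the instruction written over the prologue and resolve its target."""
    if len(code) >= 5 and code[0] == 0xE9:           # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":    # jmp [abs32]
        return "jmp_abs", struct.unpack_from("<I", code, 2)[0]
    return "modified", None                           # patched some other way

def check_prologue(name: str, addr: int, in_memory: bytes, on_disk: bytes) -> HookReport:
    """Cross-view check: the bytes in memory must match the on-disk prologue."""
    if in_memory[:len(on_disk)] == on_disk:
        return HookReport(name, False, "none", None)
    kind, target = decode_hook(addr, in_memory)
    return HookReport(name, True, kind, target)

def restore_prologue(in_memory: bytes, on_disk: bytes) -> bytes:
    """Write the original bytes back over the hook (in-memory simulation
    of restoring an intercepted function to its original state)."""
    fixed = bytearray(in_memory)
    fixed[:len(on_disk)] = on_disk
    return bytes(fixed)

def make_hooked_prologue(addr: int, target: int) -> bytes:
    """Build the constructed 'as mapped in memory' view: E9 <rel32>."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))

if __name__ == "__main__":
    hooked = make_hooked_prologue(FUNC_ADDR, HOOK_TARGET)
    report = check_prologue("NtQueryDirectoryFile", FUNC_ADDR, hooked, CLEAN_PROLOGUE)
    print(report)   # hooked=True, kind='jmp_rel32', target=0x10001000
    print(restore_prologue(hooked, CLEAN_PROLOGUE).hex())   # 8bff558bec
```

A real scanner reads the on-disk bytes from the module's PE image and the in-memory bytes from the target process, and must also account for legitimate hooks placed by anti-virus monitors and firewalls, which is why the restore step is risky.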


If you are not sure whether a legitimate application has intercepted certain functions, you can try enabling the AVZ antirootkit. AVZ will attempt to restore the intercepted functions to their original state without affecting system operation.

AVZ blocks common rootkits. It should be noted, however, that the process of fighting a running rootkit in memory can cause AVZ, other applications or the entire system to hang. This is why you should enable the antirootkit function only after closing other applications and shutting down the anti-virus monitor and firewall (especially the latter, because anti-virus monitors and firewalls often intercept API functions themselves).


For details on rootkits and API interception methods, please refer to the “Rootkit operation principles and mechanisms” article, published in Computer Press journal issue No. 5, 2005, or find more information at Network and data security.