A kernel driver rootkit is a malicious system driver that is installed by a virus or a worm.
Keep in mind the rootkits that I am talking about are kernel driver-style rootkits. Very sophisticated. There are other types that don't do all this; they attack system files and are simpler and easier to detect. All they do is start up a backdoor into your computer, provide a basic shell with basic hacker tools to try to crack other computers, and try to fool simple system scans. Early non-sophisticated rootkits were just groups of tools and commands and maybe something to help install a trojan into a system.
What it does is that it sits between the kernel and the rest of the system and intercepts the system calls that programs use, and it hides itself that way. So if you have something like a virus scanner and scan the system looking for suspect files, then the rootkit will simply have the OS ignore any files that it doesn't want found. A person could have an entire multi-gig porn collection on your computer and you will have _NO_ way to even detect that it exists, short of running out of disk space.
The system has been rooted. Depending on the sophistication of the rootkit program, of course. Some are easier to detect than others. Some are simpler than others. Some are very complex and are programmed by expert programmers that are paid VERY well for what they do. A good rootkit will leave you defenseless and your computer wide open to the attacker. There is no way to detect it, except through unusual behavior on your system (which itself can be hidden by a clever programmer) or behavior on a network. Which is why good network monitoring programs like Snort are a must. There is no Ad-Aware that will be able to uninstall it, unless the programmer made a flaw. There is no way a virus scanner will be able to detect it, unless they figure out something the rootkit programmer didn't...
And that would be only a temporary thing. Rootkit programmers would buy and use all the major virus/spyware scanners and test their creations against them constantly to make sure that they won't get detected.
In short, you can't trust your own computer. You can't even go through file by file and compare checksums on files looking for the violated system files and driver files, because a clever programmer would expect that and have the OS return the 'correct' checksums, just as if the original files were untampered with.
Rootkits have been around for years and years and years on Unix systems. This is because Unix security has always been much better than anything used in Windows. Also there are numerous security tools and techniques commonly used that make things like adware, normal viruses, and worms fairly easy to deal with. These tools and basic functionality are generally included by default, or made easily available, on most installations. So the level of sophistication needed to keep control and stay undetected on a Unix machine was much higher than on a Windows machine. For instance, on an NT or a Windows 98 machine a simple virus could take it over and install a backdoor out of a UDP port on the system, and the typical Windows admin would never even think about detecting this sort of thing, and Windows wouldn't provide the functionality for the admins to go about detecting stuff. You'd have to go and buy add-ons like virus scanning to get close to dealing with these sorts of things. However, as Windows increases in sophistication and security gets better, so must the attack methods.
Hackers want to gain control of the system, then remain undetected for as long as possible on as many machines as possible. So they want to have a hacked server or something that they can launch attacks at clients and other servers. They screw those guys up, get information from them... then those servers/clients get cleaned up and secured again... but the original machine is still under the hacker's control. Those are what rootkits are fundamentally for.
With Windows 2000 servers you'd begin to see the first rootkits appearing on machines. Now, with heuristic virus scanners, patching, firewalls that detect incoming and outgoing information, and such appearing on more and more machines, kernel-level rootkits are going to get more and more popular.
The only way, Linux, Unix or Windows, to recover a machine after a detected rootkit attack is to format the hard drive and start a completely clean install. You can boot up a live Linux CD-ROM and scan and compare checksums on each and every system file, or look for any files that don't show up while the system is in use, and that will detect almost all rootkits. Since the OS isn't in use, the rootkit can't intercept the system calls to hide itself. Even after that, the machine, the information on the machine, and any passwords ever used on the machine (and on any other machines on your network where those passwords are used) can never be trusted again. It always has to be treated as if it was tainted.
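The two offline checks described above (comparing checksums of system files against a known-good baseline, and looking for files that exist on disk but don't show up while the OS is running) can be scripted. This is an added example, not code from the original post; the file tree and the "online" directory listing are constructed sample data standing in for a mounted disk and a listing taken from the running system.

```python
"""Offline integrity and cross-view checks, run from a live CD against a
mounted (not running) filesystem. Added example; sample data is constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash one file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline: dict, current: dict):
    """Return (modified, added, missing) file lists relative to the trusted baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return modified, added, missing


def cross_view_hidden(online_listing, offline_listing):
    """Files the offline (live CD) view sees that the running OS's view did not."""
    return sorted(set(offline_listing) - set(online_listing))


def demo():
    """Constructed scenario: baseline a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        baseline = build_manifest(root)          # taken while the system was clean
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")   # simulated tampering
        (root / "bin" / ".hidden").write_bytes(b"extra file")      # simulated hidden file
        current = build_manifest(root)           # taken offline, nothing can hide
        online = ["bin/ls", "bin/ps"]            # what a listing on the running OS showed
        modified, added, missing = compare_manifests(baseline, current)
        return modified, added, missing, cross_view_hidden(online, current)
```

The baseline manifest only means something if it was taken before the compromise and stored off the machine, since a manifest kept on a rooted box is as untrustworthy as everything else on it.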
Think about if an Active Directory server gets rooted by a human or a worm now. On an AD server Microsoft uses a modified form of Kerberos to keep track of passwords and provide a Single Sign On solution. This means that all security for your network and your PC clients is entirely dependent on that one machine. If that machine gets rooted then it's basically like giving the keys to the entire Active Directory Domain to an attacker. Everything is laid bare, everything is open to them, potentially.
Or if a client machine is rooted and a keylogger is included with the rootkit, and it's sophisticated enough to hide from all scans... then an administrator with rights to the AD server logs into that client machine for whatever reason. Oops, kiss your entire network security goodbye.
Sucks and can be very devastating. It's the fundamental flaw of sophisticated single sign on solutions like those provided by directory services such as Microsoft's Active Directory (and many others, such as those used by Unix or Linux systems... not trying to pick on Microsoft here).
Rootkits are the sort of thing that should give system administrators nightmares.
edit:
Here is a book on how to author Windows driver rootkits:
http://btobsearch.barnesandnoble.com/bo...ob=Y&ean=9780321294319&displayonly=PRF
You can find code samples and probably entire rootkits at
http://rootkit.com/
You can sign up for a class on how to make them here:
http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-gh.html
So on and so forth.