There are different types of rootkits and they've been around for years in the Unix world.
Basically, unsophisticated rootkits were simply a group of small programs, scripts, and tools that you downloaded in one convenient package. As a hacker you would take over the machine, download the rootkit, and use that to consolidate your 'own'-ership.
But as they increased in sophistication, rootkits would provide means to hide. They would provide more automated means to change log files and modify system programs to hide your presence and the files that you may want to store on the system.
The ultimate in rootkits is to provide the system tools, modified binaries, PLUS system drivers (in Linux called modules) to modify the system behavior in fundamental ways.
That's why they are called 'rootkits'. In Unix 'root' is the administrator; he is 'god' of the system and can do anything and everything. There are no restrictions. These are kits designed for attackers to obtain and keep root access to server machines, avoid administrator detection, and then, if that fails, defeat removal techniques.
In the Linux world these are called Linux kernel module rootkits, or LKM rootkits.
What this does is modify the kernel so that it sits between 'userland' (the part of the OS that exists outside protected kernel memory space) and the kernel, and makes it impossible for you to detect it, regardless of the tools you use.
Since you're using tools, and these tools depend on information available from the kernel, and the kernel itself is modified to hide this information, it's impossible for you to detect them from a running system.
It's impossible to detect them, and once you boot up with a CD-ROM or whatnot and run checksums on all the system files and attempt to detect hidden files, you still can never be sure that you've been able to uninstall them.
The only way to be sure that you've uninstalled these more sophisticated forms of malicious rootkits is to format and reinstall.
With Windows this was never much of an issue.
The tools and such that were provided by Microsoft were inadequate to detect even stupidly designed viruses and worms.
As the sophistication of the system grows and the sophistication of anti-malware software grows, so does the level of sophistication of the attackers. So naturally they are applying stuff they learned from trying to take over Unix systems to taking over Windows systems.
With Windows 2000 you started to see the very first kernel-level rootkit attacks.
This isn't like worms, or viruses, or adware. Those programs may include rootkit technology eventually though.
You can't detect them by using checksums, since they will intercept the system call and provide correct information to fool the checksumming program. Virus scanners can't detect them, since the system calls that the virus scanners use will simply be intercepted and lied to. Microsoft's "Windows Defender" won't be any good against them for the same reason. It may be possible to detect them through sophisticated heuristics, since they will subtly change how the kernel acts, but it would be an arms race of hiding vs. detection techniques, with heavy advantages towards the attackers.
The worst part is that Windows administrators generally don't understand the threat. They've dealt with worms where you just use an uninstall program to get rid of them, then patch the system, and then that is OK.
But that's not OK anymore, and hasn't been for a while now. If you're running a server and it gets rooted, the only fix is to format the system and reinstall.
You can't even trust the backups unless you know exactly when the attack happened and choose backups from before then. Information can be pulled from backups and put on replacement production servers, but only after it's been double-checked. Any custom code for things like web services and such would have to be audited and whatnot if it was on a compromised machine, and so on and so forth.
With the Sony rootkit it's not so bad because it's well documented and Sony is accountable so they have to tell you how to uninstall them and whatnot.
If you're curious about rootkits and the threat that they pose...
http://www.rootkit.com/
Offers to sell you a book on the subject and also provides code and rootkit binaries, as well as nice tools to go with your rootkit like keyloggers, for your amusement and education.
If you're a good C programmer and know a bit about system internals, then you may want to plop down 1600 bucks or so and learn how to make your own rootkits from this course,
http://www.blackhat.com/html/win-usa-04/train-bh-win-04-gh.html
Too bad it was from January of last year. They offer other training courses though.
Maybe Sony had some programmers attend? A year and six months seems about the right turn around for people producing a commercial rootkit product to aid in DRM.
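The post's central point is that an LKM rootkit filters what the kernel tells userland, so any tool that simply asks the kernel for a process list is lied to. The standard defensive answer to that is cross-view detection: obtain the same fact through two independent kernel paths and diff the results. The script below is an added example (not code from the post or from any project it links to) that does this for processes on Linux: the "normal" view is the readdir() listing of /proc that ps and top use, and the second view probes every possible PID individually with kill(pid, 0) and by opening /proc/<pid>/status by name. A PID that answers in the second view but is absent from the first is a candidate for a hidden process. The PID space, paths and the "Tgid" check are standard Linux facts; the function names are this example's own.

```python
"""Cross-view detection of hidden processes on Linux (added example).

View 1: PIDs visible through readdir() on /proc (what ps/top rely on).
View 2: kill(pid, 0) plus opening /proc/<pid>/status by name for every PID.
A rootkit that filters the directory listing has to lie consistently on
every path, and most do not.
"""
import os
from typing import Callable, Iterable, Set


def listed_pids(proc_dir: str = "/proc") -> Set[int]:
    """View 1: PIDs the directory listing of /proc admits to."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probe_pid(pid: int, proc_dir: str = "/proc") -> bool:
    """View 2: ask the kernel about one PID directly.

    kill(pid, 0) delivers no signal but reports whether the target exists
    (EPERM still means it exists).  Thread IDs are also valid kill()
    targets, so the Tgid line of /proc/<pid>/status is checked to avoid
    reporting ordinary threads as hidden processes.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, owned by someone else
    try:
        with open(f"{proc_dir}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid  # False for a thread
        return True
    except OSError:
        # kill() says it exists, yet the /proc entry cannot be opened even
        # by name: it either exited in between or is being hidden.
        return True


def find_hidden_pids(listed: Set[int], probe: Callable[[int], bool],
                     candidates: Iterable[int]) -> Set[int]:
    """PIDs the probe reports alive that the listing does not show."""
    return {pid for pid in candidates if pid not in listed and probe(pid)}


def scan(proc_dir: str = "/proc") -> Set[int]:
    """Run both views over the whole PID space (Linux only)."""
    with open(f"{proc_dir}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    listed = listed_pids(proc_dir)
    first_pass = find_hidden_pids(listed, lambda p: probe_pid(p, proc_dir),
                                  range(1, pid_max + 1))
    # Processes that exit between the two views produce transient hits;
    # keep only PIDs that are still hidden on a second look.
    still_listed = listed_pids(proc_dir)
    return {pid for pid in first_pass
            if pid not in still_listed and probe_pid(pid, proc_dir)}


def self_is_visible() -> bool:
    """Sanity check: the probe must at least find our own process."""
    return probe_pid(os.getpid())


if __name__ == "__main__":
    hidden = scan()
    print("candidate hidden PIDs:", sorted(hidden) or "none")
```

Run it as root so kill(pid, 0) is not refused for other users' processes; on a kernel with a large pid_max the full sweep takes a few seconds. A non-empty result is a lead, not proof: re-check the PID by hand (for example, read /proc/<pid>/exe and /proc/<pid>/maps by name) before treating the box as compromised, and remember that a rootkit which hooks every one of these paths consistently will pass this test, which is exactly why the post recommends checking from trusted boot media as well.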
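The post's offline check ("boot up with a CD-ROM and run checksums on all the system files") only works if the checksums being compared against were taken from a known-clean install and kept off the machine, because a live system's checksum tool can be lied to. The following is an added example (not the post's own code or any distribution's tool) of that workflow: build a SHA-256 manifest of a tree in sha256sum's "hash  path" format, and later, with the suspect disk mounted read-only under rescue media, diff the tree against the stored manifest to list modified, missing and newly added files. The mount point /mnt/target used in the usage note is a placeholder.

```python
"""Offline file-integrity check against a stored manifest (added example).

Build the manifest on a clean install, store it on read-only media, and run
verify_tree() from rescue media against the mounted suspect filesystem.
"""
import hashlib
import os
from typing import Dict, List


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its hash.
    Symlinks are skipped; their targets are hashed under their own paths."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def format_manifest(manifest: Dict[str, str]) -> str:
    """Serialize as sha256sum-style lines: '<hex digest>  <path>'."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the format written by format_manifest (blank and '#' lines ignored)."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 64 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[path] = digest
    return manifest


def compare_manifests(expected: Dict[str, str],
                      actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Three lists a responder wants: changed binaries, deleted files,
    and files that were never part of the clean install (e.g. a new module)."""
    return {
        "modified": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def verify_tree(root: str, manifest_text: str) -> Dict[str, List[str]]:
    """Diff the tree under root against a stored manifest."""
    return compare_manifests(parse_manifest(manifest_text), build_manifest(root))
```

Typical use (placeholder paths): on the clean install, `open("/media/usb/usr.manifest", "w").write(format_manifest(build_manifest("/usr")))`; after booting rescue media with the suspect disk mounted read-only, `verify_tree("/mnt/target/usr", open("/media/usb/usr.manifest").read())`. Anything under "added" in /lib/modules or "modified" in /bin, /sbin or /usr/lib deserves a close look, and, as the post says, a positive result on a server means rebuild rather than clean.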