Dealing with Windows Rootkits
Rootkits are among the most insidious attack tools on the Internet. A kernel-mode rootkit replaces or hooks core components of the operating system kernel (system call tables, driver dispatch routines, the kernel's own in-memory data structures), and a virtualized rootkit goes one step further: it lifts the running operating system into a virtual machine and inserts an attacker-controlled hypervisor between the OS and the hardware. Either way the attacker can hide processes, files, registry keys and network connections, and redirect calls intended for a legitimate application to an attacker-controlled version of it.

To install a rootkit, the attacker must first obtain root, superuser or administrator privileges on the victim machine, so the first line of defence is to make that step as hard as possible: run users and services with least privilege, and harden the operating system with a host-based IPS together with the security configuration benchmarks published by the Center for Internet Security. Hardening does not make a rootkit impossible, but it denies the attacker the privileges a rootkit needs.

There are a number of rootkit detection tools. Use at least three of them, because each looks for a different set of rootkit fingerprints (hidden files, hidden registry keys, hooked system calls, hidden processes) and no single tool catches everything. Be aware that they also produce frequent false positives: legitimate software that hides files or registry data from ordinary tools trips the same checks, so treat a single hit as a lead to investigate rather than as proof of compromise.

Here are some good tools:

Sysinternals RootkitRevealer: compares what the Windows API reports with the raw contents of the file system and registry hives, and flags the discrepancies

F-Secure BlackLight: looks for processes and files hidden from normal enumeration

IceSword: exposes processes, open ports, kernel modules and hooked system service table entries for manual inspection

Sophos Anti-Rootkit: scans running processes, the registry and the file system for hidden items

McAfee Rootkit Detective: scans for hidden processes, files and registry keys and for hooked kernel structures

Of course, once a rootkit is installed you cannot trust anything the kernel tells you: every detector that runs on the compromised system is asking the very component the attacker controls. Confirm findings with trusted tools run from outside the suspect operating system, such as the Helix incident response bootable Linux CD, which lets you examine the disk and its artifacts without ever booting the compromised kernel.

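As an added example (not code from the original post), here is the cross-view technique that detectors such as RootkitRevealer and BlackLight rely on, applied to processes and written as a PowerShell script: the process list Windows returns from its normal enumeration is compared with the set of PIDs the kernel will actually open a handle for, and any PID present in the second view but missing from the first is flagged. The PID upper bound, the two-second pause between snapshots and the function names are choices made for this example, not anything the post prescribes. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post: cross-view detection of hidden processes.
# View 1: the process list Windows hands back from its normal enumeration API (Get-Process).
# View 2: which PIDs the kernel will open a handle for when asked directly (OpenProcess).
# A PID that the kernel opens but that is absent from view 1 is hidden from enumeration.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough to test existence, no debug privilege needed
$ERROR_ACCESS_DENIED = 5                      # the process exists but we are not allowed to open it

function Get-OpenableProcessIds([int]$MaxPid = 0x20000) {
    # Probe every candidate PID. Windows PIDs are multiples of 4; 0 (Idle) and 4 (System)
    # are skipped. The upper bound is an assumption for this example; raise it if your
    # system hands out higher PIDs.
    $found = New-Object System.Collections.Generic.List[int]
    for ($candidate = 8; $candidate -lt $MaxPid; $candidate += 4) {
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Native]::CloseHandle($h)
            $found.Add($candidate)
        } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            # Protected or higher-integrity process: it exists even though we cannot open it.
            $found.Add($candidate)
        }
    }
    return $found.ToArray()
}

function Find-HiddenProcessIds {
    $enumerated = Get-Process | Select-Object -ExpandProperty Id
    $openable   = Get-OpenableProcessIds
    # '=>' marks objects present only in the difference set, i.e. openable but not enumerated.
    Compare-Object -ReferenceObject $enumerated -DifferenceObject $openable |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object -ExpandProperty InputObject
}

# Take two snapshots and keep only PIDs flagged in both. A process that starts between the
# enumeration and the probe shows up in the probe only, which is the normal source of
# false positives for this check; it is very unlikely to do so twice.
$first = Find-HiddenProcessIds
Start-Sleep -Seconds 2
$second = Find-HiddenProcessIds
$persistent = @($first | Where-Object { $second -contains $_ })

if ($persistent.Count -gt 0) {
    "Suspicious PIDs the kernel opens but process enumeration does not list: $($persistent -join ', ')"
} else {
    "No discrepancy between process enumeration and handle probing."
}
```

The check works because user-mode hooks on the enumeration API, and kernel rootkits that unlink their process from the kernel's process list, both remove the process from view 1 while the kernel still resolves the PID through its handle table for view 2. It also illustrates the limits the post warns about: a rootkit that additionally hooks process opening defeats this particular comparison, which is why several tools with different fingerprints, and ultimately an examination from a trusted boot medium, are needed.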
February 1, 2010
Posted in: Computing
