Rootkits are not new, but they have recently re-emerged as a dangerous class of attack, particularly against computers running one of the Microsoft Windows operating systems, and they now turn up regularly in infections.
What are rootkits?
A rootkit is a collection of programs that enable administrator-level access to a computer or computer network.
A kernel-mode rootkit typically hooks the System Service Descriptor Table (SSDT) so that system calls are no longer dispatched to the genuine Windows API routines but to the rootkit's own replacement routines, which alter the result. When a tool asks for the list of running processes, Windows looks up the handler in the SSDT as usual, but that entry has been modified by the rootkit and now points to its code, so the rootkit's own processes are simply omitted from the list that is returned.
A kernel-mode rootkit always consists of at least one driver, which is generally loaded through a service. The driver file is, of course, hidden on disk, and the service is hidden from services.msc and from the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services in regedit. Blue Pill is the codename for a controversial rootkit based on x86 virtualization technology that targets Microsoft's Windows Vista operating system: it would trap a running instance of the operating system inside a virtual machine and then act as a hypervisor, with complete control of the computer.
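The two detection ideas that follow from the SSDT description and from the hidden driver/service description above are table integrity checking (does each dispatch slot still point at the known-good handler?) and cross-view comparison (does the list obtained through the hooked API match the list obtained by walking the underlying structures directly?). The program below is an added, user-mode simulation of both checks, not code from the original page: the "dispatch table" is a plain array of function pointers standing in for the SSDT, the process list and the hidden name are constructed, and the filtering handler exists only so the checks have something to find.

```c
/* Added example: simulated dispatch-table integrity check and cross-view
 * process comparison. Everything here is constructed for the demo; it is
 * user-mode C and does not touch a real kernel or SSDT. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_OBJ 16
#define NAME_LEN 32

typedef struct { unsigned pid; char name[NAME_LEN]; } proc_t;

/* Constructed "kernel" process list: the ground truth the rootkit cannot edit. */
static const proc_t g_kernel_list[] = {
    {4, "System"}, {512, "services.exe"}, {1337, "hidden.exe"}, {2048, "explorer.exe"}
};
#define N_KERNEL (sizeof g_kernel_list / sizeof g_kernel_list[0])

/* Raw view: walks the underlying structures directly, bypassing the table. */
static size_t raw_enumerate(proc_t *out, size_t max) {
    size_t n = N_KERNEL < max ? N_KERNEL : max;
    memcpy(out, g_kernel_list, n * sizeof *out);
    return n;
}

/* One dispatch slot, the analogue of an SSDT entry for "list processes". */
typedef size_t (*enum_fn)(proc_t *, size_t);
static enum_fn g_dispatch_table[1] = { raw_enumerate };

/* Filtering handler of the kind the text describes: same signature as the
 * genuine one, but it drops entries whose name starts with a hidden prefix.
 * Installed only so the detection routines below have something to catch. */
static const char *g_hidden_prefix = "hidden";   /* constructed value */
static size_t filtered_enumerate(proc_t *out, size_t max) {
    proc_t tmp[MAX_OBJ];
    size_t n = raw_enumerate(tmp, MAX_OBJ), kept = 0;
    for (size_t i = 0; i < n && kept < max; i++)
        if (strncmp(tmp[i].name, g_hidden_prefix, strlen(g_hidden_prefix)) != 0)
            out[kept++] = tmp[i];
    return kept;
}

static void install_hook(void) { g_dispatch_table[0] = filtered_enumerate; }
static void remove_hook(void)  { g_dispatch_table[0] = raw_enumerate; }

/* API view: what a tool that trusts the dispatch table receives. */
static size_t api_enumerate(proc_t *out, size_t max) {
    return g_dispatch_table[0](out, max);
}

/* Check 1: table integrity. Compare each slot with its known-good address. */
static int dispatch_table_intact(void) {
    return g_dispatch_table[0] == raw_enumerate;
}

/* Check 2: cross-view diff. Returns how many objects present in the raw view
 * are missing from the API view; if `hidden` is non-NULL, stores up to `max`
 * of their PIDs there. A non-zero result means something is being filtered. */
static size_t cross_view_diff(unsigned *hidden, size_t max) {
    proc_t api[MAX_OBJ], raw[MAX_OBJ];
    size_t na = api_enumerate(api, MAX_OBJ);
    size_t nr = raw_enumerate(raw, MAX_OBJ);
    size_t found = 0;
    for (size_t i = 0; i < nr; i++) {
        int seen = 0;
        for (size_t j = 0; j < na; j++)
            if (api[j].pid == raw[i].pid) { seen = 1; break; }
        if (!seen) {
            if (hidden && found < max) hidden[found] = raw[i].pid;
            found++;
        }
    }
    return found;
}

int main(void) {
    unsigned hidden[MAX_OBJ];
    printf("before hook: intact=%d hidden=%zu\n",
           dispatch_table_intact(), cross_view_diff(hidden, MAX_OBJ));
    install_hook();
    size_t n = cross_view_diff(hidden, MAX_OBJ);
    printf("after hook:  intact=%d hidden=%zu", dispatch_table_intact(), n);
    for (size_t i = 0; i < n; i++) printf(" pid=%u", hidden[i]);
    printf("\n");
    remove_hook();
    return 0;
}
```

The same cross-view idea applies to the hidden service and driver file: a list of services read through the service control manager API can be compared against the Services registry key read directly, and a directory listing obtained through the normal file API against the raw on-disk structures. A discrepancy in either direction is the signal, since a rootkit can rewrite what the API returns but not what the underlying data holds.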
Here are some examples of current rootkits:
- User-mode rootkit - a variant of Zlob / Trojan.DNS, a fairly common rootkit that redirects Google searches
- Kernel-mode rootkit - Haxdoor / Goldun
- Kernel-mode rootkit - Email-Worm.Win32.Zhelatin.a / Rootkit.Agent.dh / Trojan.Peacomm, hidden with the driver C:\Windows\System32\wincom32.sys
- Kernel-mode rootkit - Rootkit.Win32.Agent.ea