
Posted 2009-08-05 11:07 by Nate

If you know anything about security, the word rootkit should send shivers down your spine. If not, we'll get there by the end of this article. A rootkit is a piece of software that evades detection by hiding in the innermost layers of your system, whether that is the operating system kernel or, as we'll see, the firmware underneath it. We usually see rootkits delivered as part of a Trojan Horse payload, since they are fairly tough to install without user interaction. Once a rootkit is installed, it is very tough to spot, and even harder to remove.

I remember the first time I faced a rootkit on a compromised system quite well. The machine just kept getting the same virus back, over and over, even without an Internet connection. It was driving me crazy, until I finally pulled the hard drive out and scanned it in another machine. I think we were using NOD32 at the time, and it picked off a handful of files that were totally cloaked inside of Windows. Once they were gone, the system showed a slew of registry entries that had been hidden, and removal was trivial at that point.

More recently, I spotted a rootkit in the wild on a client's PC using the excellent Sysinternals tool RootkitRevealer. I usually run it from Live Sysinternals, which is great except that you have to be connected to the Internet to get there. You can also download the tool and burn it to a CD, which is my preferred method, since USB drives can be infected pretty easily these days; a mastered (closed-session) CD can't be written to by software, so it's safe to carry from machine to machine. RootkitRevealer works by reading the file system and registry data directly from the disk and comparing what it finds against what the Windows API reports; anything a rootkit is hiding from the API shows up as a discrepancy between the two views. Even a clean system usually shows a couple of benign registry discrepancies, but if you know what to look for, the real ones pop right out at you.
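The cross-view comparison described above, as an added Python illustration that is not RootkitRevealer's own code: it takes an "API view" and a "raw view" of the same file and registry namespace and reports where they disagree. The Entry and Discrepancy types, the sample snapshots, and the hidden.sys / hiddensvc names are all constructed for this example.

```python
"""Cross-view rootkit detection, the idea behind RootkitRevealer.

Added illustration, not RootkitRevealer's code. Two snapshots of the same
namespace are compared: the "API view" (what Windows reports through its
normal file and registry APIs) and the "raw view" (what is actually stored
in the file system and registry hives on disk). A rootkit that hooks the
API to hide itself can only tamper with the first view, so anything present
in the raw view but missing from the API view is a candidate rootkit
artifact. The sample snapshots below are constructed, not real scan output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # file path or registry key path
    size: int   # byte length (data length for a registry value)
    mtime: str  # last-write time as ISO-8601 text


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str   # "hidden", "api_only" or "mismatch"
    detail: str


def cross_view(api_view, raw_view):
    """Return every entry where the API and raw views disagree, sorted by path."""
    # Windows paths and registry keys are case-insensitive, so key on the
    # lowercased path; otherwise a case difference would look like a hidden file.
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    found = []
    for key, r in raw.items():
        a = api.get(key)
        if a is None:
            # On disk but not returned by the API: the classic rootkit signature.
            found.append(Discrepancy(r.path, "hidden",
                                     "present on disk, not returned by the Windows API"))
        elif (a.size, a.mtime) != (r.size, r.mtime):
            # Same name, different metadata: often a file that changed between the
            # two passes, but it can also be an API hook lying about a file.
            found.append(Discrepancy(r.path, "mismatch",
                                     f"api size={a.size} mtime={a.mtime}; "
                                     f"raw size={r.size} mtime={r.mtime}"))
    for key, a in api.items():
        if key not in raw:
            # Reported by the API but not on disk: usually a temp file deleted
            # between the two passes, rarely a rootkit.
            found.append(Discrepancy(a.path, "api_only",
                                     "returned by the Windows API, absent from disk"))
    return sorted(found, key=lambda d: d.path.lower())


def triage(discrepancies):
    """Keep only the discrepancies worth chasing first: entries hidden from the API."""
    return [d for d in discrepancies if d.kind == "hidden"]


# Constructed sample snapshots. hidden.sys and hiddensvc are hypothetical names
# standing in for what a kernel-mode rootkit would try to cloak.
API_VIEW = [
    Entry(r"C:\Windows\System32\drivers\disk.sys", 47104, "2008-04-14T12:00:00"),
    Entry(r"C:\Windows\System32\config\SOFTWARE", 31457280, "2009-08-05T10:59:00"),
    Entry(r"C:\Users\nate\AppData\Local\Temp\tmp001.tmp", 512, "2009-08-05T11:02:00"),
    Entry(r"HKLM\SOFTWARE\Example\Run\updater", 38, "2009-07-01T08:00:00"),
]
RAW_VIEW = [
    Entry(r"C:\Windows\System32\drivers\disk.sys", 47104, "2008-04-14T12:00:00"),
    Entry(r"C:\Windows\System32\drivers\hidden.sys", 9216, "2009-08-01T03:12:00"),
    Entry(r"C:\Windows\System32\config\SOFTWARE", 31461376, "2009-08-05T11:03:00"),
    Entry(r"HKLM\SOFTWARE\Example\Run\updater", 38, "2009-07-01T08:00:00"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\hiddensvc", 0, "2009-08-01T03:12:00"),
]

if __name__ == "__main__":
    results = cross_view(API_VIEW, RAW_VIEW)
    for d in results:
        print(f"{d.kind:9} {d.path}  ({d.detail})")
    print("chase first:", [d.path for d in triage(results)])
```

On the sample data the hive file and the temp file produce the kind of benign noise mentioned above (a mismatch and an api_only entry), while the driver and service key that exist on disk but never come back from the API are the ones to chase. On a real system the raw view has to be built by parsing the NTFS structures and registry hives directly rather than through the APIs being checked, which is the hard part of the tool and the reason a rootkit that blocks it outright is so much harder to deal with.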

Most recently, I actually had to throw in the towel on a system that was so infected that I couldn't even run RootkitRevealer. The rootkit was blocking it, which was a new trick to me. While I could have started combing through all of the .dlls on the system, I probably would've missed one, and it was faster to wipe the hard drive and reinstall. That knocked it out, though, and the system has been clean ever since.

Rootkits don't have to live in the filesystem, though, and that's when things get really scary. The Black Hat conference just wrapped up, and among other hacks, a firmware rootkit was demonstrated that lives inside Apple keyboards. This is the scariest type, no pun intended, since the rootkit lives in the keyboard's own firmware, and no amount of formatting hard drives will remove it. The recommended action for a rootkitted Apple keyboard is simply to toss it and buy another.

Hacks have also shown that rootkits can live in the BIOS of a system, just like the keyboard's firmware. Most laptops from big vendors have the option to include LoJack, a system that can track a laptop if it gets stolen. Apparently, a vulnerability has been found in the LoJack software that can be used to load a rootkit into the BIOS of the laptop. This would survive a hard drive replacement, and could be very difficult to spot and even harder to remove.

At the end of the day, we're seeing more and more of these rootkit-style attacks in the wild, and it's only a matter of time until the firmware variants demonstrated at Black Hat start showing up on real victims' machines and become harder, if not impossible, to remove. Truly, the rootkit is the worst of all malware.