Your rootkit remover might have reported that it has successfully removed a rootkit from your machine, but how can you validate that? Certainly the only way to be 100% sure that a rootkit no longer exists on a machine is to reformat the hard drives and reinstall the OS. Let's take a closer a look at the nature of rootkits to see why they can be so difficult to remove.
Most applications run in what's called user mode. This setting restricts their ability to cause damage through inappropriate or inadvertent access to system processes. The name rootkit comes from the program's ability to obtain access to the core or "root" of a computer's operating system. User-mode rootkits that have obtained administrative privileges can modify the memory space of other applications in order to disguise what is happening within the operating system. They can intercept system calls and can, for example, hide processes, files and registry keys. This type of rootkit can be detected, however, by code running in what's called kernel mode.
Kernel mode is a trusted mode of operation for system services and device operations and allows privileged access to system memory and the full CPU instruction set. A rootkit operating in kernel mode is far more dangerous, as it can avoid detection by modifying the kernel component of the OS, giving it almost unrestricted potential for manipulation of the system. Corruption at such a low level means that it is difficult to detect and completely remove this type of rootkit. The Trojan Mebroot, for example, works by infecting the Master Boot Record (MBR). Boot records are reserved sectors on a disk that are used to load the operating system. Mebroot copies the original MBR to sector 62 on the hard disk, installs its own kernel loader to sectors 60 and 61, and copies a rootkit driver near to the end of the active boot partition. When the computer restarts, the infected MBR starts the kernel loader located in sectors 60 and 61, which patches the Windows Kernel in memory to load the rootkit driver. This malware then has virtual ownership of the infected machine.
A rootkit hypervisor is an even more powerful and dangerous beast. A hypervisor is a layer of virtualization software that runs between the operating system and hardware, acting as a virtual machine monitor. A rootkit hypervisor doesn't rely on hacking the kernel. It takes control by running the original operating system in a VM or virtual machine. By controlling the complete universe in which an operating system runs, it can deceive any operating system running inside it, thus defeating any security defenses running on the guest VM. This means there's really no practical way to detect it except through extreme measures.
This was first published in October 2008