
Introduction to Malware: The word Malware is derived from two words, Malicious and Software. As the name suggests, malware is software that is potentially harmful to a computer or a server. It is distributed in many ways, such as on DVDs, floppy disks and USB flash drives, through email attachments, or through untrusted software developers. There are many types of malware, and their names are given based on their function. The different types include Trojan horses, worms, rootkits, botnets, adware, spyware, backdoors, viruses etc.

Rootkits: They are stealthy malware which can alter system utilities or the operating system itself to stay hidden. They are difficult to identify because some rootkits hide themselves from the Windows process utility by infecting that very utility. They are typically used to hide other malicious software such as a virus or a Trojan horse.

Rootkits usually operate in one of two modes: 1. User mode 2. Kernel mode.

Rootkits in user mode: They work by altering system utilities or libraries on disk. These are easy to detect by checking the integrity of files, which can be done offline using a cryptographic hash function. User mode rootkits often insert code into other user mode processes through methods like DLL injection and alter their behavior. This can be detected by running anti-rootkit software that runs at kernel level and checks continuously.

Rootkits in kernel mode: They are hard to detect because they run at the lowest levels of the operating system. Kernel rootkits in Windows are usually loaded as device drivers. Because the driver system is modular, it allows a user to load arbitrary code into the kernel; this feature is intended for loading drivers for keyboards, PS/2 mice, speakers, graphics cards etc. Kernel mode rootkits in Linux or Unix are usually loaded as Loadable Kernel Modules, which function similarly to Windows kernel drivers. Once a rootkit is loaded into the kernel, it can do several things to maintain its stealth. The most common method is known as function hooking. Since the rootkit is running in kernel mode, it can modify kernel memory to replace operating system functions with customized functions. For example, a rootkit replaces the function which lists the files in a directory with a customized function that skips the files belonging to the rootkit. Thus any program that uses this function will not be able to detect the rootkit. Another technique is to modify the internal data structures the kernel uses for its bookkeeping. The Windows kernel keeps a list of the device drivers loaded in memory; a rootkit may modify this data structure to remove itself directly from the list and potentially avoid detection. Once a rootkit is installed, it must ensure that it survives a reboot, remains functional on the machine, and survives modification of registry entries. Rootkits modify kernel functions to avoid detection, while anti-rootkit software searches for suspicious registry entries. Thus they are continuously playing hide and seek.

Detecting Rootkits: Even though rootkits are sneaky, they are not impossible to detect. User mode rootkits are detected by checking for modifications of files on disk. On Windows, important libraries are digitally signed, so any tampering would invalidate the digital signature and thus can be detected. Another technique is to periodically compute a cryptographic hash of each critical system component while the system is offline; the hashes are checked again when the system is online, and if they do not match then a rootkit might be present and altering these files. In addition, kernel mode anti-rootkit software can detect code injection into system processes. Kernel mode rootkits can be difficult to detect. Most kernel rootkits do not alter system files on disk; they perform their operations in kernel memory. Anti-rootkit applications detect kernel rootkits by searching for evidence of techniques such as function hooking. Such rootkit detectors may keep signatures of certain kernel functions that are likely to be targeted by rootkits and inspect memory to determine whether any modifications have been made to these functions. As kernel rootkits operate at the highest privilege level, they may even detect the presence of anti-rootkit software and prevent it from achieving its goals. Sometimes an in-depth analysis of an infected system, inspecting the registry and boot records, is required to defeat a rootkit.
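As an added illustration (not part of the original essay) of the signature-based memory inspection just described, the Python below fingerprints the first bytes of a set of functions in a constructed memory image and flags any that no longer match their clean signature. The function table, the byte patterns and the function names are all assumptions made for the example.

```python
import hashlib

# Constructed stand-in for a table of kernel functions in a memory image:
# name -> (offset, number of prologue bytes to fingerprint). A real detector
# would take these from the running kernel's symbol information.
FUNCTION_TABLE = {
    "list_directory": (0x00, 8),
    "open_file": (0x10, 8),
}

# Constructed "known clean" image: two small function prologues, each padded.
CLEAN_IMAGE = (b"\x55\x48\x89\xe5\x48\x83\xec\x10" + b"\x00" * 8
               + b"\x55\x48\x89\xe5\x48\x83\xec\x20" + b"\x00" * 8)

def take_signatures(image, table):
    """Fingerprint the first bytes of every function from the clean image:
    the signature set a detector keeps for functions rootkits tend to target."""
    return {name: hashlib.sha256(image[off:off + n]).hexdigest()
            for name, (off, n) in table.items()}

def inspect_functions(image, table, signatures):
    """Compare live bytes of each function with its clean signature. Returns
    (function, finding) pairs; a function whose first instruction is now an
    unconditional JMP (opcode 0xE9) is reported as 'jmp-patched', the typical
    shape of an inline hook diverting the call into replacement code."""
    findings = []
    for name, (off, n) in table.items():
        live = image[off:off + n]
        if hashlib.sha256(live).hexdigest() != signatures[name]:
            kind = "jmp-patched" if live[:1] == b"\xe9" else "modified"
            findings.append((name, kind))
    return findings

def demo():
    """Constructed scenario: the directory-listing function has been hooked."""
    signatures = take_signatures(CLEAN_IMAGE, FUNCTION_TABLE)
    live = bytearray(CLEAN_IMAGE)
    live[0:5] = b"\xe9\x00\x00\x00\x00"   # first instruction replaced by a JMP
    return inspect_functions(bytes(live), FUNCTION_TABLE, signatures)

if __name__ == "__main__":
    print(demo())   # [('list_directory', 'jmp-patched')]
```

A rootkit with kernel privileges can also tamper with the detector or the signature store, which is why the text notes that such checks are strongest when the reference data is kept outside the running system.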
The most powerful technique for detecting rootkits consists of performing two scans of the file system: one using high level system calls, which are likely to be hooked by the rootkit, and the other using low level disk reading programs that access the content of the disk using primitive block access methods. If these two scans produce different results, the presence of a rootkit is confirmed. This method can be used for both user mode and kernel mode rootkits. It is often difficult to remove a rootkit, so users are often advised to reformat their hard disk on suspicion of infection rather than attempting to remove it.
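An added example (not from the original essay) combining the two detection ideas above: the offline hash baseline for files on disk, and the cross-view comparison of a hooked high-level listing against a raw one. The hidden-name prefix, the file names, and the use of a plain unfiltered directory listing in place of real raw disk access are all assumptions of the example.

```python
import hashlib
import os
import tempfile

HIDDEN_PREFIX = "$rk_"   # constructed marker for entries the hooked API hides

def build_baseline(paths):
    """Hash critical files on a clean, offline system; store the result
    where a running rootkit cannot reach it."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            baseline[path] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def verify_baseline(baseline):
    """Re-hash every baselined file and report anything missing or changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != expected:
                findings.append((path, "modified"))
    return findings

def api_view(directory):
    """Stand-in for a high-level listing filtered by a hook that drops the rootkit's files."""
    return sorted(n for n in os.listdir(directory) if not n.startswith(HIDDEN_PREFIX))

def raw_view(directory):
    """Stand-in for a low-level scan reading entries straight from disk (unfiltered)."""
    return sorted(e.name for e in os.scandir(directory))

def cross_view_diff(directory):
    """Entries the raw scan sees but the API scan does not: evidence of filtering."""
    return sorted(set(raw_view(directory)) - set(api_view(directory)))

def demo():
    """Constructed scenario: one file tampered with on disk, one file hidden."""
    d = tempfile.mkdtemp()
    lib = os.path.join(d, "system_library.dll")
    with open(lib, "wb") as f:
        f.write(b"original library bytes")
    baseline = build_baseline([lib])
    with open(lib, "ab") as f:             # on-disk tampering after baselining
        f.write(b"patch")
    open(os.path.join(d, HIDDEN_PREFIX + "driver.sys"), "wb").close()
    return verify_baseline(baseline), cross_view_diff(d)
```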
The most famous rootkit was made as part of a copyright protection scheme by Sony BMG in 2005. This rootkit installed itself on the Windows operating system whenever one of the protected discs was inserted into an optical disk drive to rip music. The automatic installation relied on the default AutoPlay option in Windows XP, which executed the commands designated in a file on the CD: it basically executed autorun.inf. This rootkit would infect a number of important files so that it would not be detected by system utilities. The rootkit's primary intention was to protect copyrights.

Comparison of rootkits with other types of Malware:

Virus: A computer virus spreads on its own by smuggling its code into application software. The name is an analogy to its biological archetype. Not only does a computer virus spread many times and make the host software unusable, it also runs malicious routines. A rootkit can be used along with a virus to conceal the virus.

Worm: A worm may be called the next generation. It travels across the Internet automatically, without any input from users. When a worm infects a system, it makes copies of itself and attempts to spread across the network to any connected computers. Worms may use program and operating system loopholes to travel from one system to another, or they may take advantage of email and file sharing programs already installed to spread to other users. Frequently, worm programs contain no malicious payload, but the constant replication of the code may overwhelm system resources and shut computers down. Worms are also difficult to remove in networked systems, since clearing one machine of the malware simply leaves it open to reinfection from any connected computers. A rootkit cannot replicate itself, but it has the ability to conceal anything it wants to conceal. For example, a preinstalled rootkit can be used to conceal a worm or virus whenever one invades a computer in which a configured rootkit is already present.

Trojan horse: This name is derived from the story called the Odyssey; a film was made in English based on that book. A large wooden horse is given to the Trojans as if accepting defeat in the war, but actually there are some guards hidden inside the horse who come out, open the gates of Troy and destroy Troy in a single night after a never-ending battle of several years. A Trojan horse is a similar type of program: it appears useful by pretending to do certain things in the foreground, but in reality it is working silently in the background with the only objective of harming your computer and/or stealing valuable information. The most common way of getting infected with a Trojan is through downloading cracks, keygens, pirated software or pirated music from various untrusted sources on the Internet. As with viruses and worms, a Trojan can be concealed by a rootkit. Unlike worms, Trojans cannot spread by themselves. A rootkit can be used to download a Trojan, virus or worm to a computer.

Spyware: Spyware infects a system but does not cause any damage to it; instead it collects data from the user, such as credit card numbers, social security numbers or password details of user accounts. It also steals bandwidth by continuously sending private information about the user to a central server, which slows down the system. Spyware can also be hidden by a rootkit.

Adware: Adware is any software package that automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. The term is sometimes used to refer to software that displays unwanted advertisements. They are not designed to steal information but to display unwanted ads. Usually they are installed as a bundle with freeware apps. Some examples are Ilivid or the Ask search bar. They are different from

Botnet: A botnet or zombie army is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie: in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based. According to a report from Russian-based Kaspersky Labs, botnets, not spam, viruses or worms, currently pose the biggest threat to the Internet. As said earlier, rootkits can also prevent detection of botnets. To prevent botnets, tools like CAPTCHA are used; the purpose of a CAPTCHA is to make sure that humans can use a service while bots are not able to spam. A zombie army can be used to cause a Distributed Denial of Service (DDoS) attack.
