Rootkits: What They Are and How to Fight Them
Do you have a rootkit surreptitiously installed on your servers? How do you know? Are you monitoring for rootkit infestation? Do you know the tools to monitor for rootkit infestation?
Do you know what rootkits are?
A rootkit, at least in the Windows world, is a piece of code that registers with the operating system and monitors for a call to a kernel API. When it sees that call -- perhaps for a file listing -- it intercepts the call, manipulates the result, and passes that result on to the requesting entity.
One example of this is a "dir" request for a particular folder. The rootkit has hooked the operating system's internal function pointers; when it sees a "dir" request for the directory it is attempting to cloak, it intercepts the request.
What it does next is insidious (but actually pretty nifty from a strictly geek standpoint). It requests the "dir" listing from the kernel on behalf of the requestor, strips the folders it is attempting to cloak from the kernel's response, and returns the filtered listing to the command prompt.
Well, these sorts of malware are very difficult to locate and remove. Because they are registered with the operating system and sit in-line with the request path for the object they are cloaking, finding them is difficult and removing them can crash the operating system. Often the only way to find a rootkit is to run two separate scans of the system, one from a level above the rootkit and another from a core level below it, and look for the differences.
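The following Python model is an added example, not code from the original post or from any product it mentions. It models the two ideas above: a hypothetical hook that sits between a caller and the directory-listing API and strips the names it wants to cloak, and the cross-view detector that compares the listing seen through that hook with a listing taken from a vantage point the hook cannot reach and reports every discrepancy. All directory contents, paths and cloaked names below are constructed placeholders; the "kernel" listing is a plain dictionary lookup standing in for a read of the on-disk file-system structures.

```python
"""Cross-view detection of a directory-listing rootkit, modelled in Python.

Educational model: a hypothetical hook wraps the 'kernel' listing call and
filters its result; the detector diffs the hooked view against a trusted,
lower-level view of the same directory.
"""
from typing import Callable, Iterable

# Constructed sample data: what the file system actually contains.
REAL_DIRECTORY = {
    r"C:\Windows\System32": [
        "kernel32.dll", "ntoskrnl.exe", "drivers", "hidden_rk", "cmd.exe",
    ],
    r"C:\Users\alice": ["Documents", "Desktop", "hidden_rk_cfg.dat"],
}

# Names the modelled rootkit wants to cloak (constructed placeholders).
CLOAKED_NAMES = {"hidden_rk", "hidden_rk_cfg.dat"}


def kernel_list_directory(path: str) -> list[str]:
    """Trusted, low-level listing (stands in for reading the on-disk
    structures directly), which the hook never gets to touch."""
    return sorted(REAL_DIRECTORY.get(path, []))


def model_hooked_listing(original: Callable[[str], list[str]],
                         cloaked: Iterable[str]) -> Callable[[str], list[str]]:
    """Model of the hook described in the post: call the real API on the
    requester's behalf, then filter the result before handing it back."""
    cloaked = set(cloaked)

    def hooked(path: str) -> list[str]:
        return [name for name in original(path) if name not in cloaked]

    return hooked


def cross_view_diff(path: str,
                    high_level: Callable[[str], list[str]],
                    low_level: Callable[[str], list[str]]) -> dict:
    """Compare one directory from two vantage points. Entries present in the
    low-level view but missing from the high-level view are cloaked; entries
    present high but absent low are the opposite inconsistency and are also
    worth investigating."""
    high = set(high_level(path))
    low = set(low_level(path))
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def scan(paths: Iterable[str],
         high_level: Callable[[str], list[str]],
         low_level: Callable[[str], list[str]]) -> dict:
    """Run the cross-view comparison over several directories and return only
    the ones with discrepancies, keyed by path."""
    findings = {}
    for path in paths:
        diff = cross_view_diff(path, high_level, low_level)
        if diff["hidden"] or diff["phantom"]:
            findings[path] = diff
    return findings


# The listing an administrator's "dir" would pass through on a compromised box.
api_as_seen_by_user = model_hooked_listing(kernel_list_directory, CLOAKED_NAMES)

if __name__ == "__main__":
    results = scan(REAL_DIRECTORY, api_as_seen_by_user, kernel_list_directory)
    for path, diff in results.items():
        print(f"{path}: hidden from the API view -> {diff['hidden']}")
```

On a real system the two views must come from genuinely different layers (for example a user-mode API call versus a read of the raw volume or an offline scan from boot media); if both listings pass through the same hooked path, as `api_as_seen_by_user` compared with itself would, the diff is empty and proves nothing.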
Scary? Yes. Interested in learning more? I read an interesting podcast briefing from SearchSecurity yesterday that discusses the problem in detail. Registration for the briefing is required: http://whitepapers.zdnet.com/whitepaper.aspx?&tag=nl.e539&docid=276641&promo=100511