Stealth Viruses and Rootkits
A virus, by its nature, has to modify something in order to become active. This might be a program file, the boot sector, or the partition sector (Master Boot Record); whatever it is, it has to change. Unless the virus takes over the portions of the system that handle access to what it changed, those changes will be visible and the virus will be exposed.
A stealth virus hides the modifications it makes. It does this by taking over the system functions that read files or system sectors (under DOS, by hooking the interrupt vectors for the BIOS disk services and the DOS file services, INT 13h and INT 21h) and, when some other program requests information from the portions of the disk the virus has changed, the virus reports back the original (unchanged) information instead of what is really there (the virus). Of course, the virus must be resident in memory and active to do this; the lie only works while the virus's own hook is in place.
Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean, write-protected floppy disk or CD. When this happens, the virus never gains control of the system, its hooks are not installed, and the changes (and the virus itself) are immediately visible and can be dealt with.
Important Note: Some viruses, when they infect, encrypt the original contents of the sector they infect and hide that copy elsewhere on the disk. If you are infected, some people may advise you to use generic DOS commands (e.g., SYS and/or FDISK /MBR) to correct the problem. If you do this you run the risk of making matters much worse. Monkey, for example, encrypts the partition information and moves it; the MBR it leaves behind contains the virus but no usable partition table. If you overwrite the virus with FDISK /MBR, you will no longer be able to see your hard disk: DOS/Windows will not recognize what is in the partition table, and the encrypted copy cannot be reached without Monkey resident to decrypt it. Anti-virus software that knows Monkey knows where the copy is and how to decrypt it, and restores the original sector instead of simply overwriting the virus.
Never use undocumented commands (e.g., FDISK /MBR) to fix virus contamination.
Always use an anti-virus package that can deal with the particular virus in question.
Undocumented commands are undocumented for a reason!
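The mechanics described above, worked through as an added example (editor-supplied illustration code, not anything from the Computer Knowledge tutorial or from any real virus): a toy disk of 512-byte sectors, a simulated stealth virus that relocates and encrypts the original MBR and "hooks" sector reads so the running system sees a clean MBR, a cross-view comparison of the hooked view against raw (clean-boot) reads that exposes the stealth, a model of what FDISK /MBR does to the partition table, and a virus-aware repair that puts the original sector back. The sector numbers, the XOR "encryption", the marker strings and the function names are all assumptions made up for the illustration. The same cross-view comparison, what the running system reports versus what the disk actually holds, is a general rootkit-detection technique as well.

```python
"""Toy model of a stealth boot-sector virus on a DOS-era disk.

Constructed for illustration only: the disk is a bytearray, 'sectors' are
512-byte slices, and the virus's 'hook' is a Python method standing in for
a hooked INT 13h handler. The XOR stash stands in for Monkey-style
encryption of the relocated original sector. Sector numbers and key are
arbitrary assumptions.
"""

SECTOR = 512
MBR = 0            # sector holding the Master Boot Record
STASH = 5          # sector where the virus hides the (encrypted) original MBR
KEY = 0x2E         # toy encryption key for the stashed sector


def clean_mbr() -> bytes:
    """Constructed MBR: 446 bytes of boot code, 64-byte partition table, 0x55AA."""
    code = b"CLEAN-BOOT-CODE".ljust(446, b"\x90")
    table = b"PARTITION-TABLE".ljust(64, b"\x00")
    return code + table + b"\x55\xAA"


def has_usable_partition_table(sector: bytes) -> bool:
    """Toy stand-in for DOS recognising the table: signature present, marker intact."""
    return sector[510:512] == b"\x55\xAA" and sector[446:510].startswith(b"PARTITION-TABLE")


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


class Disk:
    """Raw sector access: the view you get when booted from a clean floppy/CD."""

    def __init__(self, sectors: int = 8):
        self.data = bytearray(SECTOR * sectors)
        self.write(MBR, clean_mbr())

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read(self, n: int) -> bytes:
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])

    def write(self, n: int, sector: bytes) -> None:
        assert len(sector) == SECTOR
        self.data[n * SECTOR:(n + 1) * SECTOR] = sector


class StealthVirus:
    """Infects the MBR, stashes the encrypted original, and 'hooks' disk reads."""

    def __init__(self, disk: Disk):
        self.disk = disk
        disk.write(STASH, xor(disk.read(MBR), KEY))       # encrypt and relocate the original
        infected = b"VIRUS-BOOT-CODE".ljust(446, b"\xCC") + bytes(64) + b"\x55\xAA"
        disk.write(MBR, infected)                          # virus code, no usable partition table

    def hooked_read(self, n: int) -> bytes:
        """The resident virus's view: a read of the MBR gets the original sector back."""
        if n == MBR:
            return xor(self.disk.read(STASH), KEY)
        return self.disk.read(n)


def cross_view_diff(resident: StealthVirus, disk: Disk) -> list[int]:
    """Compare the hooked view with raw reads; sectors that differ expose the stealth."""
    return [n for n in range(disk.sectors) if resident.hooked_read(n) != disk.read(n)]


def fdisk_mbr(disk: Disk) -> None:
    """Model of FDISK /MBR: rewrite the 446 bytes of boot code, leave the table as found."""
    sector = bytearray(disk.read(MBR))
    sector[:446] = b"CLEAN-BOOT-CODE".ljust(446, b"\x90")
    disk.write(MBR, bytes(sector))


def disinfect_monkey_style(disk: Disk) -> None:
    """Virus-aware repair: decrypt the stashed original and put it back, or refuse."""
    original = xor(disk.read(STASH), KEY)
    if not has_usable_partition_table(original):
        raise ValueError("stashed sector does not look like an MBR; refusing to write")
    disk.write(MBR, original)
    disk.write(STASH, bytes(SECTOR))   # wipe the stash


if __name__ == "__main__":
    infected = Disk()
    virus = StealthVirus(infected)
    print("resident view of MBR looks clean:", virus.hooked_read(MBR) == clean_mbr())  # True
    print("clean-boot view of MBR is clean:", infected.read(MBR) == clean_mbr())      # False
    print("sectors where the two views differ:", cross_view_diff(virus, infected))    # [0]
    broken = Disk()
    StealthVirus(broken)
    fdisk_mbr(broken)   # the generic 'fix'
    print("table usable after FDISK /MBR:", has_usable_partition_table(broken.read(MBR)))  # False
    disinfect_monkey_style(infected)   # the virus-aware fix
    print("table usable after disinfection:", has_usable_partition_table(infected.read(MBR)))  # True
```

Run it as a script to see both views and both repairs side by side. The point of `disinfect_monkey_style` is the check before the write: it refuses to touch the MBR unless what it decrypts looks like a partition table, which is exactly the check a generic FDISK /MBR never makes.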
Rootkits
Under Windows, installing a rootkit is a newer way of creating a form of stealth virus or other malware. Rootkits are usually installed via a Trojan, but once installed they can hide almost any type of malware.
Rootkits are programs that typically replace or patch kernel components and system DLLs, or hook the system calls that enumerate files, processes and registry keys, so that the malware is filtered out of the answers the system gives. Because the lying code runs as part of the operating system itself, the malware's files and processes are much easier to mask and hide from anti-virus software. Indeed, some anti-virus and anti-spyware/adware software has taken on some of the characteristics of a rootkit in order to find other rootkits that might be running. This, itself, can create problems (see the acronym ADVEIS: Anti-Virus Dependent Vulnerabilities in E-mail Infrastructure Security).
Rootkits can also establish themselves in alternate data streams, which ordinary directory listings do not show. The spambot Mailbot is one example of a rootkit that establishes itself in an alternate data stream attached to a system directory (yes, alternate data streams can attach to a directory as well as to a file).
Probably the most famous rootkit incident in 2005 was the Sony CD incident, where Sony shipped a rootkit (the XCP copy-protection software) on music CDs. When one of these CDs was played on a Windows computer, the rootkit installed itself in order to provide digital rights management for the music on the CD. The problem was that the rootkit itself was not secure: it hid any file, process or registry key whose name began with $sys$, so other malware could piggyback onto it and hide from anti-virus software simply by naming itself that way. An embarrassed Sony recalled a large number of music CDs and reissued them without the digital rights rootkit.
Summary
- In order to infect, a virus must change something.
- A stealth virus takes over portions of the system to effectively hide the virus from casual (and not so casual) examination.
- To find stealth viruses, be certain to cold boot from a known-clean (write-protected) floppy disk or CD; avoid using generic DOS commands to try to fix them, and use anti-virus software that knows the particular virus instead.
Last Changed: Thursday, June 22, 2006
