Stealth Viruses and Rootkits

A virus must change things in order to infect a system. In order to avoid detection, a virus will often take over system functions likely to spot it and use them to hide itself. A virus may or may not save the original of things it changes so using anti-virus software to handle viruses is always the safest option.

A virus, by its nature, has to modify something in order to become active. This might be a file, the boot sector, or partition sector (Master Boot Record); whatever it is, it has to change. Unless the virus takes over portions of the system in order to manage accesses to the changes it made, these changes will become visible and the virus will be exposed.

A stealth virus hides the modifications it makes. It does this by taking over the system functions which read files or system sectors and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what’s really there (the virus). Of course, the virus must be resident in memory and active to do this.

Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk or CD. When this happens, the virus does not gain control over the system and the changes and virus are immediately available to be seen and dealt with.

Important Note: Some viruses, when they infect, encrypt and hide the original information in the sector they infect. If you are infected, some people may advise you to use generic DOS commands (e.g., SYS and/or FDISK /MBR) to correct the problem. If you do this you run the risk of making matters much worse. Monkey, for example, encrypts the partition information and moves it. If you overwrite the virus with FDISK /MBR then you will no longer be able to see your hard disk as DOS/Windows will not recognize what’s in the partition table and can’t access the encrypted version without Monkey helping (anti-virus software knows how to get around this problem).

Never use undocumented commands (e.g., FDISK /MBR to fix virus contamination.
Always use an anti-virus package that can deal with the particular virus in question.
Undocumented commands are undocumented for a reason!


Under Windows, installing a rootkit is a new way of creating a form of stealth virus or other malware. Rootkits are usually installed via a Trojan but once installed can hide most any type of malware. The rootkit gets its name from the Unix term “root” access which is the access level able to interact with any part of the operating system.

Rootkits are programs that typically replace kernel programs and DLL files with malware. Since it’s a system file that has been replaced it’s much easier to mask and hide the malware process from anti-virus software. Indeed, some anti-virus and anti-spyware/adware software has taken on some of the characteristics of a rootkit in order to find other rootkits that might be running. This, itself, can create problems (see the acronym ADVEISWeb Popup).

Rootkits exist for a variety of operating systems, such as Microsoft Windows, Mac OS X, Linux and Solaris. The earliest known rootkit was written about 1990 by Lane Davis and Riley Dake for SunOS 4.1.1.

Rootkits can also establish themselves in alternate data streams. The spambot MailbotWeb Link is one example of a rootkit that establishes itself in an alternate data stream associated with a system directory (yes, alternate data streams can attach to a directory as well as a file).

Probably the most famous rootkit incident in 2005 was the Sony CD incident where Sony installed a rootkit onto music CD-ROMs. When the music CDs were played on a computer, the rootkit installed in order to provide digital rights management for the music on the CD. The problem was that the rootkit itself was not secure and it allowed other malware to piggyback onto it and also install onto a user’s computer. An embarrassed Sony recalled a large number of music CDs and reissued them without the digital rights rootkit.

Many malicious rootkits will hide backdoor programs which then allow the maker of the rootkit (or others he might sell access to) to access and control the infected system at will. The system can then be used as part of a botnet or for other malicious purposes (e.g., sniffers, keyloggers, etc.).

Rootkits may not be malicious all the time. Some security software and some programs that use virtual disk emulation (e.g., Alcohol 120% and Daemon Tools) use rootkits for non-hostile purposes.

It can be difficult to detect a rootkit as once it is running on the system it can grab control over the operating system routines that might be used to detect it and deflect such detection. In short, an operating system running with a rootkit can’t really be trusted to do the expected when it comes to detecting running processes. The most reliable method for detecting rootkits involves booting from some known-good alternate medium (e.g., boot CD) to install a known-good version of some anti-malware program that checks for non-standard operating system behavior. In short, you install anti-malware software before installing the operating system so that it can monitor everything going on. This, of course, carries risks of improper interaction with the operating system that may even cause more problems than it was meant to fix. Thus, there is a constant battle between the white hats and black hats regarding how to infect a system and how to detect that infection.

When and if operating systems are designed with “fingerprinting” built in and trusted install mechanisms the rootkit problem may be minimized as this would allow the operating system, at the lowest level, to use cryptography to monitor the integrity of the system itself. The fingerprints of files in their known good state can then be compared with new fingerprints (usually hash values or some similar method) and the user alerted if any unauthorized changes occur. This is basically having integrity checking built into the operating system.


  • In order to infect, a virus must change something.
  • A stealth virus takes over portions of the system to effectively hide the virus from casual (and not so casual) examination.
  • To better find stealth viruses be certain to cold boot from a known-clean (write protected) floppy disk or CD and avoid using generic DOS commands to try to fix them. Use anti-virus software to handle these viruses.
Up Arrow How Viruses Infect Up Arrow
Prior Page Next Page
Polymorphic Viruses Fast and Slow Infectors

Comments from Original Post:

angelica cajimat
Said this on 2011-09-15 At 05:56 am
what are the examples of rootkit viruses

[Just go to any anti-virus site and search their database for the term rootkit and many descriptions will pop up. –DaBoss]