Talk:Rootkit

Non-obsolete talk

I have a question - isn't it (or why isn't it) a good solution to run one of those online virus scans of your computer. The online scan obviously hasn't been compromised, and would be able to find the compromised files quickly... right? —Preceding unsigned comment added by 99.24.196.106 (talk) 03:49, 14 April 2009 (UTC)

Because a good rootkit will not let you intentionally send it over the net. It'll strip out the bad parts of the file, so the online scanner will never see the malware. — trlkly 07:32, 29 December 2010 (UTC)

Jamie Madrox???

Hey guys! Did Jamie Madrox, the Multiple man, write the first rootkit? OMG, them Microsoft is secretly headed by Magneto, and Dmitriy Medvedev, the Russian president, is secretly Tzar Colossus! Does anyone know who was that Madrox for real? —Preceding unsigned comment added by 88.204.14.228 (talk) 04:54, 8 June 2009 (UTC)

Press Citation

This article was cited in The Australian Financial Review on Tuesday 15 November in an article called CD's that are rotten to the root by John Davidson (it was on page 32). I don't know which template to use for print articles rather than online ones, so it would be great if someone could put this into the proper format. Thanks. --Apyule 08:26, 23 November 2005 (UTC)

Paper

I wrote a paper about rootkits which resume most of their aspects. Feel free to report comments here or at the dedicated page -- KillerWhile 14:46, 24 April 2006 (UTC)

a question about the definition

In the first sentence "A rootkit is a set of software frequently used by a third party (usually an intruder) [...]", who are the first two parties supposed to be? The intruder's parents, maybe? --Mattdm 19:46, 11 December 2005 (UTC)

The first party is the likely the home internet user and the second party is the server from which the user is requesting information. The third party hacker uses the rootkit to infiltrate the user's computer undetected. uriah923^(talk) 07:27, 14 January 2006 (UTC)

................... Let's get realistic. With respect to the subject of this article, third-party refers to anyone who is not an authorized principal. It doesn't have anything to do with the number of entities. Additionally, a server could not be a party to a transaction, the server owner would.

Dictionary definition

When did the primary purpose of a rootkit become to hide/cloak? Until recently, I've heard that the purpose of a rootkit is to "give root" (yes, I know that can be interpreted humorously), with the cloaking part being a secondary requirement, needed in order for the rootkit to do its' primary function; some rootkits do NOT hide themselves explicitly. I see that someone changed the definition on Aug 8th. Scott McNay 21:51, 15 January 2006 (UTC)

I completely disagree with the initial definition on this page. Rootkits are used for retaining (and hiding) root access, not about obtaining it. To get root in the first place, an exploit is used. Following exploitation, a rootkit is loaded to hide the evidence of exploitation, conceal further activities on the system, and in some cases backdoor the system to provide easier access in the future. Exploits are short-lived; they are only good for as long as a particular vulnerability remains unpatched, while rootkits may remain essentially unchanged over a longer period of time. It would be a waste of time to bundle exploits into a rootkit, as they would need to be updated constantly. Dave au (talk) 03:22, 12 September 2008 (UTC)

I have to agree that it's not about initially obtaining root access (see privilege escalation), but rather surrepticiously keeping it without the user's knowledge. Rootkits don't advertise the fact that they are installing themselves when you've left the door open to them e.g. by running not your interactive desktop with an non-privileged account, or when you run an untrusted installer such as the one from Sony BMG. There's an implicit assumption that when someone runs an elevated process, such as an installer, that it stops its activity when you terminate the process, and that it does not use its window of opportunity when executed to do bad stuff. Socrates2008 (Talk) 07:05, 12 September 2008 (UTC)

Clarifying wording

I believe the sentance "thus allowing the intruders to maintain "root" on the system without the system administrator even seeing them." should be adjusted to say "thus allowing the intruders to maintain root-level access on the system without the system administrator even seeing them." Many people hearing about rootkits and coming to Wiki to find out what they are will have no idea what "root" really means. (Anonymous User, June 10, 2006)

I added a paragraph that I believe clarifies rootkits:
A rootkit's ONLY purpose is to hide files, network connections, memory addresses, or registry entries from other programs. However, a rootkit may be incorporated with other files which have other purposes. It is pmportant to note that the utilities bundled with the rootkit may be malicious in intent, but a rootkit is essentialy a technology; it may be used for both productive and destructive purposes. --Wng z3r0 18:49, 11 November 2006 (UTC)

What does this mean?

(in bold) "However, some rootkits started to add this particular program to a list of files it does not hide from. So in essence, removing the differences between the two listings, the detector doesn't report them. However, renaming the rootkitrevealer.exe filename to a random name defeats this. These features are now included in the latest release of Rkdetector and Rootkit Revealer so now there is no need to rename."

I believe that that particular sentence needs some clarification, as I, for one, have no idea whatsoever what it means. --FrostyBytes 23:22, 16 June 2006 (UTC)

I don't see anything unclear about it. "This particular program" refers to the rootkit detector executable, for example rootkitrevealer.exe . Detection is done by comparing the file listings obtained from the infected operating system to the file listings obtained (at a lower level) from the storage medium. If these listings differ, that's an indication that a rootkit is installed. Now if the rootkit does not hide files from the detector (but from all other programs, and the user), the detector is tricked into believing that everything is fine. So the rootkit hides itself from the detector. It can only do this if it can spot the detector, for example by simply checking the task name (=filename). So if the detector in turn manages to hide itself from the rootkit by changing its filename, it works again.

(Of course this arms race will go on. There are other ways to detect a specific anti-rootkit program - many of the techniques used by antivirus software apply.) —Preceding unsigned comment added by 87.162.58.144 (talk) 01:11, August 29, 2007 (UTC)

Obsolete talk

I took the liberty of moving the historical stuff to the bottom so that people don't have to wade through stuff that's already been dealt with. Scott McNay 21:51, 15 January 2006 (UTC)

---

!Radiojon, why do want remove redirect? Trainthh 08:38, 4 November 2005 (UTC) -I am stupid... Please forgive. No-one please do not touch this page! Trainthh 08:43, 4 November 2005 (UTC)

This page has relevance and should not be deleted as it has transpired that Sony / BMG is using a rootkit to hide its Digital Rights Management software using a rootkit, when a person tries to access one of their music CD's. Admittedly the listener is prompted but this is still a possible help to others that might want to hack PC's. People should be aware of what a rootkit is.

Steve [4th Nov 2005]. The info is not offensive. It is what the internet is about. That is a free information source and should not be effected by the goings on of a huge corporate entity like Sony BMG. If the page goes then its censorship brought about by corporate politics and a shame for Wiki.

Why this page needs to be removed? For a technical reason

There is nothing political here. Let me explain what we try to achieve here.

1. Currently in Wikipedia there is a page called Root kit. Have look at it!
2. However, more commonly used term is Rootkit (without space). The objective is to move page "Root kit" with all its on contents to replace this current page (that used to be a redirection)
3. The above is possible only as soon as this page is removed by administrators.

-- Trainthh 14:42, 4 November 2005 (UTC)

• Thanks, Trainthh, well said. This is exactly the intent I had in mind. As I noted in the comment line, "rootkit" has more than fifty times the number of results that "root kit" (enclosed in quotation marks) has on Google, so it's extremely obvious (or so I thought!). This page has also been moved from "talk: rootkit" to "talk: rootkit/archive" for the same reason, so that talk: root kit can be moved to talk: rootkit.  –radiojon 16:22, 4 November 2005 (UTC)

Which Definition Should Rule?

I agree with the desire to consolidate it into one definition but should that definition be under "root kit" or "rootkit?" I feel like "rootkit" is the more proper form.

Agreed. This is not anyway a candidate for speedy deletion, which I for one oppose. Either this article should redirect to Root kit or Root kit should redirect here. As I came here looking for the article I strongly support moving Root kit here, SqueakBox 16:07, 4 November 2005 (UTC)

• That is what I am trying to do! An admin has to do this however, since someone changed the original redirect. Once this is done, root kit will point to rootkit instead of the other way around.  –radiojon 16:22, 4 November 2005 (UTC)

Until that moment this must be the talk page for Rootkit and there should just be a redirect to Root kit. This is a mess on a live encyclopedias, and we must be thinking of our readers now who (like me) will be looking for rootkit. Just let the admin do it and don't prepare for the future but focus on the present, SqueakBox 16:29, 4 November 2005 (UTC)

Rootkit and root kit are synonymous, however rootkit is the more common usage among those with domain knowledge.

Yes, it seems the consensus is very clear to move the article. On the other hand a speedy delete won't achiebve that, and really shoul;dn't be on the article as there proper procedures to go through in a case like this and using ther speedy is not one of them, SqueakBox 18:01, 4 November 2005 (UTC)

Yeah, but I don't much like the idea of validating radiojon's histrionics. --Golbez 18:23, 4 November 2005 (UTC)

Indeed not, SqueakBox 18:57, 4 November 2005 (UTC)

Timeline

This article says that Sony's rootkit was reported on November 1 but it was reported on Sysinternals and Slashdot on October 31, http://it.slashdot.org/it/05/10/31/2016223.shtml?tid=172&tid=158.

I agree and I will change it. Kindly note that F-Secure were also working on this (and possibly had informed the vendor(s) as per protocol). There have been sporadic reports as far back as August. I will also add a link to Cory Doctorow's Timeline

--Ben.the.mole 20:46, 15 November 2005 (UTC)

Rooted?

I belive that rooted could also apply to a box that had the administrator's (root's) password changed too, not just if it has a rootkit. Is this information accurate?

Rootkit symbol?

File:RK logo.png

The Rootkit symbol

What is this rootkit symbol that is displayed in the article? There's no mention of it anywhere else in the article nor does it appear if you do a google image search for it. —Umofomia 01:01, 6 June 2006 (UTC)

It looks like this was added back in January by 1() without any explanation [1]. When Fubar Obfusco tried to remove it [2] with the explanation, removing silly "logo" -- there isn't any logo for rootkits, any more than there's a logo for theft or embezzlement, it got reverted without explanation either [3]. What is the origin of this logo? We should remove it if its use is not commonly accepted (which I suspect since it's unlikely something like this would have a logo). —Umofomia 01:12, 6 June 2006 (UTC)

Seeing no response on this and no indication that the image is verified or legitimate, I'm going to take it down now. —Umofomia 06:18, 8 June 2006 (UTC)

common use

the current common use of rootkit is pretty tune to the abuse side pov, make it seems quite negative.

i wonder can we add another common use of rootkit which is to hide from 3rd party scanners from tampering, which emulation software and secure software now use?

sources:

http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/ GSPbeetle ^{complains Vandalisms} 10:41, 7 August 2006 (UTC)

What a rootkit is not

Recent stories about Sony rootkits that were, in fact, not rootkits at all should give us pause. The media (and some software security organizations) seem to want to paint all tools that use rootkit-originated techniques as rootkits. This substantially weakens the previous definition of rootkit: a system security subversion tool which hides itself to prevent detection and removal. I've updated the lead paragraph to reflect the more traditional usage with appropriate citation, but as terminology evolves we should keep an eye out and potentially document the shift in usage.

We must be very careful not to defend either usage, but to attempt to clarify the established and evolving use of the term. Right now, it's probably too soon to say for sure that the usage is evolving, but time will tell. -Harmil 18:27, 27 August 2007 (UTC)

I feel that the tools used by Sony/BMG for copy protection was a rootkit because it installed its self without prompting the user, or providing an easy uninstall. It may not have been intended to be a rootkit, but became one beacuse of the way it was executed. The fact that it hid files, registry entries and its process does not help to fight the fact that it is not a rootkit. (Adam H 00:06, 29 August 2007 (UTC))

How is it not? And why do you think it wasn't intended to be one? (If users can detect and remove it, it loses its functionality, so it's improbable that this was done by accident.) And why doesn't the article address this hot topic? Btw I don't think a silent install is a criterion for rootkits because a lot of spyware, adware, updaters,... install silently without actually hiding or trying to get root access. But a certain class of DRM tools such as Sony's go much further than that. They don't just use similar techniques, they're indistinguishable from rootkits. And yes, their purpose (not only effect) is to subvert system security. I try to secure my system against DRM, they subvert that. —Preceding unsigned comment added by 87.162.58.144 (talk) 01:29, August 29, 2007 (UTC)

It seems the SonyBMG Rootkit is not one by definition of this article "A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." It is NOT the first, but is the second. Rootkit also implies malicious intent, again, something the Sony "rootkit" was not. Therefore shouldn't the reference be removed? —Preceding unsigned comment added by 81.174.171.21 (talk) 22:40, 3 May 2011 (UTC)

Bioshock

At first some guy said that Bioshock contain and install a rootkit but later he retracted from it. But still you can find that bioshock installation indeed put some hidden registry values. So, bioshock install is a rootkit or not?.--Magallanes 17:45, 3 September 2007 (UTC)

I don't think so, but a sony USB drive has rootkit on software. 88.110.218.140 20:17, 9 September 2007 (UTC)

nope Securom is not a rootkit it is software, a rootkit takes root-access securom does not so not a rootkit Markthemac (talk) 02:18, 12 June 2008 (UTC)

List of anti-virus software which can detect a running rootkit?

Should we have one:

Last time I looked the list was short: For windows:

1. NOD32
2. AVG's tool

PiP 06:13, 3 December 2007 (UTC)

don't believe plain 'antivirus' software can detect a running rootkit at all, rather security suites which contain a seperate antirootkit component. anyway, ability to detect depends on the methods the rootkit uses.

also specialist tools like icesword and rku, but in any case, the most advanced ones even slip by these means.

78.86.18.55 (talk) 21:41, 20 December 2007 (UTC)

oh, and gmer is very good. the avg antirootkit component is not great from the tests i've done, and kaspersky has one that's alright. Haven't tried the nod32 one. rku now no longer in public distribution as well.

generally a rootkit element will rely on a trojan/malware (definition a little hazy here) to put itself into a position where it'll run anyway, this is where antivirus has a better chance of picking it up - i.e. picking up the file (s) that install it. AV can also pick up attempts via the web to get this onto your computer using exploits.

though if you're sure you're clean a properly used HIPS should prevent a rk from installing anyway. 78.86.18.55 (talk) 22:49, 13 January 2008 (UTC)

In principle, it's not possible to know that your system has not been rootkitted, for a serious value of know. Lots of rootkits may be caught by this or that package, but some new rootkit be missed by all available ones. It's in the logical situation of proving a negative. As a result, we should NOT put a list of such packages, with such a claim, in this article. ww (talk) 06:16, 14 January 2008 (UTC)

agreed, certainly that we shouldn't put a list of such packages, and that you can't be at a probability level 1 or 0. Preventative action is the best, though the new beta build of gmer is really quite nice at sniffing for evidence. rku was great as well though last version was buggy. 78.86.18.55 (talk) 00:32, 16 January 2008 (UTC)

what about ComboFix? 64.80.40.160 (talk) 00:54, 12 September 2008 (UTC)

Opinionated sentence

Check out the last sentence in the "History" section... does seem a bit opinionated to me. --Gleezus (talk) 17:33, 14 September 2008 (UTC)

I've reworded it and added some references. Socrates2008 (Talk) 07:32, 15 September 2008 (UTC)

Pointless link?

I checked http://www.antirootkit.com/ and it seems to have no actual information other than links to some other sites' articles, collected haphazardly. The "list of rootkits" is more of a sampling from Sophos' press release. I look to one of the regular editors to consider removal. 173.70.191.10 (talk) 15:56, 15 December 2008 (UTC)

Definition

First, in the definition that is given is says a rootkit is malware. This is not true. A rootkit is essential a combination of two words root and kit. Root meaning root access and kit a collection of tools. So a rootkit is a collection of tools that is designed to keep an unauthorized user access to the root (administrators) account undetected. How it got their is something totally different? A malware program might have a rootkit build inside of it; a trojen might as well, or a virus but the rootkit itself is not malware, a trojen or virus it is a rootkit!

I think it might be better to just remove malware from the definition and have it say "A rootkit is a collection of software which consists of a program (or combination of several programs) designed to hide or obscure the fact that a system has been compromised." etc.....

Have a look at What is a rookit article on about.com; it may clarify this a little - http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm

Recovery Console is not mentioned

The article correctly states that Windows Safe Mode is inadequate to view hidden rootkit files. However, it fails to mention that it may be possible to view and delete a rootkit file using the Windows Recovery Console. Information on this topic is easily found on the Web. Omitting this topic is a serious flaw in an article on rootkits, even though the Windows Recovery Console may not be suitable for use by the average computer user. David spector (talk) 02:07, 9 June 2009 (UTC)

Which Mac OS?

The article states that a rootkit exists for Mac OS, but not whether for Mac Classic or Mac OS X. The two are completely separate operating systems. LokiClock (talk) 19:26, 9 January 2010 (UTC)

GameGuard

Is GameGuard a rootkit?--FifthCylon (talk) 11:28, 22 June 2010 (UTC)

WP:NOT Socrates2008 (Talk) 11:26, 15 August 2010 (UTC)

Cleanup

Have cleaned up the article - are there any specific suggestions for improvement before the article is readied for WP:FAC?

Rootkits vs copy-protection

One of the ways that a rootkit can be used to subvert a copy protection mechanism is to hide a virtual CD-ROM device driver so that the copy protection mechanism is tricked into believing that the user has inserted the original media into a physical CD-ROM device (thereby proving ownership of a licensed copy of the media). I'll modify the text once the copyedit by the Guild of CopyEditors is done. Socrates2008 (Talk) 22:10, 21 November 2010 (UTC)

Balance: Windows-centric

As currently written, this article tends to be very Windows-centric. Rootkits are available for other operating systems as well, most notably UNIX-like operating systems. Care should be used to ensure that the article isn't written primarily from the viewpoint of Windows running on a desktop system. This is especially noticeable with the terminology used in the article. The impact and use of rootkits on non-Windows OSes, and on server hardware, should be given more equal coverage. // ⌘macwhiz (talk) 23:31, 21 November 2010 (UTC)

Windows overtook other operating systems some years ago in terms of the number of rootkits in the wild, their sophistication, as well as the platform that is most targeted by rootkits. This weighting is mirrored in the sources that are available, as well as being stated explicitly in a number of them. I've tried to make concepts such as computer security rings as general as possible - they are not Windows-centric as both Apple and linux leverage this processr feature too. However I take your point that the article could include some more information from other platforms - the challenge will be digging it out.

A very big thank you for taking on the task of copyediting, and for doing it so quickly too. Socrates2008 (Talk) 08:18, 22 November 2010 (UTC)

GA Review

This review is transcluded from Talk:Rootkit/GA1. The edit link for this section can be used to add comments to the review.

Reviewer: Pnm (talk) 02:29, 13 December 2010 (UTC)

GA review (see here for criteria)

1. It is reasonably well written.

   a (prose): b (MoS for lead, layout, word choice, fiction, and lists):

   Prose is OK. Sometimes wordy.^[1][2][3] Difference-based contains a very long sentence.^[4] Uses and Installation and cloaking sections could benefit from copyediting. Minor word choice issues: unencyclopedic-sounding phrase in Alternative trusted medium: "the best and most reliable method;" weaselly: "there are experts."

2. It is factually accurate and verifiable.

   a (references): b (citations to reliable sources):

   Some sections don't cite enough sources:

   • the entire Detection section except except Alternative trusted medium
   • Installation and cloaking
   • Public availability

   c (OR):

   Several sections contain examples of original research, synthesis, or attributions not backed up by the cited sources:

   • Sony rootkit scandal under History
   • Installation and cloaking
   • Detection
   • Removal
   • Public availability

   Examples:

   • "The public-relations fallout for Sony BMG was compared by one analyst to the 1982 Chicago Tylenol murders.^[5]"

   Not in source. The source describes the seriousness of the incident, not the public-relations fallout.^[6]

    Fixed – Replaced specific mention of Tylenol incident with a quote from the article. --Pnm (talk) 00:37, 17 December 2010 (UTC)

   • "The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI) compensation method for distributors.^[7]"

   Dubious, unsupported by the source, and contradicts statements in Public availability. The source is about a single rootkit, which should be named.^[8]

   • "Given the stealth nature of rootkits, there are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.^[9][10]"

   Synthesis. The sources support "some believe the only reliable way..." but neither source credits "the stealth nature of rootkits."

    Fixed – Removed "Given the stealth nature of rootkits." --Pnm (talk) 01:26, 17 December 2010 (UTC)

   • "Most of the rootkits available on the Internet are constructed as an exploit or academic "proof of concept" to demonstrate varying methods of hiding things within a computer system and taking unauthorized control of it."^[11]

   Misattributed, and dubious. The source says "some," not "most", includes the phrase "for now," and uses tone which further implies tentativeness/qualification.

3. It is broad in its coverage.

   a (major aspects): b (focused):

   Good work improving this in recent months.

4. It follows the neutral point of view policy.

   Fair representation without bias:

   Two issues:

   1. The paragraph on the Sony rootkit scandal obscures what it's trying to say in order to sound NPOV. It should be rewritten to be more direct, less detailed, and more objective. Amazingly it buries the link to the main article Sony BMG CD copy protection scandal near the end of the paragraph, yet links to Sony BMG eight times. The mention of the 1982 Chicago Tylenol murders has a referencing problem (explained above).

    Fixed – Rewrote section. --Pnm (talk) 00:37, 17 December 2010 (UTC)

   1. The lead gives undue emphasis to the view that rootkits are beneficial. (The lead sentence does so by omitting "unauthorized." The end of the lead paragraph says rootkits have "negative connotations.") Using connotation implies merely subjective negativity The primary use of rootkits is gaining and preserving unauthorized access to a computer system. There are some rootkits that benefit the system owner, but in those cases the system owner installs the rootkit on purpose. These should be treated as the exceptional cases they are.

5. It is stable.

   No edit wars, etc.:

6. It is illustrated by images, where possible and appropriate.

   a (images are tagged and non-free images have fair use rationales): b (appropriate use with suitable captions):

   The caption on the illustration of security rings is confusing. After reading ring (computer security) I'm still confused. I don't understand whether it's possible to show the hypervisor ring (Ring -1) in such a diagram.

   Incidentally, I do think the image at ring (computer security) is slightly better.

7. Overall:

   Pass/Fail:

   The minor issues can be corrected quickly. However, the sourcing and OR issues are serious, and will require careful review, source verification, and additional research. I don't think these steps should be rushed, so at this time I will fail the review.

Notes

1. "Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms."
2. "It is not uncommon to see a compromised system in which a sophisticated, publicly-available rootkit hides the presence of unsophisticated worms or attack tools that appear to have been written by inexperienced programmers."
3. "System hardening represents one of the first layers of defence against a rootkit, to prevent it from being able to install. Applying security patches, implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware. Once these measures are in place, routine monitoring is required."
4. "For example, binaries present on disk can be compared with their copies within operating memory (as the in-memory image should be identical to the on-disk image), or the results returned from file system or Windows Registry APIs can be checked against raw structures on the underlying physical disks—however, in the case of the former, some valid differences can be introduced by operating system mechanisms like memory relocation or shimming. Difference-based detection was used by Russinovich's RootkitRevealer tool to find the Sony DRM rootkit."
5. "Sony's long-term rootkit CD woes". BBC News. 2005-11-21. Retrieved 2008-09-15.
6. It's not even a good example of bad public-relations fallout. On the contrary, J&J was widely praised for how it handled the Tylenol incident. The source doesn't contradict this.
7. Matrosov, Aleksandr; Rodionov, Eugene (2010-06-25). "TDL3: The Rootkit of All Evil?" (PDF). ESET. Retrieved 2010-08-17.
8. That is, unless it is verifiably typical. That would be a big deal.
9. Danseglio, Mike; Bailey, Tony (2005-10-06). "Rootkits: The Obscure Hacker Attack". Microsoft.
10. Messmer, Ellen (2006-08-26). "Experts Divided Over Rootkit Detection and Removal". NetworkWorld.com. Framingham, Mass.: IDG. Retrieved 2010-08-15.
11. Stevenson, Larry; Altholz, Nancy (2007). Rootkits for Dummies. John Wiley and Sons Ltd. p. 175. ISBN 0471917109.

RE:Your Removal of an Needed Clarification of the Misleading Rootkit Definition.

(Moved here from my talk page) Socrates2008 (Talk) 21:38, 30 May 2012 (UTC)

The Update indicated: Acknowledge existence of the valid software package which include privileged access and those which use this access for malicious purposes. Also acknowledge rootkit removal is sometimes possible. It is important to note that no "New" information has been added to the definition. It was almost entirely a rewording to address the misleading order. So your comment of "make wholesale changes to the meaning of the article" is inaccurate and you removed the change without reading it closely. The edit was "on-line" for over a week, and there were no negative comments of any nature.

You have removed an important update which makes the important distinction between "Legitimate Rootkits" or "Malicious Rootkits". All Anti-Virus utilities are themselves Rootkits, in that they have placed "hooks" in the OS in order to provide their "shield" functions. The AV utilities also maintain a long list of known Legitimate Rootkits, and those lists are constantly be updated.

Just visit any of the Forums run by the AV Developers in order to see the confusion of many of the users because of the assumption that a Rootkit is a "bad thing". The corrected definition is now being linked from new post on these forums in order to calm the fears after a user updates their software and discovers it has made, what are legitimate modifications to their system software.

While your list of contributions and acknowledgements is impressive, I am very surprised at your short sited and heavy handed manner of just replacing the corrected definition with the previous misleading definition. I have not had the luxury of time to record my accumulated knowledge in this venue, because I have been busy for the last forty years writing and maintaining system software. It does not appear that your specific experience is in this area of operating system software.

If there is a fixed requirement that all changes be first posted on "Talk" pages, then enforce that policy by removing direct Edit as a method available on the Edit Pages.

It may be more correct to divide this entry into three definitions: Rootkits, Legitimate Rootkits, and Malicious Rootkits. But if you are familiar of the term Data Normalisation, dividing things too many times will result in a loss of usefulness (or performance as is mentioned in the ref). If you would care to discuss any particular item in the re-worded definition, please contact me so that we may do so.

Noul Edge - If "Ignorance is Bliss", What is Knowledge? (talk) 20:51, 30 May 2012 (UTC)

• You are launching a personal attack in your very first interaction with other editors - that approach generally leads to a sanction. Discussion needs to be focused exclusively on article content.
• WP does not recognise forums as reliable sources and requires references for additions to article
• You changed the introduction and added new content that's not in the body. The intro is meant to be a summary of the article, not contain new information.
• You've substantially changed the article's description and meaning of what rootkits are to a minority view that says they are generally not associated with malware - major changes like this need consensus from other editors. It does not help that this was also your first edit on Wikipedia, as you have not yet established any crediblity with other editors.
• You added bold text that does not follow the manual of style
• I was not the first to flag your edits as controversial or lacking neutrality
• Some of your edits are original research - for example, the first rootkit for NT was not malicious
• If I gave you $1 for every "good" rootkit, and you likewise gave me $1 for every "bad" rootkit that I named, I'd be very wealthy. Find a reference that says that there are more good than bad rootkits and you'd have the beginning of an argument.
• WP's policy is that editors reached consensus - so please do that here on this page Socrates2008 (Talk) 21:58, 30 May 2012 (UTC)

---

• There was no intention of a personal attack. I only mentioned that from your contributions, your area of expertise is not system software. And no place did you indicate you were an Editor. If you took it that way I truly apologize. The removal of an entire edit, after eight days, was to say the least, very surprising.
• If WP does not accept the organizations which 1) produces of the most numerous legitimate rootkits (by installation), 2) whose purpose is to detect rootkits, and 3) maintains the lists which differentiates between legitimate and malicious rootkits, what authority would be acceptable? No better one, the combination of all the AV firms, exists.
• The article is Rootkits, that would be both Legitimate and Malicious. The article eludes to the fact that legitimate ones exists, but that is easily missed by a first time reader. While the body contains information mainly concerning the malicious versions, the introduction should certainly and clearly acknowledge that both exists. There is no new information in my edited version, with the exception of expanding the explanation that removal is possible without a complete system re-installation. An unquestionably accurate addition.
• If the majority is mistaken about a fact, does that then make that opinion now become "true"? Certainly not. The fact is undeniable that both Legitimate and Malicious rootkits exists. My understanding was that WP is exactly the place to correct a mistaken majority opinion and clarify it with the Truth. - - Should I take "this was also your first edit" as a personal attack? It certainly is not "focused exclusively on article content". My knowledge and experience on this subject is considerable. If, before a first edit, WP would like to perform some type of credibility check, that would be very reasonable. But that is not the policy, so I made this clarifying edit. - - Respect needs to go both ways.
• I will review and correct the use of bold text. Thank you, this is exactly the type of detailed suggestion I was hoping to receive.
• I would also beg to differ on this point. The existing article violated the lacking neutrality, because it clearly begins with Rootkit=bad, and then eluded to the fact the there are actually "good" ones, and the name rootkit comes from the original legitimate ones. If there are specific points or objections, please let's discuss them. (Please note, you admit "good" rootkits exists in your point making the wager.)
• Your sentence "the first rootkit for NT was not malicious", is absolutely true. But the article is not mentioning the first rootkit, it is mentioning a Trojan Horse released years after NT was released. (And thank you for making my point on how easily that distinction is confused.)
• If the number in question is the installed copies. Every PC has more than one, because almost everyone has an AV Utility, or two, or three (but that's another problem off this topic), and there are numerous other categories of application software which utilize rootkits, for example games, development tools, and many more. Only a small percentage of PCs are infected by a malicious rootkit. The first number would be time consuming to collect, but getting the legitimate list from an AV Utility maker, and then researching the number of sold copies is definitely possible. The second would be harder to ascertain, due to the fact that the newest infections are not detected for sometime, and let's not forget the most infections are not rootkits. - - Seriously if you are willing to make this wager, I will do the leg work. And to insure the winner would be paid, an escrow account can be set up into which we will both deposit, say $100,000, which represents only a small percentage of the One Billion PCs in use. But we better hurry, the number will double again in two years. (And thank you, again, for making my point on how easily the legitimate rootkits are overlooked.)
• Does "that editors reached consensus" mean that all their questions have been summarized in your list? Is eight days the normal period for this to occur?

Socrates, we have obviously gotten off to a bad start. You assumed because I'm a first timer that I do not know the subject matter. And your surprising removal of an 8 day old edit, with neither an indication that you are an Editor, nor supplying the details you have given above, was assumed to be unfounded. So again, for my presumptiveness, I apologize.

I believe I have answered these concerns, well beyond the "the beginning of an argument", and closer to the conclusion. You have yourself confirmed that both legitimate and malicious rootkits exists. And would you really question the sequence, that is eluded to but not clearly stated in the article, that: first privileged system code was written, and then someone modified this code for malicious purposes. Or to put it another way, first there was the egg, and then the rotten egg. I believe this is an irrefutable piece of common sense, which does not require a "Reference", even if a single creditable one should actually exist.

As I stated, there are numerous links to this Rootkit definition to calm the "chicken little" fears (not an attack, but an admission, because I am not exactly calm when I discover an infection on my PC). This clarification is both accurate and needed. Can we please restore this edit and then make any detailed adjustments you feel are necessary?

Thank You Noul Edge - If "Ignorance is Bliss", What is Knowledge? (talk) 02:02, 31 May 2012 (UTC)

P.S. If you wish to get into your area of expertise, was General Sickles justified in moving his unit, without orders, during the second day of the Battle of Gettysburg?

---

This is not my field, but I would suggest that there are going to need to be some clear reliable sources (and more than one) for a definition of rootkit that states it is malware, rather than it being defined as a type of software, one category of which is malware. The version I'm reading right now (ie. rootkit is malware, with really only a single sentence referring to its origin as meaning something broader) doesn't sound right to this layperson at any rate. hamiltonstone (talk) 23:13, 30 May 2012 (UTC)

Thank you Hamiltonstone for your agreement. Having written and supported systems for almost 40 years, I would have no idea what or where to look for some reference that the first use of the this word, Rootkit, was for Legitimate System Utilities. When Unix was first written in the '70's, we may forget, but at that time everything was on paper, and I would seriously doubt that anyone has scanned any manuals for those first utilities which have been obsolete and useless for more than thirty years. So there is no way to perform an electronic search: Most important to consider is this;

• Today, software which runs as privileged code, such as AV Utilities, are referred to as Rootkits.
• First the Privileged System code was written, then malicious modifications (Did you like the "1st Egg, then Rotten Egg"?)

Are not some things just undeniable common sense? ...for example, the sun is HOT, even though now we have the knowledge to estimate the temperatures in it's core and on its surface, the original statement is accepted without the original source, nor an exact quantitative value.

Thanks again, Noul Edge - If "Ignorance is Bliss", What is Knowledge? (talk) 02:35, 31 May 2012 (UTC)

---

Your assumptions about my profession are incorrect, so just stop there. Apparently both you and I have both been writing system software for decades, but this is irrelevant, as our personal experience and viewpoints actually count for nothing here. Wikipedia does not recognise original research, and requires reliable and verifiable secondary sources for any additions to the article.

To your point that all antivirus products are rootkits. Yes, Russinovich caught out Norton Systemworks & Kaspersky back in 2006, but they both subsequently removed the functionality under pressure. That incident involved two a/v vendors, not all a/v vendors, and I've seen nothing to suggest that any have reverted to this design pattern. Secondly, this is a scenario where rootkits were used by "good" software, but their use was widely considered to be "bad", hence the reason that so much pressure was put on them to re-architect their software. In other words, the view that rookits are generally malicious is universal, despite there being a handful of truly desireable and positive usage scenarios. Socrates2008 (Talk) 11:12, 31 May 2012 (UTC)

Before spending a lot of time trying to use logic to resolve this difference, let me ask you a straight forward question:

Is it possible you are incorrect?

First let me clarify that "right" and "wrong", is much different than "correct" and "incorrect", the former implies a moral component. If this is not possible then we need some higher level of conflict resolution.

Like you, I was originally mistaken as to the meaning of Rootkit, but after reading many references, which did not agree with my opinion, I did some simple research and found I was incorrect (not morally wrong), so I changed my opinion. Is that possible with you?

Allow me to attempt to succinctly state our different opinions.

Yours: - ROOTKIT = both are must be, 1st: "conceal itself". 2nd; "malicious", performs actions detrimental to network, system, or user(s).

(Do you think the first part, root means something which lies below the surface?)

Mine: -- ROOTKIT = Privileged Code, utilizing protected system resources and functions. The term originating with Unix System Utilities which supplied functions not in the operating system. The current use is for both legitimate privileged software, and malicious software which gains and utilizes privilege through unauthorized means.

Please let me know if this summary is accurate.

In the mean time, since you like Kaspersky (and your recent edit was incorrect and did not supply a reference), Downloadand run TDSSKiller on your system (the report is placed in the top folder of your system drive). It will list all of what is considered "rootkits". Review this list and you will find things like your AV utility, Adobe Flash Player, in my case my camera package, and lots more. Noul Edge - If "Ignorance is Bliss", What is Knowledge? (talk) 20:08, 31 May 2012 (UTC) Allow me to clarify, the items, drivers and libraries, are privileged components. Any of the listed items, not from the MS Distribution, are considered "rootkits".Noul Edge - If "Ignorance is Bliss", What is Knowledge? (talk) 21:11, 31 May 2012 (UTC)

What you keep missing is that it's not up to me (or you) to be "right" or "wrong" or "correct" or "incorrect", as our personal opinions count for nothing in the article. e.g. I don't need to have used Kaspersky myself to be able quote an authority like Mark Russinovich on this topic in the article.

Current article definition: Rootkit = 1) Code giving backdoor unauthorised access (original unix meaning) 2) Subsequently evolved to now mean code that implements cloaking behaviour (in user mode, or in privileged kernel mode). Usage may be good or bad, malicious or beneficial, but most people now view rootkits negatively because of their prolific use by malware, and scandals like the Sony fiasco.

Your definition: Rootkit = Anything that runs in Ring 0. You take the etymology quite literally, and don't recognise cloaking as being important, nor usermode function hooking that does not require any special privileges. By your definition, kernel drivers, and indeed most of the operating system itself, is a rootkit and presumably any hypervisor too?

Is it possible you are incorrect? Otherwise, please show us references that prove otherwise... Socrates2008 (Talk) 08:54, 1 June 2012 (UTC)

PS: Oh, and TDSSKiller finds nothing on my computer (and I have a lot of different software installed, including Adobe Flash) Socrates2008 (Talk) 10:33, 1 June 2012 (UTC)

PPS: Some background reading: "Originally, a rootkit was simply a collections of tools that enabled administrator-level (also known as root access in the Unix world) to a computer or network. The term referred to set of recompiled Unix tools, including ps, netstat, ls and passwd. Becase these same tools could be used by any attacker to hide any trace of intrusion, the term rootkit became associated with stealth. When these same strategies were applied to the Windows environment, the rootkit name transferred with them. Today, rootkit is a term commonly used to describe malware-such as Trojans, worms and viruses-that actively conceals its existence and actions from users and other system processes" (from Rootkits, Part 1 of 3: The Growing Threat)

Socrates, thank you for the additional information. I have personal issues which require my attention today, but will make a more detail response later.

PS: I never indicated that Malicious Rootkits would be detected (and am glad none were), my suggestion was to scan the list of privileged components in the log file to determine the non-Windows components that reside on your system. (I acknowledge and respected your reluctance to call them Legitimate Rootkits, so I did not.) Of course, you are aware that any of these added components may contain a dormant, yet to be recognized, piece of malware. And so that now not calling one of them a Malicious Rootkit, is just a matter of our (and Kaspersky's) ignorance. (check my signature)

Noul Edge - If "Ignorance is Bliss", What is Knowledge? (talk) 17:30, 1 June 2012 (UTC)

Deleting all files cannot be called a 'defence'

• This point concerns what I take to be a misstated claim since it is hard to believe the author intended it. (But I'm not sure what it should say unless it is mislocated from another part of the article - maybe removing rootkits, rather than defending against them?)

The article currently claims that "In most cases however, the only defense against a rootkit is to reformat your hard drive to completely delete all files". This is in the context of a discussion of system hardening, monitoring etc. to defend against rootkits. While it is true that wiping your hard drive and keeping it that way would be an even more certain defence against not only rootkits but much other malware as well, I am not sure that it should be included given its likely incompatibility with most users' purpose in defending themselves in the first place. (It would not, of course, defend against all the rootkits discussed on this page since you could still boot using a live media and thus activate a rootkit in BIOS etc.)

I removed this. The quote you mention is cited incorrectly and belongs in the removal section like you say. The ref for this quote is appropriate for the previous sentence but does not ref the sentence you mention. Ggpur (talk) 16:15, 16 February 2014 (UTC)

• This point is more opinionated. (I think I'm right but then I would, wouldn't I? It being my opinion and all.)

Also, any particular reason to make BitLocker and PrivateCore sound like The Solution You've All Been Waiting for? Note that closed-source code is an unknown. Indeed, it is a known vulnerability given recent revelations concerning NSA and GCHQ. This doesn't mean open code is invulnerable. Nor does it mean closed code is insecure. But open code is subject to scrutiny. This article seems oblivious to these debates. If anything, it suggests (with scant evidence as far as I can see) that transparency breeds exploits. — Preceding unsigned comment added by 62.255.73.246 (talk) 02:41, 16 February 2014 (UTC)

Yeah, and open code written by amateurs is more secure - like Heartbleed for instance. 122.106.249.198 (talk) 10:31, 15 July 2015 (UTC)

External links modified

Hello fellow Wikipedians,

I have just added archive links to 2 external links on Rootkit. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

• Added archive https://web.archive.org/20100610194454/http://www.nvlabs.in:80/archives/5-BOOT-KIT-Custom-boot-sector-based-Windows-2000XP2003-Subversion.html to http://www.nvlabs.in/archives/5-BOOT-KIT-Custom-boot-sector-based-Windows-2000XP2003-Subversion.html
• Added archive https://web.archive.org/20101024164136/http://www.sans.org:80/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901 to http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers. —^{cyberbot II}_{Talk to my owner:Online} 10:59, 17 October 2015 (UTC)

External links modified

Hello fellow Wikipedians,

I have just added archive links to one external link on Rootkit. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

• Added archive http://web.archive.org/web/20120910164327/http://www.sans.org:80/reading_room/whitepapers/threats/kernel-rootkits_449 to http://www.sans.org/reading_room/whitepapers/threats/kernel-rootkits_449

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—^{cyberbot II}_{Talk to my owner:Online} 03:08, 28 February 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified one external link on Rootkit. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Corrected formatting/usage for http://www.sans.org/reading_room/whitepapers/threats/kernel-rootkits_449

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—^{cyberbot II}_{Talk to my owner:Online} 06:53, 23 June 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on Rootkit. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20060814225723/http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html to http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html
• Added archive https://web.archive.org/web/20120425194643/http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf to http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 08:57, 3 September 2017 (UTC)

Removal of Rootkit#Public_availability

The section Rootkit#Public_availability feels very out of place, provides no encyclopedic value, and makes empty and dubious assertions. Unless someone raises an objection, I am going to delete the section and move the last sentence about GameGuard to the Rootkit#Uses section. Virtio (talk) 23:59, 5 November 2019 (UTC)

"SucKIT" listed at Redirects for discussion

A discussion is taking place to address the redirect SucKIT. The discussion will occur at Wikipedia:Redirects for discussion/Log/2020 August 17#SucKIT until a consensus is reached, and readers of this page are welcome to contribute to the discussion. Hog Farm _Bacon 14:16, 17 August 2020 (UTC)

"Rootkit/archive" listed at Redirects for discussion

An editor has identified a potential problem with the redirect Rootkit/archive and has thus listed it for discussion. This discussion will occur at Wikipedia:Redirects for discussion/Log/2022 December 1#Rootkit/archive until a consensus is reached, and readers of this page are welcome to contribute to the discussion. -- Tamzin^{[cetacean needed]} (she|they|xe) 05:20, 1 December 2022 (UTC)

Here's a perspective

People are focused on defining characteristics to write an encylopedic article on a notoriously recluse type of software.

And i offer this: to those whom spent any length of time reading policy agreements, licenses or other legally binding documents, you'll find the source the software (by name or word search) is registered and filed publicly for now at the US Patents and Trademark office.

One just need query the magic word...

See the following for some backstory https://en.wikipedia.org/wiki/Google_LLC_v._Oracle_America,_Inc.

It would seem cookies can be tracked both ways to some degree (manor of speak). 24.19.141.129 (talk) 06:19, 12 February 2023 (UTC)