Types Of Rootkits
Rootkits can be divided into 1) firmware, 2) virtualized, 3) kernel, 4) library and 5) application level kits.
Firmware
Firmware rootkits create a persistent foothold by storing the malware in firmware, where it can remain hidden because firmware is typically not checked for code integrity. This was demonstrated by John Heasman for ACPI [8] and also for PCI expansion ROMs [9].
Virtualized
The lowest level of rootkits produced is virtualized rootkits. These rootkits function by modifying the system's boot sequence so that they are loaded instead of the original virtual machine monitor or operating system. By loading the original operating system as a virtual machine, a virtualized rootkit is able to intercept all hardware calls made by that guest operating system. An example of such a virtual machine based rootkit (VMBR) is the SubVirt laboratory rootkit, which was created by Microsoft and the University of Michigan.
Kernel level
Kernel level rootkits conceal backdoors on a computer system by adding code to the kernel or by replacing portions of kernel code with modified code, delivered via device drivers (on Windows) or loadable kernel modules (on Linux). These rootkits can have a serious effect on the stability of the system if the kit's code contains mistakes.
Kernel rootkits can be difficult to detect, making them even more dangerous.
Library level
Library rootkits usually patch, hook, or supplant system calls with versions that seek to keep the attacker hidden.
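A defender-side check for the library level, added here as an example and not part of the original text: on Linux, a library rootkit commonly gets its hooked versions of libc functions loaded through the dynamic loader's preload list (/etc/ld.so.preload or LD_PRELOAD), so inspecting that list and the shared objects mapped into a process gives a cheap first look. The directory allowlist and the sample file contents are assumptions constructed for the example.

```python
import os
import re

# Directories where system shared libraries normally live on Linux
# (assumption; extend the tuple for your distribution).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Matches the pathname column of a /proc/<pid>/maps line when it is a .so
_SO_PATH_RE = re.compile(r"\s(/\S+\.so(?:\.\d+)*)$")

def parse_preload(text):
    """Entries of an /etc/ld.so.preload file, skipping blanks and comments."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def mapped_shared_objects(maps_text):
    """Distinct shared-object paths that appear in a /proc/<pid>/maps listing."""
    seen = []
    for line in maps_text.splitlines():
        m = _SO_PATH_RE.search(line.rstrip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def untrusted_objects(paths):
    """Paths that do not sit under one of TRUSTED_LIB_DIRS."""
    def trusted(p):
        n = os.path.normpath(p)
        return any(n == d or n.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
    return [p for p in paths if not trusted(p)]

def check(preload_text, maps_text):
    """Return (reason, path) findings: every preload entry is reported, since a
    clean host normally has none, plus every .so mapped from an untrusted dir."""
    findings = [("preload", p) for p in parse_preload(preload_text)]
    findings += [("untrusted-mapping", p)
                 for p in untrusted_objects(mapped_shared_objects(maps_text))]
    return findings

# Constructed sample inputs standing in for the real files on a host.
SAMPLE_PRELOAD = "# constructed sample\n/usr/local/lib/libhook.so\n"
SAMPLE_MAPS = "\n".join([
    "7f1c00000000-7f1c00020000 r--p 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6",
    "7f1c00020000-7f1c00030000 r-xp 00000000 fd:01 5678 /usr/local/lib/libhook.so",
    "7f1c00030000-7f1c00040000 r-xp 00000000 fd:01 9012 /tmp/.x/libhide.so",
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0                          [stack]",
])

if __name__ == "__main__":
    print(check(SAMPLE_PRELOAD, SAMPLE_MAPS))
```

On a live host, feed it the contents of /etc/ld.so.preload and /proc/<pid>/maps for a process whose output you distrust (such as ls or ps); a hit is a lead to investigate, not proof of compromise.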
Application level
Application level rootkits function by substituting standard application binaries with trojanized fakes, or by modifying the behavior of existing applications through hooks, patches, injected code or some other means.