What are user-mode vs. kernel-mode rootkits?

All modes of rootkits are difficult to detect, but one type is preferred by hackers over another. Read about different rootkits in this tip.

Learn how to detect and remove rootkits in Windows systems with this collection of tips, written by Microsoft's Kurt Dillard. Read one of the several tips below, or return to the main page for the complete list.

What are user-mode vs. kernel-mode rootkits?

The concealment aspect is what distinguishes rootkits from other types of malware, and it's what makes them so difficult to detect and remove. Rootkits can provide the attacker with a backdoor for future attacks, launch and hide other applications, and gather sensitive data to be collected by the attacker at a later time.

Today's common rootkits usually run in user mode with administrative privileges. Breaking the integrity of the trusted computing base, they alter the security subsystem and display false information to legitimate administrators of the compromised computer. They intercept system calls and filter output application programming interfaces (APIs) to, for example, hide processes, files, system drivers, network ports, registry keys and paths, and system services.

There are many user-mode rootkits available, including HE4Hook, Vanquish, Aphex and currently the most widespread, Hacker Defender. Each of these rootkits is persistent in that its files must be copied to the target operating system's hard drive and launched automatically each time the system boots.

The drawback to user-mode rootkits is that they can be detected by code running in kernel mode. What is a rootkit author to do about that? He loads his kit into the kernel of course! That, however, is easier said than done.

It is exceedingly difficult to create a kernel-mode rootkit that remains hidden because, should your code crash, Windows will bluescreen. Kernel-mode rootkits tend to cause many system crashes, and this is often how Microsoft support personnel determine that their systems have been victimized.

FU is a non-persistent kernel-mode rootkit that is very difficult to detect. Since it is not persistent, no files are stored on the compromised system. Since it is a kernel-mode rootkit, it is very hard to detect. On the other hand, rebooting the system will remove it, forcing the attacker to compromise the target all over again.

Unfortunately, other types of malware, besides rootkits, are hidden. Attackers hide keystroke loggers and other types of spyware using the same methods as some of the rootkits described earlier. A few months ago, my colleagues assisted a very unhappy customer whose company's computers were crashing frequently. The underlying cause was a piece of spyware trying to hide itself as a kernel-mode rootkit.

About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.

Click for the next tip in this series: How can I detect and remove rootkits from Windows?

Dig deeper on Network intrusion detection and prevention and malware removal



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: