Rootkit is a collective term for software tools that conceal processes and files so that they escape detection by the user or by antivirus software.
Rootkit technology contains no harmful function in itself; used as a cover, however, it ensures that other software, including malware, remains invisible and can therefore work in the background unnoticed by the user.
Even ostensibly harmless commercial applications have made use of rootkits. The best-known example: Sony BMG shipped the XCP copy-protection software, concealed by rootkit techniques, on a large number of music CDs.
Historically, the concept originates from the Unix world, where modified versions of certain system commands (for example ls, ps or netstat) allowed an intruder who had obtained root, the highest administrative privilege, to keep that access without leaving any visible trace.
Several techniques exist for implementing rootkits, each hooking into the system at a different level: application rootkits, which have so far remained rare, and the more common kernel or userland rootkits.
What all of them share is their purpose, namely hiding certain files, network connections or processes. For example, the output of the "dir" command of the Windows command prompt (which lists the contents of a directory) can be manipulated so that the files containing malware are not displayed. The same can be done when the Windows Registry is inspected or existing network connections are listed.
The technical nature of rootkits is precisely what makes them hard to detect and remove. Once a computer whose operating system is infected with a rootkit is running, i.e. has been booted, detecting and especially removing the active rootkit ranges from difficult to impossible, because the rootkit is already manipulating the very system functions a scanner relies on.
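The following is an added example, not code from the original page or from G DATA, illustrating the two points above: how a rootkit filters a directory listing so that its files never reach the caller, and why a second, independent view of the system (cross-view detection) is the practical way to notice it while the machine is running. Monkeypatching os.listdir in Python is a stand-in for what a real userland rootkit does to readdir() in the C library (e.g. via LD_PRELOAD) or a kernel rootkit does in the kernel; the prefix "rk_" and the file names are constructed for the demo. The PID probe generalises the same idea to processes: kill(pid, 0) asks the kernel about each PID directly, bypassing the /proc listing that ps and similar tools rely on.

```python
import os
import tempfile

# Assumption for this demo: the simulated rootkit hides every directory entry
# whose name starts with this prefix (real rootkits use their own magic names).
HIDE_PREFIX = "rk_"

_real_listdir = os.listdir  # keep a reference to the genuine function


def hooked_listdir(path="."):
    """Stand-in for a rootkit's hooked directory listing: call the real
    function, then strip the entries the rootkit wants to keep invisible.
    A real userland rootkit does this to readdir() in libc (e.g. via
    LD_PRELOAD); a kernel rootkit does it inside the kernel."""
    return [name for name in _real_listdir(path) if not name.startswith(HIDE_PREFIX)]


def install_hook():
    """Simulate the infection: callers of os.listdir now get the filtered view."""
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def low_level_view(path):
    """Independent second view of the same directory. os.scandir is a
    separate code path that never calls os.listdir, so the hook above cannot
    influence it; a scanner run from a boot CD is the real-world analogue."""
    with os.scandir(path) as entries:
        return sorted(entry.name for entry in entries)


def cross_view_hidden(high_level, low_level):
    """Cross-view detection: anything the lower-level view reports that the
    higher-level (hookable) view omits is a candidate hidden object."""
    return sorted(set(low_level) - set(high_level))


def demo_hidden_files():
    """Create a throw-away directory with constructed sample files, 'infect'
    the listing API, and return the names the cross-view check exposes."""
    with tempfile.TemporaryDirectory() as workdir:
        for name in ("report.txt", "rk_payload.dll", "rk_config"):  # constructed
            open(os.path.join(workdir, name), "w").close()
        install_hook()
        try:
            high = sorted(os.listdir(workdir))   # what the user (or 'dir') sees
        finally:
            remove_hook()                        # always restore the real function
        return cross_view_hidden(high, low_level_view(workdir))


def pids_by_probe(first, last):
    """Low-level process view: ask the kernel about each PID directly with
    kill(pid, 0). ESRCH means no such process; EPERM means it exists but
    belongs to someone else. This bypasses /proc, which userland rootkits
    commonly filter. POSIX only: on Windows os.kill with signal 0 terminates."""
    if os.name != "posix":
        raise RuntimeError("PID probing via kill(pid, 0) is POSIX-only")
    found = set()
    for pid in range(first, last + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours
        found.add(pid)
    return found


def pids_from_proc():
    """High-level process view, the one ps/top use: numeric entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_includes_self():
    """Sanity check: the probe must at least see the running process."""
    me = os.getpid()
    return me in pids_by_probe(me, me)


if __name__ == "__main__":
    print("hidden files exposed by cross-view:", demo_hidden_files())
    if os.path.isdir("/proc"):
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
        hidden_pids = cross_view_hidden(pids_from_proc(), pids_by_probe(1, pid_max))
        print("PIDs visible to kill() but missing from /proc:", hidden_pids)
```

Two caveats when using the process check on a live Linux system: probing every PID up to pid_max (commonly 4194304) takes a few seconds, and a process that starts or exits between the two views shows up as a spurious discrepancy, so re-check any PID reported before treating it as hidden. A kernel rootkit that filters both the /proc listing and the kill() syscall defeats this particular pair of views, which is why an offline scan from separate boot media remains the more reliable check.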
G DATA security products offer the option of creating a Linux-based boot CD with which the computer can be started without using the installed operating system. With the virus scanner contained on the CD, the system can be scanned in a state in which any rootkits present on the hard disk are not active and can therefore be discovered more easily.