1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to prevention of rootkit installations on a computer system.
2. Description of Related Art
A rootkit can be generally described as a set of programs or codes that allows the rootkit itself, and typically some additional programs or codes, to maintain an undetectable presence on a computer. Current computer system attackers use a variety of rootkit implementations to hide their activities on a computer system. When an attacker compromises a computer system, the rootkit typically maintains an access point into the computer system, e.g., a backdoor, that can be used to access the computer system and to pull discovered information out over a hidden communication channel.
In order to ensure that its activity and access point remain available, the rootkit typically hides its presence on the computer system. For example, some rootkits hide their files and processes, erase traces of their activity, and alter information returned to a user or the computer system to conceal their presence on the computer system. As a rootkit is typically undetected by a user of a computer system, rootkits are typically categorized as malicious code.
Rootkits can be differentiated as either user mode rootkits, which operate in user mode, or kernel mode rootkits, which operate in kernel mode. Kernel mode rootkits are generally viewed as a more serious threat to a computer system than user mode rootkits because the kernel's code can itself be modified, so that information obtained from the kernel can no longer be trusted, either by the computer system or by software that relies on information obtained through kernel systems.