Unless you’ve been sleeping under a rock, you know that rootkits are bundles of code that act as invisible cloaks for other software. When doing its job properly, a rootkit allows the cloaked software to operate without interference or detection by users, managers, or protective software, including antivirus, antispyware and rootkit detectors.

It is critical to note that rootkits irrevocably change your operating system. As top rootkit author Greg Hoglund says, a rootkit “inserts backdoors into existing programs, and patches or breaks the existing security system.”

For this reason, rootkits are often deployed for projects most users don’t appreciate, like trojans, viruses, spyware and Digital Rights Management (à la Sony BMG). As an operating system that enjoys a huge audience, Microsoft Windows is a giant target. And the best rootkit for Windows?

Rootkit.com lists Hacker Defender as “the most popular and widespread rootkit today.” Hacker Defender’s creator, holy_father (hf), offers several versions of the Hacker Defender rootkit. All target the NT-based versions of Windows: NT, 2000, XP and 2003. hf has graciously agreed to answer a number of questions about rootkits and Windows security for Email Battles readers. We have edited his comments only as required to form a bridge between his understanding of English and yours. The hope from both sides: you will better understand the how-and-why of rootkits, and how to protect yourself from them.

While Hacker Defender does not subvert Windows 95, 98 or Millennium, hf offers plenty of insight into those products:

Since we know the NT architecture, we don’t want to waste time with something like 9x/ME. These systems are useless. There is no reason to use them any more.

But rootkits for these systems exist. They are downloadable on the net. We are just not interested in these systems because there is no reason.

We can’t force security companies to try to secure 9x/ME boxes when we know it is impossible unless they implement the NT kernel again. That’s the reason we are coding NT rootkits - because we know it is possible to secure an NT box and so we want companies to do it.

Nevertheless, a lot of companies are still using Windows 98 and Windows Millennium (ME). Is it possible to protect 98 and ME from rootkits? The response is not encouraging:

Simple to answer - no, it is not possible. But of course, that is not 100% true. I’ll try to explain.

Unlike the NT kernel, Windows 98 and ME (95 too) implement no security. There is nothing like process protection, or even kernel protection.

Your application that runs in usermode can directly access kernel structures and code.

That’s why these 9x and ME systems crash a lot. They are unstable because, if there is a bug in any userland application, it may damage other processes or even kernel memory directly, without any special code.

You can write a tiny application - like three lines of code - to rewrite all kernel memory, and this is a 100% OS crash.

Now, why is this not 100% true?

You can always implement the code that will make NT from your 9x systems.

If you understand that, you also know that it is not very smart to do. A much much cheaper way is to get some “real” OS - with standard protection mechanisms, security etc., like NT OS or *nix OS or many others.

There is no reason to use Windows 9x/ME in today’s world because of this. There is no security. And if one tries to implement security there, he would just try to implement the whole NT kernel again.

Upshot: If you absolutely must use Windows 95, 98 or Millennium, keep them as far away from the Internet as possible.

Background: