Rootkits are powerful programs that alter -- or patch -- the kernel of an operating system. This allows them to hide the existence of certain files or applications from the underlying OS. This practice dates back to UNIX systems in the mid 1980s but it is now commonly being used by malware authors to hide viruses and spyware from Windows-based security applications.
In April, antivirus firm McAfee said the number of rootkits found by its emergency response team in the first quarter of this year was up 700 percent compared to the same period last year.
This growing threat has driven security companies to develop rootkit detection techniques and forced Microsoft to develop methods for protecting the kernel of its operating system.
In a phone interview, Austin Wilson, director of product management for Windows Vista Security, told ZDNet Australia on Thursday that the software giant has developed a number of defences against rootkits. But, the most effective will not be included in the most common versions of Windows Vista.
Two techniques -- Kernel Patch Protection and driver signing -- will be available in 64-bit versions of Windows Vista, which are mostly used in servers rather than desktops, so most users will miss out, admitted Wilson.
The most powerful technique is Kernel Patch Protection, which basically blocks any application from altering the Vista kernel.
"Kernel patching is exactly what a load of rootkits do," said Wilson, who explained that rootkits alter the kernel to hide malware. "It changes the kernel so that if you do something like a directory command and look in Explorer, what you get returned back isn't really there."
"Basically, the rootkit will patch the kernel so they can hide and you can't find them when Windows is running. In 64-bit versions [of Windows Vista] we don't allow software to patch the kernel at all," he said.
When asked why kernel patch protection will not be available in 32-bit versions of Vista, he said: "In the 32-bit version it is something we would like to do in the longer term ... there are many legitimate applications out there today ... that do some kind of kernel patching."
However, Wilson said Microsoft is encouraging software vendors to move away from this technique.
"We are working with the vendors of those applications today so they can successfully port those to 64-bit and not use the kernel patching techniques.
"Kernel patching is something that is used for good things by legit software vendors but it is also something that is used by rootkit authors as well. We need to disable kernel patching to stop rootkit authors from patching the kernel," said Wilson.
Wilson did stress that the 32-bit version of Vista will include alternatives features to reduce the risk of rootkit infestation -- such as User Account Control, where users do not work in administrator mode and Internet Explorer protected mode, where the browser is not given enough privileges to install malware.
The fact that the strongest rootkit protection is only available on server versions of vista shows that Microsoft are not really trying to make life easier for the ordinary user. I have a strong sense of deja-vu when it comes to Microsoft and security.