Rootkits in userland use a variety of methods to hide their presence from detectors: hiding their processes, injected modules, registry keys, files, windows, handles, and so on. A typical rootkit employs one or more of these techniques to keep its operations under cover. As rootkit techniques grow more advanced, their detection becomes correspondingly difficult and challenging.
In this context, we present an overview of the various techniques used by userland rootkits to hide themselves and of the detection mechanisms used by anti-rootkit software. All the techniques explained here are from userland; nothing from kernel land is covered.
In ring terminology, userland rootkits run in ring 3 (userland). Ring 3 is where user applications run, and since this is also where every untrustworthy program runs, operating systems give this layer the least privilege, which makes monitoring, detection and prevention easier than for kernel rootkits. Userland rootkits modify what processes, network connections, files and events look like to other programs, typically by hooking the API calls those programs use to enumerate them. Some detection techniques therefore face a fundamental problem: deciding what is true and what is false, because everything the detector sees through a hooked API may already have been modified to remove any indication of compromise. The rootkit can only lie on the code paths it has hooked, however, and that is what detectors exploit.
Detection techniques for userland rootkits fall into a few main categories: heuristic, anomaly-based, signature-based, cross-view (taking the same census through two independent routes and diffing the results), etc. This does not mean that userland rootkits are simple to detect. Hiding is one of the major properties of a rootkit: it lets the rootkit remain on the compromised box while retaining the administrator privileges it needs to function. Rootkits need root or administrator privileges; they are not tools that provide the attacker with those privileges. This means that by the time a userland rootkit enters the system, the attacker has already breached the perimeter and the host, escalated privileges to administrator, and installed the rootkit in order to retain that root/admin access.
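The process-hiding technique listed above and the cross-view detection category it is caught by, as an added example that is not code from the original article. A userland rootkit filters its own PIDs out of the enumeration API it hooks (readdir() on /proc via LD_PRELOAD on Linux; the Toolhelp/NtQuerySystemInformation path on Windows), so an anti-rootkit takes a second census through a route the rootkit did not hook and diffs the two. The pure diff logic is exercised offline with constructed PID sets; the live collectors assume a Linux host with procfs mounted, and `simulate_hooked_listing` is a constructed stand-in for a hooked readdir(), not a real rootkit.

```python
"""Cross-view process detection (added example; assumes Linux procfs for the
live collectors, constructed data otherwise)."""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class CrossViewResult:
    # Alive in the low-level view but missing from the high-level one:
    # the signature of a hooked enumeration API.
    hidden: frozenset[int]
    # Listed high-level but not alive low-level: normally a process that
    # exited between the two collections, not a rootkit.
    phantom: frozenset[int]


def cross_view(high_level: set[int], low_level: set[int]) -> CrossViewResult:
    """Diff two independent process censuses of the same host."""
    return CrossViewResult(
        hidden=frozenset(low_level - high_level),
        phantom=frozenset(high_level - low_level),
    )


def stable_hidden(passes: list[CrossViewResult]) -> frozenset[int]:
    """Trust only a PID flagged hidden in every pass: a process that exits
    between two collections is flagged once and then disappears."""
    if not passes:
        return frozenset()
    hidden = set(passes[0].hidden)
    for p in passes[1:]:
        hidden &= p.hidden
    return frozenset(hidden)


def simulate_hooked_listing(real_pids: set[int], rootkit_hides: set[int]) -> set[int]:
    """Constructed stand-in for a hooked readdir(): the real census minus the
    entries the rootkit filters out. Lets the logic be exercised offline."""
    return real_pids - rootkit_hides


# ---- Linux collectors (assumption: Linux with /proc mounted) ----

def view_proc_listing() -> set[int]:
    """High-level view: readdir() on /proc, the call an LD_PRELOAD rootkit
    (or a hooked ps/top) filters its own PIDs out of."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _tgid(pid: int) -> int | None:
    """Map a kernel task ID to its thread-group leader; /proc/<tid>/status is
    opened directly, never found through the (hookable) directory listing."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def view_pid_probe(max_pid: int | None = None) -> set[int]:
    """Low-level view: ask the kernel about every PID with kill(pid, 0).
    EPERM still proves existence; only ESRCH means no such task. kill() also
    answers for non-leader threads, so each hit is folded to its Tgid or
    every thread of every process would be reported as hidden."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive: set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        tg = _tgid(pid)
        if tg is not None:
            alive.add(tg)
    return alive


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        passes = [cross_view(view_proc_listing(), view_pid_probe()) for _ in range(2)]
        print("hidden PIDs:", sorted(stable_hidden(passes)) or "none")
    else:
        real = {1, 2, 3, 1337}
        r = cross_view(simulate_hooked_listing(real, {1337}), real)
        print("hidden PIDs (simulated):", sorted(r.hidden))
```

The caveat a practitioner should keep in mind: a rootkit that hooks open() and kill() in the same process will lie on both routes, which is why anti-rootkit tools run the low-level census from code that bypasses the hooked library (direct system calls, or a statically linked binary on Linux) rather than from the same process image the rootkit has injected into.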