Intelligent Business Research Services analyst James Turner said rootkits will be increasingly used in highly targeted attacks as they become more sophisticated and form a critical part of hacker arsenals. Turner stated: "We are going to see rootkits used in highly targeted attacks where hackers will source, for example, a CFO's operating system and the typical applications they use, and then find a specific vulnerability based on these which allows a rootkit to be inserted."
A rootkit is a set of software tools intended to conceal the presence of processes, files, network connections or other system data from the operating system's own reporting mechanisms, and therefore from administrators and security tools that rely on them. The term comes from Unix, where a "root kit" was a bundle of trojaned system binaries (ls, ps, netstat, login) that an intruder installed to keep root access on a compromised host; in recent years rootkits have increasingly been bundled with malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, including Linux, Solaris and versions of Microsoft Windows, and they commonly modify parts of the operating system or install themselves as drivers or kernel modules. They are usually classified along two axes. By privilege level: kernel-mode rootkits run inside the kernel as a driver or loadable module, intercept system calls or other kernel interfaces and alter kernel data structures, for example removing a process from the structures that process viewers read so it never appears in a process list; user-mode rootkits run with ordinary process privileges and work by replacing or patching system commands, hooking library calls inside other processes, or masquerading as legitimate OS components, and frequently carry keyloggers. By persistence: persistent rootkits store code on disk and arrange to run at every boot, for instance via the Windows registry, init scripts or the boot sector, which leaves an on-disk footprint that an offline scan can find; memory-based rootkits exist only in RAM, leave nothing on disk and disappear on reboot, which makes them harder to find but also shorter-lived, so they are typically re-inserted each time the victim is re-exploited.
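The classic countermeasure to the concealment described above is a cross-view comparison: ask the system the same question two different ways and treat any disagreement as a hiding attempt. The script below is an added example written for this page, not a tool mentioned in the article. It lists PIDs the way ps does (by reading the /proc directory, which a kernel-mode rootkit filtering readdir or a user-mode rootkit trojaning ps can both falsify) and then probes every possible PID directly with kill(pid, 0), which still succeeds for a process the listing omits. The /proc layout, the use of kill(pid, 0) and the Tgid field are standard Linux behaviour; the sample directory listing used in the comments is constructed.

```python
"""Cross-view process enumeration for Linux.

View 1: the PIDs that appear in a readdir() of /proc (what ps shows).
View 2: the PIDs that answer kill(pid, 0), which the kernel evaluates
        without consulting the /proc directory listing at all.
A process present in view 2 but absent from view 1 is being hidden.
"""
import os
import re

PID_RE = re.compile(r"^[0-9]+$")


def pids_from_listing(entries):
    """Extract numeric PIDs from a /proc listing such as
    ["1", "2", "1234", "self", "thread-self", "sys"] -> {1, 2, 1234}."""
    return {int(e) for e in entries if PID_RE.fullmatch(e)}


def probe_pid(pid):
    """True if the kernel knows `pid`, without reading /proc.
    kill(pid, 0) sends no signal: success or EPERM both mean the process
    exists, ESRCH means it does not."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, or None if unreadable.
    Thread ids answer kill() but are never listed in /proc, so they must
    be recognised to avoid false positives; /proc/<tid> still resolves by path."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def classify_hidden(listed, alive, tgid_lookup):
    """Cross-view comparison on already-collected data (pure, so it can be
    run on constructed input). Returns PIDs that are alive per the probe,
    absent from the listing, and not explained as threads of a listed process."""
    hidden = []
    for pid in sorted(alive - listed):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid in listed:
            continue  # a thread of a visible process, not a hidden one
        hidden.append(pid)
    return hidden


def scan():
    """Live scan of this host. Two passes, because processes that start or exit
    between the two views would otherwise show up as false positives."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    listed = pids_from_listing(os.listdir("/proc"))
    alive = {pid for pid in range(1, pid_max) if probe_pid(pid)}
    candidates = classify_hidden(listed, alive, tgid_of)
    listed_again = pids_from_listing(os.listdir("/proc"))
    return [p for p in candidates if probe_pid(p) and p not in listed_again]


if __name__ == "__main__":
    hidden = scan()
    if not hidden:
        print("no PIDs hidden from the /proc listing")
    for pid in hidden:
        print(f"PID {pid} answers kill(pid, 0) but is missing from the /proc listing")
```

Run it as root so that EPERM does not mask anything; expect a few seconds of runtime, since pid_max on modern kernels is in the millions. A rootkit that hooks kill() as well as readdir() defeats this particular pair of views, which is why real detectors compare several independent views (scheduler run queues, /proc/<pid> path access, network socket tables) rather than just these two.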
The security industry is responding with more training and with simulated information-warfare exercises. The biggest problem remains getting organisations that have been hacked to warn the public about it. Chris Gatford, senior security analyst at penetration testing firm Pure Hacking, said that the most critical exploits are found in unpatched vulnerabilities in common applications.
Gatford said: "Microsoft Word has an unspecific exploit that has been unpatched for 47 days; if I were a hacker I would certainly target these kinds of exploits because the scope is so wide. Hackers are using the same spyware model but are distributing them with the next level of rootkits."
In addition, Markets-Alert director Jeff McGeorge said: "Rootkits are being dynamically inserted on-the-fly, which means they can sit invisibly in a Web page's source code using a Windows cloaking function and download on to your machine without raising any attention, because they disable download warnings and stop spyware applications from flagging them. A TPM takes an initial encrypted checksum of a hard drive and crosschecks the result against the TPM chipset on each boot, which detects additions to the kernel. However, TPMs don't work against dynamically inserted rootkits, because you can't do a checksum against the TPM when you are on the Internet and surfing around, which is where the rootkits install, infect and uninstall. There will never be a universal rootkit detector; however, the most powerful alternatives will be online-offline comparison scanners that integrate with anti-virus programs."
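The two checks McGeorge contrasts can be put side by side in a small model. The code below is an added example for this page, not anything from the article or from a TPM vendor; it models the one TPM behaviour that matters here, the platform configuration register (PCR) extend operation, PCR = SHA-256(PCR || measurement), which boot firmware applies to each image it loads and which can never be reset or set directly while the machine runs. The disk, memory and boot images are constructed stand-ins, and the "online-offline comparison" is modelled simply as comparing the running in-memory copy of each image with its on-disk copy.

```python
"""Boot-time measurement versus online-offline comparison (model).

measured_boot() is how a TPM PCR accumulates a fingerprint of the boot
chain. A persistent rootkit that modifies the kernel on disk changes the
PCR and is caught at the next boot. A rootkit injected into memory after
boot is never measured, so the PCR still matches; only a comparison of the
live copy against the offline copy notices it.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the new value hashes the old value together with the
    measurement, so a PCR can only accumulate and is order-sensitive."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(images):
    """Firmware extends the PCR with the digest of each image, in load order."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    for image in images:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


class Machine:
    """Constructed model: a disk of boot images, the running copies in memory,
    and one PCR that is extended only during boot()."""

    def __init__(self, disk_images):
        self.disk = [bytes(i) for i in disk_images]
        self.memory = []
        self.pcr = None

    def boot(self):
        self.pcr = measured_boot(self.disk)
        self.memory = [bytearray(i) for i in self.disk]  # images loaded into RAM

    def patch_memory(self, index, offset, payload):
        """A rootkit inserted at run time: RAM changes, no extend happens."""
        self.memory[index][offset:offset + len(payload)] = payload


def boot_time_check(machine, golden_pcr):
    """The TPM-style check: does the PCR match the known-good boot chain?"""
    return machine.pcr == golden_pcr


def online_offline_check(machine):
    """Compare each live in-memory image with its offline on-disk copy.
    Returns the indices of images whose running copy differs."""
    return [
        i for i, (mem, disk) in enumerate(zip(machine.memory, machine.disk))
        if bytes(mem) != disk
    ]


if __name__ == "__main__":
    images = [b"bootloader", b"kernel", b"initrd"]  # constructed stand-ins
    golden = measured_boot(images)

    clean = Machine(images)
    clean.boot()
    print("clean boot passes PCR check:", boot_time_check(clean, golden))

    persistent = Machine([b"bootloader", b"kernel+rootkit", b"initrd"])
    persistent.boot()
    print("on-disk rootkit passes PCR check:", boot_time_check(persistent, golden))

    clean.patch_memory(1, 0, b"hooked")  # memory-only rootkit after boot
    print("in-memory rootkit passes PCR check:", boot_time_check(clean, golden))
    print("online-offline check flags images:", online_offline_check(clean))
```

The model leaves out what a real deployment adds on top (the TCG event log that lets a verifier reconstruct the PCR value, sealing of keys to PCR values, and run-time kernel integrity mechanisms such as Linux IMA or Windows PatchGuard), but the division of labour it shows is the real one: boot-time measurement proves what was loaded, and something else has to watch what changed afterwards.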