Windows Root Kits a Stealthy Threat
Kevin Poulsen, SecurityFocus 2003-03-05

Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning.

Windows Root Kits a Stealthy Threat 2003-03-05
Anonymous (1 replies)
Windows Root Kits a Stealthy Threat 2003-03-13
Anonymous
You *can* write a rootkit in user-mode, but it won't be stealthy (compared to kernel-mode). In kernel-mode you have privileged access to the inner workings of Windows. One example (given in the article) is hiding the binaries by intercepting the file I/O API. Another would be achieving network communications by tapping into the network stack. This would remove the necessity to leave open ports waiting. E.g.: by monitoring incoming packets to closed ports, you could either: a) only open the "command" port after a certain "knock" pattern is detected, or simply run all communications through "dead" packets like these. Commands could be sent encrypted at the end of emails or any other medium which results in an incoming packet to the machine in question...


Link to this comment: http://www.securityfocus.com/comments/articles/2879/18705#18705
Hacker Defender and NAV 2003-03-06
Anonymous (2 replies)
Hacker Defender and NAV 2003-03-06
Anonymous
Hacker Defender and NAV 2003-03-06
Anonymous (1 replies)
Hacker Defender and NAV 2003-03-06
Anonymous (1 replies)
Hacker Defender and NAV 2003-03-07
Anonymous
Windows Root Kits a Stealthy Threat 2003-03-09
DarkS0rcerer
Absolutely probably? 2003-03-12
Anonymous
Windows Root Kits a Stealthy Threat 2003-03-12
Anonymous (1 replies)







 

Copyright 2009, SecurityFocus