Rootkit

From Wikipedia, the free encyclopedia.

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer. The word “rootkit” came to public awareness in the 2005 Sony CD copy protection controversy, in which the copy-protection software on Sony BMG music CDs installed a rootkit on Microsoft Windows PCs.

Origins of rootkits

The term “rootkit” (also written as “root kit”) originally referred to a set of recompiled UNIX tools such as “ps”, “netstat”, “w”, and “passwd” that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruder to maintain “root” on the system without the system administrator even seeing them. The term is no longer restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a “root” account).

Functions of a rootkit

A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are counted as trojan horses.

Uses of rootkits

A rootkit is often used to hide utilities used to abuse a compromised system. These often include so-called “backdoors” to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality.
A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems the compromised system communicates with, such as sniffers and keyloggers. A common abuse is to use a compromised computer as a staging ground for further abuse. This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam relays. A recent example of a rootkit being used on commercial CDs for digital rights management purposes is the 2005 Sony CD copy protection controversy.

Types of rootkits

Basic types

Rootkits come in two different flavors, kernel-level and application-level kits. Kernel-level rootkits add code to the kernel and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by loading new code into the kernel via a device driver or loadable module, such as Loadable Kernel Modules on Linux or kernel-mode device drivers on Microsoft Windows. Kernel rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker, for example by filtering the attacker’s processes and files out of the results of the calls that enumerate them. Application-level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.

Examples

· FU Rootkit[1]
· SuckIT
· T0rn
· IntoXonia[2]
· Ambient’s Rootkit (ARK)
· Hacker Defender[3]
· Sony BMG’s use of First 4 Internet XCP (Extended Copy Protection) DRM[4]

Detecting rootkits

There are inherent limitations to any program that attempts to detect rootkits while running under the suspect system. Rootkits are suites of programs which modify many of the tools and libraries upon which all programs on the system depend. Some rootkits modify the running kernel (through loadable modules on Linux and many other forms of UNIX, and through kernel-mode drivers on Windows NT-based systems or VxDs, virtual device drivers, on Windows 9x). The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers. Rootkit detectors which run on live systems currently only work because rootkits have not yet been developed which hide themselves fully.

The best and most reliable method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from alternative media (e.g. a rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence, and most established antivirus programs will identify known rootkit files on the mounted disk. Detectors that do run on the live system work by comparing the answers returned by standard OS calls (which the rootkit has supposedly doctored) with lower-level queries, such as reading directory entries or kernel data structures directly, which ought to remain reliable. If there is a difference, the presence of a rootkit infection can be assumed. Rootkits try to protect themselves against such scanners by monitoring running processes and suspending their hiding activity until the scanning has finished, since malware that is not actively hiding anything will not be identified by a rootkit scanner.
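The comparison just described, applied to the Linux process table, as an added example (not code from the article, nor the implementation of chkrootkit, rkhunter, Blacklight or RootkitRevealer). It takes the process list three ways: the output of ps (what the administrator sees), a raw directory listing of /proc, and a brute-force probe of every PID with kill(pid, 0), which goes through a different kernel path than directory enumeration and is the approach of the unhide tool (reimplemented here from its description, not its code). Whatever a lower-level view reports but ps does not is flagged. Tool names, paths and the sample inputs are assumptions made for the example.

```python
"""Cross-view detection of hidden processes on Linux (added example).

  high view  : PIDs parsed from `ps -e`
  low view   : numeric entries of os.listdir('/proc')
  probe view : kill(pid, 0) for every PID up to pid_max; a rootkit that
               filters the getdents results behind directory listings
               often forgets that a PID can be found by probing it directly
"""
import os
import re
import subprocess
import time

PS_PID_RE = re.compile(r"^\s*(\d+)\s")


def parse_ps_output(text):
    """PIDs from `ps -e`-style output; the header line has no leading number."""
    return {int(m.group(1)) for m in map(PS_PID_RE.match, text.splitlines()) if m}


def pids_from_proc_entries(entries):
    """Every all-digit name in a listing of /proc is a thread-group leader."""
    return {int(name) for name in entries if name.isdigit()}


def tgid_from_status(status_text):
    """Thread-group id from /proc/<pid>/status text, or None if not present."""
    m = re.search(r"^Tgid:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def classify_probe_hits(probe_hits, high_view, status_reader):
    """PIDs that answer kill(pid, 0) but are missing from the high view.

    status_reader(pid) returns the text of /proc/<pid>/status or None.
    kill() also accepts thread ids, so a hit whose status says Tgid != pid is
    a thread of a visible process and is skipped.  An unreadable status is
    kept: a process whose /proc entry cannot be read is exactly the suspect.
    """
    hidden = set()
    for pid in probe_hits - high_view:
        tgid = tgid_from_status(status_reader(pid) or "")
        if tgid is not None and tgid != pid:
            continue
        hidden.add(pid)
    return hidden


def stable_hidden(per_snapshot_hidden):
    """Intersect the hidden sets of several snapshots, so a process that merely
    started or exited between the views of one snapshot is not reported."""
    result = None
    for hidden in per_snapshot_hidden:
        result = set(hidden) if result is None else result & set(hidden)
    return result or set()


def probe_pids(pid_max):
    """Probe view: PIDs that exist according to kill(pid, 0)."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        alive.add(pid)
    return alive


def read_status(pid):
    try:
        with open("/proc/%d/status" % pid) as f:
            return f.read()
    except OSError:
        return None


def hidden_processes_once():
    """One snapshot: the lower-level views first, then the high view."""
    low = pids_from_proc_entries(os.listdir("/proc"))
    with open("/proc/sys/kernel/pid_max") as f:
        probed = probe_pids(int(f.read()))
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True)
    high = parse_ps_output(ps.stdout)
    return (low - high) | classify_probe_hits(probed, high, read_status)


if __name__ == "__main__":
    snapshots = []
    for _ in range(3):
        snapshots.append(hidden_processes_once())
        time.sleep(0.5)
    result = stable_hidden(snapshots)
    for pid in sorted(result):
        print("hidden process: pid %d" % pid)
    if not result:
        print("no hidden processes found (proves nothing against a rootkit hiding from all three views)")
```

Two caveats the article’s “cannot be trusted” point implies: ps itself reads /proc through the same directory-listing path as the low view, so the low-versus-high difference only exposes a trojanized ps or a hooked C library, and it is the PID probe that exposes a kernel module filtering getdents; a rootkit that also intercepts kill() and /proc path lookups defeats all three. Against a rootkit that whitelists the scanner by name (the RootkitRevealer countermeasure described below), copy the script to a random file name before running it.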
Security vendors envision a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to keep hiding during the scan process, it will be identified by the stealth detector; if it decides to temporarily unload from the system, the traditional antivirus will find it using signature (fingerprint) detection. This combined defense may force attackers to implement counter-attack mechanisms (so-called retro routines) in their rootkit code that forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses, the detection and elimination of rootkits will be an ongoing struggle between the creators of the tools on both sides of this conflict.

There are several programs available to detect rootkits. On Unix-based systems two of the most popular are chkrootkit and rkhunter. For the Windows platform a stealth scanner named Blacklight, free for personal use, is available in beta on F-Secure’s website. Another Windows detector is RootkitRevealer from Sysinternals. It detects rootkits that hide files or registry keys by comparing the results returned by the Windows API with the listing read from the disk itself (the raw file system and registry hive data). However, some rootkits started to add this particular program to a list of processes they do not hide from; with no difference between the two listings, the detector reports nothing. Renaming the rootkitrevealer.exe file to a random name defeats this, and the latest releases of Rkdetector and RootkitRevealer now do this themselves, so there is no longer any need to rename the file by hand.

Removing rootkits

There is a body of opinion that holds this to be forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.
“I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt this is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat. This is so even if the rootkit is very well known and can be removed 100%.” (Rootkit Question)

There is a way to delete a rootkit’s hidden files while the system is online, by using a file system driver other than the one the rootkit has hooked. Rkdetector v2.0 implements a way to wipe hidden files on a running system using its own NTFS and FAT32 file system drivers. Once the files have been overwritten and the system rebooted, the rootkit’s files will no longer be loaded because their contents have been destroyed.

Rootkits vs. computer viruses and worms

The key distinction between a computer virus and a rootkit relates to propagation. Like a rootkit, a computer virus modifies core software components of the system, inserting code which attempts to hide the “infection” and provides some additional feature or service to the attacker (the “payload” of a virus). In the case of the rootkit, the payload may attempt to maintain the integrity of the rootkit (the compromise to the system): for example, every time one runs the rootkit’s ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, “re-infecting” them as necessary. The rest of the payload is there to ensure that the intruder can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some rootkits may add port knocking checks to existing network daemons (services) such as inetd or sshd. A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems.
In general, a rootkit limits itself to maintaining control of one system. A program or suite of programs that attempts to automatically scan a network for vulnerable systems, automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the intruder through some sort of covert channel). Of course there are hybrids. A worm can install a rootkit, and a rootkit might include copies of one or more worms, packet sniffers or port scanners. Also, many of the e-mail worms that target MS Windows platforms are commonly referred to as “viruses.” So all of these terms have somewhat overlapping usage and can be easily conflated.

Publicly available rootkits

Like most software used by attackers, many implementations are shared and easily available on the Internet. It is not uncommon to see a compromised system where a sophisticated publicly available rootkit hides the presence of unsophisticated worms or attack tools that appear to be written by inexperienced programmers. Most of the rootkits available on the Internet are constructed as a “proof of concept”. They prove the feasibility of a novel experimental way of hiding things within a computer system. However, since these are experimental they are often not fully optimized for stealth. When such rootkits are used in an attack they are often very effective. However, when they are discovered, for example by starting the operating system from a trusted medium such as a CD, they often show very obvious signs of their presence, for example leaving files named “rootkit” in common places on the computer system.
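The offline check recommended under “Detecting rootkits” (boot a trusted medium, inspect the suspect disk while its operating system is not running) and the signs described just above (trojanized ps, init or inetd; dropped files; new setuid bits) both come down to comparing the disk against a known-good baseline. The following is an added example of such a baseline check; it is not code from the article and not the implementation of rkhunter, chkrootkit, AIDE or Tripwire, which apply the same idea with more machinery. The directory list, the mount point /mnt/suspect and the command-line usage are assumptions, and the scenario in demo() is constructed.

```python
"""Offline integrity check of system files against a known-good manifest.

Assumed usage (added example):
  1. On a freshly installed, trusted system:
       python3 integrity.py build / manifest.json
     and keep manifest.json off the host, e.g. on the read-only rescue medium.
  2. On a suspect machine, boot the rescue medium, mount the suspect disk
     read-only at /mnt/suspect, then:
       python3 integrity.py check /mnt/suspect manifest.json

Run this way no code from the suspect OS executes while its files are hashed.
Run on the live system instead, a kernel rootkit that hooks read() can feed
the hasher the original bytes of a trojanized binary and the check proves
nothing, which is the article's point about not trusting the running OS.
"""
import hashlib
import json
import os
import stat
import sys
import tempfile

CHECKED_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib", "usr/lib", "etc")


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, subdirs=CHECKED_DIRS):
    """Map each regular file (path relative to root) to its SHA-256 and mode bits."""
    manifest = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, devices and sockets are not hashed
                manifest[os.path.relpath(full, root)] = {
                    "sha256": hash_file(full),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                }
    return manifest


def compare(baseline, current):
    """Classify every difference between two manifests.

    modified     : content changed (trojanized ps, patched library, edited passwd)
    mode_changed : same content, new permission bits (e.g. a setuid bit added so
                   a non-privileged user's process can act as the superuser)
    added        : files absent from the baseline (dropped tools, "rootkit" files)
    missing      : files removed (logs, original binaries)
    """
    report = {"modified": [], "mode_changed": [], "missing": []}
    for rel, base in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] != base["sha256"]:
            report["modified"].append(rel)
        elif cur["mode"] != base["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Constructed scenario in a temporary tree: take a baseline, then
    trojanize ps, add setuid to ls, drop a hidden file and delete netstat."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ps", "ls", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\nexec /bin/true " + name.encode() + b"\n")
            os.chmod(os.path.join(bindir, name), 0o755)
        baseline = build_manifest(root, ["bin"])
        with open(os.path.join(bindir, "ps"), "ab") as f:
            f.write(b"# filter the intruder's processes out of the listing\n")
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        with open(os.path.join(bindir, ".rootkit"), "wb") as f:
            f.write(b"payload\n")
        os.remove(os.path.join(bindir, "netstat"))
        return compare(baseline, build_manifest(root, ["bin"]))


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        with open(sys.argv[3], "w") as f:
            json.dump(build_manifest(sys.argv[2]), f, indent=1, sort_keys=True)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as f:
            baseline = json.load(f)
        for kind, paths in compare(baseline, build_manifest(sys.argv[2])).items():
            for rel in paths:
                print("%-12s %s" % (kind, rel))
    else:
        print(json.dumps(demo(), indent=1))
```

The manifest is only as good as its provenance: build it before the machine is exposed, store it where the suspect host cannot write to it, and carry the checking tool on the same read-only medium rather than running the copy found on the suspect disk.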