Rootkits
A rootkit is a general term for a set of programs that work to subvert control
of an operating system from its legitimate operators. Usually a rootkit will
obscure its installation and attempt to prevent its removal by subverting
standard system security. Techniques used to accomplish this can include
concealing running processes, files or system data from the operating system.
Rootkits have their origin in benign applications, but in recent years they
have increasingly been used by malware to help intruders maintain access to
systems while avoiding detection.
Origin
The term rootkit originally referred to a set of Unix tools that would carefully
hide themselves from display, thus allowing intruders to maintain "root"
access (the highest level of privilege on a Unix system) without the system
administrator seeing them. Although it originated on Unix, the term is no
longer restricted to Unix-based operating systems, as tools that perform
a similar set of tasks now exist for a variety of operating systems, such
as Microsoft Windows, Mac OS X, Linux and Solaris. Rootkits often modify
parts of the operating system or install themselves as drivers or kernel
modules on non-Unix operating systems such as Microsoft Windows, regardless
of whether the operating system has a "root" account at all.
"Rootkit" is now a term loosely applied to cloaking techniques and methods in general.
Common Use
A rootkit can take full control of a system. A rootkit's purpose is typically
to hide files, network connections, memory addresses or registry entries
from the programs system administrators use to detect intended or
unintended privileged access to computer resources. A rootkit may, however,
be bundled with other files that serve other purposes. It is important to
note that while the utilities bundled with a rootkit may be malicious in
intent, the rootkit itself is essentially a technology; it may be used for
both productive and destructive purposes.

A rootkit is often used to hide utilities that abuse a compromised system.
These frequently include so-called "backdoors" that let the attacker
subsequently access the system more easily. For example, the rootkit may
hide an application that spawns a shell when the attacker connects to a
particular network port on the system. Kernel rootkits may include similar
functionality. A backdoor may also allow processes started by a
non-privileged user to execute functions normally reserved for the
administrator or superuser.

All sorts of other tools useful for abuse can be hidden using rootkits.
This includes tools for further attacks against computer systems the
compromised system communicates with, such as sniffers and keyloggers.
Another abuse is to use the compromised computer as a staging ground for
further abuse (see zombie computer). This is often done to make the abuse
appear to originate from the compromised system or network rather than from
the attacker. Tools for this can include denial-of-service attack tools,
tools to relay chat sessions, and e-mail spam tools.

A major use for rootkits is allowing the author of the rootkit to see and
collect user names and log-in information for sites that require them. The
author of the rootkit can store unique sets of log-in credentials from many
different computers. This makes rootkits extremely hazardous, as it allows
Trojans to access this personal information while the rootkit covers it up.

There are presently five different kinds of rootkits: firmware, virtualized,
kernel, library and application-level kits.
Preventative Solutions:
Most real-time anti-virus and anti-spyware programs can prevent rootkits
from becoming established. However, special tools are usually needed to find
an existing rootkit. These tools can detect whether a rootkit is present, but
removing it requires specialist technical knowledge; otherwise the attempt
may corrupt the operating system and render the computer unusable.
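The detection tools mentioned above rely on the fact that a rootkit concealing a running process usually alters one view of the system but rarely all of them. The following Linux script is an added example, not code from the original page: it compares the process IDs that directory enumeration of /proc reports with those the kernel acknowledges via kill(pid, 0), and reports PIDs present in the second view but missing from the first. Reading pid_max for the probe ceiling, filtering thread IDs through the Tgid field of /proc/<pid>/status, and requiring a PID to be hidden in two consecutive passes are assumptions of this example.

```python
import os
from typing import Optional, Set


def listed_pids() -> Set[int]:
    """High-level view: PIDs that directory enumeration of /proc reports."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def tgid_from_status(status_text: str) -> Optional[int]:
    """Parse the 'Tgid:' field of a /proc/<pid>/status file; None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def probed_pids(max_pid: int) -> Set[int]:
    """Low-level view: PIDs that kill(pid, 0) says exist (EPERM still means it
    exists). Thread IDs also answer kill(), so a TID whose status file shows a
    different Tgid is dropped; a PID that answers kill() but has no readable
    status file is kept, since that mismatch is what a hidden procfs entry looks like."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            pass              # EPERM: exists, owned by another user
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = tgid_from_status(f.read())
            if tgid is not None and tgid != pid:
                continue      # a thread, not a process
        except OSError:
            pass              # alive but absent from procfs: keep as suspect
        alive.add(pid)
    return alive


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs present in the low-level view but missing from enumeration."""
    return probed - listed


def scan(passes: int = 2) -> Set[int]:
    """Report only PIDs hidden in every pass, so a process that exits between
    the two views is not mistaken for a hidden one."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    suspects = hidden_pids(listed_pids(), probed_pids(max_pid))
    for _ in range(passes - 1):
        suspects &= hidden_pids(listed_pids(), probed_pids(max_pid))
    return suspects
```

Run `scan()` as root: on a /proc mounted with the hidepid option, other users' status files are legitimately unreadable and would otherwise show up as false suspects. Probing every PID up to pid_max takes a few seconds.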