Rootkits

A rootkit is a general description of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal through a subversion of standard system security. Techniques used to accomplish this can include concealing running processes, files or system data from the operating system. Rootkits have their origin in benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection.

Origin
The term rootkit originally referred to a set of Unix tools that would carefully hide themselves from display, thus allowing the intruders to maintain "root" access (the highest level of privilege on a Unix system) without the system administrator seeing them. Although originating in Unix, the term is no longer restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for a variety of operating systems, such as Microsoft Windows, Mac OS X, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules for non-Unix operating systems such as Microsoft Windows, regardless of the existence (or lack of existence) of a "root" in the operating system. Rootkit is a term now loosely applied to cloaking techniques and methods.
Common Use

A rootkit can take full control of a system. A rootkit's purpose is typically to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources. However, a rootkit may be incorporated with other files which have other purposes. It is important to note that while the utilities bundled with the rootkit may be malicious in intent, a rootkit is essentially a technology; it may be used for both productive and destructive purposes.
A rootkit is often used to hide utilities. These are often used to abuse a compromised system, and often include so-called "backdoors" to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the administrator/superuser.

All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems which the compromised system communicates with, such as sniffers and keyloggers. A possible abuse is to use a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks.

A major use for rootkits is allowing the programmer of the rootkit to see and access user names and log-in information for sites that require them. The programmer of the rootkit can store unique sets of log-in information from many different computers. This makes rootkits extremely hazardous, as it allows Trojans to access this personal information while the rootkit covers it up.

There are presently five different kinds of rootkits: firmware, virtualized, kernel, library and application level kits.

Preventative Solutions

Most real-time Anti-Virus and Anti-Spyware programs can prevent rootkits from becoming established. However, special tools are usually needed to find an existing rootkit. These tools can detect if a rootkit is present, but removing the rootkit does require special technical knowledge, or the result may corrupt the operating system and render the computer unusable.
[security/Anti-rootkit_Solutions.htm]
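The special tools mentioned above typically rely on cross-view detection: enumerate processes in two independent ways and diff the results, since a rootkit that filters one view (for example, the /proc directory listing) often leaves another (direct kernel queries about a PID) untouched. The following Python is an added example written for this page, not code from WinHaven or any named tool; it assumes a Linux host with /proc mounted, and the 32768 fallback for pid_max is an assumption.

```python
# Added example: cross-view process detection. Enumerate /proc, then ask
# the kernel about every PID directly, and report PIDs that answer the
# probe but are missing from the listing.
import os

def listed_pids(proc_root="/proc"):
    """PIDs visible by enumerating /proc (the view a hooked readdir filters)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probed_pids(max_pid=None):
    """PIDs that exist according to kill(pid, 0): signal 0 is not delivered,
    and EPERM (PermissionError) still proves the process exists."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but owned by another user
        found.add(pid)
    return found

def thread_group_id(pid, proc_root="/proc"):
    """Tgid from /proc/<pid>/status, or None if unreadable. Thread IDs also
    answer kill(2), so a hit whose Tgid != pid is a thread, not a process."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def cross_view_diff(listed, probed, tgid_of=lambda pid: pid):
    """PIDs in the probe but not the listing, minus thread IDs (Tgid != pid);
    tgid_of is injectable so the logic can be exercised on constructed data."""
    return sorted(pid for pid in probed - listed if tgid_of(pid) in (pid, None))

def find_hidden_processes():
    """Run both views on the live system and return suspect PIDs."""
    return cross_view_diff(listed_pids(), probed_pids(), thread_group_id)
```

A non-empty result from find_hidden_processes() is a lead, not proof: a short-lived process exiting between the two views produces the same discrepancy, so re-run and confirm before treating a PID as hidden.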
All rights reserved WinHaven® LLC