What is a rootkit

A rootkit is malware which consists of a program (or combination of several programs) designed to hide or obscure the fact that a system has been compromised. Contrary to what its name may imply, a rootkit does not grant a user administrator access as it requires such access to execute and tamper with system files and processes. An attacker may use a rootkit to replace vital system executables which may then be used to hide processes and files the attacker has installed along with the presence of the rootkit itself. Access to the hardware (e.g., the reset switch) is rarely required as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are trojan horses as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a 'backdoor' in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination which in turn allows an attacker to access the system regardless of changes to the actual accounts on the system.
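Two of the behaviours just described, hiding processes from monitoring tools and replacing vital executables such as /bin/login, are exactly what the classic defender-side checks look for. The following is an added example, not code from the original post: a cross-view diff of process IDs and a digest comparison against a known-good baseline, run here on constructed sample data (the live_* helpers that read /proc and call ps are assumptions for Linux hosts).

```python
import hashlib
import os
import subprocess
from typing import Dict, Iterable, Set

def find_hidden_pids(proc_view: Iterable[int], tool_view: Iterable[int]) -> Set[int]:
    """Cross-view diff: PIDs seen by one enumeration method (e.g. listing /proc)
    but missing from a monitoring tool's output (e.g. ps). A user-land rootkit
    that hooks the tool's library calls usually hides from only one view."""
    return set(proc_view) - set(tool_view)

def verify_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Compare current SHA-256 digests of vital executables with a baseline
    recorded while the system was known-good. Returns each path whose digest
    changed, or which is now missing, mapped to its current digest."""
    return {path: current.get(path, "<missing>")
            for path, digest in baseline.items()
            if current.get(path) != digest}

def sha256_of(path: str) -> str:
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def live_proc_pids() -> Set[int]:
    """First view (assumption: Linux): enumerate PIDs by listing /proc directly."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def live_ps_pids() -> Set[int]:
    """Second, independent view: PIDs as reported by the ps tool."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}

# Constructed sample data: PID 1337 exists in /proc but is absent from ps,
# and /bin/login no longer matches the digest recorded in the baseline.
SAMPLE_PROC = {1, 420, 1337, 2048}
SAMPLE_PS = {1, 420, 2048}
SAMPLE_BASELINE = {"/bin/login": hashlib.sha256(b"known-good login").hexdigest(),
                   "/bin/ps": hashlib.sha256(b"known-good ps").hexdigest()}
SAMPLE_CURRENT = {"/bin/login": hashlib.sha256(b"replaced login").hexdigest(),
                  "/bin/ps": SAMPLE_BASELINE["/bin/ps"]}

if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids(SAMPLE_PROC, SAMPLE_PS))
    print("tampered binaries:", verify_baseline(SAMPLE_BASELINE, SAMPLE_CURRENT))
```

A kernel-mode rootkit that filters /proc itself hides from both views, so these checks complement rather than replace the full offline scan the post calls for.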

Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.

A successfully installed rootkit allows unauthorized users to maintain access as system administrators, and thus to take and keep full control of the 'rootkitted' (or 'rooted') system. Most rootkits typically hide files, processes, network connections, blocks of memory, or Windows Registry entries from the programs system administrators use to detect specially privileged access to computer system resources. However, a rootkit may masquerade as, or be intertwined with, other files, programs, or libraries that have other purposes. It is important to note that while the utilities bundled with a rootkit may be maliciously intended, not every rootkit is always malicious. Rootkits may be used for both productive and destructive purposes. Nonetheless, the use of another person's or organization's computing resources without their consent is unethical, and quite probably illegal, in most cases.

Many rootkits hide utility programs. Those that do so usually aim to abuse a compromised system, and often include a so-called "backdoor" to give the attacker subsequent access at will. A simple example might be a rootkit which hides an application that spawns a command-processing shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to run as though they were started by a privileged user (including the root user) and to carry out functions normally reserved for the superuser. Rootkits are hard to detect with common antivirus programs, and therefore a complete scan of the system is necessary.

Many other utility tools used for abuse can be hidden using rootkits. These include tools for further attacks against computer systems with which the compromised system communicates, such as sniffers and keyloggers. A possible form of abuse is using a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system (or network) instead of the attacker's. Tools for such attacks can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam distribution. Rootkits are normally used in conjunction with other malicious programs as a means to keep them undetectable from the eyes of the user and antivirus scans.

It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is that they make it possible to hide malware from PC users and antivirus programs. Numerous source code samples for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various trojans or spyware programs et cetera.

However, rootkits are not always used to maintain control of a computer. Some software may use rootkit techniques to hide from third-party scanners in order to detect tampering or attempted break-ins, for example in a honeypot. Some emulation software and security software are known to use rootkits. Alcohol 120% and Daemon Tools are commercial examples of the use of non-hostile rootkits. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious virus actions. It loads its own drivers to intercept system activity and then prevents other processes from doing harm to itself. So while its processes are not hidden, they cannot be terminated by standard methods.

wikipedia.org
