Rootkit


A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. The tools are intended to conceal running processes, files or system data, which allows the intruder to maintain access to the system without the user's knowledge.

Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer.

Functions of a Rootkit

A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are referred to as Trojan horses.

Uses of Rootkits

A rootkit is often used to hide utilities used to abuse a compromised system. These often include so called "backdoors" to help the attacker subsequently access the system more easily.

For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality.

A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser.

Rootkits Prepend Attacks

All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems the compromised system communicates with, such as sniffers and keyloggers.

A common abuse is to use a compromised computer as a staging ground for further abuse. This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks.

2 Types of Rootkits: Kernel and Application Level

Rootkits come in two different flavors: kernel-level and application-level kits.

Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. Kernel rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.

Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
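The "appropriate software" mentioned above for the kernel-level case is often a cross-view check: a rootkit that hooks the system calls behind directory listing can remove a process from /proc, but a different kernel view of the process table usually still sees it. The Python script below is an added example for this article, not from the original text; it assumes a Linux host, and the function names and the race-handling approach (two /proc listings around the probe) are the example's own.

```python
"""Cross-view detection of hidden processes (added example, Linux only).

View 1: numeric entries of /proc, which is what ps and top read and what
a hooked directory-listing syscall can filter.
View 2: kill(pid, 0) for every possible PID, which asks the kernel's
process table directly and is rarely hooked by the same rootkit.
A PID that answers the probe but never appears in /proc is suspicious.
"""
import os


def pids_from_proc():
    """High-level view: every numeric directory name under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_kill_probe(pid_max=None):
    """Low-level view: probe each PID with signal 0 (no signal is sent).
    ProcessLookupError (ESRCH) means no such process; PermissionError
    (EPERM) means the process exists but belongs to another user."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def hidden_pids(probed, listed_before, listed_after):
    """PIDs seen by the probe but absent from BOTH /proc listings.
    Requiring absence from both listings filters out short-lived
    processes that started or exited during the probe, which would
    otherwise show up as false positives. Pure function for testing."""
    return sorted(probed - listed_before - listed_after)


if __name__ == "__main__":
    before = pids_from_proc()
    probed = pids_from_kill_probe()
    after = pids_from_proc()
    suspects = hidden_pids(probed, before, after)
    print("probed %d PIDs, /proc lists %d" % (len(probed), len(after)))
    print("hidden candidates:", suspects or "none")
```

A non-empty result is a lead, not proof: confirm with an independent tool or an offline examination of the disk, since a kernel rootkit may also hook the signal path. The probe is slow where pid_max is large (millions of PIDs on many systemd hosts), so pass a smaller pid_max for a quick check.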

Removing rootkits

Many feel that removing a rootkit is prohibitively impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.

This document is licensed under the GNU Free Documentation License (GFDL), which means that you can copy and modify it as long as the entire work (including additions) remains under this license.
