What is a rootkit?
Posted by cotojo on August 2, 2007
A rootkit is not an exploit — it’s the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.
Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.
Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.
A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.
By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.
In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.
Methods to detect rootkits fall into two categories: signature-based and heuristic/behavior-based detection.
Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a “fingerprint” that’s unique to a particular rootkit. However, the rootkit’s tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.
Heuristic/behavior-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with a 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available, leaving 25 GB unaccounted for.
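The following is an added example, not code from the original post or from any product it mentions. It turns the two detection categories above, and the directory-listing suppression described earlier, into small runnable checks over constructed data: a signature scan that only reaches files the (simulated) hooked listing exposes, a cross-view comparison between the API view and a trusted raw view of the same directory, and the disk-space accounting check from the post's 200-GB example. The fingerprint bytes, file names, contents and disk figures are all made up for the demo; the "raw view" is simply supplied here, whereas a real cross-view tool would have to obtain it by reading on-disk structures the hooked API does not mediate.

```python
# Added example (not from the original post): toy versions of the two
# detection approaches described above, run over constructed sample data.
# The fingerprint, file names and disk figures are all made up for the demo.

# Hypothetical fingerprint for a hypothetical rootkit; not a real indicator.
SIGNATURES = {"example-rootkit": b"\x90\x90RK!\x00"}

# Constructed "files" as they really exist on disk (name -> contents).
RAW_FILES = {
    "notepad.exe": b"MZ\x90\x00 harmless program bytes",
    "svchost.exe": b"MZ\x90\x00 another harmless program",
    "hidden.sys": b"MZ\x90\x00 driver " + SIGNATURES["example-rootkit"] + b" payload",
}
HIDDEN_NAMES = {"hidden.sys"}  # what the simulated rootkit suppresses


def hooked_listing(raw_names, hidden_names=HIDDEN_NAMES):
    """Simulate the filtered view an application gets when a rootkit sits
    between it and the directory-listing API. This is a plain list filter,
    present only so the detector below has something to compare against."""
    return [name for name in raw_names if name not in hidden_names]


def scan_bytes_for_signatures(data, signatures=SIGNATURES):
    """Signature-based check: which known fingerprints occur in these bytes?"""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_files(files, visible_names, signatures=SIGNATURES):
    """Scan only the files a directory listing exposes. Fed the hooked
    listing, the scanner never opens the file carrying the fingerprint:
    exactly the limitation the post describes for signature-based tools."""
    hits = {}
    for name in visible_names:
        found = scan_bytes_for_signatures(files[name], signatures)
        if found:
            hits[name] = found
    return hits


def cross_view_diff(api_view, raw_view):
    """Heuristic check: names present in a trusted low-level view of the
    directory but absent from the API view. A rootkit that suppresses
    filenames produces precisely this discrepancy."""
    return sorted(set(raw_view) - set(api_view))


def unaccounted_space_gb(capacity_gb, used_gb, free_gb, tolerance_gb=2):
    """Heuristic check from the post: capacity minus reported used minus
    reported free. Filesystem metadata and reserved blocks explain a small
    gap, so a tolerance is applied before the gap is flagged."""
    gap = capacity_gb - used_gb - free_gb
    return gap, gap > tolerance_gb


def run_demo():
    """Run every check over the constructed data and return the results."""
    raw_view = sorted(RAW_FILES)
    api_view = hooked_listing(raw_view)
    return {
        "hits_via_api_view": scan_files(RAW_FILES, api_view),
        "hits_via_raw_view": scan_files(RAW_FILES, raw_view),
        "hidden_by_hook": cross_view_diff(api_view, raw_view),
        "disk_gap_gb": unaccounted_space_gb(200, 160, 15),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Running the demo shows the signature scan finding nothing through the hooked listing and finding the fingerprint through the raw listing, the cross-view check naming the suppressed file, and the accounting check reporting a 25 GB gap that exceeds the tolerance. The accounting check is deliberately coarse: the used and free figures come from the same operating system the rootkit controls, so a large, persistent gap is a prompt to investigate with a view the rootkit does not mediate (offline media, a boot from clean media), not proof on its own.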
Rootkits are hard to detect. But there are programs that can find them, including a free one from Panda which I have covered in another post.
Panda Anti-Rootkit – Free
© Free PC Security 2007 – 2008
This entry was posted on August 2, 2007 at 1:10 pm and is filed under PC Security, Rootkits, trojans.