What's a Rootkit?
In addition to providing an unauthorized way into the system, a malicious backdoor may include additional functionality to hide itself or to give the attacker further capabilities. For example, backdoors are often paired with software packages known as rootkits. Rather than attaching themselves to application programs and running on top of the host operating system, rootkits attempt to drill down to the kernel level or the OS utility level and replace, modify or divert core operating system functions. A rootkit is not a type of attack, but rather a set of utilities that an attacker installs on a system once it has already been compromised. In effect, they support the intruder's continued use of the system through a backdoor. These utilities alter system data files, configuration/registry entries, and even system-supplied programs and operating system libraries. As a basic example, a rootkit delivered as a file named rootkit.exe may include code that stops listing tools (such as Windows Task Manager or a directory listing) from showing that file, or the process running from it, in their output.
This makes them very difficult to detect: because they operate at the kernel level, or inside the very utilities an administrator relies on, they effectively filter what applications and users are allowed to see. The practical consequence is that a compromised system's own tools cannot be trusted to report the rootkit's files and processes, so a reliable check needs an independent view, for example booting from known-clean media or comparing what the running system reports against what is read directly from disk. Rootkits are normally seen under (and originally came from) UNIX-based operating systems; however, versions are available for Windows.
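The mechanism described above, diverting a core function and filtering its output, is easiest to see in code. The following is an added example, not part of the CertiGuide text: a user-space C simulation in which the "syscall table" is an array of function pointers over a constructed in-memory directory listing. The rootkit half saves the original entry, swaps in a hook, and the hook drops every name starting with a magic prefix, so anything routed through the table (the stand-in for ls or Task Manager) never sees those entries. The detection half shows the two checks a practitioner actually runs: integrity of the table against a known-good value, and a cross-view diff between the filtered and unfiltered listings. Nothing here touches a real kernel, and all names (HIDE_PREFIX, sys_list_dir, install_rootkit, hidden_entry_count and the sample file names) are assumptions made for this example.

```c
/* Added example: user-space simulation of syscall-table hooking.
 * Not a real kernel module; the "table" is an array of function pointers
 * over a constructed in-memory directory. Names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ENTRIES 16
#define HIDE_PREFIX "rk_"        /* assumed: names the rootkit hides */

/* Constructed sample directory, standing in for what the kernel returns. */
static const char *FS_ENTRIES[] = {
    "bash", "ls", "rk_backdoor", "passwd", "rk_config", "syslog"
};
#define FS_COUNT (sizeof FS_ENTRIES / sizeof FS_ENTRIES[0])

/* A "system call": copies up to max names into out, returns the count. */
typedef size_t (*list_dir_fn)(const char **out, size_t max);

static size_t sys_list_dir(const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < FS_COUNT && n < max; i++)
        out[n++] = FS_ENTRIES[i];
    return n;
}

/* The simulated syscall table: one slot for our one call. */
#define SYS_LIST_DIR 0
static list_dir_fn syscall_table[1] = { sys_list_dir };

/* --- rootkit side ------------------------------------------------------ */
static list_dir_fn orig_list_dir;   /* saved so the hook can call through */

/* Hook: call the real function, then strip the entries to be hidden. */
static size_t hooked_list_dir(const char **out, size_t max) {
    size_t n = orig_list_dir(out, max), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[kept++] = out[i];
    return kept;
}

void install_rootkit(void) {
    orig_list_dir = syscall_table[SYS_LIST_DIR];
    syscall_table[SYS_LIST_DIR] = hooked_list_dir;   /* divert the call */
}

/* What any user-land tool sees: it has to go through the table. */
size_t user_list_dir(const char **out, size_t max) {
    return syscall_table[SYS_LIST_DIR](out, max);
}

/* --- detection side ---------------------------------------------------- */
/* Check 1: integrity. The slot no longer points at the known-good function. */
int table_is_tampered(void) {
    return syscall_table[SYS_LIST_DIR] != sys_list_dir;
}

/* Check 2: cross-view diff. Compare the table-routed view with a view taken
 * by a route the rootkit did not hook. Returns how many entries the raw
 * view has that the user view is missing. */
size_t hidden_entry_count(void) {
    const char *user_view[MAX_ENTRIES], *raw_view[MAX_ENTRIES];
    size_t nu = user_list_dir(user_view, MAX_ENTRIES);
    size_t nr = sys_list_dir(raw_view, MAX_ENTRIES);  /* bypasses the table */
    size_t hidden = 0;
    for (size_t i = 0; i < nr; i++) {
        int seen = 0;
        for (size_t j = 0; j < nu; j++)
            if (strcmp(raw_view[i], user_view[j]) == 0) { seen = 1; break; }
        if (!seen) hidden++;
    }
    return hidden;
}

int main(void) {
    const char *names[MAX_ENTRIES];
    printf("before: tampered=%d hidden=%zu entries=%zu\n",
           table_is_tampered(), hidden_entry_count(),
           user_list_dir(names, MAX_ENTRIES));
    install_rootkit();
    size_t n = user_list_dir(names, MAX_ENTRIES);
    printf("after:  tampered=%d hidden=%zu entries=%zu\n",
           table_is_tampered(), hidden_entry_count(), n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", names[i]);
    return 0;
}
```

Before the hook is installed both checks are clean and all six names are listed; afterwards the table slot no longer matches, the user view shrinks to four names, and the cross-view diff reports two hidden entries. The limitation is the same as on a real system: the cross-view check only works if the second route (here a direct call to sys_list_dir, in practice raw disk reads or a boot from clean media) is one the rootkit has not also diverted.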
Rootkits take their name from root, the UNIX system administrator account that has complete control over the system: they are literally kits that provide root access (usually through the backdoor) and the means to keep it, by hiding your activities and the rootkit's own existence on the system.
One of the more insidious facets of rootkits (also true of Trojans, worms and viruses, described in section 1.5) is how they are created and by whom they are used. Coding a Trojan or rootkit requires a detailed understanding of the target system's architecture and considerable programming ability, but using these tools requires only a few point-and-click operations, which again makes them favorite tools of the script kiddie. Searching Yahoo for +rootkit +download returned almost 1,400 matches, which appeared to be split between tools to detect rootkits and tools to build them.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.