What are Rootkits?

A lot of buzz about rootkits recently so I thought I’d join in on the bandwagon. Sony recently came under controversy for their XCP (Extended Copy Protection) Rootkit (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1140633,00.html).

Defining Rootkits

First, the concept of “root” comes from the golden days of UNIX where the “root” was the beginning point of the system’s understanding of file-level security. Root can be described in two contexts: one, inheriting super-user security permissions within an operating system, or two, the macro beginning of a directory structure.

Second, a “rootkit” is a suite of binary tools that can be used to maliciously infect a target computer to gain unauthorized access to the host – perhaps in terms of administrative authority, or to the native file system (example: c:\). If that doesn’t unnerve you enough, rootkits can be downloaded for free or at cost from various locations, the most notorious being the Hacker Defender Project (hxdef.czweb.org); the rootkit for the Windows platform can be downloaded for free at http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00.html. They are common instruments, and some would argue that a rootkit is an effective tool in the arsenal needed to protect a corporate security environment.

What Does a Rootkit Do

Once installed, rootkits attempt to mask their presence from antivirus scanners by renaming components of themselves and critical system files. They will then attempt to load programs into runtime memory (RAM) with administrative privilege. This access can serve the hacker in a myriad of ways: running processes on the host that cause harm to the computer, serving as a back door for remote-control attacks, or allowing the hacker to use the host as a zombie to perform some undesirable function (example: hosting porn files without the owner’s knowledge or permission).
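A defender’s counterpart to the renaming described above is a file-integrity baseline: hash the files you care about from a known-clean state, re-hash them later, and report anything replaced, missing or newly dropped. The Python below is an added example written for this page, not code from the original post or from any tool it names; the file names and contents are constructed stand-ins created inside a temporary directory, not real system files.

```python
import hashlib
import os
import tempfile

# Constructed sample: names that stand in for "critical system files".
# They are created inside a temporary directory, never touching the real OS.
SAMPLE_FILES = {
    "system32/kernel_stub.dll": b"constructed kernel stub v1",
    "system32/net_helper.exe": b"constructed network helper v1",
    "system32/drivers/disk_stub.sys": b"constructed disk driver v1",
}


def sha256_of(path):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and map each relative path (with '/' separators) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Classify differences between a trusted baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write_sample(root, files):
    """Materialize the constructed sample tree under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Build a clean baseline, simulate tampering, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample(root, SAMPLE_FILES)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): one file replaced with different
        # content, one renamed out of the way, and a new binary dropped in.
        with open(os.path.join(root, "system32/net_helper.exe"), "wb") as f:
            f.write(b"constructed network helper v1 + patched")
        os.rename(os.path.join(root, "system32/drivers/disk_stub.sys"),
                  os.path.join(root, "system32/drivers/disk_stub.sys.bak"))
        with open(os.path.join(root, "system32/svc_extra.exe"), "wb") as f:
            f.write(b"constructed unexpected binary")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The important caveat is where the scan runs: a kernel-level rootkit that hooks file reads can hand the scanner the original bytes while the on-disk file is different, so both the baseline and the comparison scan should be taken from a trusted boot medium or with the disk mounted offline. Cross-view tools such as RootkitRevealer, mentioned later in the post, work on the same idea by comparing what the Windows API reports against what is actually on disk.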

Because they attempt to mask their presence, rootkits are sometimes difficult to find with traditional antivirus mechanisms. Some sites recommend performing a port scan on suspect hosts to see if new services are running on a computer that shouldn’t be (http://bagpuss.swan.ac.uk/comms/hxdef.htm); the same site also makes recommendations for examining a registry location for references to executables launched in a suspect area. There are also software tools – http://www.snapfiles.com/get/unhackme.html or http://www.sysinternals.com/blog/2005/03/updated-rootkitrevealer.html – that can be used to detect the presence of a rootkit and eventually delete it.
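The two checks the paragraph recommends, new listening services and unfamiliar autorun entries, are easy to mechanize once a known-good baseline exists. The Python below is an added example for this page, not code from the original post or from the sites it links; the netstat-style lines, the Run-key entries, the allowlist and the trusted-directory list are all constructed sample data.

```python
import re

# Constructed baseline: listening sockets captured from a known-good build of
# the host, in simplified "netstat -an" layout. Not real output.
BASELINE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed later capture from the same host: two listeners have appeared.
CURRENT_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         10.0.0.9:443           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:53             *:*
"""

# proto, local addr, local port, remote addr, optional state
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?")


def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = SOCKET_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(3)), m.group(5)
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing sockets are not new services
        listeners.add((proto, port))
    return listeners


def new_listeners(baseline_text, current_text):
    """Sockets present now that were absent from the baseline capture."""
    return sorted(parse_listeners(current_text) - parse_listeners(baseline_text))


# Constructed Run-key style entries (value name -> command line), the kind of
# data one would export from the CurrentVersion\Run location. Not real data.
AUTORUN_ENTRIES = {
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /silent',
    "DisplayTray": r"C:\Windows\System32\displaytray.exe",
    "svchosts": r"C:\Users\alice\AppData\Local\Temp\svchosts.exe -hide",
}

# Constructed allowlist: lower-cased value name -> expected executable path.
KNOWN_AUTORUNS = {
    "vendorupdater": "c:\\program files\\vendor\\updater.exe",
}

# Constructed list of directories where autorun binaries are normally expected.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def executable_of(command):
    """Extract the lower-cased executable path from a Run-key command line."""
    cmd = command.strip().strip('"').lower()
    idx = cmd.find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def unexpected_autoruns(entries, known=KNOWN_AUTORUNS, trusted_dirs=TRUSTED_DIRS):
    """Entries whose executable is not the allowlisted one, with a reason."""
    findings = []
    for name, command in entries.items():
        exe = executable_of(command)
        if known.get(name.lower()) == exe:
            continue
        reason = "not in allowlist"
        if not exe.startswith(trusted_dirs):
            reason += ", outside trusted directories"
        findings.append((name, exe, reason))
    return sorted(findings)


if __name__ == "__main__":
    print("new listeners:", new_listeners(BASELINE_NETSTAT, CURRENT_NETSTAT))
    for name, exe, reason in unexpected_autoruns(AUTORUN_ENTRIES):
        print(f"autorun {name!r} -> {exe} ({reason})")
```

Feed `parse_listeners` real `netstat -an` output and the comparison works unchanged. The reason the linked site suggests a port scan from another machine rather than `netstat` on the suspect host is the same hiding behaviour discussed above: a rootkit that filters the host's own socket listing will not show up in a local capture, while an external scan sees whatever actually answers on the wire.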

How to Protect Yourself

Rootkits must be installed. The NT (Windows) Rootkit from holy_father, for example, uses two components: an executable that must be run on the suspect host in conjunction with an *.ini file; the executable processes the instructions provided by the hacker in the *.ini file. That means that the hacker must first have this kind of access on the target computer, or the legitimate user with appropriate access permissions is tricked into executing the code on their behalf, or the installation is run as a batch job without the legitimate user’s knowledge.

Practicing good computing habits – avoid visiting websites you’re entirely unfamiliar with, avoid double-clicking on questionable email attachments, avoid downloading free applications that aren’t expressly stated to be free of spyware, and install good firewall, anti-virus and anti-spyware products – is the best route for protection. Detection and elimination are another thing – you may want to find a responsible technology professional to assist in detecting and removing rootkit malware.

R
www.micklerandassociates.com