Rootkit

A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.[1] The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.[1]

Rootkit installation can be automated, or an attacker can install it once they have obtained root or Administrator access. That access is typically the result of a direct attack on the system: exploiting a known vulnerability, or obtaining a password by cracking, privilege escalation, or social engineering. Once installed, the rootkit makes it possible to hide the intrusion as well as to maintain privileged access. The key is the root/Administrator access: full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent the rootkit.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.
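The difference-scanning (cross-view) method mentioned above, as an added example that is not part of the original article: the process table is enumerated through two independent paths and the views are compared, so a user-mode rootkit that hooks the high-level enumeration routine but not the lower-level one exposes the PIDs it hides. The sample views `PS_OUTPUT` and `PROC_ENTRIES` are constructed, and the function names are assumptions for illustration.

```python
"""Cross-view difference scan for hidden processes.

Added example, not code from the original article. The same object (the
process table) is enumerated through two independent paths; anything present
in the lower-level view but absent from the higher-level one is reported as a
candidate hidden process. Sample inputs are constructed.
"""
import os
import re

# Constructed sample: `ps -eo pid,comm` output as a hooked enumeration API
# would present it. PID 988 has been filtered out of this view.
PS_OUTPUT = """\
  PID COMMAND
    1 systemd
  742 sshd
  913 cron
 1204 bash
"""

# Constructed sample: raw directory entries of /proc from an unhooked path
# (for example a direct getdents syscall). Non-numeric entries are not PIDs.
PROC_ENTRIES = ["1", "742", "913", "988", "1204", "self", "cpuinfo", "meminfo"]


def parse_ps(text: str) -> set[int]:
    """Extract PIDs from `ps -eo pid,comm` style output (header line skipped)."""
    pids = set()
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_proc(entries) -> set[int]:
    """Keep only the purely numeric /proc entries; those are PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def cross_view_diff(high_view: set[int], low_view: set[int]) -> list[int]:
    """PIDs visible to the low-level view but hidden from the high-level one."""
    return sorted(low_view - high_view)


def probe_pids(max_pid: int) -> set[int]:
    """Low-level live view on POSIX: brute-force kill(pid, 0).

    No signal is delivered. ProcessLookupError (ESRCH) means no such process;
    PermissionError (EPERM) means it exists but belongs to another user,
    which still counts as existence.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def live_scan() -> list[int]:
    """Linux-only: compare the /proc listing (readdir path) with kill() probing.

    Processes that exit between the two enumerations produce false positives;
    repeat the scan and intersect the results before treating a PID as hidden.
    """
    high = parse_proc(os.listdir("/proc"))
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    low = probe_pids(max_pid)
    return cross_view_diff(high, low)


if __name__ == "__main__":
    hidden = cross_view_diff(parse_ps(PS_OUTPUT), parse_proc(PROC_ENTRIES))
    print("hidden in sample views:", hidden)  # [988]
```

The sample comparison runs offline on any platform; `live_scan()` is for a Linux host and probes every PID up to `pid_max`, which takes a few seconds. Because both views here are still obtained from user space, a kernel-mode rootkit that filters the syscall results themselves will hide from both, which is why the surrounding text lists booting an alternative, trusted operating system as a separate method.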

History

The first documented computer virus to target the personal computer marketplace, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.[1] Over time, DOS-virus cloaking methods became more sophisticated, with advanced techniques including the hooking of low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files.[1]

The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.[2] If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information.[3][4] Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system.[5] Ken Thompson of Bell Labs, one of the creators of Unix, subverted the C compiler in a Unix distribution and discussed the exploit in the lecture he gave upon receiving the Turing Award in 1983. The modified compiler would detect attempts to compile the Unix "login" command and generate altered code that would accept not only the user's correct password, but an additional password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the "login" command or the updated compiler would not reveal any malicious code.[6] This exploit was equivalent to a rootkit.

The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund.[7] It was followed by HackerDefender in 2003.[1] The first rootkit targeting Mac OS X appeared in 2009,[8] while the Stuxnet worm was the first to target programmable logic controllers (PLC).[9]

Sony BMG copy protection rootkit scandal

References

  • "How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system". Microsoft. http://support.microsoft.com/kb/927069. Archived from the original on 2012-07-20. Retrieved 2010-11-13.
  • Seshadri, Arvind; et al. (2005). "Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems". Carnegie Mellon University. Retrieved 2010-11-22.
  • Dillard, Kurt (2005-08-03). "Rootkit battle: Rootkit Revealer vs. Hacker Defender". http://searchenterprisedesktop.techtarget.com/news/column/0,294698,sid192_gci1112754,00.html. Archived from the original on 2012-07-13.
  • "The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP". Microsoft. 2010-09-14. http://support.microsoft.com/?kbid=890830. Archived from the original on 2012-09-21.
  • Hultquist, Steve (2007-04-30). "Rootkits: The next big enterprise threat?". InfoWorld (IDG). Archived from the original on 2012-09-21. Retrieved 2010-11-21.
  • "Security Watch: Rootkits for fun and profit". CNET Reviews. 2007-01-19. http://reviews.cnet.com/4520-3513_7-6686763-1.html. Archived from the original on 2012-07-18. Retrieved 2009-04-07.
  • Bort, Julie (2007-09-29). "Six ways to fight back against botnets". PCWorld (San Francisco: PCWorld Communications). http://www.pcworld.com/businesscenter/article/137821/six_ways_to_fight_back_against_botnets.html. Archived from the original on 2012-09-07. Retrieved 2009-04-07.
  • Hoang, Mimi (2006-11-02). "Handling Today's Tough Security Threats: Rootkits". Symantec Connect (Symantec). http://www.symantec.com/connect/blogs/handling-todays-tough-security-threats-rootkits. Archived from the original on 2012-09-21. Retrieved 2010-11-21.
  • Danseglio, Mike; Bailey, Tony (2005-10-06). "Rootkits: The Obscure Hacker Attack". Microsoft. http://technet.microsoft.com/en-us/library/cc512642.aspx. Archived from the original on 2012-09-21.
  • Messmer, Ellen (2006-08-26). "Experts Divided Over Rootkit Detection and Removal". NetworkWorld.com (Framingham, Mass.: IDG). Archived from the original on 2012-09-03. Retrieved 2010-08-15.
  • Stevenson, Larry; Altholz, Nancy (2007). Rootkits for Dummies. John Wiley and Sons Ltd. p. 175. ISBN 0-471-91710-9.
  • Skoudis, Ed; Zeltser, Lenny (2004). Malware: Fighting Malicious Code. Prentice Hall PTR. p. 335. ISBN 0-13-101405-6.
  • Hannel, Jeromey (2003-01-23). "Linux RootKits For Beginners - From Prevention to Removal" (PDF). SANS Institute. http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901. Retrieved 2010-11-22. (dead link)

Further reading

  • Blunden, Bill (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Wordware. ISBN 978-1-59822-061-2.
  • Hoglund, Greg; Butler, James (2005). Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional. ISBN 0-321-29431-9.
  • Grampp, F. T.; Morris, Robert H., Sr. (October 1984). "The UNIX System: UNIX Operating System Security". AT&T Bell Laboratories Technical Journal (AT&T) 62 (8): 1649–1672.
  • Kong, Joseph (2007). Designing BSD Rootkits. No Starch Press. ISBN 1-59327-142-5.
  • Veiler, Ric (2007). Professional Rootkits. Wrox. ISBN 978-0-470-10154-4.