Dennis Faas's picture

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer.

Functions of a rootkit

A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are counted as trojan horses.

Uses of rootkits

A rootkit is often used to hide utilities used to abuse a compromised system. These often include so called "backdoors" to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality.

A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems the compromised system communicates with such as sniffers and keyloggers. A common abuse is to use a compromised computer as a staging ground for further abuse. This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks.

Types of rootkits

Rootkits come in two different flavours, kernel and application level kits.

Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. Kernel rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker.

Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.

Removing rootkits

Many feel that removing a rootkit is forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.

This article is adapted from:

Rate this article: 
No votes yet