Rootkits can be considered the most technically sophisticated form of
malicious code (malware) and one of the most difficult to discover
and eliminate. Of all types of malware, viruses and worms probably
get the most publicity, because they are generally widespread and
many people know they have been affected by a virus or a worm, but this
definitely does not mean that viruses and worms are the most
destructive variety of malware. There are more dangerous types,
because as a rule they operate in stealth mode, are difficult to
detect and remove, and can go unnoticed for very long periods of
time, silently stealing data and modifying files on the victim's
machine.
An example of such a stealthy enemy is the rootkit: a collection of
tools that replace or change executable programs or the kernel of the
operating system itself in order to gain administrator-level access
to the system, which can then be used for installing spyware,
keyloggers and other malicious tools. Essentially, a rootkit allows
an attacker to gain complete control over the victim's machine (and
possibly over the whole network the machine belongs to). One
well-known case of a rootkit causing considerable damage was the theft
of the source code of Half-Life 2.
Rootkits are nothing new: they have been known for decades and are
known to have affected various operating systems (Windows, UNIX,
Linux, Solaris, etc.), but had it not been for one or two mass
occurrences of rootkits (see the Famous Examples section), which drew
public attention to them, they might again have remained known only
to a small circle of security professionals. As of today, rootkits
have not yet unleashed their full destructive potential and are not
as widespread as viruses, but this is little comfort.
Rootkits Mechanism Exposed
Like Trojan horses, viruses and worms, rootkits install themselves by
exploiting flaws in network security and in the operating system
itself, and often no action on the user's side is necessary, although
there are rootkits that arrive as an e-mail attachment or are bundled
with a legitimate software program and are harmless until the user
opens the attachment or installs the program. But unlike less
sophisticated forms of malware, rootkits infiltrate the operating
system very deeply and make special efforts to disguise their
presence, for instance by modifying system files.
Basically, there are two types of rootkits: kernel level and
application level. Kernel-level rootkits add code to or modify the
kernel of the operating system. This is achieved by installing a
device driver or a loadable kernel module that alters system calls to
hide the presence of an attacker; thus if you look in the log files,
you will see no suspicious activity on the system. Application-level
rootkits are less sophisticated and generally easier to detect,
because they modify the executables of applications rather than the
operating system itself. Since Windows 2000, every change to an
executable file is reported to the user, making it more difficult for
the attacker to go unnoticed.