The root of the rootkit

A rootkit is software attackers install on systems in order to cover up traces of their presence. Most rootkits also include other advanced tools, such as tools to help the attacker build back doors to insure continued access to the compromised system. For example, a rootkit may intercept login requests and grant cloaked access to the attacker via a special user ID and password. It is not unusual to find keystroke loggers, packet sniffers and other exploit code in rootkits.

RELATED INFORMATION Learn how to ward off hackers with this resource guide Get the latest news and advice about hacker tools and techniques in our resource center Find out how to use defense-in-depth to create an (almost) invulnerable computing environment

Hidden attacks
Rootkits help attackers hide their presence by hiding or removing traces of login records, log entries and processes related to their activities. Some rootkits accomplish this task by replacing the binaries for system administration commands with modified versions designed to ignore attacker activity. For example, on a Unix or Linux system, the rootkit may replace the 'ls' command with one that does not list files located in certain directories. Or it may replace the 'ps' command, which lists the processes running on the system, with one that conveniently ignores processes started by the attacker. The programs responsible for logging activities are similarly modified to help the attacker stay inconspicuous. Therefore, when the system administrator looks at the system, everything looks normal, despite the fact that it has been subverted.

Rootkit styles
Rootkits that accomplish their task by replacing binaries are called user mode rootkits. These rootkits can be detected by looking for changes in the size, date and checksums of key system files. However, sophisticated attackers use kernel mode rootkits to work more stealthily. By taking advantage of Linux's ability to load kernel extensions on the fly, kernel mode rootkits take the deception to the core of the operating system. These rootkits sit silently at the heart of the machine and intercept legitimate programs' OS calls, returning only the data the attacker wants you to see. Detecting such a rootkit is very difficult since it controls the entire environment.

Although rootkits originated in the Unix/Linux world, there are many 'off the shelf' rootkits available for the Windows environment that provide the same functionality as their *nix predecessors. Some of these Windows rootkits are quite sophisticated; for a look at the state of the art, visit www.rootkit.com. If you are responsible for Windows system security, spending time at this site may induce some healthy paranoia.

Prevention
Rootkits are a second level security threat. In other words, you have to make some other security mistakes to allow the attacker to get inside in the first place, such as configuration mistakes, weak authentication, or unpatched vulnerabilities. Once a rootkit has been placed on your system, very bad things have already happened. The best defense against rootkits? Prevent them from being installed in the first place by maintaining a defense-in-depth strategy.

About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Best practices for (small) botnets Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats Malware, Viruses, Trojans and Spyware The world's top 5 riskiest domains New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.