The root of the rootkit

What you will learn from this tip: Rootkits are hard to detect and can give hackers full control of your system. Find out how these popular black hat tools are used and how to detect if someone is hiding in your system.

Pretend you're a hacker.

    Requires Free Membership to View

You just found a system that is no match for your 'leet skillz' and gained root access. Now what? Sooner or later, the system administrator is going to notice his box is 'owned' and you'll be kicked out after the system is patched. That's why you install a rootkit.

A rootkit is software attackers install on systems in order to cover up traces of their presence. Most rootkits also include other advanced tools, such as tools to help the attacker build back doors to insure continued access to the compromised system. For example, a rootkit may intercept login requests and grant cloaked access to the attacker via a special user ID and password. It is not unusual to find keystroke loggers, packet sniffers and other exploit code in rootkits.


Learn how to ward off hackers with this resource guide

Get the latest news and advice about hacker tools and techniques in our resource center

Find out how to use defense-in-depth to create an (almost) invulnerable computing environment

Hidden attacks
Rootkits help attackers hide their presence by hiding or removing traces of login records, log entries and processes related to their activities. Some rootkits accomplish this task by replacing the binaries for system administration commands with modified versions designed to ignore attacker activity. For example, on a Unix or Linux system, the rootkit may replace the 'ls' command with one that does not list files located in certain directories. Or it may replace the 'ps' command, which lists the processes running on the system, with one that conveniently ignores processes started by the attacker. The programs responsible for logging activities are similarly modified to help the attacker stay inconspicuous. Therefore, when the system administrator looks at the system, everything looks normal, despite the fact that it has been subverted.

Rootkit styles
Rootkits that accomplish their task by replacing binaries are called user mode rootkits. These rootkits can be detected by looking for changes in the size, date and checksums of key system files. However, sophisticated attackers use kernel mode rootkits to work more stealthily. By taking advantage of Linux's ability to load kernel extensions on the fly, kernel mode rootkits take the deception to the core of the operating system. These rootkits sit silently at the heart of the machine and intercept legitimate programs' OS calls, returning only the data the attacker wants you to see. Detecting such a rootkit is very difficult since it controls the entire environment.

Although rootkits originated in the Unix/Linux world, there are many 'off the shelf' rootkits available for the Windows environment that provide the same functionality as their *nix predecessors. Some of these Windows rootkits are quite sophisticated; for a look at the state of the art, visit www.rootkit.com. If you are responsible for Windows system security, spending time at this site may induce some healthy paranoia.

Rootkits are a second level security threat. In other words, you have to make some other security mistakes to allow the attacker to get inside in the first place, such as configuration mistakes, weak authentication, or unpatched vulnerabilities. Once a rootkit has been placed on your system, very bad things have already happened. The best defense against rootkits? Prevent them from being installed in the first place by maintaining a defense-in-depth strategy.

About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

This was first published in July 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.