Pretend you're a hacker. You just found a system that is no match for your 'leet skillz' and gained root access....
Now what? Sooner or later, the system administrator is going to notice his box is 'owned' and you'll be kicked out after the system is patched. That's why you install a rootkit.
A rootkit is software attackers install on systems in order to cover up traces of their presence. Most rootkits also include other advanced tools, such as tools to help the attacker build back doors to insure continued access to the compromised system. For example, a rootkit may intercept login requests and grant cloaked access to the attacker via a special user ID and password. It is not unusual to find keystroke loggers, packet sniffers and other exploit code in rootkits.
Rootkits help attackers hide their presence by hiding or removing traces of login records, log entries and processes related to their activities. Some rootkits accomplish this task by replacing the binaries for system administration commands with modified versions designed to ignore attacker activity. For example, on a Unix or Linux system, the rootkit may replace the 'ls' command with one that does not list files located in certain directories. Or it may replace the 'ps' command, which lists the processes running on the system, with one that conveniently ignores processes started by the attacker. The programs responsible for logging activities are similarly modified to help the attacker stay inconspicuous. Therefore, when the system administrator looks at the system, everything looks normal, despite the fact that it has been subverted.
Rootkits that accomplish their task by replacing binaries are called user mode rootkits. These rootkits can be detected by looking for changes in the size, date and checksums of key system files. However, sophisticated attackers use kernel mode rootkits to work more stealthily. By taking advantage of Linux's ability to load kernel extensions on the fly, kernel mode rootkits take the deception to the core of the operating system. These rootkits sit silently at the heart of the machine and intercept legitimate programs' OS calls, returning only the data the attacker wants you to see. Detecting such a rootkit is very difficult since it controls the entire environment.
Although rootkits originated in the Unix/Linux world, there are many 'off the shelf' rootkits available for the Windows environment that provide the same functionality as their *nix predecessors. Some of these Windows rootkits are quite sophisticated; for a look at the state of the art, visit www.rootkit.com. If you are responsible for Windows system security, spending time at this site may induce some healthy paranoia.
Rootkits are a second level security threat. In other words, you have to make some other security mistakes to allow the attacker to get inside in the first place, such as configuration mistakes, weak authentication, or unpatched vulnerabilities. Once a rootkit has been placed on your system, very bad things have already happened. The best defense against rootkits? Prevent them from being installed in the first place by maintaining a defense-in-depth strategy.
About the author:
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.