How To Defeat A Rootkit... The Types
In this first of two articles on how to defeat a rootkit, we'll take a look at what a rootkit is, the types, where they hide and their dangers.
In the second part, we'll discuss how rootkits can be detected.
1. How To Defeat A Rootkit...
What Are Rootkits?
Rootkits came to prominence in 2005, when Sony placed a rootkit on its music CDs. Sony made no mention of the rootkit, and when it was discovered there was an outcry over Sony's spying and deceit. To read more about this episode, which tarnished Sony's reputation, see HowTo Detect Sony Rootkit Installations.
Rootkits are not destructive programs in their own right... but they are designed to conceal the presence of malicious programs on a computer while those programs are running.
Rootkits are similar to viruses in the way they modify the core code of the software installed on the computer. Both rootkits and viruses insert additional code which is meant to hide the infection and keep the system administrator and users in the dark.
However, rootkits are there for one reason only... to ensure that an intruder can access the system and take control whenever they wish -- much like a backdoor Trojan horse.
Rootkits have coded user/password backdoors that allow the intruder access to the system -- unlike viruses, they are limited to allowing the intruder access and they do not need to propagate across the entire system. This is a key point and an important step in learning how to defeat a rootkit.
In other words, rootkits enable someone to disable or use your computer, or steal information from it, without detection by the defenses that guard your privacy and security.
So, unless your antivirus or antispyware is combined with anti-rootkit technology, you will be informed your system is clear, when, in fact, you could be infected.
Unfortunately, the wide range of rootkits makes them a common problem for any operating system... they work on both Windows and Linux.
2. How To Defeat A Rootkit...
Why Are Rootkits Used?
In understanding how to defeat a rootkit, it's useful to know where they are commonly used and for what purposes...
Rootkits are used to hide the various utilities which the intruder uses to gather data or to abuse the system.
Often, rootkits are used to create easier entry for the intruder -- by what computer security experts call the "back door". Rootkits can create shells at the moment when the intruder uses a network port to connect to the system. Abusing a system with the help of rootkits is easy, since the intruder has the same level of access as the administrator while his/her presence goes undetected.
One of the most common and worrying uses of rootkits is to use the compromised computer as a platform to launch attacks against other computers or networks. The attacker basically launches spam, tools that relay chat sessions or even denial of service attacks from the compromised computer.
If the attacks are traced back, they will lead investigators to the computer infected with the rootkits, not the original attacker.
Another use of rootkits is that of hiding Trojans as they infiltrate a system. The programmer of the rootkit can easily use it to extract different kinds of data, such as:
- login details
- credit card data
- personal data for identity theft and fraud
While the Trojans access the personal information, the rootkit hides them from view.
3. How To Defeat A Rootkit...
The Types Of Rootkit And Where They Hide
It can be useful to identify the exact type to know how to defeat a rootkit. However, this knowledge is only really useful for those who want to remove a rootkit with specific software targeted at that rootkit.
There are four main types of rootkits...
- Application level rootkits
They operate at the application level -- the layer of programs and services that users and administrators run -- and replace real applications with fake ones.
- Virtualized rootkits
They change the booting sequence of the system, so that they are loaded before the operating system is. Once on the machine, the virtualized rootkit enables the intruder to intercept all the hardware calls initiated by the user.
- Kernel level rootkits
The kernel is the core of the computer system. These rootkits help the intruder hide back doors into the operating system by changing pieces of kernel code.
- Library level rootkits
This type of rootkit replaces or patches system calls with its own versions that hide the attacker's actions.
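As an added illustration (not code from the original article), here is the cross-view check that anti-rootkit scanners use against the application and library level types above: the list of running processes is taken twice, through two different paths, and any process that appears in one view but not the other is flagged as hidden. It assumes a Linux host with /proc; the hidden PID 4242 in the demonstration is constructed.

```python
import os

def pid_max():
    """Largest PID the kernel will hand out; falls back to the classic default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768

def procfs_view():
    """High-level view: PIDs reported by listing /proc.
    A library-level rootkit that patches readdir() can filter entries out of this list."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_view(upper=None):
    """Low-level view: PIDs that answer to kill(pid, 0), which only tests existence.
    A patched directory listing does not affect this path, so hidden PIDs still appear."""
    live = set()
    for pid in range(1, (upper or pid_max()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists, but belongs to another user
        live.add(pid)
    return live

def cross_view_diff(high_level, low_level):
    """PIDs present in the low-level view but missing from the high-level one.
    Each such PID is a process that some layer is hiding from the usual listing."""
    return sorted(set(low_level) - set(high_level))

if __name__ == "__main__":
    # Constructed demonstration: a pretend directory listing that omits PID 4242.
    visible = {1, 2, 3}
    actual = {1, 2, 3, 4242}
    print("constructed demo, hidden:", cross_view_diff(visible, actual))  # [4242]
    if os.path.isdir("/proc"):
        print("live host, hidden:", cross_view_diff(procfs_view(), probe_view()))
```

A kernel level rootkit that patches the system calls behind both paths defeats this check, which is why that type is the hardest to detect from inside the infected system; a process that starts or exits between the two snapshots also shows up as a one-off difference, so repeat the check before treating a hit as real.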
That completes this first article on how to defeat a rootkit. However, there is more information on anti-rootkit detection software and manually detecting rootkits in the following articles...
4. How To Defeat A Rootkit...
More Rootkit Information
- How To Defeat A Rootkit... How To Manually Detect A Rootkit
- Commercial And Free Rootkit Scanner Downloads
- HowTo Detect Sony Rootkit Installations