A root kit is a set of tools frequently used by an intruder after cracking a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system for malicious purposes. Root kits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.
Origins of root kits
The term "root kit" (also written as "rootkit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the cracker to maintain "root" on the system without the system administrator ever seeing them.
The term is now no longer restricted to Unix-based operating systems, as tools that perform a similar set of tasks exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
Functions of a root kit
A root kit typically hides logins, processes, files and logs, and may include software to intercept data from terminals, network connections and the keyboard. Many sources count root kits as trojan horses.
Common uses of root kits
A root kit is often used to hide utilities used to abuse a compromised system. These often include so-called "backdoors" that help the attacker access the system again more easily. For example, the root kit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits, including tools for further attacks against computer systems the compromised system communicates with, such as sniffers and keyloggers. A common abuse is to use a compromised computer as a staging ground for further abuse; this is often done to make the abuse appear to originate from the compromised system or network instead of from the attacker. Tools for this can include (D)DoS tools and tools to relay chat sessions, spam e-mail or attacks.
Recently, some spyware and even commercial CD DRM software have started using root kit technology to hide themselves from anti-spyware software and to make uninstallation difficult.
Types of root kits
Basic types
Rootkits come in two different flavours: kernel-level and application-level kits. Kernel-level rootkits add code to the kernel and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. Kernel rootkits commonly patch, hook or replace system calls with versions that hide information about the attacker. Application-level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behaviour of existing applications using hooks, patches, injected code or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect.
Examples
- FU Rootkit
- SuckIT
- T0rn
- Ambient's Rootkit (ARK)
- Hacker Defender
Detecting root kits
There are inherent limitations to any program that attempts to detect root kits while running on the suspect system. Root kits are suites of programs which modify many of the tools and libraries upon which all programs on the system depend. Some root kits modify the running kernel (through loadable modules on Linux and many other forms of UNIX, and possibly through VxDs, virtual device drivers, on MS Windows platforms). The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by their original designers.
The best and most reliable method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from an alternative medium (e.g. a rescue CD-ROM or USB stick). A non-running rootkit cannot hide its presence, and most established antivirus programs will identify it. Another approach is to compare the results obtained via standard OS calls (which are presumably doctored by the rootkit) with those of lower-level queries, which ought to remain reliable. If there is a difference, the presence of a rootkit infection can be assumed. Rootkits try to protect themselves by monitoring running processes and suspending their activity until the scanning has finished, since non-stealthy malware will not be identified by rootkit scanners. Security vendors envision a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to hide during the scan process, it will be identified by the stealth detector; if it decides to temporarily unload from the system, the traditional antivirus will find it using fingerprint detection. This combined defence may force attackers to implement counter-attack mechanisms (so-called retro routines) in their rootkit code that forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses, the detection and elimination of root kits will be an ongoing struggle between the creators of the tools on both sides of this conflict.
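An offline integrity check of the kind this passage recommends, as an added example that is not from the original article: run from rescue media with the suspect root filesystem mounted, it compares the classic root kit targets (ps, netstat, w, passwd, init, inetd, sshd) against a SHA-256 baseline recorded from a known-good install of the same package versions. The paths, the baseline and the demo scenario are assumptions.

```python
"""Offline integrity check of the tools a classic root kit replaces.

Added example, not from the original article. Intended to run from rescue
media with the suspect root mounted read-only (e.g. at /mnt/suspect); the
baseline maps relative path -> SHA-256 recorded from a trusted install.
The watched paths and the demo data below are assumptions.
"""
import hashlib
import os
import tempfile

# Tools the article names as the classic targets of a recompiled root kit,
# plus the daemons its ps wrapper is said to keep re-infecting.
WATCHED = ["bin/ps", "bin/netstat", "usr/bin/w", "usr/bin/passwd",
           "sbin/init", "usr/sbin/inetd", "usr/sbin/sshd"]


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, names=WATCHED):
    """Record hashes from a trusted root (e.g. a freshly installed image)."""
    return {n: sha256_file(os.path.join(root, n)) for n in names
            if os.path.exists(os.path.join(root, n))}


def verify(root, baseline):
    """Compare the mounted suspect root against the baseline.

    Returns {"modified": [...], "missing": [...], "ok": [...]}. A modified
    ps or netstat is the signature of an application-level kit; missing
    files are reported too, since a kit may delete what it replaces.
    """
    report = {"modified": [], "missing": [], "ok": []}
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo():
    """Constructed scenario: a clean image, then a copy with ps trojanized
    and inetd deleted. Placeholder bytes stand in for real binaries."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            for n in WATCHED:
                os.makedirs(os.path.dirname(os.path.join(root, n)), exist_ok=True)
                with open(os.path.join(root, n), "wb") as f:
                    f.write(b"ELF placeholder for " + n.encode())
        baseline = build_baseline(clean)
        with open(os.path.join(suspect, "bin/ps"), "ab") as f:
            f.write(b"\x00patched")                     # simulated trojanized ps
        os.remove(os.path.join(suspect, "usr/sbin/inetd"))  # simulated deletion
        return verify(suspect, baseline)


if __name__ == "__main__":
    print(demo())
```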
There are several programs available to detect root kits. On Unix-based systems two of the most popular are chkrootkit and rkhunter. For the Windows platform a stealth scanner named Blacklight, free for personal use, is available in beta on F-Secure's website. Another Windows detector is RootkitRevealer from Sysinternals. It detects all current rootkits by comparing the results reported by the OS with the actual listing read from the disk itself. However, some rootkits have started to add this particular program to a list of files they do not hide from, which removes the differences between the two listings so that the detector does not report them. Renaming the rootkitrevealer.exe file to a random name defeats this. It is an ongoing battle between the rootkits and the detectors.
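The difference-based detection described above (OS calls versus lower-level queries, and RootkitRevealer's listing comparison), as an added example that is not code from the article or from any of the tools it names: the diff logic is generic over any pair of views, and the Linux collectors realize one concrete pair, process IDs enumerated from /proc versus a signal-0 probe of every PID. Assumptions for the live scan: /proc is mounted and /proc/sys/kernel/pid_max is readable.

```python
"""Cross-view detection: diff a high-level listing against a lower-level
one; anything only the low-level view sees is being hidden from the
high-level one. Added example, not code from the article or the tools it
names. Live-scan assumptions: /proc mounted, pid_max readable."""
import os


def hidden_objects(high_level_view, low_level_view):
    """Objects in the low-level view that the high-level view omits.

    A hooked or replaced tool can only *remove* entries from what it
    reports, so the set difference is the suspect set. Works for PIDs,
    file names, socket tuples: any hashable object.
    """
    return sorted(set(low_level_view) - set(high_level_view))


def pid_alive(pid):
    """Probe a PID with signal 0: EPERM still means the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def procfs_pids():
    """High-level view: what a ps-style tool gets by listing /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def bruteforce_pids(limit=None):
    """Low-level view: probe every PID. Hiding a /proc entry from
    readdir() does not stop the kernel answering kill()."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = min(int(f.read()), 65536)   # cap keeps the demo quick
    return {pid for pid in range(1, limit) if pid_alive(pid)}


def is_thread(pid):
    """kill() also answers for thread ids; a thread reports Tgid != pid.
    An unreadable status file keeps the PID as a candidate."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def scan_linux():
    """Live scan; an empty list is the normal result. Candidates are
    re-checked against a fresh /proc view to drop processes that started
    or exited between the two views, and thread ids are filtered out."""
    candidates = hidden_objects(procfs_pids(), bruteforce_pids())
    visible = procfs_pids()
    return [p for p in candidates
            if pid_alive(p) and p not in visible and not is_thread(p)]


# Constructed sample: a doctored ps listing versus a raw probe that still
# sees PID 31337, the process the kit is hiding.
SAMPLE_DOCTORED_PS = [1, 2, 412, 998, 1021]
SAMPLE_RAW_PROBE = [1, 2, 412, 998, 1021, 31337]

if __name__ == "__main__":
    print("sample hidden:", hidden_objects(SAMPLE_DOCTORED_PS, SAMPLE_RAW_PROBE))
    if os.path.isdir("/proc"):
        print("live hidden:", scan_linux())
```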
Root kits vs. computer viruses and worms
The key distinction between a computer virus and a root kit relates to propagation. Like a root kit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).
In the case of the root kit, the payload may attempt to maintain the integrity of the root kit (that is, of the compromise of the system); for example, every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, "re-infecting" them as necessary. The rest of the payload is there to ensure that the cracker (attacker) can continue to control the system. This generally involves backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd
A computer virus can have any sort of payload. However, a computer virus also attempts to spread to other systems, whereas a root kit generally limits itself to maintaining control of one system. A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the cracker/attacker through some sort of covert channel).
Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also, many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses". So all of these terms have somewhat overlapping usage and can easily be conflated.
Publicly available root kits
Like most software used by attackers, many implementations are shared and are easily available on the Internet. It is not uncommon to see a compromised system where a sophisticated publicly available root kit hides the presence of unsophisticated worms or attack tools that appear to have been written by inexperienced programmers.
Most of the root kits available on the Internet are constructed as a "proof of concept": they prove the feasibility of a novel, experimental way of hiding things within a computer system. Since they are experimental, they are often not fully optimized for stealth. When such root kits are used in an attack they are often very effective; however, when they are examined, for example after starting an operating system from a trusted medium such as a CD, they often show very obvious signs of their presence, such as leaving files named "rootkit" in common places on the computer system.
Root kits as copy protection
There are reports as of November 1, 2005 that Sony is using a form of copy protection, or digital rights management, on its CDs which constitutes a root kit, surreptitiously installing itself in a cloaked manner on the user's computer and resisting attempts to detect, disable or remove it. Much speculation is taking place on blogs and elsewhere about whether Sony might be civilly or criminally liable for such actions under various anti-computer-hacking and anti-malware legislation. Ironically, there is also speculation to the effect that the bloggers who point out, with technical details, what Sony CDs do may themselves be committing a civil or criminal offence under anti-circumvention provisions of laws such as the Digital Millennium Copyright Act in the United States. [1] [2]
On November 2, 2005 Sony released a patch to remove this rootkit, while continuing to maintain that it is not malicious and does not pose a security risk. To obtain this patch, you are required to visit their Web site with Microsoft Internet Explorer; users of other browsers, such as Mozilla Firefox, get a message to the effect that their browser is incompatible, because the patch relies on ActiveX controls, which Mozilla omits by design as a proprietary Microsoft technology with security risks. [3]
See also
- Hacker con
- Computer virus
- Host-based intrusion detection
- SANS Institute
External links
Root kit detection software
Freeware
- chkrootkit (UNIX/Linux)
- rkhunter (UNIX/Linux)
- RootkitRevealer (Windows), available from Sysinternals and constantly updated
- klister is a simple set of utilities in rougher form
- flister proof-of-concept code for detecting files hidden by both usermode and kernelmode Windows rootkits
- IceSword (a review is available)
Shareware