A rootkit is a general description of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal through a subversion of standard system security. Techniques used to accomplish this can include concealing running processes, files or system data from the operating system.^[1] Rootkits have their origin in benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Mac OS X^{[2] [3]} , Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules. A computer program is a collection of instructions that describe a task, or set of tasks, to be carried out by a computer. ... This article describes how security can be achieved through design and engineering. ... An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ... Look up Benign in Wiktionary, the free dictionary. ... Malware is software designed to infiltrate or damage a computer system without the owners informed consent. ... “Windows” redirects here. ... Mac OS X (IPA: ) is a line of graphical operating systems developed, marketed, and sold by Apple Inc. ... This article is about operating systems that use the Linux kernel. ... Solaris is a computer operating system developed by Sun Microsystems. ... A device driver, or software driver is a computer program allowing higher-level computer programs to interact with a computer hardware device. ... In computing, loadable kernel modules, or LKM, are object files that contain code to extend the running kernel, or so-called base kernel, of an operating system. ...

Origins

The term rootkit (also written as root kit) originally referred to a set of precompiled Unix tools such as ps, netstat, w and passwd that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain root access (highest privilege) on the system without the system administrator even seeing them. Filiation of Unix and Unix-like systems Unix (officially trademarked as UNIX®, sometimes also written as or ® with small caps) is a computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs including Ken Thompson, Dennis Ritchie and Douglas McIlroy. ... To meet Wikipedias quality standards, this article or section may require cleanup. ... This article or section includes a list of works cited or a list of external links, but its sources remain unclear because it lacks in-text citations. ... The command w on many Unix-like operating systems provides a quick summary of every user logged into a computer, what that user is currently doing, and what load all the activity is imposing on the computer itself. ... passwd is a tool on most Unix and Linux systems used to change a users password. ... On many computer operating systems, superuser, or root, is the term used for the special user account that is controlled by the system administrator. ... A system administrator, or sysadmin, is a person employed to maintain, and operate a computer system or network. ...

The first rootkit (that was ever called a rootkit) was written by Lane Davis and Riley Dake for SunOS 4.1.1. The term is no longer restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows, regardless of the existence (or lack of existence) of a root in the operating system. An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ...

For a short time in 2005, Sony BMG introduced a CD copy protection program that would automatically install on Microsoft Windows users' computers. The copy protection measures included by Sony BMG on several compact discs. Sony BMG included the Extended Copy Protection (XCP) and MediaMax CD-3 software on music CDs. XCP was put on 52 titles^[4] and MediaMax was put on 50 titles.^[5] The software interferes with the normal way in which the Microsoft Windows operating system plays CDs, opening security holes that allow viruses to break in, and causing other problems. The rootkit was found to be malicious forcing Sony BMG to recall all CDs that included this software and publicly releasing a patch on their website to repair the damage caused by the program. Copy prevention, also known as copy protection, is any technical measure designed to prevent duplication of information. ... Bertelsmann is a transnational media corporation founded in 1835, based in G tersloh, Germany. ... CD redirects here. ... XCP-Aurora Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet, (which on 20 November 2006, changed its name to Fortium Technologies Ltd - see links below), and sold as a copy protection or digital rights management (DRM) scheme for compact discs. ... MediaMax CD-3 is a software package created by SunnComm and sold as a form of copy protection for compact discs. ... “Windows” redirects here. ... An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ...

Common use

A rootkit can take full control of a system. A rootkit's purpose is typically to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources. However, a rootkit may be incorporated with other files which have other purposes. It is important to note that while the utilities bundled with the rootkit may be malicious in intent, a rootkit is essentially a technology; it may be used for both productive and destructive purposes.

A rootkit is often used to hide utilities. These are often used to abuse a compromised system, and often include so-called "backdoors" to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems which the compromised system communicates with, such as sniffers and keyloggers. A possible abuse is to use a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks. A major use for rootkits is allowing the programmer of the rootkit to see and access user names and log-in information for sites that require them. The programmer of the rootkit can store unique sets of log-in information from many different computers. This makes the rootkits extremely hazardous, as it allows trojans to access this personal information while the rootkit covers it up. A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication or securing remote access to a computer, while attempting to remain hidden from casual inspection. ... It has been suggested that this article or section be merged into Shell_(computing). ... It has been suggested that this article or section be merged into Computer port (software). ... A kernel connects the application software to the hardware of a computer. ... A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. ... Keystroke logging (often called keylogging) is a diagnostic tool used in software development that captures the users keystrokes. ... A zombie computer (often abbreviated zombie) is a computer attached to the Internet that has been compromised by a security cracker, a computer virus, or a trojan horse. ... DoS redirects here. ... Look up chat in Wiktionary, the free dictionary. ... Wikipedia does not yet have an article with this exact name. ... This article is about electronic spam. ...

Rootkits are not always used to attack and gain control of a computer. Some software may use rootkits to hide from 3rd party scanners to prevent detection or tampering. Some emulation software and security software is known to be using rootkits.^[6] Alcohol 120% and Daemon Tools are commercial examples of the use of non-hostile rootkits. Alcohol 120% is an optical disc authoring program and disk image emulator created by Alcohol Soft. ... This article is about the disk image emulator. ...

Rootkit is a term now loosely applied to cloaking techniques and methods.^[7]

Types

There are five different kinds of rootkits: firmware, virtualized, kernel, library and application level kits. A microcontroller, like this PIC18F8720 is controlled by firmware stored inside on FLASH memory In computing, firmware is a computer program that is embedded in a hardware device, for example a microcontroller. ... In computer science, a virtual machine is software that creates a virtualized environment between the computer platform and its operating system, so that the end user can operate software on an abstract machine. ... A kernel connects the application software to the hardware of a computer. ... Illustration of an application which may use libvorbisfile. ... This article does not cite any references or sources. ...

Firmware

A firmware rootkit uses device or platform firmware to instantiate a persistent image of rootkit malware. The rootkit can hide in firmware because firmware often is not inspected for code integrity. John Heasman demonstrated viability of creating firmware rootkits in both ACPI^[8] and in a PCI expansion ROM.^[9]

Virtualized

Virtualized rootkits are the lowest level of rootkit currently produced. These rootkits work by modifying the boot sequence of the machine to load themselves instead of the original virtual machine monitor or operating system. Once loaded into memory a virtualized rootkit then loads the original operating system as a Virtual Machine thereby enabling the rootkit to intercept all hardware calls made by the guest OS. The SubVirt laboratory rootkit developed jointly by Microsoft and University of Michigan researchers is an example of a Virtual Machine based rootkit or VMBR. In general terms, a virtual machine in computer science is software that creates an environment between the computer platform and the end user in which the end user can operate software. ...

Kernel level

Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. These rootkits often have serious impacts on entire system stability if mistakes are found to be present in the kit's code. Linux Loadable Kernel Modules, or LKM, are object files that contain code to extend the running kernel, or so-called base kernel. ... This article is about operating systems that use the Linux kernel. ... A device driver, or software driver is a computer program allowing higher-level computer programs to interact with a computer hardware device. ... “Windows” redirects here. ...

Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.

Library level

Library rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. In computing, a patch is a small piece of software designed to update or fix problems with a computer program or its supporting data. ... Hooking in programming is a technique employing so called hooks to make a chain of procedures as a handler. ... In computing, a system call is the mechanism used by an application program to request service from the operating system. ...

Application level

Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.

Detecting

Rootkit binaries are usually detected by most^{[citation needed]} signature or heuristics based antivirus programs, at least until they're run by a user. There are inherent limitations to any program that attempts to detect rootkits while the program is running under the suspect system. Rootkits are suites of programs that modify many of the tools and libraries upon which all programs on the system depend. Some rootkits modify the running kernel via loadable modules on Linux and many other forms of UNIX, and possibly through VxDs, virtual external drivers, on MS Windows platforms. The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers. Rootkit detectors that run on live systems currently only work because the rootkits detectable have not yet been developed to hide themselves fully. In Microsoft computing, a VxD is a virtual device driver. ...

The best^{[citation needed]} and most reliable^{[citation needed]} method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from an alternative medium (e.g. rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls (which are supposedly^{[citation needed]} doctored by the rootkit) and lower level queries, which ought to remain reliable. If^{[citation needed]} there is a difference, the presence of a rootkit infection can be assumed. Rootkits attempt^{[citation needed]} to protect themselves by monitoring running processes and suspending their activity until the scanning has finished.^{[citation needed]} The CD-ROM (an abbreviation for Compact Disc Read-Only Memory (ROM)) is a non-volatile optical data storage medium using the same physical format as audio compact discs, readable by a computer with a CD-ROM drive. ... “JumpDrive” redirects here. ...

Security vendors envision^{[citation needed]} a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to hide during the scan process, it will be identified by the stealth detector. If it decides to temporarily unload from the system, the traditional antivirus will find it using fingerprint detection. This combined defense may force attackers to implement counter-attack mechanisms (so called retro routines) in their rootkit code that will forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses, the detection and elimination of rootkits will be an ongoing struggle between the creators of the tools on both sides of this conflict. A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. ...

There are several programs available to detect rootkits. On Unix-based systems, two of the most popular are chkrootkit and rkhunter. For the Windows platform there are many free detection tools such as F-Secure Blacklight and AVG Anti-Rootkit Free from Grisoft. Another Windows detector is RootkitRevealer from Sysinternals which will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself (cross-checking). However, some rootkits started to add RootkitRevealer to a list of files it does not hide from--so in essence, they remove the differences between the two listings, and the detector doesn't report them (most notably commercial rootkit Hacker Defender Antidetection). Another method is to compare content of binaries present on disk with their copies in operating memory - some differences can be introduced by legal operating system mechanisms (e.g. relocations), but some can be very likely classified as system call hooks introduced by a running rootkit (System Virginity Verifier). The correct title of this article is . ... The correct title of this article is . ... Grisoft is a software house that specialises in anti-virus software. ... RootkitRevealer is a tool for rootkit detection on Microsoft Windows by Mark Russinovich at Sysinternals. ... Sysinternals (formerly using name Winternals) is a website, operated by developers Bryce Cogswell and Mark Russinovich, that has several freeware tools to administrate and monitor Microsoft Windows computers. ... An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ...

As always^{[citation needed]}, prevention is better than cure. If the integrity of the system install disks is trusted, cryptography may be used to monitor the integrity of the system. By "fingerprinting" the system files immediately after a fresh system install and then again after any subsequent changes made to the system (e.g. installing new software), the user or administrator will be alerted to any dangerous changes to the system's files. In the fingerprinting process a cryptographic hash function is used to create a fixed-length number that is dependent on every bit of data contained in the file being fingerprinted. By calculating and comparing hash values of files (the essence of the fingerprint) at regular intervals, changes not made by any intended user of the system can be detected. In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. ...

Detection in firmware can be achieved by computing a cryptographic hash of firmware and comparing hash values to a whitelist of expected values, or by extending the hash value into TPM (Trusted Platform Module) configuration registers, which are later compared to a whitelist of expected values. Code that performs hash, compare, and/or extend operations must itself not be compromised by the rootkit. The notion of an immutable (by a rootkit) root-of-trust ensures that the rootkit does not compromise the system at its most fundamental layer. Rootkit detection using a TPM is further described in Stopping Rootkits at the Network Edge, January 2007. In computing, Trusted Platform Module (TPM) is both the name of a published specification detailing a microcontroller that can store secured information, as well as the general name of implementations of that specification, often called TPM chip or TPM Security Device (Dell). ...

Removing

There is a body of opinion that holds this to be forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch. Since drive imaging software makes the task of restoring a “clean” OS installation almost trivial, there is no good reason to try to dig a rootkit out directly. "I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt this is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat. This is so even if the rootkit is very well known and can be removed 100%." Rootkit Question Disk cloning is a category of software which copies the contents of one computer hard disk to another. ... Formatting a hard drive using MS-DOS This article needs cleanup. ...

While most Anti-Virus and Malware removal tools remain ineffective against rootkits, tools such as BartPE and other Preinstalled Environment(PE) or Live Distros allow users to boot their computer into a fresh "un-rooted" copy of the operating system. This allows users to replace affected system files and delete offending rootkits while keeping their underlying systems intact. Since most rootkits hook system files needed at the lowest level of the OS, booting into Safe Mode does not allow removal of the rootkit process. In contrast PE's do not rely on the infected underlying system structure but instead load a clean read-only copy of the Operating System allowing full control and detection of the rootkit. While most Administrators prefer a clean reinstall, a skilled Administrator using a PE can delete and clean a rooted system where a reinstall is not a viable option and in a fraction of the time. BartPE (Barts Preinstalled Environment) is a Live CD version of the Microsoft Windows XP or Windows Server 2003 operating systems. ... Gnoppix 0. ... Safe Mode is a diagnostic mode used by certain computer operating systems, including Microsoft Windows and Mac OS X, as well as other complex electronic devices. ...

Comparison with computer viruses and worms

The key distinction between a computer virus and a rootkit relates to propagation. Like a rootkit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus). A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. ...

In the case of the rootkit the payload may attempt to maintain the integrity of the rootkit (the compromise to the system) --- for example every time one runs the rootkit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, and "re-infecting" them as necessary. The rest of the payload is there to ensure that the intruder can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some rootkits may add port knocking checks to existing network daemons (services) such as inetd or the sshd. A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication or securing remote access to a computer, while attempting to remain hidden from casual inspection. ... In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. ...

A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general, a rootkit limits itself to maintaining control of one system.

A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the intruder through some sort of covert channel). A computer worm is a self-replicating computer program. ... In information theory, a covert channel is a communications channel that does a writing-between-the-lines form of communication. ...

Of course there are hybrids. A worm can install a rootkit, and a rootkit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated. A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. ... A port scanner is a piece of software designed to search a network host for open ports. ...

Publicly available

Like most software used by attackers, lots of implementations are shared and are easily available on the Internet. It is not uncommon to see a compromised system where a sophisticated publicly available rootkit hides the presence of unsophisticated worms or attack tools that appear to be written by inexperienced programmers. A computer worm is a self-replicating computer program. ...

Most of the rootkits available on the Internet are constructed as an exploit or "proof of concept" to demonstrate varying methods of hiding things within a computer system. Since these are often not fully optimized for stealth, they sometimes leave evidence of their presence on a system. Even so, when such rootkits are used in an attack they are often very effective. A proof of concept is a short and/or incomplete realization of a certain method or idea(s) to demonstrate its feasibility. ...

See also

• Hacker con
• Computer virus
• Host-based intrusion detection system
• The SANS Institute
• 2005 Sony BMG CD copy protection scandal

Hacker con is a term that describes a hacker convention. ... A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. ... A Host-based Intrusion Detection System (HIDS), as a special category of an Intrusion-Detection System, focuses its monitoring and analysis on the internals of a computing system rather than on its external interfaces (as a Network Intrusion Detection System (NIDS) would do). ... The SANS Institute (SysAdmin, Audit, Networking, and Security) is a trade name owned by the for-profit Escal Institute of Advanced Technologies. ... The 2005 Sony BMG CD copy protection scandal was a public scandal dealing with Sony BMG Music Entertainments surreptitious distribution of rootkit software on audio compact discs. ...

References

This article is about the year. ... is the 320th day of the year (321st in leap years) in the Gregorian calendar. ... The USENIX Association is the Advanced Computing Technical Association. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 196th day of the year (197th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 196th day of the year (197th in leap years) in the Gregorian calendar. ... is the 326th day of the year (327th in leap years) in the Gregorian calendar. ... Year 2006 (MMVI) was a common year starting on Sunday of the Gregorian calendar. ... is the 326th day of the year (327th in leap years) in the Gregorian calendar. ... Year 2006 (MMVI) was a common year starting on Sunday of the Gregorian calendar. ... Mark Russinovich is a software engineer and author who works for Microsoft as a Technical fellow. ... Year 2006 (MMVI) was a common year starting on Sunday of the Gregorian calendar. ... is the 243rd day of the year (244th in leap years) in the Gregorian calendar. ... Year 2006 (MMVI) was a common year starting on Sunday of the Gregorian calendar. ... is the 225th day of the year (226th in leap years) in the Gregorian calendar. ...

External links

• rootkit.com (online rootkit magazine)
• A test of anti-rootkit software made by InformationWeek, January 2007
• Steve Gibson's Security Now! Episode #9 (on rootkits)
• Steve Gibson's Security Now! Episode #12 (on rootkits)
• Sony, Rootkits and Digital Rights Management Gone Too Far (Mark Russinovich's first blog entry about the Sony DRM rootkit, from which the scandal ensued)
• Designing BSD Rootkits An Introduction to Kernel Hacking (book by Joseph Kong)
• How to remove spyware from your PC: rid yourself of rootkits
• Glossary of malware terminology ("Rootkit" has a negative connotation)
• White paper on hypervisor rootkit technology