Root kit
A root kit is a set of tools installed by an intruder after compromising a computer system. The tools help the attacker keep access to the system, conceal that access from its administrators, and use the system for further malicious purposes. Root kits exist for a variety of operating systems, including Linux, Solaris, and several versions of Microsoft Windows.
Origins of root kits
The term "root kit" originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the cracker to maintain "root" on the system without the system administrator even seeing them.
The term is no longer restricted to Unix-based operating systems: tools that perform the same set of tasks now exist for non-Unix operating systems, even those that have no "root" account.
Functions of a root kit
A root kit typically hides logins, processes, files, and log entries, and often includes software to intercept data from terminals, network connections, and the keyboard (keystroke logging). Because the hidden components masquerade as legitimate system software, many sources count root kits as trojan horses.
A root kit may also include utilities, known as backdoors, that let the attacker get back into the system more easily. For example, the root kit may include a program that spawns a shell when the attacker connects to a particular network port on the system. Kernel root kits may additionally provide a way for processes started by a non-privileged user to perform operations normally reserved for the superuser, so the attacker does not need to log in as root at all.
Types of root kits
Basic Types
Root kits come in two basic flavours: kernel-level and application-level kits. A kernel-level root kit replaces or patches a portion of kernel code with modified code that hides the intruder's activity. This is often done through the operating system's normal mechanism for adding code to the running kernel, such as Loadable Kernel Modules (LKMs) in Linux, although some kits write directly to kernel memory instead. One common tactic is to replace system calls (for example those that list directory entries or processes) with versions that filter out information about the attacker; because every user-space tool, including an honest copy of "ps", relies on those system calls, the hiding cannot be detected by comparing binaries alone. An application-level root kit instead replaces regular application binaries such as "ps", "ls" or "netstat" with trojaned fakes, which can be detected by comparing the installed binaries against known-good checksums.
Examples
- SuckIT
- T0rn
- Ambient's Rootkit (ARK)
Detecting root kits
There are several programs available to detect root kits. Most work by cross-view comparison: they query the same information (processes, files, network connections) through two different paths and report discrepancies, or they compare installed binaries against known-good checksums. On Unix-based systems two of the most popular detectors are chkrootkit and rkhunter. On Windows NT/2000/XP-based systems some root kit detectors currently available are:
Freeware
- rootkitrevealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html) is available from Sysinternals (http://www.sysinternals.com/)
Shareware
- unhackme (http://greatis.com/unhackme/) from Greatis software (http://greatis.com/)
- Blacklight (beta-release) (http://www.f-secure.com/blacklight/) from F-Secure (http://www.f-secure.com/)
- TaskInfo (http://www.iarsn.com/taskinfo.html) by Igor Arsenin (http://www.iarsn.com/)
See also: Host-based intrusion-detection system, SANS
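The cross-view technique that chkrootkit and RootkitRevealer rely on is easy to reproduce by hand. The following is an added example, not code from any of the tools listed above: it compares the list of PIDs the Linux kernel returns when /proc is read as a directory (the view ps uses, and the one a kernel root kit's directory-listing hook filters) against the PIDs whose /proc/<pid>/status file can still be opened directly. A PID reachable by name but missing from the listing is a candidate hidden process. The /proc layout, the pid_max value of 32768, and the function names are assumptions made for this example; the constructed status texts used for checking are not from any real system.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PID 32768     /* classic Linux default pid_max; assumption, check /proc/sys/kernel/pid_max */
#define STATUS_BUF 4096

/* Given the text of a /proc/<pid>/status file, return 1 if the entry is a
   thread-group leader (Pid == Tgid), i.e. a process rather than a thread.
   Threads are reachable as /proc/<tid> but are never listed by readdir,
   so without this filter every extra thread would look like a hidden PID.
   The leading '\n' avoids matching "PPid:". */
int status_is_process(const char *text)
{
    const char *p = strstr(text, "\nPid:");
    const char *t = strstr(text, "\nTgid:");
    if (!p || !t) return 0;
    return strtol(p + 5, NULL, 10) == strtol(t + 6, NULL, 10);
}

/* Merge-compare two ascending PID lists; PIDs present in `probed` but
   absent from `listed` are written to `out` (at most `cap` of them).
   Returns the total number of such PIDs. */
size_t diff_pid_sets(const int *listed, size_t nl,
                     const int *probed, size_t np, int *out, size_t cap)
{
    size_t i = 0, j = 0, n = 0;
    for (; j < np; j++) {
        while (i < nl && listed[i] < probed[j]) i++;
        if (i < nl && listed[i] == probed[j]) continue;   /* seen in both views */
        if (n < cap) out[n] = probed[j];
        n++;
    }
    return n;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* View 1: PIDs the kernel reports when /proc is enumerated with readdir(3). */
static size_t list_proc_pids(int *out, size_t cap)
{
    size_t n = 0;
    struct dirent *e;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    while ((e = readdir(d)) != NULL) {
        const char *s = e->d_name;
        size_t k;
        for (k = 0; s[k]; k++)
            if (!isdigit((unsigned char)s[k])) break;
        if (k == 0 || s[k]) continue;            /* skip non-numeric entries */
        if (n < cap) out[n++] = atoi(s);
    }
    closedir(d);
    qsort(out, n, sizeof *out, cmp_int);
    return n;
}

/* View 2: brute-force every PID and open /proc/<pid>/status by name.
   A path lookup goes through a different kernel code path than the
   directory listing, so a hook that filters one often misses the other. */
static size_t probe_pids(int *out, size_t cap)
{
    size_t n = 0;
    char path[64], buf[STATUS_BUF];
    for (int pid = 1; pid <= MAX_PID && n < cap; pid++) {
        snprintf(path, sizeof path, "/proc/%d/status", pid);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        size_t len = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[len] = '\0';
        if (status_is_process(buf)) out[n++] = pid;
    }
    return n;                                    /* already ascending */
}

/* Run both views and return the PIDs seen in view 2 but not in view 1. */
size_t scan_hidden_pids(int *hidden, size_t cap)
{
    static int listed[MAX_PID], probed[MAX_PID];
    size_t nl = list_proc_pids(listed, MAX_PID);
    size_t np = probe_pids(probed, MAX_PID);
    return diff_pid_sets(listed, nl, probed, np, hidden, cap);
}

int main(void)
{
    int hidden[64];
    size_t n = scan_hidden_pids(hidden, 64);
    if (n == 0) { puts("no hidden processes found by /proc cross-view"); return 0; }
    printf("%zu PID(s) reachable in /proc but missing from its listing:", n);
    for (size_t i = 0; i < n && i < 64; i++) printf(" %d", hidden[i]);
    puts("");
    return 1;
}
```

Two caveats apply to any cross-view check of this kind. First, the two views are not taken atomically, so a process started between the directory pass and the probe pass shows up as a false positive; a hit should be confirmed by rerunning the scan. Second, the check only catches a root kit that hooks the directory listing but not the by-name lookup; a kit that hides the process from both paths (or from the kernel's own task list) must be found with a different view, such as a scan of kernel memory or an offline inspection of the disk from trusted media.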
Resources
- Linux Kernel Rootkits (http://la-samhna.de/library/rootkits/index.html)
- Analysis of the T0rn root kit (http://www.sans.org/y2k/t0rn.htm)