A rootkit is a program, or a set of programs, that allows a third party (an attacker, for example, but not necessarily) to maintain unauthorized access to a computer system over time. The prerequisite for a rootkit is a machine that has already been compromised.

Principle of a rootkit

A rootkit is used after an intrusion and the installation of a backdoor, in order to conceal all the changes made during the intrusion. This lets the attacker keep access to the machine for as long as possible: rootkits are not easily detectable, and often only a thorough forensic analysis reveals their presence.

Role of the rootkit

The main function of a rootkit is to conceal the installation of one or more backdoors. These backdoors (usable locally or remotely) let the attacker get back into the machine without having to exploit again the vulnerability through which the initial unauthorized access was obtained, since that vulnerability would sooner or later be patched.

A rootkit makes a series of modifications, in particular to the system commands and sometimes to the kernel itself.
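Because a classic user-mode rootkit works by replacing system commands (ls, ps, netstat, login) with versions that filter their own output, the standard countermeasure is to compare those binaries against a hash baseline recorded while the system was still trusted, which is what tools such as rkhunter do. The following is an added example written for this article, not code from any of the tools named on the page; the list of watched commands, the baseline format and the fake /bin directory it builds are all constructed for illustration.

```python
"""Detect trojaned system commands by comparing them with a known-good hash
baseline.  Added example for this article; the watched-command list, the
baseline format and the sample files are constructed for illustration."""
import hashlib
import json
import os
import tempfile

# Commands a user-mode rootkit typically replaces (assumed list).
WATCHED_COMMANDS = ["ls", "ps", "netstat", "login"]


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bindir, names=WATCHED_COMMANDS):
    """Record the hash of every watched command while the system is trusted."""
    return {name: sha256_file(os.path.join(bindir, name)) for name in names}


def check_against_baseline(bindir, baseline):
    """Return {name: 'ok' | 'modified' | 'missing'} for each baselined command."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_file(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario: snapshot a fake /bin, then trojan ps and delete netstat."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in WATCHED_COMMANDS:
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        baseline = build_baseline(bindir)
        # The baseline must live off-host or on read-only media: an attacker
        # with root can rewrite a baseline kept on the compromised machine.
        saved = json.dumps(baseline)

        # Simulated rootkit: ps is replaced by a wrapper that hides a process
        # by filtering it out of the real command's output.
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"#!/bin/sh\n/bin/ps.orig \"$@\" | grep -v backdoor\n")
        os.remove(os.path.join(bindir, "netstat"))

        return check_against_baseline(bindir, json.loads(saved))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:8s} {status}")
```

Two caveats apply in practice. The baseline is only useful if it was taken before the compromise and stored where the attacker cannot reach it. And a kernel-level rootkit can lie to the checker itself (by redirecting reads or execution of the replaced binary), so the comparison should be run from trusted media, for example a rescue system mounting the suspect disk.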

Unlike a computer virus or a new-generation worm, a rootkit does not replicate itself.

Installing a rootkit requires administrator rights on the machine, in particular because of the deep changes it makes to the system. This means that the attacker must first have obtained unauthorized access with administrator privileges ("root" under Linux, for example) in order to install the rootkit.

A rootkit does not, by itself, make it possible to break into a running machine. On the other hand, some rootkits collect the passwords that pass through the compromised machine. In this way, a rootkit can indirectly give access to other machines.

Some rootkits also ship with collections of "exploits", short pieces of code dedicated to exploiting one specific vulnerability. The goal is to help attackers take over machines that have not yet been compromised.

The main purpose of a rootkit is stealth: it can, for example, hide certain processes, certain files, certain registry keys, etc. It operates at kernel level (most of the time loaded as a driver) and can therefore deceive, in its own way, the programs that run in user mode (antivirus, firewalls). The rootkit is often combined with other programs, such as a keystroke sniffer or a packet sniffer.

A rootkit has a reason to exist only if a vulnerability is present, if the conditions are met for its exploitation to succeed, and if that exploitation yields administrator rights. In short: no vulnerability, no rootkit.

The best way to protect against rootkits is therefore to guard against the vulnerabilities that let them in.

Rootkits have existed for many years. The chkrootkit project, dedicated to developing a rootkit detection tool for the Linux, *BSD, Solaris and HP-UX platforms, was started in 1997. The phenomenon is therefore not new. In 2002, SecurityFocus published a report on advances in rootkits for Microsoft Windows platforms.

Sony-BMG rootkit

In October 2005, security specialist Mark Russinovich (of the company Sysinternals) discovered a rootkit that was installed, as a digital rights management (DRM) component, when an audio CD from the Sony-BMG label was played. Once loaded, this rootkit hid at kernel level every file whose name began with $sys$. This functionality was exploited by viruses to hide their malicious code and thus evade antivirus programs. The affair did Sony significant harm, both to its reputation and financially. In several countries, Sony was obliged to recall its CDs carrying the rootkit and to compensate customers.

Sony USB key rootkit

In 2007, Sony revealed the presence of a rootkit in its biometric USB keys. It had been developed by their subcontractor FineArt Technology (http://www.fineart-tech.com/en/) at Sony's request. The flaw was discovered by F-Secure.

Sony defended itself, asserting that the aim was not to pass information to certain organizations or to give them access to companies' information. According to several antivirus vendors, this affair is indeed less serious than that of the rootkit on the audio CDs. The main risk, and the main criticism, is that this rootkit creates a hidden system directory, an ideal place that viruses could exploit to evade the usual means of detection.

Non-exhaustive list of rootkits

  • Ducoci rootkit
  • MonKit
  • OpticKit
  • LOC rootkit
  • Romanian rootkit
  • Suckit rootkit
  • Volc rootkit
  • Gold2 rootkit
  • Annonoying rootkit
  • ZK rootkit
  • ShKit rootkit
  • AjaKit rootkit
  • zaRwT rootkit
  • Hacktool.Rootkit
  • t0rn rootkit

Rootkit detection programs

Windows

UNIX/Linux

  • chkrootkit, by Nelson Murilo and Klaus Steding-Jessen (UNIX/Linux)
  • Rkhunter, by Michael Boelen (UNIX/Linux)
  • Zeppoo, by the ZeppooTeam (UNIX/Linux); renamed kernsh on May 15th, 2007, the project has since been integrated into the ERESI framework (September 18th, 2007).
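Hiding processes, described earlier as the rootkit's main stealth function, usually means filtering the directory listing of /proc that ps and similar user-mode tools rely on. Detection tools counter this with a cross-view check: compare the PIDs returned by readdir(/proc) with the PIDs found by probing each possible PID directly with kill(pid, 0), and treat anything that exists but is not listed as suspect. The block below is an added example for this article (Linux only); it is not code from chkrootkit, Rkhunter or the other tools listed, though chkrootkit and unhide implement the same idea. It also handles the two classic false positives of this method: processes that start or exit during the scan, and thread IDs, which kill() accepts although they never appear as top-level /proc entries.

```python
"""Cross-view detection of hidden processes on Linux.  Added example for this
article, not code from any of the tools named on the page.  Assumes a Linux
/proc filesystem; the PID sets used in the tests are constructed."""
import os


def pids_from_listing(proc="/proc"):
    """View 1: what a user-mode tool such as ps sees, i.e. readdir on /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_probe(pid_max=None):
    """View 2: ask the kernel about every possible PID with kill(pid, 0).
    ESRCH means no such process; EPERM means it exists but belongs to
    another user, which still proves existence."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read.
    /proc/<tid> is reachable by name for a thread even though it is not listed."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden(listed, probed, tgid_lookup=tgid_of):
    """PIDs that the kernel confirms exist but that readdir(/proc) did not
    report, excluding threads whose group leader is visible."""
    hidden = []
    for pid in sorted(probed - listed):
        tgid = tgid_lookup(pid)
        # kill(tid, 0) succeeds for a thread id; if its leader is listed the
        # thread is merely not a top-level /proc entry, not hidden.
        if tgid is not None and tgid != pid and tgid in listed:
            continue
        # Unreadable status (tgid is None) is itself suspicious: keep it.
        hidden.append(pid)
    return hidden


def scan(proc="/proc"):
    """Full check.  Listing /proc both before and after the probe means a
    process that started or exited mid-scan appears in one of the listings
    and is not reported as hidden."""
    before = pids_from_listing(proc)
    probed = pids_from_probe()
    after = pids_from_listing(proc)
    return find_hidden(before | after, probed, lambda p: tgid_of(p, proc))


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects if suspects else "none")
```

With the default pid_max of a modern kernel (4194304) the probe issues a few million syscalls and takes several seconds. A kernel rootkit that also hooks kill() and the /proc/<pid> lookups will pass this check; that is why the detection tools above combine several independent views (kill, getpriority, sched_getaffinity, the /proc/<pid> lookup, network-socket inodes) rather than trusting any single one.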


© 2007-2008 speedlook.com; article text available under the terms of GFDL, from fr.wikipedia.org