LogiCL IT Services
Rootkit (activity dissimulation tool)
A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes
or programs from normal methods of detection and enable continued privileged access to a computer. The
term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating
systems) and the word "kit" (which refers to the software components that implement the tool). The term
"rootkit" has negative connotations through its association with malware.
Rootkit installation can be automated, or an attacker can install it once they've obtained root or
Administrator access. Obtaining this access is the result of a direct attack on a system, i.e. exploiting a
known vulnerability (such as privilege escalation) or obtaining a password (by cracking or social
engineering). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged
access. The key is the root/Administrator access. Full control over a system means that existing software
can be modified, including software that might otherwise be used to detect or circumvent the rootkit.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it.
Detection methods include using an alternative and trusted operating system, behavioral-based methods,
signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or
practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the
operating system may be the only available solution to the problem. When dealing with firmware rootkits,
removal may require hardware replacement, or specialized equipment.
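One of the detection methods named above, difference scanning (also called cross-view detection), can be illustrated on Linux by comparing two views of the process table that a rootkit would have to hide consistently: the directory listing of /proc, which a hook on the directory-enumeration path can filter, and a probe of every possible PID with signal 0, which goes through a different kernel path. The following script is an added example, not code from the page or from LogiCL; it assumes a Linux host with procfs mounted at /proc and may run unprivileged, since a permission error from kill(pid, 0) still proves that the PID exists.

```python
"""Cross-view ("difference") scan for hidden processes on Linux.

Added example, not part of the original page. Assumptions: Linux, procfs
mounted at /proc, and a caller that may be unprivileged (EPERM from
kill(pid, 0) still proves the PID exists).
"""
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"


def view_proc_listing(proc_root="/proc"):
    """High-level view: PIDs that a normal directory listing of /proc reports.
    A rootkit hooking getdents/readdir typically filters entries here."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def view_pid_probe(pid_max=None):
    """Low-level view: probe every candidate PID with signal 0.
    kill(pid, 0) delivers no signal; it only asks the kernel whether the PID
    exists. PermissionError means it exists but belongs to another user."""
    if pid_max is None:
        with open(PID_MAX_PATH) as f:
            pid_max = int(f.read().strip())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def diff_views(high_level, low_level):
    """PIDs present in the low-level view but absent from the high-level one:
    candidates for a user- or kernel-mode hiding hook. Processes that started
    between the two snapshots also land here, hence the second pass below."""
    return sorted(set(low_level) - set(high_level))


def confirm_hidden(candidates, proc_root="/proc"):
    """Second pass: a PID that still answers kill(pid, 0) but has no
    /proc/<pid> directory is far more suspicious than a transient miss."""
    confirmed = []
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # it simply exited; not an indicator
        except PermissionError:
            pass  # exists, owned by someone else
        if not os.path.isdir(os.path.join(proc_root, str(pid))):
            confirmed.append(pid)
    return confirmed


if __name__ == "__main__":
    high = view_proc_listing()
    low = view_pid_probe()
    hits = confirm_hidden(diff_views(high, low))
    print("hidden PID candidates:", hits if hits else "none")
```

A clean result from this scan is not proof of absence: a kernel-mode rootkit that hooks the syscall table can lie to both views, which is why the article also lists booting an alternative, trusted operating system and memory-dump analysis. The probe loop issues one syscall per PID up to pid_max, so on hosts with a large pid_max it takes several seconds.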
Uses
Modern rootkits do not elevate access, but rather are used to make another software payload undetectable
by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are
bundled with are malicious. For example, a payload might covertly steal user passwords, credit card
information, computing resources, or conduct other unauthorized activities. A small number of rootkits may
be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation
driver, allowing video game users to defeat anti-piracy measures that require insertion of the original
installation media into a physical optical drive to verify that the software was legitimately purchased.
Rootkits and their payloads have many uses:
- Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal
or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the
/bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function
normally, but also accepts a secret login combination that allows an attacker direct access to the system
with administrative privileges, bypassing standard authentication and authorization mechanisms.
- Conceal other malware, notably password-stealing key loggers and computer viruses.
- Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack
originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers
are typically members of large botnets that can launch denial-of-service attacks and distribute e-mail
spam.
- Enforcement of digital rights management (DRM).
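The subverted /bin/login described in the first bullet is detectable with the signature and difference scanning the article mentions: hash the authentication binaries on a known-good system, keep the baseline off-host, and later compare. The following script is an added example, not code from the page or from LogiCL; it assumes a POSIX host, a baseline JSON file produced earlier on a trusted system, and that the check itself runs from trusted media, because a rootkit with root access can just as easily replace the hashing tool.

```python
"""Baseline-and-compare integrity check for authentication binaries.

Added example, not part of the original page. Assumptions: POSIX host,
baseline stored off-host, scan run from a trusted boot medium.
"""
import hashlib
import json
import os
import stat
import sys

# Constructed watch list: binaries a login-subverting rootkit would
# replace or wrap. Extend it for the host in question.
DEFAULT_WATCHLIST = ["/bin/login", "/usr/bin/sudo", "/usr/bin/passwd",
                     "/bin/ls", "/bin/ps"]


def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe(path):
    """Hash plus the metadata a replacement usually disturbs: size, mode
    (the setuid bit in particular) and owner. mtime is left out on purpose:
    it is trivial to forge and would only add noise."""
    st = os.lstat(path)
    return {
        "sha256": hash_file(path) if stat.S_ISREG(st.st_mode) else None,
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),
        "uid": st.st_uid,
        "symlink": stat.S_ISLNK(st.st_mode),
    }


def build_baseline(paths=DEFAULT_WATCHLIST):
    return {p: describe(p) for p in paths if os.path.lexists(p)}


def compare_baseline(baseline, current):
    """Difference scan: every attribute that changed between two snapshots,
    plus files that vanished or appeared. Returns (path, finding) pairs."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append((path, "missing"))
            continue
        for field in ("sha256", "size", "mode", "uid", "symlink"):
            if old.get(field) != new.get(field):
                findings.append(
                    (path, f"{field} changed: {old.get(field)} -> {new.get(field)}"))
    for path in current:
        if path not in baseline:
            findings.append((path, "not in baseline"))
    return findings


def save_baseline(base, out_path):
    with open(out_path, "w") as f:
        json.dump(base, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "init":
        save_baseline(build_baseline(), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        for path, what in compare_baseline(load_baseline(sys.argv[2]),
                                           build_baseline()):
            print(f"{path}: {what}")
    else:
        print("usage: integrity.py init|check baseline.json")
```

Run `integrity.py init baseline.json` on the freshly installed system, move the JSON off the host, and run `check` from a trusted live medium afterwards. A mode change on /bin/login that adds the setuid bit, or a hash change with no package update to explain it, is exactly the kind of finding the scan exists for; legitimate patches also change the hash, so the baseline is rebuilt after each verified update.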
In some instances, rootkits provide beneficial functionality, and may be installed intentionally by the
computer owner:
- Conceal cheating in online games from software like Warden.
- Detect attacks, for example, in a honeypot.
- Enhance emulation software and security software. Alcohol 120% and Daemon Tools are commercial
examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and
SecuROM. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from
malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes
from doing harm to it. Its processes are not hidden, but cannot be terminated by standard methods (they
can be terminated with Process Hacker).
- Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a
central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it
is stolen.
- Bypassing Microsoft Product Activation.
Defences
System hardening represents one of the first layers of defence against a rootkit, preventing it from being
installed in the first place. Applying security patches (Patch Tuesday), implementing the principle of least
privilege, reducing the attack surface and installing antivirus software are some standard security best
practices that are effective against all classes of malware. Once these measures are in place, routine
monitoring is required. In most cases, however, the only defense against a rootkit is to reformat your hard
drive to completely delete all files.
New secure boot specifications like Unified Extensible Firmware Interface are currently being designed to
address the threat of bootkits.
From Wikipedia, the free encyclopedia.