What is a Rootkit and How to Detect and Protect Against Rootkits


A rootkit is software designed to hide an attacker's presence on a computer or network and to preserve privileged (root or administrator) access to it. Typically an attacker installs a rootkit after first obtaining access to the machine, either by exploiting a known vulnerability or by cracking a password, and then escalating to root. Once the rootkit is installed, it lets the attacker keep root-level access to the computer, and possibly to other machines on the network, without the real administrators knowing about it.

 

 

Why Rootkits

   

·         The attacker obtains root access to the system, for example by installing a virus, trojan horse program or spyware, or by exploiting a vulnerability, in order to fully exploit the machine.

·         To keep that root access, the attacker needs to hide their tracks from the system administrator, for example by modifying system commands so they no longer report the attacker's files, processes and connections.

·         A rootkit lets the attacker maintain hidden, persistent access to the system.

 

The primary purpose of a rootkit is to give an attacker repeated and undetected access to a compromised system. Installing a backdoor process, or replacing one or more of the files that handle normal logins and network connections, is how this objective is usually met. Once attackers have gained access to a target system they may want to return to it for various reasons, including using it as a launch pad for attacks on other systems. Naturally, an attacker wants to secure that base so the probability of detection stays as low as possible, and that is where rootkits come in.

 

A rootkit is often a bundle of tools, such as a network sniffer and log-cleaning scripts or utilities. Rootkit packages may also include tools for cracking Administrator-level passwords or exploiting system vulnerabilities. Either way, the rootkit undermines the existing security of the affected system and violates its integrity. A rootkit is designed to monitor traffic, keep its own logs and open back doors so the attacker can maintain constant access to the compromised system. It hides the attacker's programs from the system administrator's notice, and it modifies the operating system's commands so they behave as the attacker instructs.

 

 

Types of Rootkits

   

There are three basic types of rootkits, classified by where they hook into the system: library, application and kernel. Library and application rootkits run in user mode; kernel rootkits run in kernel mode. Independently of that, a rootkit is either persistent or memory-based, depending on whether it survives a reboot.

 

Library-level rootkits most commonly patch or replace shared library functions (on Linux, typically the libc wrappers around system calls such as readdir, stat and read, injected through LD_PRELOAD or /etc/ld.so.preload) with versions that filter out the rootkit's own files, processes and connections. Every program that goes through the trojaned library then lies: the files cannot be found with a normal file search, and the processes do not appear in the task manager or in ps.

 

Application-level rootkits usually operate by replacing normal application binaries (ls, ps, netstat, login and the like) with trojaned versions, or by modifying program behaviour through hooks, patches or other injected code.

 

Kernel-level rootkits hide backdoors by adding code to the running kernel or by replacing portions of kernel code with modified versions, loaded through device drivers on Windows or loadable kernel modules (LKMs) on Linux. Because they run with the same privilege as the operating system itself, they can lie to every program, including security tools, which makes them difficult to detect and correspondingly more dangerous.

 

Persistent rootkits are designed to survive a system reboot. To do so, this kind of rootkit must have some means of permanently storing its code on the victim's machine, usually on the hard drive. It must also hook some stage of the boot sequence (a boot loader, a driver or module load, a startup script or a scheduled task) so it is loaded from disk into memory each time the machine starts and begins executing again.

 

Memory-based rootkits exist only in volatile memory and may be installed covertly via a software exploit. An attacker who wants a quick, one-time, in-and-out operation, staying undetected and leaving without intending to return, typically uses a memory-based rootkit. Such attacks are usually information-gathering missions by an attacker who has already learned when a machine is normally turned on or running. They can also be reserved for servers that are left running for long periods, by an attacker who wants to remain completely undiscovered and untraceable. A reboot wipes this kind of rootkit, which is also why an investigator should capture a memory image of a suspect machine before powering it off.

 

 

How to Detect and Protect Against Rootkits

 

The fight against rootkits is an arms race. The following techniques can be used to detect the presence of a rootkit on a system:

 

·         Signature-Based Detection

·         Detection by Comparison

·         Heuristic-Based Detection

·         Integrity-Based Detection

 

Signature-Based Detection: This technique scans files and compares them with a collection of signatures of known malware. It only finds rootkits that are already known, and a kernel-level rootkit can feed the scanner clean copies of the files it asks for.

 

Detection by Comparison: This technique compares the results returned through the normal operating system interfaces (the high-level view) with those obtained through lower-level calls, raw disk reads or a scan from outside the machine (the low-level view). If the two views differ, something is hiding information and a rootkit is likely present. Cross-view comparison catches library- and application-level rootkits well; a kernel-level rootkit can falsify both views unless the low-level view comes from outside the running kernel.
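The library-level hook described above and the cross-view check that exposes it, in one added C example (this is not code from the original post). The "rootkit" side is a simulated readdir() wrapper that drops directory entries beginning with the assumed prefix `.rk_`; a real one would be exported as readdir from a shared object listed in /etc/ld.so.preload. The detector reads the same directory once through libc (the high-level view) and once through the raw getdents64 system call (the low-level view), and reports whatever only the kernel view contains. Linux only; the scratch directory and its file names are constructed test data.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define HIDE_PREFIX ".rk_"   /* prefix the simulated rootkit hides (assumed) */
#define MAX_NAMES 256

typedef struct { char names[MAX_NAMES][256]; int count; } namelist;

static void add_name(namelist *l, const char *n) {
    if (l->count < MAX_NAMES)
        snprintf(l->names[l->count++], sizeof l->names[0], "%s", n);
}
static int has_name(const namelist *l, const char *n) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], n) == 0) return 1;
    return 0;
}

/* Simulated library-level hook. A real rootkit exports this as readdir()
 * from a preloaded shared object and reaches the genuine libc function
 * with dlsym(RTLD_NEXT, "readdir"). */
static struct dirent *hooked_readdir(DIR *d) {
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strncmp(e->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;                       /* drop the attacker's entries */
        return e;
    }
    return NULL;
}

/* High-level view: what ls, find and file managers see through libc. */
int list_via_libc(const char *path, namelist *out) {
    DIR *d = opendir(path);
    if (!d) return -1;
    out->count = 0;
    struct dirent *e;
    while ((e = hooked_readdir(d)) != NULL) add_name(out, e->d_name);
    closedir(d);
    return 0;
}

/* Record layout the kernel returns from getdents64. */
struct linux_dirent64 {
    uint64_t d_ino; int64_t d_off; unsigned short d_reclen;
    unsigned char d_type; char d_name[];
};

/* Low-level view: ask the kernel directly, bypassing libc. A user-mode
 * hook cannot filter this; only a kernel-level rootkit could. */
int list_via_syscall(const char *path, namelist *out) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    out->count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            add_name(out, e->d_name);
            off += e->d_reclen;
        }
    }
    close(fd);
    return 0;
}

/* Cross-view diff: anything the kernel reports but libc omits is hidden.
 * Returns the number of hidden entries, or -1 on error. */
int find_hidden(const char *path, namelist *hidden) {
    namelist high, low;
    if (list_via_libc(path, &high) < 0 || list_via_syscall(path, &low) < 0)
        return -1;
    hidden->count = 0;
    for (int i = 0; i < low.count; i++)
        if (!has_name(&high, low.names[i])) add_name(hidden, low.names[i]);
    return hidden->count;
}

/* Constructed test data: a scratch directory holding one ordinary file
 * and one file the simulated rootkit hides. Returns the hidden count. */
static char first_hidden[256];
int demo_hidden_count(void) {
    char dir[] = "/tmp/rkdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    const char *files[] = { "report.txt", ".rk_backdoor" };
    for (int i = 0; i < 2; i++) {
        char f[300];
        snprintf(f, sizeof f, "%s/%s", dir, files[i]);
        FILE *fp = fopen(f, "w");
        if (!fp) return -1;
        fputs("x\n", fp);
        fclose(fp);
    }
    namelist hidden;
    int n = find_hidden(dir, &hidden);
    snprintf(first_hidden, sizeof first_hidden, "%s", n > 0 ? hidden.names[0] : "");
    return n;
}
const char *demo_first_hidden(void) { return first_hidden; }

int main(void) {
    int n = demo_hidden_count();
    printf("hidden entries: %d %s\n", n, demo_first_hidden());
    return n < 0;
}
```

The same idea applies to processes (enumerate /proc through libc, then probe every PID directly with kill(pid, 0) or stat on /proc/PID) and to network sockets (compare netstat output with /proc/net/tcp). Tools such as rkhunter and chkrootkit do variations of this check, and a clean result from any of them only proves that nothing in user mode is lying.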

 

Heuristic or Behaviour-Based Detection: This technique identifies rootkits by recognising deviations from the computer's normal activity, such as hooked system call tables, hidden modules, or network traffic from a process that does not appear in the process list.

 

Integrity-Based Detection: This technique reveals a rootkit by comparing the current state of files (and, in some tools, memory) with a known-good baseline of cryptographic hashes recorded when the system was trusted. Any system binary, library or kernel module whose hash has changed without a corresponding update is suspect.
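An added C example of integrity-based detection, not code from the original post: a baseline of file hashes is recorded, one file is later overwritten the way an application-level rootkit replaces ps, and re-verification reports it. To keep the example dependency-free it uses FNV-1a, which is fast but not collision resistant; a real checker such as AIDE or Tripwire uses SHA-256 or stronger. The temporary directory, the stand-in "ls" and "ps" files and their contents are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64

typedef struct { char path[256]; uint64_t hash; } baseline_entry;
typedef struct { baseline_entry e[MAX_ENTRIES]; int count; } baseline;

/* FNV-1a (64-bit) over a file's contents. Used here only to avoid a crypto
 * dependency: it is NOT collision resistant, so a real tool must use a
 * cryptographic hash. Returns 1 on success, 0 if the file cannot be read. */
int hash_file(const char *path, uint64_t *out) {
    FILE *fp = fopen(path, "rb");
    if (!fp) return 0;
    uint64_t h = 0xcbf29ce484222325ULL;
    int c;
    while ((c = fgetc(fp)) != EOF) {
        h ^= (uint64_t)(unsigned char)c;
        h *= 0x100000001b3ULL;
    }
    fclose(fp);
    *out = h;
    return 1;
}

/* Record known-good hashes. The baseline must be taken while the system is
 * still trusted (fresh install or a boot from clean media) and kept off-box
 * or read-only; otherwise a rootkit can simply rewrite it to match. */
int baseline_record(baseline *b, const char *const *paths, int n) {
    b->count = 0;
    for (int i = 0; i < n && i < MAX_ENTRIES; i++) {
        uint64_t h;
        if (!hash_file(paths[i], &h)) return -1;
        snprintf(b->e[b->count].path, sizeof b->e[0].path, "%s", paths[i]);
        b->e[b->count].hash = h;
        b->count++;
    }
    return b->count;
}

/* Re-hash every baselined file. Returns how many are now missing or
 * different and copies their paths (up to 'max') into 'changed'. */
int baseline_verify(const baseline *b, char changed[][256], int max) {
    int n = 0;
    for (int i = 0; i < b->count; i++) {
        uint64_t h;
        int ok = hash_file(b->e[i].path, &h);
        if (ok && h == b->e[i].hash) continue;        /* unchanged */
        if (n < max) snprintf(changed[n], 256, "%s", b->e[i].path);
        n++;
    }
    return n;
}

/* Constructed scenario: two stand-in "binaries" are baselined, then one is
 * overwritten by a trojaned replacement. Returns the number of changed files. */
static char demo_changed[256];
int demo_integrity(void) {
    char dir[] = "/tmp/integ.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char ls[300], ps[300];
    snprintf(ls, sizeof ls, "%s/ls", dir);
    snprintf(ps, sizeof ps, "%s/ps", dir);
    FILE *fp = fopen(ls, "w"); if (!fp) return -1; fputs("genuine ls\n", fp); fclose(fp);
    fp = fopen(ps, "w"); if (!fp) return -1; fputs("genuine ps\n", fp); fclose(fp);

    const char *paths[] = { ls, ps };
    baseline b;
    if (baseline_record(&b, paths, 2) != 2) return -1;

    /* The "rootkit" swaps in a ps that filters out its own processes. */
    fp = fopen(ps, "w"); if (!fp) return -1; fputs("trojaned ps\n", fp); fclose(fp);

    char changed[MAX_ENTRIES][256];
    int n = baseline_verify(&b, changed, MAX_ENTRIES);
    snprintf(demo_changed, sizeof demo_changed, "%s", n > 0 ? changed[0] : "");
    return n;
}
const char *demo_changed_path(void) { return demo_changed; }

int main(void) {
    int n = demo_integrity();
    printf("%d file(s) differ from baseline: %s\n", n, demo_changed_path());
    return n < 0;
}
```

Two practical points follow from the design: the verification run reads files through the kernel, so a kernel-level rootkit that intercepts read() can still return the original bytes for the files it replaced; running the check from a clean boot medium against the mounted disk removes that blind spot. And legitimate package updates change hashes too, so the baseline has to be refreshed after every patch cycle, or every alert becomes noise.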

 

The first line of defence against rootkits is preventing them from getting onto the computer in the first place. To that end, keep the following basic advice on protection against malware in mind:

 

·         Install a good antimalware solution on the computer, and always keep it activated and updated.

·         Install a personal firewall that will protect against unauthorized access to your computer.

·         Always ensure that the applications installed on the computer are kept up to date, and install any security patches supplied by the vendors promptly, since an unpatched vulnerability is the usual way in.

The task of protecting against rootkits is not to be taken lightly, however, and cannot be limited to these generic measures. A rootkit that runs with kernel privileges can subvert the very antimalware tools and integrity checks that are supposed to find it, so detection should also rely on a view the rootkit does not control, such as examining the disk from a clean boot medium or comparing the machine's answers with what the network sees. If a rootkit is confirmed, the only reliable remedy is to rebuild the system from trusted media and restore data from backups taken before the compromise.

 

 

 

Binary Head