Rootkits

30.01.2006
If an illegal hacker wants to do something to your system, such as plant a virus, a Trojan horse program or spyware, he has to gain root (superuser) access to the system and the unlimited power that goes with that access. Once established as root, the intruder can modify system commands to hide his tracks from the systems administrator and preserve his root access. The easiest way to do this is via a rootkit.

Generally, a hacker obtains normal, user-level access to a computer or network by guessing or stealing a password or exploiting some known vulnerability. Then he finds a way to collect user identities and passwords to other machines on that network while simultaneously erasing all evidence of his activity. Years ago, the hacker would have done this by exploiting his direct knowledge of and experience with the system and his personal programming skills. Today the job is simplified -- the hacker can use one of many available rootkits that pretty much automate the process.

Originally, the term rootkit referred to a set of modified and recompiled Unix tools (typically including ps, netstat and passwd) designed to hide any trace of the intruder's presence or existence. David O'Brien has traced the lineage of rootkits back to the early 1990s, when Solaris and Linux operating systems were the primary targets. Rootkits are no longer limited to Unix-like systems; similar tools are available for other operating systems, including Microsoft Windows.

The name rootkit may suggest a set of canned attack scripts for obtaining root access, but this is not really the case. A rootkit may include programs to monitor traffic, create a back door into the system, alter log files and attack other machines on the network. In almost all cases, a rootkit itself causes no direct damage. Instead, its function is to mask the presence of other types of (usually malicious) software, such as keylogging Trojan horses, viruses or worms. Rootkits do this by hiding or removing traces of log-in records, log entries and related processes.

Some rootkits replace the binary files for system commands with modified versions designed to ignore attacker activity in order to escape detection. For example, on a Unix or Linux system, the rootkit may replace the ls command, which lists files, with one that ignores files located in specified directories. Or it may replace the ps command, which lists the processes running on the system, with a look-alike that omits any processes the attacker has started. Programs that log system activities can be modified in the same way, so that when the systems administrator checks the logs, everything looks normal despite the fact that the system has been compromised.
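The defensive counterpart to the binary replacement described above is a baseline-and-compare integrity check: record a hash of each trusted command while the system is known-good, then re-hash later and flag anything that changed. The script below is an added example written for this article, not code from the original text; it uses temporary stand-in files in place of /bin/ls and /bin/ps, and the manifest format, file names and the simulated "trojaned ls" are all constructed for the demonstration. It also includes a cross-view check of the kind used against a doctored ps: compare the process IDs read directly from /proc with those reported by ps and report any that ps omits.

```python
"""Baseline-and-compare integrity check plus a ps/proc cross-view check.

Added example, not from the original article. A rootkit that swaps ls or ps
for a modified copy changes the file's bytes, so a hash recorded while the
system was trusted no longer matches. All paths and sample data are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of every listed binary while the system is trusted.

    In practice the returned manifest must be stored off-host or on
    read-only media, otherwise the intruder can simply rewrite it.
    """
    return {p: sha256_of(p) for p in paths}


def compare_to_baseline(baseline):
    """Return {path: 'ok' | 'modified' | 'missing'} for each baselined file."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_of(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def hidden_processes(proc_pids, ps_pids):
    """Cross-view check: PIDs present in /proc but absent from ps output.

    proc_pids would come from os.listdir('/proc') on a live system and
    ps_pids from parsing `ps -e`; here both are supplied by the caller.
    """
    return sorted(set(proc_pids) - set(ps_pids))


def demo():
    """Simulate a trojaned ls and return the integrity report keyed by basename."""
    tmp = tempfile.mkdtemp()
    ls_path = os.path.join(tmp, "ls")   # constructed stand-in for /bin/ls
    ps_path = os.path.join(tmp, "ps")   # constructed stand-in for /bin/ps
    with open(ls_path, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
    with open(ps_path, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")

    baseline = build_baseline([ls_path, ps_path])

    # Simulate the rootkit replacing ls with a version that filters output.
    with open(ls_path, "ab") as f:
        f.write(b"# (modified copy: filters a hidden directory)\n")

    report = compare_to_baseline(baseline)
    return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    print(demo())                                  # {'ls': 'modified', 'ps': 'ok'}
    # Constructed PID lists: /proc shows 3 that a doctored ps omits.
    print(hidden_processes([1, 2, 3, 4], [1, 2, 4]))  # [3]
```

Two caveats a practitioner will want: the check is only as trustworthy as the tools it runs with, so if the rootkit has replaced the hashing utility or the kernel itself, run the comparison from known-clean boot media rather than from the suspect system; and the cross-view check assumes /proc is honest, which holds against user-space binary replacement but not against a kernel-level rootkit.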

Finding Rootkits, Viruses