Do not open the door for a rootkit

A rootkit is a tool that assists in breaking into computer systems: it hides the malicious files and processes that let the intruder keep control over the machine. Historically, rootkits were packages (hence the English word "kit") of modified key system binaries for Unix systems (inetd, sshd, ps) that replaced the original binaries right after the break-in. The modified binaries contained the original code plus the rootkit's changes, which, for example, did not show certain processes or allowed a root login when a special password was given. Today's rootkits infect the kernel and filter the hidden programs out of the process lists and file lists returned to programs. They can, for example, hide themselves and Trojan horses from the administrator and from antivirus software. Hiding is done mostly by taking over selected operating system functions, such as those that list processes or the files in a directory: the list generated by the original code is censored by the hooked functions, so names hidden by the rootkit do not appear in the results. Rootkits exist for various operating systems, including Microsoft Windows, Solaris, Mac OS X and FreeBSD. They can operate in user mode (usermode) or in operating system mode (kernel mode). A rootkit can reach your computer bundled with an application that is in fact a Trojan.

Rootkits in the form of binary files are detected by most antivirus programs, but only until they are run on the system. Detecting a rootkit on an already infected system is extremely difficult: the rootkit can control the operation of specialized detection tools and deceive them into falsely reporting that the system is clean. Such techniques were used, among others, in the commercial Antidetection version of Hacker Defender until early 2006, when the project was closed. The most commonly used rootkit detection technique is cross-checking, in which the list of files in a directory returned by the operating system API is compared with the list read directly from the file system. The Windows registry can be verified the same way (the result of the API against a direct read of the registry file on disk). On a healthy system the two results should be identical; records that appear on the second list but are not returned by the API are likely being hidden by a rootkit.
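The cross-checking idea above, as an added illustration that is not part of the original article: a generic comparison of two inventories of the same objects (file names, registry entries or PIDs), plus a live Linux variant that compares the `/proc` listing most tools rely on against brute-force PID probing with `kill(pid, 0)`. The directory listings in the usage block are constructed sample data; the process scan assumes a Linux `/proc` and returns an empty list elsewhere.

```python
"""Cross-checking (cross-view) rootkit detection: inventory the same objects
through two paths and flag entries that the high-level API does not return.
Added illustration; assumptions are noted inline."""
import os
from typing import Dict, Iterable, List, Set


def cross_check(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, object]:
    """Compare an inventory obtained through the OS API (which a rootkit may hook)
    with the same inventory read through a lower-level path (which it is less
    likely to control). Works for file names, registry values or PIDs alike.

    Entries only in the raw view are the suspicious ones: the API is not
    returning them. Entries only in the API view are also anomalous (a race
    between the two reads, or a raw reader that missed something) and are
    reported separately so the caller can re-run the comparison."""
    api: Set[str] = set(api_view)
    raw: Set[str] = set(raw_view)
    return {
        "hidden_from_api": sorted(raw - api),
        "only_in_api": sorted(api - raw),
        "consistent": api == raw,
    }


# ---- Live process cross-view (assumes a Linux /proc; returns [] elsewhere) ----

def pid_exists(pid: int) -> bool:
    """Signal 0 delivers nothing but makes the kernel say whether the PID exists.
    EPERM (PermissionError) means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def proc_listing() -> Set[int]:
    """The view ps and top rely on: the numeric entries of /proc."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def is_non_leader_thread(pid: int) -> bool:
    """Thread IDs answer kill(2) but are deliberately absent from the /proc
    listing, so they must not be reported. Their /proc/<tid>/status carries a
    Tgid different from the tid. If status cannot be read at all, the entry is
    treated as a real hidden process (returns False)."""
    try:
        with open(f"/proc/{pid}/status", "rb") as status:
            for line in status:
                if line.startswith(b"Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def find_hidden_pids(max_pid: int = 32768) -> List[int]:
    """Cross-check /proc (API view) against brute-force PID probing (raw view).
    A PID is reported only if it answers the probe, is missing from /proc in
    snapshots taken both before and after the probe (so processes that start
    or exit mid-scan are not flagged), and is not a thread of a listed process."""
    if not os.path.isdir("/proc"):
        return []
    before = proc_listing()
    probed = {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}
    after = proc_listing()
    candidates = probed - before - after
    return sorted(pid for pid in candidates if not is_non_leader_thread(pid))


if __name__ == "__main__":
    # Constructed sample: what the directory API returned vs. a direct read.
    api_listing = ["boot.ini", "ntldr", "system32"]
    raw_listing = ["boot.ini", "ntldr", "system32", "hidden-by-rootkit.sys"]
    print("directory cross-check:", cross_check(api_listing, raw_listing))
    print("processes hidden from /proc:", find_hidden_pids())
```

The PID scan keeps two `/proc` snapshots and discards non-leader threads because both are classic sources of false positives in cross-view tools: a process that starts or exits during the scan, and thread IDs, which the kernel answers for in `kill(2)` but never lists in `/proc`. A short-lived process that is created after the first snapshot and gone before the second can still slip through, so a hit is worth confirming with a second run before treating it as a hidden process.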
