2.6.5 Rootkits

A rootkit is software installed by attackers on a computer once they have gained access to it, whether through a backdoor, by using a user-level password, or by another method. It gives the attacker's account what is known as root access: the privileges and permissions of an administrator. Once root access is attained, the computer system is completely available to the attacker. Hackers often establish these accounts under names such as “rewt” (a play on root). Other times they stick to the same type of login names used by system shares. Some or all of the code needed to create this type of account is usually called a rootkit.

The rootkit enables remote administrator-level access to the computer, so the attacker can do virtually anything to the device. By this point, the attackers have most likely already dispatched the files that will produce their desired effects, and the affected machines will perform various functions on command for them. The attacker can alter files and configurations, access applications such as email programs and use them to send worms or viruses, and uninstall anti-virus and anti-spyware software. The attacker can also modify how components within the system work, including the kernel or hypervisor. The rootkit may contain other malicious software, such as spyware that captures keystrokes and information. The user will typically not know that another person can remotely control and modify the device.

Detection and removal of rootkits is particularly difficult, but that does not mean detection is impossible. Creating users, sending out malicious code, and running repetitive scripts all add to the noise level of an attack, and more noise gives an Intrusion Detection System (IDS) a better chance of picking up on the attack and alerting an administrator. Signature scanning or difference scanning (comparing the system against a trusted baseline) may also work, as may memory dump analysis. The quick and easy fix is to reinstall the operating system.
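As an added example (not part of the original text), the Python script below shows one form of the difference scanning mentioned above: a baseline of file hashes, permission bits and sizes is recorded while the system is trusted, and a later scan reports files that were added, removed or modified. It assumes the baseline is kept where the attacker cannot alter it and that the scanner runs from a trusted environment, since a kernel-level rootkit can feed a scanner running on the compromised system false file contents; the directory tree and file changes in demo() are constructed sample data.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.lstat()
            baseline[str(path.relative_to(root))] = (
                hash_file(path), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline

def diff_scan(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a trusted baseline and report what changed."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in current.keys() & baseline.keys()
                           if current[name] != baseline[name]),
    }

def demo() -> dict:
    """Constructed sample: a small clean tree, then the kind of changes a rootkit makes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin" / "ls").write_bytes(b"original ls binary")
        (root / "sbin" / "ps").write_bytes(b"original ps binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)  # captured while the system is still trusted
        (root / "sbin" / "ps").write_bytes(b"replaced ps that hides processes")
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("rewt:x:0:0::/root:/bin/sh\n")  # extra uid-0 account, as in the text
        (root / "sbin" / "ls").unlink()
        (root / "sbin" / "backdoor").write_bytes(b"new file dropped by the attacker")
        return diff_scan(root, baseline)
```

Storing only hashes is not enough in practice; recording ownership and permission bits as well catches a binary that was made setuid without its contents changing.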