Root kit
Origins of root kits
The term "root kit" originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the cracker to maintain "root" on the system without the system administrator even seeing them.
The term is now generally not restricted to Unix-based operating systems, since tools that perform a similar set of tasks exist for non-Unix operating systems, even though those systems may have no "root" account.
Functions of a root kit
A root kit typically hides logins, processes, and logs and often includes software to intercept data from terminals, network connections, and the keyboard. In many sources root kits are counted as trojan horses.
A rootkit may also include utilities, known as backdoors, that help the attacker access the system more easily later on. For example, the rootkit may include an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel root kits may provide functionality that allows processes started by a non-privileged user to execute functions normally reserved for the superuser.
Types of root kits
Basic Types
Rootkits come in two flavours: kernel-level and application-level kits. The idea of a kernel-level rootkit is to replace a portion of kernel code with modified code that helps the intruder cover his tracks. This is often accomplished through existing means of adding new code to the kernel, such as Loadable Kernel Modules in Linux. One common tactic of kernel root kits is to replace system calls with versions that hide information about the attacker. Application-level rootkits instead replace regular application binaries with trojaned fakes.
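Both flavours described above leave the same gap that detectors such as chkrootkit exploit: a trojaned ps or a hooked directory-listing system call removes the attacker's processes from the enumerated view, but the kernel still answers a direct open of /proc/<pid> by number. The following cross-view check, added here as an illustration and not code from the article or from any of the tools it names, compares the enumerated views against a direct probe; it assumes Linux's /proc layout and the standard ps command.

```python
import os
import subprocess

# Cross-view process check (illustration, not chkrootkit's own code).
# Enumerated views come from the installed ps binary and from a readdir()
# of /proc; the direct view opens /proc/<pid>/status for every PID number.
# A PID that answers the direct probe but appears in neither enumerated
# view is a candidate for a process hidden by a rootkit.

def pids_from_ps_output(text):
    """Parse PIDs from 'ps -e' style output (first column; header line has no digits)."""
    pids = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def pids_from_ps():
    """Enumerated view 1: whatever the installed ps binary reports."""
    out = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    return pids_from_ps_output(out)

def pids_from_proc_listing():
    """Enumerated view 2: a plain readdir() of /proc, the view a hooked getdents() alters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_from_probe(pid_max):
    """Direct view: open /proc/<pid>/status by number, bypassing readdir().
    Threads also have /proc/<tid> entries that readdir() never lists, so only
    thread-group leaders (Tgid == pid) are kept to avoid flagging every thread."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"/proc/{pid}/status") as fh:
                for line in fh:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.add(pid)
                        break
        except OSError:
            continue
    return found

def hidden_pids(enumerated_before, probed, enumerated_after):
    """PIDs seen by the probe but by neither enumeration. Sampling the enumerated
    view before and after the probe filters out processes that merely started or
    exited while the probe ran, the usual source of false positives."""
    return sorted(probed - (enumerated_before | enumerated_after))

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    before = pids_from_ps() | pids_from_proc_listing()
    probed = pids_from_probe(pid_max)
    after = pids_from_ps() | pids_from_proc_listing()
    print("hidden PID candidates:", hidden_pids(before, probed, after) or "none")
```

Probing every PID up to pid_max takes a few seconds; a kernel rootkit that also blocks direct opens of /proc/<pid> will defeat this check, which is why detectors combine it with binary integrity checks.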
Examples
- SuckIT
- T0rn
- Ambient's Rootkit (ARK)
Detecting root kits
There are several programs available to detect root kits. On Unix-based systems two of the most popular of these are chkrootkit and rkhunter. On Windows NT/XP/2000-based systems some rootkit detectors currently available are:
Freeware
- RootkitRevealer, available from Sysinternals
Shareware
See also
- Host-based intrusion-detection system
- SANS
