Rootkit

A rootkit (English: "administrator's kit"; on Unix-like operating systems, root is the user with administrator rights) is a collection of software tools that is installed on a compromised system after breaking into it, in order to conceal the intruder's future logins and to hide processes and files.

The term is no longer confined to Unix-based operating systems, as rootkits for other systems have long existed. Antivirus programs try to discover the cause of the compromise. The purpose of a rootkit is to hide malicious software ("malware") from antivirus software and from the user by camouflage.

A related collection of software tools aimed at boot loaders is the "bootkit".

History

The first collections of Unix tools for the purposes mentioned above consisted of modified versions of programs such as ps and passwd, which hid every trace the attacker would normally leave, so that the attacker could act with the privileges of the system administrator root without the rightful administrator noticing.

Backdoor functions

A rootkit typically hides logins, processes and logs, and often contains software to capture data from terminals, network connections, keystrokes and mouse clicks, as well as passwords, on the compromised system. In addition, backdoors may be included to make it easier for the attacker to access the compromised system in the future, for example by starting a shell when a connection request arrives on a specific network port. The boundary between rootkits and Trojan horses is fluid, although a Trojan takes a different approach to infecting a computer system.

Technical implementation

The defining feature of a rootkit is that it is installed without the administrator's knowledge and gives the attacker a base from which to install further software, such as viruses, or to take part in DDoS ("Distributed Denial of Service") attacks. Rootkits can open new backdoors. Moreover, rootkits attempt to disguise the path by which they were smuggled in, so that others cannot remove them.

Application rootkits

Application rootkits consist only of modified system programs. Because this type of rootkit is trivial to detect, it is hardly used today.
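The reason application rootkits are trivial to detect is that a replaced ps or passwd binary no longer matches a hash recorded before the compromise. The following added example (not code from the original article) shows that check: a baseline of SHA-256 hashes is built over a set of program files and later verified. The file names and contents are constructed in a temporary directory; on a real system the paths would be the system binaries and the baseline would be kept on read-only or offline storage so the intruder cannot rewrite it along with the binaries.

```python
"""Added example: integrity baseline for system programs, the classic
check that exposes application rootkits which replace ps, passwd etc.
Not from the original article; paths and file contents are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file's contents, or None if the file is missing."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except FileNotFoundError:
        return None


def build_baseline(paths):
    """Record one hash per path. The baseline itself must be stored
    read-only/offline, otherwise a rootkit that swaps ps can also
    rewrite the record it is compared against."""
    return {p: sha256_of(p) for p in paths}


def verify_baseline(baseline):
    """Re-hash every recorded path and report deviations as
    {path: 'missing' | 'modified'}; an empty dict means all clean."""
    findings = {}
    for path, expected in baseline.items():
        actual = sha256_of(path)
        if actual is None:
            findings[path] = "missing"
        elif actual != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: two fake binaries are baselined, then 'ps'
    is replaced the way an application rootkit would replace it."""
    with tempfile.TemporaryDirectory() as root:
        ps = os.path.join(root, "ps")
        passwd = os.path.join(root, "passwd")
        with open(ps, "wb") as f:
            f.write(b"original ps binary (constructed)")
        with open(passwd, "wb") as f:
            f.write(b"original passwd binary (constructed)")

        baseline = build_baseline([ps, passwd])
        assert verify_baseline(baseline) == {}  # untouched: nothing to report

        with open(ps, "wb") as f:
            f.write(b"replacement ps that filters output (constructed)")

        findings = verify_baseline(baseline)
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    print(demo())  # {'ps': 'modified'}
```

Tools such as AIDE or Tripwire implement exactly this comparison at scale; the check is only meaningful if the hashing program and the baseline are trusted, which is why the baseline is taken before exposure and compared from trusted media.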

Today, rootkits are almost exclusively of the following three types:

Kernel Rootkits

Kernel rootkits replace parts of the kernel with their own code in order to disguise themselves ("stealth") and to provide the attacker with additional functions ("remote access") that can only be performed in the context of the kernel ("ring 0"). This is most commonly done by loading kernel modules, which is why this class of rootkits is called LKM rootkits (LKM is short for "loadable kernel module"). Some kernel rootkits manage without an LKM by manipulating kernel memory directly. On Windows, kernel rootkits are often realised by installing a new .sys driver.

Such a driver can intercept the function calls of programs that, for example, list files or display running processes. In this way the rootkit hides its own presence on the computer.
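Because a kernel rootkit of this kind typically hooks only the code path that tools such as ps use, a defender can compare two independent views of the same fact. The added example below (not code from the original article) does this on Linux: one view is the directory listing of /proc, the other is a probe of every possible PID with kill(pid, 0), which goes through a different kernel entry point and reports "exists" (or "permission denied") even for a process that has been filtered out of the listing. The comparison function itself is pure and is exercised with constructed sets; the live collection runs only when the script is executed directly.

```python
"""Added example: cross-view detection of hidden processes on Linux.
A rootkit that hooks /proc directory listing hides a PID from ls/ps,
while kill(pid, 0) may still confirm the process exists. Not code from
the original article; the demo sets are constructed."""
import os


def list_proc_pids(proc_dir="/proc"):
    """PIDs and thread IDs as seen through the /proc listing that ps uses.
    Thread IDs are included because kill(tid, 0) also succeeds for them,
    so leaving them out would produce a false hit for every thread."""
    seen = set()
    for name in os.listdir(proc_dir):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            for tid in os.listdir(os.path.join(proc_dir, name, "task")):
                if tid.isdigit():
                    seen.add(int(tid))
        except OSError:
            pass  # process exited between the two listings
    return seen


def probe_pids(max_pid):
    """PIDs confirmed alive by kill(pid, 0): success or PermissionError
    both mean a task exists; ProcessLookupError means it does not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def read_pid_max(default=32768):
    """Upper bound for the probe; falls back to the classic default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default


def find_hidden(listed, probed):
    """Pure comparison: tasks alive according to the probe but absent
    from the listing. Sorted list so results are stable and testable."""
    return sorted(probed - listed)


def demo_constructed():
    """Constructed views: the listing view lacks PID 4242, which the
    probe view still sees, exactly the signature of a hooked listing."""
    listed = {1, 2, 100, 4243}
    probed = {1, 2, 100, 4242, 4243}
    return find_hidden(listed, probed)  # [4242]


if __name__ == "__main__":
    print("constructed demo:", demo_constructed())
    # Live run (Linux only). Short-lived processes that exit between the
    # two views show up as candidates, so re-check a hit before alarming.
    if os.path.isdir("/proc"):
        hidden = find_hidden(list_proc_pids(), probe_pids(read_pid_max()))
        print("candidates hidden from the /proc listing:", hidden)
```

A rootkit that hooks both entry points defeats this particular comparison, which is why tools such as unhide combine several independent views (listing, probing, /proc/[pid] access, scheduler statistics) rather than relying on one.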

Userland Rootkits

Userland rootkits are especially popular on Windows because they do not require kernel-level access. Each provides a DLL that attaches itself directly into all processes using various API methods (SetWindowsHookEx, ForceLibrary). Once this DLL has been loaded into the system, it modifies selected API functions and redirects their execution to itself ("redirect"). In this way the rootkit obtains the information it targets, which it can then filter or manipulate.

Memory rootkits

Memory rootkits exist only in the memory of the running system. After a restart ("reboot") of the system, these rootkits are no longer present.

Prominent rootkits in recent years

  • The company Sony BMG made headlines and had to recall several music CDs after it became known that XCP ("Extended Copy Protection"), the copy protection Sony used for music CDs, embedded itself on Windows systems using rootkit methods. Although not itself a virus or Trojan horse, its mere presence opened the floodgates to other malicious programs.
  • There was also a USB stick with a fingerprint reader from Sony whose software hid the full functionality of a rootkit in the Windows directory. According to a press release, however, Sony ceased production and distribution of these USB sticks at the end of August 2007.
  • In 2006 the company Kinowelt sold DVDs in Germany with a copy protection developed by Settec, which likewise installs a userland rootkit on Windows to hide processes.
  • Researchers at the University of Michigan developed a variant that uses virtual machines as rootkits ("Virtual Machine Based Rootkits"). The work on this project, named SubVirt, was also supported by Microsoft and Intel. The rootkit, developed by scientists and Microsoft employees, was to be presented at the "IEEE Symposium on Security and Privacy" in May 2006.
  • At the Black Hat conference in January 2006, a possible type of rootkit was presented that survives even reinstalling the operating system or reformatting the hard disk, by manipulating the ACPI ("Advanced Configuration and Power Interface") or lodging itself in the PC BIOS.
  • The DRM package of the game Spore, published by EA in September 2008, uses a rootkit whose purpose is to hide the online-authentication copy protection from the user. This gave rise to a highly controversial debate.

Removal of rootkits

As complete rootkit detection is impossible, the best method of removal is a complete reinstallation of the operating system. Since certain rootkits can lodge themselves in the BIOS, even this method offers no absolute certainty that the rootkit has been removed. To prevent infection of the BIOS in the first place, the BIOS should be given hardware write protection, e.g. by a jumper on the motherboard.

For many rootkits from official manufacturers, such as the Sony rootkit, programs for detection and removal already exist.
