DADDY BOB'S COMPUTER Q & A
May 16, 2010
Q.
What is a rootkit?
A.
By definition, a rootkit is a collection of tools or programs that enable administrator-level access to a computer or computer network. The word rootkit comes from two words, "root" and "kit". Root refers to the all-powerful "Administrator" account on a Unix or Linux system, and kit refers to a set of programs or utilities that provide root-level access to a computer. There is also one other requirement of a rootkit: its presence should be undetectable.
Unfortunately, these characteristics make it very attractive to malware writers. Typically, malware installs a rootkit on a computer after first obtaining administrator privileges, either by exploiting a known vulnerability or by cracking a password. Once the rootkit is installed, it allows the attacker to do just about anything he wants with that computer: monitoring traffic and keystrokes, stealing passwords and account numbers, collecting personal preferences for the purpose of targeted advertising, making the computer a zombie, and so on.
Some malicious rootkit programs contain routines to defend against removal: not merely hiding themselves, but actively trying to prevent their removal. An early example of this behavior was found in an incident known as the Jargon File tale. In this case, two ghost-type programs were installed that kept a check on each other.

Each one could detect that the other had been removed, and would then, within a few milliseconds, create another copy of the deleted program. The only way to completely remove the malware was to delete both ghost copies at precisely the same instant. Similar techniques have been expanded upon by some modern malware, wherein the malware starts many processes that monitor and restore one another as needed.
Many of the newer, up-to-date anti-virus/anti-malware programs can detect a rootkit's presence on a computer. But because of the rootkit's ability to reproduce any of its many parts almost instantly, the only sure way to get rid of it is to completely wipe the computer's hard drive, reformat it, and install the operating system and software from scratch.
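One way such detection works, shown here as an added example that is not part of the column: a "cross-view" check gathers the same list two different ways and looks for disagreement. A process that shows up in a raw, low-level view but is missing from the user-facing list is a candidate for something hiding itself. The `ps`-style output and the `/proc` directory names below are constructed sample data, and the function names are this example's own.

```python
# Added example (not from the column): a cross-view check, the technique
# rootkit detectors use to spot hidden processes. The same process table is
# gathered two ways (text a `ps`-style command would print, and the names a
# raw /proc directory listing would return); a PID present in the raw view
# but missing from the user-facing view is a candidate for concealment.
import re

# Constructed sample: what a user-facing process lister reported.
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  412 ?        00:00:00 sshd
  877 pts/0    00:00:00 bash
 1203 pts/0    00:00:00 ps
"""

# Constructed sample: names from a raw /proc listing taken at about the same time.
PROC_ENTRIES = ["1", "412", "877", "1203", "1337", "self", "cpuinfo", "meminfo"]


def parse_ps(text):
    """Return the set of PIDs in ps-style output (the header line is skipped)."""
    pids = set()
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_proc(entries):
    """Return the set of PIDs from /proc names; non-numeric names are not processes."""
    return {int(name) for name in entries if name.isdigit()}


def cross_view_diff(user_view, raw_view):
    """Compare two views of the process table.

    hidden:  in the raw view only  -> possible concealed process
    phantom: in the user view only -> usually a process that exited between snapshots
    """
    hidden = raw_view - user_view
    phantom = user_view - raw_view
    return hidden, phantom


def persistent_hidden(snapshot_pairs):
    """Keep only PIDs that are hidden in every (user_view, raw_view) pair.

    Short-lived processes come and go between the two enumerations, so a
    single mismatch is weak evidence; a PID hidden across repeated snapshots
    is much harder to explain away.
    """
    result = None
    for user_view, raw_view in snapshot_pairs:
        hidden, _ = cross_view_diff(user_view, raw_view)
        result = hidden if result is None else result & hidden
    return result or set()


if __name__ == "__main__":
    user = parse_ps(PS_OUTPUT)
    raw = parse_proc(PROC_ENTRIES)
    hidden, phantom = cross_view_diff(user, raw)
    print("hidden:", sorted(hidden), "phantom:", sorted(phantom))
```

On the constructed input the check flags PID 1337, which the raw listing shows but the process lister does not. The caveat is that a rootkit running inside the kernel can lie to the raw view as well, which is why real detectors compare against views taken from as far below the suspected code as possible, such as raw disk sectors or a memory image, and why the column's advice to wipe and reinstall still stands once one is found.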
Now, not all rootkits are malware or bad. There are legitimate uses for rootkits by law enforcement, parents, or employers who just want to control the computers they own. They may want to monitor their children's use, their employees' use, and many other lawful activities. Products such as eBlaster or Spector Pro are essentially rootkits that allow for such monitoring.
Sony used a rootkit-type program to prevent copying of CDs and DVDs, but due to public outcry over the possibility that it could open the door for more malware installations, they have since stopped using it for this purpose.
Most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor a computer for illegal purposes. But while a rootkit might be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware.