Sunday, February 12, 2006

what is a rootkit?

a rootkit is a collection of one or more programs that aid in gaining and/or regaining (sometimes expressed as maintaining) root/administrative access on a system....

by gaining access i mean that they provide an attacker with credentials for a user with administrative privileges or a user whose privileges can be escalated (by use of some additional exploit) to administrative privileges... usually this is performed with network sniffing from other compromised machines or some other password stealing technique...

by regaining access i mean that they provide an attacker with an easy means of re-entering the system with their administrative privileges at a later date... usually this is done with a backdoor of some kind...

rootkits originated in the unix domain but have since been brought into the windows fold with an unfortunate twist - many in the industry have taken to redefining rootkits under windows to be basically anything that hides files, registry keys, alternate data streams, etc... they ignore the concept of root/administrative privilege entirely (that's where the root in rootkit comes from - root is the administrative user account under unix/linux), instead focusing exclusively on what might otherwise be called stealth...

stealth is not an attack in its own right but rather it is a technique for keeping the window of opportunity open longer, thereby improving the likelihood of success of the actual attack... virtually all classes of malware have employed stealth techniques (as they used to be called before the year 2000) at some point or another, not just rootkits - rootkits are not special in that regard... the application of stealth techniques helps to hide the programs that comprise the rootkit, allowing the rootkit more time to steal passwords and other sensitive information, and allowing the attacker more time to use the compromised system...

stealth became such an important part of rootkits (especially under unix where security-aware admins monitor system integrity carefully) that the stealth techniques themselves became the means by which the presence of a rootkit could be detected... perfect stealth, it turns out, is hard if not impossible to achieve, and by using multiple techniques to examine the same system resources and comparing the results it is often possible to detect when something is being actively hidden from sight... unfortunately this is a generic detection technique and as such is prone to alert on anything that hides things, whether rootkits or something else, so the choice to categorize all things detected this way as rootkits is curious and a little troubling... and considering there are also software products out there that hide things in order to protect them from malware (instead of being malware) it can lead to a great deal of fear, uncertainty, and doubt among users...
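the cross-view check described above, as an added example (not the author's code, and not taken from any existing tool): a python script for linux that enumerates processes two ways, readdir() on /proc versus a kill(pid, 0) probe of every pid, and reports pids that only the probe can see... it assumes a linux procfs at /proc, and it handles the two usual false positives of this method, thread ids (which readdir never lists) and processes that start or exit between the two views...

```python
import os

PROC = "/proc"  # assumed: a linux procfs mounted at the usual place

def readdir_view():
    """view 1: the pids ps/top see, i.e. what readdir() on /proc returns;
    a hook that filters directory entries tampers with exactly this view"""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def probe_alive(pid):
    """view 2 primitive: kill(pid, 0) delivers no signal but reports whether
    the pid exists; EPERM means it exists and belongs to another user"""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, opened by name so a readdir filter is
    bypassed; None when the entry is gone (or hidden even from open())"""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        pass
    return None

def cross_view_processes(max_pid):
    """brute-force pids 1..max_pid with the probe and diff against readdir;
    listings before and after, plus a re-check, drop processes that merely
    started or exited while we looked (the transient false-positive case)"""
    before = readdir_view()
    probed = {pid for pid in range(1, max_pid + 1) if probe_alive(pid)}
    after = readdir_view()
    hidden = {}
    for pid in sorted(probed - before - after):
        tgid = thread_group_id(pid)
        if tgid is None:
            if probe_alive(pid):  # still alive, yet no /proc entry even by name
                hidden[pid] = "alive but no /proc entry"
        elif tgid == pid:  # tgid != pid means a thread id, never listed by readdir
            if probe_alive(pid) and pid not in readdir_view():
                hidden[pid] = "alive but missing from readdir"
    return {"readdir": before | after, "probe": probed, "hidden": hidden}
```

call cross_view_processes() with the value of /proc/sys/kernel/pid_max to cover the whole pid range... a procfs mounted with hidepid makes other users' processes look hidden to an unprivileged user, so run it as root there...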

in short - stealth isn't what makes a rootkit a rootkit, it's what makes a rootkit a successful rootkit... that's why virtually all of them use it...

(see these two usenet articles for additional analysis of what a rootkit is, and thanks to roger wilco for the debate)
