
Root kit


A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows.


Origins of root kits

The term "root kit" originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the cracker to maintain "root" on the system without the system administrator even seeing them.

Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems, even though they may not have a "root" account.

Functions of a root kit

A root kit typically hides logins, processes, and logs, and often includes software to intercept data from terminals, network connections, and the keyboard. Many sources classify root kits as trojan horses.

A rootkit may also include utilities to help the attacker subsequently access the system more easily. For example, the rootkit may include an application that spawns a shell when the attacker connects to a particular network port on the system.

Types of root kits

Rootkits come in two flavours: kernel level and application level kits. The idea of a kernel level rootkit is to replace a portion of kernel code with modified code that helps the intruder cover his tracks. This is often accomplished through existing means of adding new code to the kernel, such as Loadable Kernel Modules in Linux. One common tactic of kernel root kits is to replace system calls with versions that hide information about the attacker. With application level rootkits, regular application binaries are replaced with trojaned fakes.

Detecting root kits

There are several programs available to detect root kits. On Unix based systems two of the most popular are chkrootkit and rkhunter. On Windows NT/XP/2000 based systems two rootkit detectors currently available are RootkitRevealer from Sysinternals and UnHackMe from Greatis Software (http://greatis.com/unhackme/). An additional powerful tool for detecting Ring 0 (kernel level) rogue processes is TaskInfo, the mother of all process listing utilities, at http://www.iarsn.com/taskinfo.html.
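Detectors such as chkrootkit rely on a cross-view comparison: a trojaned ps or a kernel rootkit filtering /proc can drop a process from the listing, but the kernel still acknowledges the PID when it is probed with signal 0 via kill(2). The script below is an added example written for this article, not code from any of the tools named above; it assumes a Linux host with /proc mounted and the standard /proc/sys/kernel/pid_max file.

```python
"""Cross-view detection of hidden processes (added example, not from the
original article). Two independent views of the process table are taken:
the /proc directory listing and a kill(pid, 0) probe of every possible PID.
A PID that the kernel acknowledges but the listing omits is a candidate for
a process hidden by a user-land or kernel-level rootkit.
Live scanning is Linux-only; the comparison itself is pure and testable.
"""
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"  # standard Linux sysctl file


def listed_pids():
    """PIDs visible through the /proc directory listing (what ps reads)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max=None):
    """PIDs that exist according to kill(pid, 0), independent of /proc."""
    if pid_max is None:
        with open(PID_MAX_PATH) as fh:
            pid_max = int(fh.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)            # signal 0: existence check, no delivery
            alive.add(pid)
        except ProcessLookupError:     # ESRCH: no such process
            continue
        except PermissionError:        # EPERM: exists but owned by another user
            alive.add(pid)
    return alive


def find_hidden(listed, probed, own_pid=None):
    """Return sorted PIDs present in the probe view but absent from the listing.

    Processes started between the two views produce transient differences;
    a genuinely hidden process stays in the result across repeated scans.
    """
    hidden = set(probed) - set(listed)
    if own_pid is not None:
        hidden.discard(own_pid)
    return sorted(hidden)


def scan():
    """Live scan (Linux only): compare both views, ignoring this process."""
    return find_hidden(listed_pids(), probed_pids(), own_pid=os.getpid())


if __name__ == "__main__":
    for pid in scan():
        print(f"hidden process candidate: pid {pid}")
```

Run it twice a few seconds apart; a PID reported both times deserves a closer look, while a PID seen once is usually a process that started during the scan.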

07-14-2008 23:18:10
The contents of this article are licensed from Wikipedia.org under the GNU Free Documentation License.
BiologyDaily.com 2005.