offline
- nulti.korisnik
- Legendarni građanin
- Pridružio: 20 Feb 2005
- Poruke: 4505
- Gde živiš: planeta Zemlja
|
A root kit is a set of tools frequently used by an intruder after razbijacing a computer system. These tools are intended to conceal running processes and files or system data, which helps an intruder maintain access to a system for malicious purposes. Root kits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.
The term "root kit" (also written as "rootkit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the razbijacer that those commands would normally display, thus allowing the razbijacers to maintain "root" on the system without the system administrator even seeing them.
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
======================================================================================
Root kits vs. computer viruses and worms
The key distinction between a computer virus and a root kit relates to propagation. Like a root kit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).
In the case of the root kit the payload may attempt to maintain the integrity of the root kit (the compromise to the system) --- for example every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, and "re-infecting" them as necessary. The rest of the payload is there to ensure that the razbijacer (attacker) can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd
A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general a root kit limits itself to maintaining control of one system.
A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromise account information back to the razbijacer/attacker through some sort of covert channel).
Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated.
=============================================
Root kits as copy protection
There are reports as of November 1, 2005 that Sony is using a form of copy protection, or digital rights management, on its CDs called "XCP-Aurora" (a version of Extended Copy Protection from First 4 Internet) which constitutes a root kit, surreptitiously installing itself in a cloaked manner on the user's computer and resisting attempts to detect, disable, or remove it. Much speculation is taking place on blogs and elsewhere about whether Sony might be civilly or criminally liable for such actions under various anti-computer-hacking and anti-malware legislation. Ironically, there is also speculation to the effect that the bloggers who point out what Sony CDs do, with technical details, may also be committing a civil or criminal offense under anti-circumvention provisions of laws such as the Digital Millennium Copyright Act in the United States.
On November 2, 2005 Sony released a patch to remove this rootkit, while continuing to maintain that it is not malicious and does not pose a security risk. To activate this patch, you are required to go to their Web site with Microsoft Internet Explorer; users of other browsers, such as Mozilla Firefox, get a message to the effect that their browser is incompatible, because of the use of ActiveX controls which Mozilla omits by design due to it being a proprietary Microsoft technology with security risks.
Informed opinions differ on the security implication of this Sony 'XCP-Aurora' technology as there is evidence that the software has caused Blue Screen (BSOD) errors on Windows systems while in normal use. In addition the software is poorly implemented and the file hiding scheme could be used to hide arbitrary files on a PC simply by prefixing the filename with $sys$.
Further commentary including security implications can also be found on the Security Now! podcast #12 with Steve Gibson and Leo Laporte (titled "Sony's "Rootkit Technology" DRM (copy protection gone bad) at.
izvori:
http://www.wikipedia.org
http://www.sysinternals.com
Najpoznatiji rootkit removeri:
*Hacker Defender rootkit remover by Microsoft
*UnHackMe
*F-Secure BlackLight
*Rootkit Revealer
*HiddenFinder
*IceSword
*Rootkit Hunter (ovo je program za Linux)
takodje posetite i:
http://www.mycity.rs/phpbb/viewtopic.php?t=24604
|
