An attacker's job isn't complete until he or she can return to a compromised computer and use it at will--all while remaining deep in the shadows. To achieve this, attackers install rootkits on target systems. Malicious hackers call this "owning" your machine. While these nefarious tools have always been a problem, today's rootkits are becoming more sophisticated, harder to discover, and more difficult to remove. Here's what you need to know about them.
KNOW YOUR ROOTS
Rootkits occupy the pinnacle of the attacker's formidable tool set because they yield ultimate control over a target machine. They can be installed locally, or they can arrive via some other vector, such as a worm. In fact, virus code, worms, and rootkits have many things in common. They're all typically very small, tightly written pieces of code. They all employ stealth techniques, and they often use tricks such as call hooks, trampoline tables, and patches to achieve their goals. Because worms are really a category of mobile code, worm payloads often use many of these tricks to infect a target system. A worm usually infects a target and leaves code behind, in effect becoming a rootkit.
Early rootkits involved making subtle changes to standard executables on a system. A classic Unix rootkit from the 1980s involved installing a compromised version of the directory utility ls, a much-used command to list the contents of a directory. An attacker could return to a system and gain privilege by passing in the proper secret arguments and executing the backdoor planted in ls. Other commonly accessed executable files, such as ps and netstat, were also targeted.
Because this technique involved changing the size and makeup of target executables, early rootkits could be detected by file integrity-checking software such as Tripwire, but many of these defenses no longer work against today's rootkits.
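A minimal version of the integrity check the article credits Tripwire with, as an added example (not code from the article or from Tripwire): it baselines the size and SHA-256 digest of monitored executables and flags any that change, including a replacement of the same size that a size-only check would miss. The file names and directory are constructed in a temporary folder so the example runs stand-alone.

```python
# Added example (not from the article): a minimal Tripwire-style integrity
# check. It records size and SHA-256 of each monitored executable in a
# baseline, then re-scans and reports files that were modified or removed.
# The "binaries" below are constructed stand-ins in a temporary directory.
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256 hex digest) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(paths):
    """Record the fingerprint of each monitored executable."""
    return {p: fingerprint(p) for p in paths}


def verify(baseline):
    """Re-scan the monitored files and return findings as
    path -> 'modified' | 'missing'. A trojaned ls/ps/netstat shows up as
    'modified' because its digest (and usually its size) no longer match."""
    findings = {}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif fingerprint(path) != recorded:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: three stand-in binaries are baselined, then
    'ls' is swapped for a same-size replacement, as a backdoored copy
    might be. The size matches, but the digest does not, so it is caught."""
    with tempfile.TemporaryDirectory() as bindir:
        paths = [os.path.join(bindir, n) for n in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original binary: " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        with open(paths[0], "wb") as f:          # same length as the original
            f.write(b"backdoor binary: ls")
        return {os.path.basename(p): v for p, v in verify(baseline).items()}


if __name__ == "__main__":
    print(demo())  # {'ls': 'modified'}
```

Because the baseline and the checker both live on the monitored host, the check is only as trustworthy as the system it runs on; a read-only or off-host copy of the baseline is the usual remedy.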