Rootkit – program to hide the traces of the attacker in the system

Posted: September 9, 2012 in Articles, Glossary

The term RootKit comes historically from the Unix world, where it denotes a set of tools that an attacker installs on a compromised computer after gaining initial access. These are usually hacking tools (sniffers, scanners) and Trojans that replace the basic Unix utilities. A RootKit allows an attacker to keep a foothold in the compromised system and conceal their activity.

In Windows, a RootKit is understood to be a program that penetrates the system and hooks system functions, or replaces system libraries. By intercepting and modifying low-level API functions, such a program can, first of all, effectively hide its presence in the system, protecting itself from detection by antivirus software and by the user. In addition, many RootKits can mask the presence in the system of any processes, folders, files on disk and registry keys listed in their configuration. Many RootKits also install their own drivers and services in the system (which, of course, are likewise “invisible”).

Recently the RootKit threat has become increasingly significant, as the developers of viruses, Trojans and spyware have begun embedding RootKit technology into their malware. One classic example is the Trojan Trojan-Spy.Win32.Qukart, which masks its presence in the system using RootKit technology (the program is interesting in that its RootKit mechanism works fine in Windows 95 \ 98 \ ME \ 2000 \ XP).

Combating RootKits effectively requires an understanding of the principles and mechanisms by which they work. Broadly, all RootKit technology can be divided into two categories: that operating in user mode (user-mode) and that operating in kernel mode (kernel-mode). The first category is based on the RootKit intercepting library functions in user mode; the second on installing system drivers that intercept kernel functions. The function-interception methods described below are discussed in relation to RootKits, but bear in mind that these techniques are universal and are also used by a number of legitimate programs and utilities.

The war against rootkits is a real arms race, in which the creators of rootkits keep developing new ways to remain undetected, and anti-virus companies take countermeasures to protect their customers.

To detect rootkits in the system, the following technologies can be used:

  •     Signature-based detection: an effective technology that antivirus companies have applied successfully for many years. It is based on scanning files and comparing them against a collection of signatures of known malware.
  •     Heuristic or behavioral detection: identifies rootkits by recognizing deviations from the computer’s normal activity.
  •     Comparison-based (cross-view) detection: the results returned by the operating system are compared with the results obtained through low-level queries; any discrepancy is evidence that a rootkit is present in the system.
  •     Integrity-based detection: identifies rootkits by comparing files and memory against a trusted, known-good state.

Each of these technologies has its limitations, so combining several of them is recommended. Be aware, too, that some rootkits are specifically designed to evade detection by the market-leading antivirus companies.
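The two last techniques in the list above, cross-view comparison and integrity checking, are easy to illustrate in code. The following Python script is an added example and is not code from the original article or from any antivirus product: it diffs a constructed "API view" of a directory against a constructed "raw view" to expose an entry that a filtering rootkit would hide, and it builds a SHA-256 baseline of sample files in a temporary directory, tampers with one and deletes another, then reports what changed. The file names (svchost.exe, user32.dll, ntdll.dll, hidden.sys) are placeholders created for the demo, not real system files.

```python
"""Cross-view and integrity checks for rootkit detection (added example).

Both checks work on data constructed inside the script, so it runs offline.
"""
import hashlib
import os
import tempfile


def cross_view_diff(api_view, raw_view):
    """Return entries present in the low-level (raw) view but absent from the
    high-level (API) view.

    A rootkit that filters directory listings or process tables produces
    exactly this kind of discrepancy: the raw enumeration still sees the
    object, the hooked API no longer does.
    """
    return sorted(set(raw_view) - set(api_view))


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the trusted ('known good') hash of every file in `paths`."""
    return {p: sha256_file(p) for p in paths}


def integrity_check(baseline):
    """Compare the current files against the baseline.

    Returns a dict mapping path -> "modified" or "missing" for every file
    that no longer matches its trusted state; an empty dict means clean.
    """
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Run both checks on constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        names = ("svchost.exe", "user32.dll", "ntdll.dll")  # placeholders
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())

        baseline = build_baseline(paths)  # taken while the system is trusted

        # Simulate tampering: one library patched, one removed (constructed).
        with open(paths[1], "ab") as f:
            f.write(b"\x90\x90 patched")
        os.remove(paths[2])

        tampered = {os.path.basename(p): v
                    for p, v in integrity_check(baseline).items()}

        # Constructed listings: the API view omits an entry that a raw
        # enumeration of the same directory still reports.
        api_view = ["svchost.exe", "user32.dll"]
        raw_view = ["svchost.exe", "user32.dll", "hidden.sys"]
        hidden = cross_view_diff(api_view, raw_view)

    return {"tampered": tampered, "hidden": hidden}


if __name__ == "__main__":
    result = demo()
    print("Integrity findings:", result["tampered"])
    print("Hidden by API filtering:", result["hidden"])
```

In a real deployment the baseline would be taken from a trusted image and stored off-host, since a rootkit that can hide files can also rewrite a baseline kept on the same disk; and the "raw view" would come from a source the rootkit is less likely to hook, such as a read of the file system structures themselves rather than the directory-listing API.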

The first line of defense against rootkits is to prevent them from getting onto your computer in the first place. To that end, always keep the following tips for protecting against malicious software in mind:

    – Install a good antimalware solution on your PC and make sure it is always up to date and active;

    – Install a firewall that will protect your computer from unauthorized access;

    – Always make sure the software and applications on your computer are up to date, and apply all available patches issued by their manufacturers.

Practice shows that malware developers (of viruses, Trojans and spyware) are increasingly using RootKit technology, which makes the malicious programs they create harder to detect and remove. The most commonly used method is interception of functions in user mode, but recently very effective driver-based implementations have appeared as well. In this regard, according to the statistics, the most “famous” is Backdoor.Win32.Haxdoor, which installs several drivers that allow it to hide effectively from detection by the user.
