Rootkits

From ITS Wiki - Information Technology Services - University of Rhode Island

ATTENTION
This article is for experienced users ONLY. Do not attempt the following if you are unfamiliar with the material. If in doubt, please contact the Help Desk at 874-HELP.


A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. In recent years, rootkits have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems including Linux and Windows.

Malicious Uses

A rootkit's main purpose is to hide files, network connections, memory addresses, or registry entries from the programs system administrators use to inspect a machine. The things hidden include so-called "backdoors", sniffers, and keyloggers that let attackers return to the system more easily. A further abuse is to use the compromised computer as a staging ground for attacks on others (see Botnets), so that the abuse appears to originate from the compromised system or network rather than from the attacker. Tooling of this kind can include denial-of-service attack tools, chat-session relays, and e-mail spam senders.

Detection

The best and most reliable method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from alternative media (e.g. a rescue CD-ROM or USB flash drive). A rootkit can only lie to software running on the infected operating system; when the disk is examined from a separate, trusted system, its hooks are not running and the files are seen as they really are.

There are several programs available to detect rootkits. On Unix-based systems two of the most popular are chkrootkit and rkhunter. For the Windows platform there are many free detection tools such as Blacklight. Another Windows detector is RootkitRevealer from Sysinternals.
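The script below is an added illustration of the offline check described above; it is not part of this wiki page and is not the code of chkrootkit, rkhunter or RootkitRevealer. It records a hash, size and permission bits for every regular file under the system's binary directories while the machine is known-good, and later, with the suspect disk mounted read-only from a rescue medium, walks the same directories and reports what was added, removed or changed. The mount path, the manifest file name and the list of directories are assumptions chosen for the example.

```python
"""Offline file-integrity check for a disk mounted from rescue media.

Added example, not code from the page or from any named tool. Usage (paths are
assumptions):

    python integrity.py baseline /            manifest.json   # on the trusted system
    python integrity.py verify   /mnt/suspect manifest.json   # booted from rescue media
"""
import hashlib
import json
import os
import stat
import sys

# Directories that rootkits commonly replace binaries in; an assumed default.
DEFAULT_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib", "lib64")


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, subdirs=DEFAULT_DIRS):
    """Return {relative_path: {sha256, mode, size}} for regular files under
    the given subdirectories of `root`.

    Paths are stored relative to `root`, so a manifest taken on the live
    system lines up with one taken on the same disk mounted at /mnt/suspect.
    Symlinks are skipped: the content of the real target is what matters.
    """
    manifest = {}
    for sub in subdirs:
        top = os.path.join(root, sub)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            for name in filenames:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue
                rel = os.path.relpath(full, root)
                manifest[rel] = {
                    "sha256": sha256_of(full),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "size": st.st_size,
                }
    return manifest


def verify(root, manifest, subdirs=DEFAULT_DIRS):
    """Compare the current state of `root` against a saved manifest.

    Returns sorted lists of added, removed and modified relative paths. A
    file counts as modified if its hash, size or permission bits differ.
    """
    current = build_manifest(root, subdirs)
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current
                      if p in manifest and current[p] != manifest[p])
    return {"added": added, "removed": removed, "modified": modified}


def main(argv):
    if len(argv) != 4 or argv[1] not in ("baseline", "verify"):
        print(__doc__)
        return 2
    mode, root, manifest_path = argv[1:]
    if mode == "baseline":
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(root), f, indent=1, sort_keys=True)
        return 0
    with open(manifest_path) as f:
        report = verify(root, json.load(f))
    for kind in ("modified", "added", "removed"):
        for path in report[kind]:
            print(f"{kind.upper():9s} {path}")
    # Non-zero exit when anything differs, so the check can be scripted.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The manifest must be stored off the suspect machine (on the rescue medium or another host), since a rootkit that can hide files can also rewrite a manifest kept on the same disk. The check only detects changes to files it was told to baseline; a rootkit that lives in memory or in a kernel module under a directory not listed in DEFAULT_DIRS will not appear, which is why the page's other tools are still worth running.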

Removal

The only effective method of removing a rootkit is to completely reinstall the operating system.

There is a way to delete a rootkit using another filesystem driver while the system is online. Rkdetector v2.0 implements a way to wipe hidden files on a running system using its own NTFS and FAT32 filesystem driver. Once the files are erased and the system rebooted, the rootkit will not be loaded because the data it depends on is corrupted.