RootKit Usage

Post by JeSTeR on Thu Jan 08, 2009 2:36 pm

A rootkit is malware that consists of a program (or a combination of several programs) designed to take fundamental control (in Unix terms "root" access; in Windows terms "Administrator" or "Admin" access) of a computer system without authorization from the system's owners and legitimate managers. Access to the hardware (e.g., the reset switch) is rarely required, as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system.

Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years they have largely been malware that helps intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.


The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system. If an intruder could replace the standard administrative tools on a system with a rootkit, the modified tools would give the intruder administrative control over the system while concealing his activities from the legitimate system administrator. The earliest known rootkit was written in about 1990 by Lane Davis and Steven Dake for SunOS 4.1.1. There was an earlier, quite famous, exploit equivalent to a rootkit which was perpetrated by Ken Thompson of Bell Labs against a Naval Laboratory in California to win a bet. Thompson subverted the C compiler in a distribution of Unix to the Lab.

Rootkits were so named because they allowed an intruder to become a root user (i.e., the system administrator) of a Unix system. Since then, similar software has been developed for other operating systems, and the term rootkit has been broadened to include any software that surreptitiously alters an operating system so that an unauthorized user can take arbitrary control of the system.

In 2005, Sony BMG caused a scandal by including rootkit software on music CDs that, in an attempt to enforce DRM,[2] opened a backdoor that allowed root access to anyone aware of the rootkit's installation.[3] The scandal raised the public's awareness of rootkits, while the public relations fallout for Sony was compared by one analyst to the Tylenol scare.

Common use

A successfully installed rootkit allows unauthorized users to act as system administrators, and thus to take full control of the 'rootkitted', or 'rooted' system. Secondary to this purpose, most rootkits typically hide files, network connections, blocks of memory, or Windows Registry entries from other programs used by system administrators to detect specially privileged accesses to computer system resources. However, a rootkit may masquerade as or be intertwined with other files, programs, or libraries with other purposes. It is important to note that while the utilities bundled with a rootkit may be maliciously intended, not every rootkit is always malicious. Rootkits may be used for both productive and destructive purposes.

A rootkit that hides utility programs usually does so to abuse a compromised system, and often includes so-called "backdoors" to let the attacker access the system again at will. A simple example might be a rootkit which hides an application that spawns a command-processing shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to run as though they were started by a privileged user (including the root user) and to carry out functions normally reserved for the superuser.

Rootkits can also take control of messenger programs such as Yahoo! Messenger and MSN Messenger and start random conversations with other users within or outside contact lists and send personal information about the user via these messages. Rootkits are hard to detect with common antivirus programs and therefore a complete scan of the system is necessary.

Many other utility tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems with which the compromised system communicates, such as sniffers and keyloggers. A possible abuse is to use a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system (or network) instead of the attacker's. Tools for such attacks can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam distribution. A major malicious use for rootkits is to allow the rootkit's programmer to see and access user names and log-in information of systems requiring them. Collection of such information from many systems (thousands or more) is easily possible. This makes rootkits even more hazardous, as it allows trojans to access this personal information while the rootkit covers it up.

It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is that they make it possible to hide malware from PC users and antivirus programs. Numerous source code samples for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various trojans or spyware programs etc.

However, rootkits are not always used to attack and gain control of a computer. Some software may use rootkit techniques to hide from third-party scanners in order to detect tampering or attempted break-ins, for example in a honeypot. Some emulation software and security software is known to use rootkits. Alcohol 120% and Daemon Tools are commercial examples of the use of non-hostile rootkits. Kaspersky antivirus software also uses some techniques somewhat resembling rootkits to protect itself from malicious virus actions. It loads its own drivers to intercept system activity and then prevents other processes from doing harm to itself. So while its processes are not hidden, such processes cannot be terminated by standard methods.

Rootkit is a term now somewhat loosely applied to cloaking techniques and methods.

There are at least five kinds of rootkits: firmware, hypervisor, kernel, library, and application level kits.

Hypervisor level

These rootkits work by modifying the boot sequence of the machine to load themselves as a hypervisor under the original operating system. By exploiting hardware features such as Intel VT or AMD-V, the rootkit is able to load the original operating system as a virtual machine, thereby enabling it to intercept all hardware calls made by the original operating system, which is now a guest. The "SubVirt" laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is an academic example of a virtual machine based rootkit (VMBR),[10] while Blue Pill is another.

Kernel level

Kernel-level rootkits add code to and/or replace portions of an operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself.[11] As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit is perceived as dangerous simply because of the unrestricted security access the code has obtained, regardless of the features the rootkit may employ. Any code operating at the kernel level may have serious impacts on entire system stability if bugs are present in the code. The first and original rootkits did not operate at the kernel level, but were simple replacements of standard programs at the user level. One of the first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack issue 55 in the mid-1990s by Greg Hoglund.

Kernel rootkits can be especially difficult to detect and remove because they operate at the same level as the operating system itself, and are thus able to intercept or subvert any operation made by the operating system. Any software, such as antivirus software, running on the compromised system is equally easily subverted. In a situation such as this, the whole system can no longer be trusted while it is running. One response in such a case is to perform offline analysis of the system from a second 'trusted' system by mounting the hard drive of the infected system as a secondary resource without executing anything on the untrusted volume, while another is to format the disk and re-install from trusted media. Lastly, a (known good) operating system can be booted from read-only removable media such as a CD-ROM. Investigation and rootkit removal actions can then be performed safely in a trusted system without requiring another computer. So-called live CDs booting into a read-only OS installation are useful for such tasks. Using read-write media such as an HDD or USB flash drive to boot the system while removing rootkits is dangerous, since the rootkit may affect that OS installation as well.

Application level

Application level rootkits may replace regular application binaries with Trojan fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.

There are unscrupulous companies whose business consists of disseminating rootkits for the purpose of generating paid involuntary page referrals. One frequent victim is users of Google which has the largest number of deliberate visits and so can give them income by misdirecting searches.

Removal

Many hold this to be forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch. Since drive imaging software makes the task of restoring a "clean" OS installation almost trivial, there is no good reason to try to dig a rootkit out directly.

"I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt there is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat [and reinstall]. This is so even if the rootkit is very well known and can be removed 100%." —Rootkit Question

While most anti-virus and malware removal tools remain ineffective against rootkits, tools such as BartPE and other Preinstallation Environment (PE) or live distros allow users to boot their computer with a fresh (presumably) "un-rooted" copy of the operating system. This allows users to examine and replace affected system files and delete offending rootkits of most types while keeping the underlying system intact. Since most rootkits hook system files needed at the lowest level of the OS, booting into Safe Mode will not usually allow removal of the rootkit process. In contrast, PEs do not rely on the infected underlying system structure but instead load a clean read-only copy of the operating system, allowing full control and detection of the rootkit. While most administrators prefer a clean reinstall, a skilled administrator using a PE can often delete the rootkit and clean a rooted system if a reinstall is not a viable option.

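The offline analysis described in the post (mount the suspect disk from a trusted system or live CD, execute nothing from it, then examine and replace affected files) can be made systematic: hash every regular file on the mounted volume and compare the result with a baseline manifest recorded from known-good media, so that trojaned utilities, planted files, removed files and newly set-uid binaries all surface as findings. The script below is an added example for this page, not code from the original post or from any tool it mentions. The manifest layout, the function names, the command-line usage and the sample tree built by demo_on_constructed_tree() are assumptions chosen for illustration; the demo tree is constructed in a temporary directory and does not represent a real system.

```python
#!/usr/bin/env python3
"""Offline integrity check of a mounted, untrusted system volume (added example).

Run from a trusted system with the suspect disk mounted read-only and
nothing executed from it. Files are hashed and compared against a baseline
manifest taken from clean media. Paths are stored relative to the mount
root so a baseline recorded at /media/clean lines up with a scan of the same
tree mounted at /mnt/suspect.
"""
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# Manifest entry: relative path -> (sha256 hex digest, set-uid/set-gid flag)
Manifest = Dict[str, Tuple[str, bool]]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Walk `root` without following symlinks (a planted link could steer the
    scanner onto the trusted host's own filesystem) and record, for every
    regular file, its digest and whether it carries set-uid/set-gid bits."""
    manifest: Manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets: nothing to hash
            rel = os.path.relpath(full, root)
            privileged = bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))
            manifest[rel] = (sha256_file(full), privileged)
    return manifest


def compare(baseline: Manifest, observed: Manifest) -> List[str]:
    """One finding per line, sorted so runs are diffable against each other."""
    findings: List[str] = []
    for rel, (digest, privileged) in observed.items():
        if rel not in baseline:
            findings.append(f"{'NEW (setuid/setgid)' if privileged else 'NEW'}: {rel}")
            continue
        base_digest, base_priv = baseline[rel]
        if digest != base_digest:
            findings.append(f"MODIFIED: {rel}")      # replaced binary, trojaned tool
        if privileged and not base_priv:
            findings.append(f"PRIVILEGE ADDED: {rel}")  # setuid bit planted on a known file
    for rel in baseline.keys() - observed.keys():
        findings.append(f"MISSING: {rel}")
    return sorted(findings)


def demo_on_constructed_tree() -> List[str]:
    """Constructed scenario, not a real system: baseline a tiny clean tree,
    then simulate a user-level rootkit that replaces ps, removes ls and
    plants a file under a dot-directory, and report what compare() sees."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp(prefix="suspect-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"#!/bin/sh\nexec /real/" + name.encode() + b' "$@"\n')
        baseline = build_manifest(root)
        # Simulated compromise: trojaned ps that filters out a process name.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b'#!/bin/sh\nexec /real/ps "$@" | grep -v sniffer\n')
        os.makedirs(os.path.join(root, "usr", "lib", ".x"))
        with open(os.path.join(root, "usr", "lib", ".x", "bd"), "wb") as f:
            f.write(b"planted backdoor payload (constructed)")
        os.remove(os.path.join(root, "bin", "ls"))
        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import json
    import sys
    # Assumed usage: `baseline <clean-root>` writes a manifest to stdout,
    # `check <manifest.json> <suspect-root>` prints findings; no args runs the demo.
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        json.dump(build_manifest(sys.argv[2]), sys.stdout)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[2]) as f:
            base = {k: (v[0], bool(v[1])) for k, v in json.load(f).items()}
        print("\n".join(compare(base, build_manifest(sys.argv[3]))))
    else:
        print("\n".join(demo_on_constructed_tree()))
```

The baseline must come from media you trust (installation image, package repository, or an image taken before the incident), never from the suspect disk itself, and the scan must run on a trusted host: a kernel rootkit on the live system can lie to a hash check just as easily as to ps.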