Rootkits
Content Leader: Jess Garcia - Last Updated: January 20, 2007
General Information
What are Rootkits?
Wikipedia definition:
- Rootkits are a collection of programs that enable administrator-level access to a computer or computer network, allowing the intruder to mask the intrusion and gain privileged access.
Rootkit Types
Rootkit Behaviour
Rootkits usually:
- Hide files
- Wipe logs
- Leave trojanized programs
- Hide processes
- Leave covert channels
- Hide network connections
- Leave packet sniffers
Rootkit effects
"Rootkits usually comprise tools to erase traces of the intrusion from audit logs, 'backdoors' that allow easy access once installed, and means to hide the rootkit itself from administrators (such as, e.g., modified executables of 'ps' and 'ls' that will hide processes and files of the rootkit). Advanced rootkits will install such modified executables with the same sizes and timestamps as the original ones (which is quite easy - any executable can be padded to a larger size by simply adding random junk at the end), and also with the same CRC checksum (which also can be adjusted)." (http://la-samhna.de/library/lkm.html)
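The quoted paragraph says a replacement binary can be padded to the original's size and have its CRC adjusted to match. The following is an added example, not code from the page or from the samhain article, showing how cheap that adjustment is: four trailing bytes are enough to set a CRC-32 to any chosen value, while a cryptographic hash of the same file still differs. The two "binaries" are constructed byte strings standing in for the original ps and the rootkit's replacement; the padding byte and the helper names are choices made here.

```python
"""Forging CRC-32 on a padded replacement file (added example)."""
import hashlib
import zlib

POLY = 0xEDB88320        # reflected CRC-32 polynomial used by zlib, PNG, gzip
MASK = 0xFFFFFFFF


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The top bytes of the 256 table entries are distinct, so the table index can
# be recovered from the top byte of the register. That is what makes the
# inversion possible.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc32(data):
    """Reference implementation, equal to zlib.crc32 for every input."""
    r = MASK
    for b in data:
        r = TABLE[(r ^ b) & 0xFF] ^ (r >> 8)
    return r ^ MASK


def forge_suffix(data, target):
    """Return 4 bytes s such that crc32(data + s) == target."""
    reg = crc32(data) ^ MASK      # register state after 'data'
    want = target ^ MASK          # register state required after 4 more bytes
    # Walk backwards: the top byte of each state fixes the table index used.
    idx = []
    w = want
    for _ in range(4):
        i = REV[w >> 24]
        idx.append(i)
        w = ((w ^ TABLE[i]) << 8) & MASK   # upper bits of the previous state
    idx.reverse()
    # Walk forwards from the real state, picking each byte to hit that index.
    out = bytearray()
    for i in idx:
        out.append((reg ^ i) & 0xFF)
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(out)


def disguise(original, replacement, filler=0x00):
    """Pad 'replacement' to the size of 'original' and fix its CRC-32 to
    match. The last four bytes are the forged suffix; the rest is junk."""
    gap = len(original) - len(replacement) - 4
    if gap < 0:
        raise ValueError("replacement must be at least 4 bytes shorter")
    padded = replacement + bytes([filler]) * gap
    return padded + forge_suffix(padded, zlib.crc32(original))


def disguise_demo():
    """Constructed stand-ins for /bin/ps and a trojanized ps; returns which
    integrity checks the fake passes."""
    original = b"\x7fELF" + b"legit-ps-binary-" * 8
    trojan = b"\x7fELF" + b"ps-that-hides-pid"
    fake = disguise(original, trojan)
    return {
        "same_size": len(fake) == len(original),
        "same_crc32": zlib.crc32(fake) == zlib.crc32(original),
        "same_sha256": hashlib.sha256(fake).digest()
        == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    for check, result in disguise_demo().items():
        print("%-12s %s" % (check, result))
```

The fake passes the size and CRC-32 comparisons and fails SHA-256. The practical check is therefore never size, timestamp or CRC but a cryptographic hash (or a keyed MAC) of each binary compared against a baseline taken from known-good media and kept off the host, which is what file integrity checkers such as samhain, the source of the quote, do.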
Disconnecting the network cable may be dangerous: some rootkits run a heartbeat routine that notices when the box has lost network connectivity and reacts destructively (e.g. rm -rf /). Weigh this before pulling the cable on a suspected compromise.
Tools
Rootkit Detectors
- F-Secure BlackLight
  - Price: Free
  - Summary: A time-limited program that may soon be discontinued and folded into F-Secure Internet Security 2006; BlackLight nonetheless scans carefully and attempts to clean offending files from the system.
- IceSword
  - Price: Free
  - Summary: A bit difficult to find due to its authorship, but a remarkably thorough and continually updated tool with some excellent pro-level features.
- RKDetector
  - Price: Free
  - Summary: Composed of two separate applications that scan the file system and running processes, respectively; RKDetector suffers from not having the flexibility and breadth of features of the other programs here.
- Trend Micro RootkitBuster
  - Price: Free
  - Summary: A spin-off / standalone version of the rootkit scanning technology from one of Trend Micro's commercial programs, which actually works quite well on its own.
- RootkitRevealer
  - Price: Free
  - Summary: One of the first rootkit detectors; it is now overshadowed a bit by some of the other programs here but can still do some decent work.
- Rootkit Unhooker
  - Price: Free
  - Summary: A Russian-authored tool that is the most comprehensive and powerful of those tested here.
Source: Review: Six Rootkit Detectors Protect Your System
References
Introductory