Root-kits are malicious programs that give Internet attackers unlimited access to a system while hiding their presence at the same time. Rootkits, after accessing a system (usually exploiting a system vulnerability) use operating system features to avoid detection by antivirus software.
Rootkit features:
1. System utilities and daemons have identical behavior to original programs.
2. Additional programs are sniffers, encryption programs, scripts, file transfer utilities, etc.
3. Nucleus modules replace system calls, changing address
4. There are rootkit detection tools, but they can also be detected after some traces or by monitoring important files in the system.
Rootkits are different from a virus, especially through propagation: they are generally “implanted” by an attacker and are not interested in propagating on another system. Like a virus, a rootkit will try to keep the system under its control, which may mean, for example, that it does constant checks on the modules by which the rootkit maintains its control and reapplication of the changes if they have been “repaired” so the system can continue to be controlled.
Rookits in most cases provide the attacker with a backdoor through which he can enter the system whenever he wants and can perform any operations on the data. Rootkits are rarely destructive because their purpose is to gain control over a system in order to use their processing capabilities for other purposes or to access important information (passwords, PIN codes, credit card numbers).
The rootkit name comes from the administrator account on most UNIX distributions (and virtually all Linux distributions), that of “root”.
Rootkit once inserted into a system will have as a first priority the deletion of all the logs that could empty its success, as much as possible leaving no other logs, so as not to raise suspicions.
After this phase, the actual installation follows, which may involve changing some elements, from various user-level programs to the system kernel itself.
With these changes, rootkit ensures that:
1. Get administrator rights and access any system resource.
2. It can not be detected (or at least assures that its detection will be very difficult).
If the first part can be considered a relatively simple once known vulnerability of the system, the second part is more complicated. Rootkits will always try to use any trick to become “invisible”.
Some of the possible changes are:
1. A rootkit can modify the “ps” utility on a Linux system, a utility that displays active processes to make it NOT display the rootkit process.
2. A rootkit can modify the existing sniffing utilities on the system to “bypass” and not report the rootkit traffic (generally this is, of course, the traffic done between the attacker and the rootkit through which the attacker accesses/uses unknowns system resources).
3. A rootkit may hide certain files (in general) if an antivirus program scans the system in its search.
All of these changes make it very difficult to detect a rootkit since it has superuser rights and can modify any system function by manipulating the results of various scanners.
That’s why a huge number of computers on the internet are believed to be infected with rootkits without the owners having any idea of this, their resources being used by botnet networks that “reunite” these infected and easy- controllable remote, making them available to various cybercrime groups.
Although a rootkit can easily hide its traces, it is very complicated to hide all traces, rootkit scanners based on their scans to detect them.
However, “serious” attacks using well-tested and built rootkits are generally very effective.
There are various utilities, more or less good for rootkit detection. Some of them have an antivirus-style “signatures” that they try to detect some rootkits while others are more “heuristic” and try to detect abnormal behavior of a system or command (odd output, altered features, dubious files, sniffing enabled without user knowledge or suspicious traffic).
Also, considering that a rootkit software will always try to bring a system as it wants to keep it under control, a method of detecting a possible rootkit is the attempt of an anti-rootkit scanner to modify certain elements, services, utilities, daemons, followed by the detection of the changes that the rootkit will automatically make to stay active.
On Linux, there are at least the following 2 large scanners:
1. rkhunter
‘rkhunter rootkit scanner‘ is a scan tool that helps you make sure the system is not infected with malicious software. The program scans against rootkits, backdoors, and local exploits by running tests like:
– Comparing MD5 sums
– Search for files that are usually used by rootkits
– Incorrect permissions for binary files
– Look for suspicious strings in the LKM and KLD modules
– Search for hidden files
– Optionally scans inside plaintext and binary files
– Rootkit Hunter is free to use and is licensed under the GPL.
2. chkrootkit
chkrootkit is a rootkit local verification tool.