2. What is a rootkit?
A collection of tools used by hackers to gain administrative privileges on
compromised machines.
Used to help hide other forms of malware.
3. What does it do?
Allows someone, either legitimate or malicious, to maintain command and
control over a computer system without the computer system's user knowing
about it.
The owner of the rootkit can execute files and change system configurations on
the target machine.
Can access log files or monitor activity to covertly spy on the user's computer
usage.
**There are legitimate uses for rootkits too.
4. How does it work?
Rootkits are just one component of what is called a blended threat.
Blended threats typically consist of three snippets of code:
1. a dropper
2. loader
3. rootkit.
The dropper is the code that gets the rootkit's installation started.
Once initiated, the dropper launches the loader program and then deletes itself.
The loader causes a buffer overflow, which loads the rootkit into memory.
5. How do blended threats get to your computer?
Through social engineering.
Exploiting known vulnerabilities.
Even from brute forcing.
6. Types of rootkits
User-mode rootkits
Run on a computer with administrative privileges.
This allows them to alter security settings and hide processes, files, system drivers, network ports, and even system
services.
These rootkits remain installed on the infected computer by copying the required files to the computer's
hard drive, automatically launching with every system boot.
**These rootkits will be detected by anti-malware software.
7. Kernel-mode rootkit
Places the rootkit on the same level as the operating system and the rootkit detection software, so the
OS can no longer be trusted.
One kernel-mode rootkit that's getting lots of attention is the Da IOS rootkit.
**Windows blue screen errors might be caused by these rootkits.
User-mode/kernel-mode hybrid rootkit
A hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode
characteristics (stealthy).
The hybrid approach is very successful and is currently the most popular type of rootkit.
8. Firmware rootkits
Can hide in firmware when the computer is shut down.
Restart the computer, and the rootkit reinstalls itself.
The altered firmware could be anything from microprocessor code to PCI expansion card firmware.
If a removal program removes these rootkits, the firmware rootkit is there again the next time the computer
starts.
Virtual rootkits
They act as a software implementation of a hardware set, in a manner like that used by VMware.
Virtual rootkits are almost invisible.
**The Blue Pill is one example of this type of rootkit.
9. How to detect it?
There are various ways to scan memory or file system areas, or to look for hooks
into the system left by rootkits.
By system monitoring.
It's hard to detect rootkits.
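Added example, not part of the original notes: three of the detection ideas above carried out in code over constructed sample data. Cross-view detection compares the process list an ordinary API reports with a lower-level enumeration of the same machine, so a process hidden by a hook stands out; hook detection compares a live dispatch (system call) table against a trusted baseline; and the firmware check from the firmware section compares the hash of a firmware image against a known-good value, which is the kind of check that still works when a removal program cannot reach the firmware itself. The process names, PIDs, table addresses and firmware bytes are all constructed for the example, and the baseline values would in practice come from a known-good copy of the same build.

```python
"""
Rootkit detection checks run over constructed sample data.

1. Cross-view detection: a rootkit that hooks the process-listing API can
   hide its process from the usual tools, but a lower-level enumeration may
   still show it. The difference between the two views is the set of
   hidden candidates.
2. Hook detection: a kernel-mode rootkit that overwrites entries in a
   dispatch/system-call table changes the handler addresses. Comparing the
   live table against a trusted baseline reveals the redirected entries.
3. Firmware integrity: hash the firmware image and compare it with a
   known-good digest; a mismatch means the image has been altered.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    name: str


def find_hidden_processes(api_view, low_level_view):
    """Return processes present in the low-level view but absent from the
    API view, sorted by PID. These are the candidates hidden by a hook."""
    visible = {p.pid for p in api_view}
    return sorted((p for p in low_level_view if p.pid not in visible),
                  key=lambda p: p.pid)


def find_hooked_entries(baseline_table, live_table):
    """Compare a live table (entry number -> handler address) against a
    trusted baseline. Every entry whose address differs from the baseline
    (or is missing from it) is reported as (expected, live)."""
    hooked = {}
    for number, live_addr in live_table.items():
        expected = baseline_table.get(number)
        if expected != live_addr:
            hooked[number] = (expected, live_addr)
    return hooked


def firmware_image_matches(image_bytes, expected_sha256_hex):
    """True when the SHA-256 of the image equals the known-good digest.
    compare_digest avoids leaking the position of the first mismatch."""
    actual = hashlib.sha256(image_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


# Constructed sample data: what a hooked process-listing API reports ...
API_VIEW = [ProcessInfo(1, "init"), ProcessInfo(412, "sshd"),
            ProcessInfo(980, "bash")]
# ... versus what a lower-level enumeration of the same machine reports.
LOW_LEVEL_VIEW = API_VIEW + [ProcessInfo(1337, "rk_svc")]

# Constructed sample dispatch table: entry number -> handler address.
BASELINE_TABLE = {0: 0xffff800000100000,
                  1: 0xffff800000100100,
                  2: 0xffff800000100200}
LIVE_TABLE = dict(BASELINE_TABLE)
# Entry 2 redirected to an address outside the baseline (a hook).
LIVE_TABLE[2] = 0xffffc000dead0000

# Constructed firmware image and its known-good digest.
GOOD_IMAGE = b"constructed firmware image v1"
GOOD_IMAGE_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()


def run_checks():
    """Run all three checks and return their findings."""
    hidden = find_hidden_processes(API_VIEW, LOW_LEVEL_VIEW)
    hooked = find_hooked_entries(BASELINE_TABLE, LIVE_TABLE)
    firmware_ok = firmware_image_matches(GOOD_IMAGE, GOOD_IMAGE_SHA256)
    return hidden, hooked, firmware_ok


if __name__ == "__main__":
    hidden, hooked, firmware_ok = run_checks()
    for p in hidden:
        print(f"hidden process: pid={p.pid} name={p.name}")
    for number, (expected, live) in hooked.items():
        print(f"hooked entry {number}: expected {expected:#x}, live {live:#x}")
    print("firmware image matches baseline:", firmware_ok)
```

On real systems the two process views would come from, for example, a high-level listing tool and a direct walk of the kernel's own structures or a filesystem-level enumeration; the value of the technique lies in the two views being produced by independent code paths, so that a single hook cannot falsify both.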