Many of our friends do not understand the term. Simply defined, a
rootkit is a type of malware whose purpose is to hide its own presence,
together with the files, processes and network connections of the other
malicious programs it is installed with, such as trojan horses and
back-doors. Once loaded, a kernel-mode rootkit modifies the operating
system kernel (for example by hooking system calls) so that the tools an
administrator uses to inspect the machine report false information;
user-mode rootkits achieve the same effect by replacing system binaries
or libraries. Rootkit technology is a double-edged sword: it can be
studied to make our systems more robust and secure, but it also allows
attackers to keep a back door open on a compromised system and to capture
passwords or messages from it.
Some people misunderstand and think that a rootkit is a tool used to gain
root access. Not directly: a rootkit is what an attacker installs after
gaining root, in order to hide their tracks and keep a way back in.
Typically the attacker first gains remote access by guessing or
brute-forcing a password. If the account obtained does not have root
privileges, the attacker waits and collects information, for example the
credentials of other users who log on, until privileges can be escalated
and a back door installed. Finally the attacker removes the related
entries from the logs so that nobody realizes the system has been
compromised.
The name comes from "root", the Unix superuser, and "kit", a collection
of tools. Early kits of this kind had legitimate administrative uses, but
they were soon adapted by attackers to hide their activity on compromised
systems, and as a result most anti-virus products now classify rootkits
as malware. Linux, Windows, macOS and other operating systems can all be
targeted by rootkits.
Rootkit Protection
1. Never send passwords in clear text over the network. Use protocols
that encrypt the login (SSH, TLS) or use one-time passwords. That way,
even if a rootkit with a packet sniffer has been installed on one
machine, the attacker cannot harvest further user names and passwords by
monitoring the network traffic that passes through it.
2. Scan for rootkits with a file-integrity checker such as Tripwire or
AIDE, or with a dedicated rootkit scanner. Integrity checkers differ from
other protection tools in that they do not trace attackers through
security logs but detect changes to the system itself: they record a
baseline of cryptographic hashes and metadata (size, permissions, owner,
timestamps) for the important files, and a later run compares the
current state against that baseline. Because the comparison is made on
content hashes rather than on size or timestamp alone, a system file
replaced by a rootkit is discovered even when the trojaned copy is
exactly the same size as the original and its timestamps have been
restored. Two caveats: the baseline must be created on a known-clean
system and stored where an intruder with root cannot rewrite it
(read-only or off-line media), and because a kernel-mode rootkit can lie
to any program running on the compromised kernel, a suspect machine
should be scanned from a trusted boot medium.
3. There are few remedial options once a rootkit has been found. Because
the rootkit hides itself, you usually cannot determine how long it has
been on the system, nor everything it has altered or what other malware
it has been concealing. The best solution is to wipe the disk and
reinstall the operating system from trusted installation media,
restoring only data (not executables) from backups taken before the
compromise, and to change every password that was used on the
compromised machine, since the rootkit may have captured them. Although
it is a drastic step, it is the only way to be sure a rootkit has been
completely removed.
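The baseline-and-compare approach behind Tripwire and AIDE described in step 2, as an added example that is not part of the original article and is not the code of either tool. It records a SHA-256 hash plus metadata for every file under a directory, saves the baseline as JSON, and on a later run reports added, removed and modified files. The `demo()` function builds a constructed directory tree, replaces a fake `bin/ls` with a same-length trojan whose modification time is restored (timestomped), and drops an extra library; the file names, contents and the `baseline.json` location are all assumptions for the demonstration.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/AIDE.

Added example, not part of the original article or of Tripwire/AIDE.
Records a baseline of hash + metadata per file and reports additions,
removals and modifications on a later run.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 65536


def file_record(path):
    """Hash plus the metadata a rootkit would have to forge to stay hidden."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),      # content hash: catches same-size replacement
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "mtime_ns": st.st_mtime_ns,   # easily faked, so never rely on it alone
    }


def build_baseline(root):
    """Scan every regular file under root (symlinks skipped), keyed by relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(baseline, dest):
    # In real use keep this file off the host (read-only or remote media) so
    # an intruder who gets root cannot simply regenerate it after the change.
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, root):
    """Diff a fresh scan against the stored baseline; lists which attributes changed."""
    current = build_baseline(root)
    report = {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": {},
    }
    for rel in sorted(baseline.keys() & current.keys()):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario (assumed names/contents): trojaned same-size 'ls'
    with restored mtime, plus a dropped library. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        fs = Path(tmp) / "fs"
        (fs / "bin").mkdir(parents=True)
        (fs / "etc").mkdir()
        ls = fs / "bin" / "ls"
        ls.write_bytes(b"#!/bin/sh\necho real ls\n")
        (fs / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        db = Path(tmp) / "baseline.json"   # outside the scanned tree
        save_baseline(build_baseline(fs), db)

        # Attacker: same-length replacement, then timestomp mtime back.
        st = ls.stat()
        ls.write_bytes(b"#!/bin/sh\necho fake ls\n")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        (fs / "lib").mkdir()
        (fs / "lib" / "evil.so").write_bytes(b"\x7fELF" + b"\0" * 60)

        return compare(load_baseline(db), fs)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script reports `bin/ls` as modified with only `sha256` changed, since size, mode, owner and mtime all still match the baseline, and `lib/evil.so` as added. That is exactly the case a size or timestamp check would miss, and why the comparison must be on content hashes.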