What is RootKits?

Rootkits are software programs designed to gain access to a computer without being detected. They are malware that help attackers gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to obtain root privileges on the system. Logged in as the root user, an attacker can perform any task, such as installing software or deleting files.

A rootkit works by exploiting vulnerabilities in the operating system and applications. It builds a backdoor login process into the operating system through which the attacker can bypass the standard login process.

Once root access is obtained, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and discarding active processes. Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system by executing malicious functions. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots and other components.

All files carry a set of attributes, organized into several fields. The first field records the time of the file's creation and last access, as well as its original length. The Windows functions GetFileAttributesEx() and GetFileInformationByHandle() are used to read these values, and ATTRIB.exe displays or changes the file attributes. An attacker can hide, or even change, the attributes of a victim's files so that the attacker can access them without being noticed.

An attacker places a rootkit by:

  • Scanning for vulnerable computers and servers on the web
  • Wrapping it in a special package, such as a game
  • Installing it on public or corporate computers through social engineering
  • Launching a zero-day attack (privilege escalation, Windows kernel exploitation, etc.)

Objectives of a rootkit:

  • To root the host system and gain remote backdoor access
  • To mask the attacker's tracks and the presence of malicious applications or processes
  • To gather sensitive data, network traffic, etc. from a system to which the attacker might otherwise be restricted or have no access
  • To store other malicious programs on the system and act as a server resource for bot updates

Types of Rootkits

A rootkit is a type of malware that can hide itself from the operating system and from antivirus applications on the computer. It provides attackers with root-level access to the computer through a backdoor. Rootkits employ a range of techniques to gain control of a system, and the type of rootkit influences the choice of attack vector. There are basically six types of rootkits:

Hypervisor Level Rootkit

Attackers create hypervisor level rootkits by exploiting hardware virtualization features such as Intel VT and AMD-V. These rootkits run in Ring -1, host the operating system of the target machine as a virtual machine, and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence so that it is loaded in place of the original virtual machine monitor.

Hardware/Firmware Rootkit

Hardware/firmware rootkits use device or platform firmware to create a persistent malware image in hardware such as a hard drive, the system BIOS, or a network card. The rootkit hides in firmware because users do not inspect it for code integrity. A firmware rootkit is therefore a way of creating persistent, concealed rootkit malware.

Kernel Level Rootkit

The kernel is the core of the operating system. Kernel level rootkits run in Ring 0 with the highest operating system privileges. They add backdoors to the computer and are created by writing additional kernel code or by substituting portions of kernel code with modified code, via device drivers in Windows or loadable kernel modules in Linux. If the kit's code contains mistakes or bugs, a kernel level rootkit affects the stability of the whole system. Because these rootkits have the same privileges as the operating system, they are difficult to detect, and they can intercept or subvert the operations of the operating system.

Boot Loader Level Rootkit

Boot loader level rootkits (bootkits) function by replacing or modifying the legitimate boot loader with another one. A bootkit can activate even before the operating system starts, so bootkits are serious threats to security because they can help in capturing encryption keys and passwords.

Application Level Rootkit

Application level rootkits operate inside the victim's computer by replacing standard application files (application binaries) with rootkit versions, or by modifying the behavior of present applications with patches, injected malicious code, and so on.

Library Level Rootkit

Library level rootkits work higher up in the OS; they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker hidden. They replace original system calls with fake ones that filter out information about the attacker.
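A defender's counterpart to the process-hiding and call-hooking behaviour described above (in the "hide the traces" paragraph and in the library level rootkit section) is a cross-view check: the same information is collected through two independent paths and any disagreement is flagged. The Linux script below is an added example, not code from the original page; it assumes a standard /proc layout and compares the process list visible through /proc (the view a hooked readdir() or a filtered /proc would tamper with) against process IDs the kernel confirms directly via kill(pid, 0).

```python
import os

PROC = "/proc"


def list_proc_pids():
    """Process IDs as reported by the /proc filesystem (the user-space view
    that a library or kernel hook would normally filter)."""
    try:
        names = os.listdir(PROC)
    except OSError:          # /proc not mounted: nothing to compare against
        return set()
    return {int(n) for n in names if n.isdigit()}


def probe_pids(candidates):
    """Process IDs the kernel confirms exist, found by sending signal 0.
    kill(pid, 0) delivers no signal: ESRCH means 'no such process', while
    EPERM means the process exists but belongs to another user."""
    alive = set()
    for pid in candidates:
        if pid <= 0:         # pid 0 and negative values address process groups
            continue
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def cross_view_diff(proc_view, probe_view):
    """Pure comparison: pids the kernel confirms but /proc never showed."""
    return set(probe_view) - set(proc_view)


def find_hidden_pids(max_pid=None):
    """Scan pids 1..max_pid and return those hidden from the /proc listing."""
    if max_pid is None:
        max_pid = 32768      # constructed fallback if pid_max is unreadable
        try:
            with open(f"{PROC}/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            pass
    before = list_proc_pids()
    alive = probe_pids(range(1, max_pid + 1))
    after = list_proc_pids()
    # A pid must be missing from both /proc snapshots to count as hidden,
    # so processes that start or exit during the scan are not flagged.
    return cross_view_diff(before | after, alive)
```

A non-empty result from find_hidden_pids() is a lead, not proof: /proc mounted with hidepid also removes other users' processes from the listing, and a kernel level rootkit that hooks kill() itself defeats this particular cross-view.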
