What's a Root Kit and How Hackers Are Getting Into Your Computer With It
A root kit is a set of tools used by an intruder after cracking a computer
system. These tools can help the attacker maintain his or her access to the
system and use it for malicious purposes. Root kits exist for a variety of
operating systems such as Linux, Solaris, and versions of Microsoft Windows.
The term "root kit" (also written as "rootkit") originally referred to a set
of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would
carefully hide any trace of the cracker that those commands would normally
display, thus allowing the crackers to maintain "root" on the system without the
system administrator even seeing them.
Generally now the term is not restricted to Unix based operating systems, as
tools that perform a similar set of tasks now exist for non-Unix operating
systems such as Microsoft Windows (even though such operating systems may not
have a "root" account). It is common for the term 'rootkit' to refer to a
"kernel-mode" program (that is, acting as part of the operating system), as
opposed to a "user-mode" program (that is, programs that operate as normal
applications or tools).
The key distinction between a computer virus and a root kit relates to
propagation. Like a root kit a computer virus modifies core software components
of the system, inserting code which attempts to hide the "infection" and
provides some additional feature or service to the attacker (the "payload" of a virus).
In the case of the root kit the payload may attempt to maintain the integrity of
the root kit (the compromise to the system) - for example every time one runs
the root kit's ps command it may check the copies of init and inetd on the
system to ensure that they are still compromised, and "re-infecting" them as necessary.
The rest of the payload is there to ensure that the cracker (attacker) can
continue to control the system. This generally involves having backdoors in the
form of hard-coded username/password pairs, hidden command-line switches or
magic environment variable settings which subvert the normal access control
policies of the uncompromised versions of the programs. Some root kits may add
port knocking checks to existing network daemons (services) such as inetd
or the sshd.
A computer virus can have any sort of payload. However, the computer virus also
attempts to spread to other systems. In general a root kit limits itself to
maintaining control of one system.
A program or suite of programs that attempts to automatically scan a network
for vulnerable systems and to automatically exploit those vulnerabilities and
compromise those systems is referred to as a computer worm. Other forms of
computer worms work more passively, sniffing for usernames and passwords and
using those to compromise accounts, installing copies of themselves into each
such account (and usually relaying the compromise account information back to
the cracker/attacker through some sort of covert channel).