Root kit is the latest buzz word in the computer technology world. Root kit refers to a new more insidious kind of computer virus that cannot be detected by anti-virus software. Actually root kits have been known in Unix/Linux systems for many years. The word "root" comes from the "root" account (system administrator) in Linux.
It's just lately that the existence of root kits in Microsoft Windows systems has been exposed. Greg Hoglund, a computer security consultant and authority on Windows root kits believes intruders have been using Windows root kits covertly for years.
A root kit is a trojan horse virus that modifies operating system code to allow it to grant itself system administrator authority and create a backdoor through which the hacker can access your system. A root kit usually installs utilities that allow the hacker to spawn a remote Shell, login, and start processes to open ports, intercept keystokes, collect data, sniff for usernames and passwords, and scan a network for vulnerabilities to exploit.
Any average programmer can write a kernel mode root kit. Hoglund teaches a two-day course on root kits, and by the end of the course, every student is writing their own root kits.
Detecting root kits
Whereas the goal of a common computer virus is to spread itself to other systems, the primary goal of a root kit is self preservation. For example it may regularly check the integrity of it's components and reinstall them if necessary. Conventional viruses operate in user mode, which means they create processes and registry entries visible in system administration utilities.
When a system administrator uses a utility to check for a root kit, the root kit intercepts the system calls and filters out any messages that would expose the root kit. Normal indicators of a program running, such as executable file name, process name, memory usage, or registry settings are invisible. As a result, root kits cannot be detected by conventional detection tools including anti-virus and anti-spyware applications.
The root kit may remain hidden until a system crash reveals the name of one of it's processes as the component that caused the crash. There are several programs available to detect root kits on Unix systems, for example chkrootkit and rkhunter. Microsoft is working on a tool that can detect root kits on Windows systems, however, at the present time the only reliable way to remove a root kit from Windows is to completely erase the hard drive and reinstall Windows from scratch.
One promising Windows root kit detector is the Freeware program RootkitRevealer. RootkitRevealer runs on Windows NT 4 and higher and it lists any Registry, file system, or API discrepancies that may indicate the presence of a root kit. However, RootkitRevealer does not claim to detect every root kit.
Root kits are the ultimate backdoor, giving hackers ongoing and virtually undetectable access to the systems they exploit. Now, two of the world's leading experts have written the first comprehensive guide to root kits: what they are, how they work, how to build them, and how to detect them. Rootkit.com's Greg Hoglund and James Butler created and teach Black Hat's legendary course in root kits. In this book, they reveal never-before-told offensive aspects of root kit technology - learn how attackers can get in and stay in for years, without detection.
Hoglund and Butler show exactly how to subvert the Windows XP and Windows 2000 kernels, teaching concepts that are easily applied to virtually any modern operating system, from Windows Server 2003 to Linux and UNIX. Using extensive downloadable examples, they teach root kit programming techniques that can be used for a wide range of software, from white hat security tools to operating system drivers and debuggers.
After reading this book, readers will be able to;
• Understand the role of root kits in remote command/control and software eavesdropping
• Build kernel root kits that can make processes, files, and directories invisible
• Master key root kit programming techniques, including hooking, runtime patching, and directly manipulating kernel objects
• Work with layered drivers to implement keyboard sniffers and file filters
• Detect root kits and build host-based intrusion prevention software that resists root kit attacks
Learn more at amazon.com