Root Kit - The Hackers Backdoor to Your Computer
By Stephen Bucaro
Root kit is the latest buzz word in the computer technology world. Root kit refers to a new, more
insidious kind of computer virus that cannot be detected by anti-virus software. Actually, root kits
have been known in Unix/Linux systems for many years. The word "root" comes from the "root" account
(system administrator) in Linux.
Only recently has the existence of root kits in Microsoft Windows systems been exposed. Greg Hoglund,
a computer security consultant and authority on Windows root kits, believes intruders have been using
Windows root kits covertly for years.
A root kit is a trojan horse virus that modifies operating system code so that it can grant itself
system administrator authority and create a backdoor through which the hacker can access your system.
A root kit usually installs utilities that allow the hacker to spawn a remote shell, log in, and start
processes to open ports, intercept keystrokes, collect data, sniff for usernames and passwords, and scan
a network for vulnerabilities to exploit.
Any average programmer can write a kernel mode root kit. Hoglund teaches a two-day course on root
kits, and by the end of the course, every student is writing their own root kits.
Detecting root kits
Whereas the goal of a common computer virus is to spread itself to other systems, the primary goal of
a root kit is self-preservation. For example, it may regularly check the integrity of its components
and reinstall them if necessary. Conventional viruses operate in user mode, which means they
create processes and registry entries visible in system administration utilities.
When a system administrator uses a utility to check for a root kit, the root kit intercepts the system
calls and filters out any messages that would expose the root kit. Normal indicators of a program running,
such as executable file name, process name, memory usage, or registry settings are invisible. As a result,
root kits cannot be detected by conventional detection tools including anti-virus and anti-spyware applications.
The root kit may remain hidden until a system crash reveals the name of one of its processes as the
component that caused the crash. There are several programs available to detect root kits on Unix systems,
for example chkrootkit and rkhunter. Microsoft is working on a tool that can detect root kits on
Windows systems; however, at the present time the only reliable way to remove a root kit from
Windows is to completely erase the hard drive and reinstall Windows from scratch.
One promising Windows root kit detector is the freeware program RootkitRevealer. It runs on
Windows NT 4 and higher and lists any Registry, file system, or API discrepancies that may indicate
the presence of a root kit. However, RootkitRevealer does not claim to detect every root kit.
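The discrepancy check described above compares what the high-level API reports against a raw enumeration of the same objects: a root kit that filters API results leaves entries in the raw view that the API view lacks. The following is an added illustration of that cross-view comparison, not the article's or RootkitRevealer's own code, run over constructed file, Registry and process listings with hypothetical entry names:

```python
# Cross-view detection: an entry present in the raw view but missing from the
# API view is "hidden"; one present only in the API view is a "phantom".
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    view: str    # which object type was compared: "file system", "registry", "process"
    entry: str   # the entry that differs between the two views
    kind: str    # "hidden" (raw only) or "phantom" (API only)


def cross_view_diff(view_name, api_view, raw_view):
    """Return every entry that appears in only one of the two listings."""
    api, raw = set(api_view), set(raw_view)
    hidden = [Discrepancy(view_name, e, "hidden") for e in sorted(raw - api)]
    phantom = [Discrepancy(view_name, e, "phantom") for e in sorted(api - raw)]
    return hidden + phantom


def scan(views):
    """views: {name: (api_listing, raw_listing)} -> list of Discrepancy."""
    report = []
    for name, (api_view, raw_view) in views.items():
        report.extend(cross_view_diff(name, api_view, raw_view))
    return report


# Constructed sample views; every path, key and process name is hypothetical.
SAMPLE_VIEWS = {
    "file system": (
        ["C:\\Windows\\explorer.exe", "C:\\Windows\\notepad.exe"],
        ["C:\\Windows\\explorer.exe", "C:\\Windows\\notepad.exe",
         "C:\\Windows\\hidden_driver_example.sys"],
    ),
    "registry": (
        ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp"],
        ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp",
         "HKLM\\SYSTEM\\CurrentControlSet\\Services\\example_svc"],
    ),
    "process": (["explorer.exe", "notepad.exe"], ["explorer.exe", "notepad.exe"]),
}

if __name__ == "__main__":
    for d in scan(SAMPLE_VIEWS):
        print(f"{d.view}: {d.kind} entry {d.entry}")
```

A discrepancy is a lead, not proof: a file or key created between the two enumerations shows up the same way, so each hit needs to be confirmed before the machine is treated as compromised.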
Root kits are the ultimate backdoor, giving hackers ongoing and virtually undetectable
access to the systems they exploit. Now, two of the world's leading experts have written the first comprehensive guide to root kits:
what they are, how they work, how to build them, and how to detect them. Rootkit.com's Greg Hoglund and
James Butler created and teach Black Hat's legendary course in root kits. In this book, they reveal
never-before-told offensive aspects of root kit technology - learn how attackers can get in and stay in for
years, without detection.
Hoglund and Butler show exactly how to subvert the Windows XP and Windows 2000 kernels,
teaching concepts that are easily applied to virtually any modern operating system, from Windows Server
2003 to Linux and UNIX. Using extensive downloadable examples, they teach root kit programming techniques
that can be used for a wide range of software, from white hat security tools to operating system drivers.
After reading this book, readers will be able to:
• Understand the role of root kits in remote command/control and software eavesdropping
• Build kernel root kits that can make processes, files, and directories invisible
• Master key root kit programming techniques, including hooking, runtime patching, and directly manipulating kernel objects
• Work with layered drivers to implement keyboard sniffers and file filters
• Detect root kits and build host-based intrusion prevention software that resists root kit attacks