Explain rootkits and how they can be used to attack your systems
Explain rootkits and how they can be used to attack your systems. Please type your response: Thanks.
Solution
A rootkit is stealth software designed to hide the existence of particular processes, files, Registry keys or network connections from the normal detection methods of the operating system and its security tools, so that it, or another malicious program, can keep privileged access to the computer. It is not a virus in itself; it is the hiding component that other malware relies on.
Rootkits for Windows are typically used to hide malicious software from, for example, an antivirus program. They are put to malicious use by viruses, worms, backdoors and spyware; a virus combined with a rootkit produces what is known as a full-stealth virus. Rootkits were first common in spyware and are now increasingly used by virus authors as well.
The most capable ones hide themselves effectively and modify the operating system kernel directly. They are used to conceal the presence of a malicious object such as a trojan or keylogger, and once a threat uses rootkit technology to hide itself, the malware becomes very hard to find on the PC with ordinary tools.
Rootkits in themselves are not necessarily dangerous. Their purpose is to hide software, and the traces it leaves in the operating system, whether that software is legitimate or malicious.
There are basically three types of rootkit. Kernel rootkits add their own code to the operating system core or patch its data structures, for example by loading a malicious driver that hooks system call tables or unlinks the hidden process from the kernel's process list. User-mode rootkits run as ordinary programs or injected DLLs that are set to start with the system and hook the API functions other programs use (directory listing, process enumeration, Registry queries) so that the results are filtered before the caller sees them; on Windows they are usually installed by a so-called "dropper". The third type, MBR rootkits or bootkits, replace the master boot record so they run before the operating system loads and can subvert it as it starts.
When your antivirus and anti-spyware tools fail, you may need a dedicated anti-rootkit utility. RootkitRevealer from Microsoft Sysinternals is an advanced rootkit detection utility. It scans the file system and the Registry twice, once through the Windows API and once by reading the raw on-disk volume and hive structures, and lists the discrepancies between the two views; an entry visible in the raw view but missing from the API view may indicate the presence of a user-mode or kernel-mode rootkit. Two caveats: it dates from the Windows XP era and runs only on 32-bit XP and Server 2003, and a rootkit that hooks below the level at which the raw view is read can evade cross-view comparison altogether.
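The cross-view principle RootkitRevealer uses, and the API hooking a user-mode rootkit depends on, can both be shown in one short program. The C program below is an added example written for this answer, not code from the original page or from Sysinternals, and it is Linux-specific: the "API view" of a directory is whatever libc's readdir() returns, the layer an LD_PRELOAD rootkit interposes, while the "raw view" is read with the getdents64 system call issued directly, which such a hook never sees. The hiding hook itself is simulated by a filter on a hypothetical "_rk_" name prefix (the Sony rootkit used "$sys$" the same way); the scratch directory under /tmp and its two file names are constructed sample input; on a machine with no hook installed the two views agree and nothing is reported.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

long syscall(long, ...); char *mkdtemp(char *);  /* explicit prototypes for strict -std= builds */

enum { MAX_ENTRIES = 128, MAX_NAME = 256 };
struct listing { char names[MAX_ENTRIES][MAX_NAME]; int count; };

struct raw_dirent64 {            /* record layout the kernel writes for getdents64 */
    unsigned long long d_ino; long long d_off; unsigned short d_reclen;
    unsigned char d_type; char d_name[];
};

static void add_name(struct listing *l, const char *name) {
    if (l->count >= MAX_ENTRIES || !strcmp(name, ".") || !strcmp(name, ".."))
        return;
    snprintf(l->names[l->count++], MAX_NAME, "%s", name);
}

/* API view through libc readdir(), the layer an LD_PRELOAD rootkit interposes.
   hidden_prefix stands in for that hook: entries starting with it are dropped,
   which is all a hiding hook has to do. Pass NULL for an unhooked libc. */
int api_view(const char *path, const char *hidden_prefix, struct listing *out) {
    DIR *d = opendir(path);
    struct dirent *e;
    out->count = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (hidden_prefix && !strncmp(e->d_name, hidden_prefix, strlen(hidden_prefix)))
            continue;
        add_name(out, e->d_name);
    }
    closedir(d);
    return 0;
}

/* Raw view: getdents64 issued through syscall(2), bypassing any hooked libc wrapper. */
int raw_view(const char *path, struct listing *out) {
    char buf[8192];
    int fd = open(path, O_RDONLY);
    out->count = 0;
    if (fd < 0) return -1;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) { close(fd); return n < 0 ? -1 : 0; }
        for (long off = 0; off < n;) {
            struct raw_dirent64 *e = (struct raw_dirent64 *)(buf + off);
            add_name(out, e->d_name);
            off += e->d_reclen;
        }
    }
}

static int contains(const struct listing *l, const char *name) {
    for (int i = 0; i < l->count; i++)
        if (!strcmp(l->names[i], name)) return 1;
    return 0;
}

/* Names the raw view has and the API view lacks: the discrepancies. Returns how many. */
int cross_view_diff(const struct listing *api, const struct listing *raw,
                    struct listing *hidden) {
    hidden->count = 0;
    for (int i = 0; i < raw->count; i++)
        if (!contains(api, raw->names[i])) add_name(hidden, raw->names[i]);
    return hidden->count;
}

/* Constructed sample input: a scratch directory with an ordinary file and one
   carrying the hypothetical rootkit's "_rk_" marker. Returns the number of
   entries reported as hidden, or -1 if setup failed. */
int demo(const char *hidden_prefix) {
    static const char *files[] = { "notes.txt", "_rk_secret" };
    char dir[] = "/tmp/crossview-XXXXXX", p[512];
    struct listing api, raw, hidden;
    int n;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, files[i]);
        FILE *f = fopen(p, "w"); if (!f) return -1; fclose(f);
    }
    n = (api_view(dir, hidden_prefix, &api) < 0 || raw_view(dir, &raw) < 0)
            ? -1 : cross_view_diff(&api, &raw, &hidden);
    for (int i = 0; i < n; i++) printf("hidden from readdir(): %s\n", hidden.names[i]);
    for (int i = 0; i < 2; i++) { snprintf(p, sizeof p, "%s/%s", dir, files[i]); unlink(p); }
    rmdir(dir);
    return n;
}

int main(void) {
    printf("unhooked libc:  %d hidden\n", demo(NULL));    /* 0 */
    printf("simulated hook: %d hidden\n", demo("_rk_"));  /* 1 */
    return 0;
}
```

Compile with cc -o crossview crossview.c and run it: the unhooked pass reports nothing, the pass with the simulated hook reports _rk_secret. The limitation is the same one RootkitRevealer has. A hook at or below the level the raw view reads from, such as a kernel rootkit filtering inside getdents64 itself or a bootkit underneath the kernel, fools both views equally, which is why kernel-level detection has to read lower still, from the on-disk structures or from outside the running system.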
Rootkits have two primary functions: remote command and control (a back door) and software eavesdropping. They allow someone, legitimate or otherwise, to administratively control a computer: executing files, accessing logs, monitoring user activity and even changing the computer's configuration. By that broad definition, even remote-administration tools such as VNC are rootkits. This surprises most people, who consider rootkits to be solely malware, but in and of themselves they are not malicious at all.
One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG's attempt in 2005 to prevent copyright violations. Sony BMG did not tell anyone that it installed DRM software, including a rootkit, on home computers when certain audio CDs were played. The rootkit hid any file, process or Registry key whose name began with $sys$, and its hiding technique was good enough that no antivirus or anti-spyware application of the time detected it; it came to light when Mark Russinovich noticed the discrepancies in a RootkitRevealer scan of his own machine. Worse, other malware soon started naming its files with the $sys$ prefix to hide under Sony's cloak.
Rootkits can't propagate by themselves, and that fact has caused a great deal of confusion. In reality, a rootkit is just one component of what is called a blended threat, which typically consists of three pieces of code: a dropper, a loader and the rootkit.
The dropper is the code that starts the rootkit's installation. Activating it usually requires human intervention, such as clicking a malicious e-mail link. Once run, the dropper launches the loader and then deletes itself. The loader then obtains the privileges the rootkit needs, typically by exploiting a vulnerability such as a buffer overflow, and loads the rootkit into memory.
Blended-threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of attack paths that have been used successfully:
Instant messaging. One approach requires computers with an IM client installed (not much of a stretch). If the blended threat gains a foothold on just one computer, it takes over the IM client and sends messages containing malicious links to everyone on the contact list. When a recipient clicks the link (social engineering, since it appears to come from a friend), that computer becomes infected and gets a rootkit as well.
Rich content. The newer approach is to embed the blended-threat malware in rich-content files such as PDF documents, where it exploits a vulnerability in the reader. Just opening a malicious PDF file executes the dropper code, and it's all over.
