Batch:2020
Air University Aerospace & Aviation Campus
Kamra
SUBMITTED TO: MR.KHWAJA BILAL
SUBMITTED BY: ABDUL MOIZ SATTI
Topic: Rootkit
Rootkit: - Introduction
Everything has a beginning, including malware. Rootkits are one of the oldest malware
categories and are often treated as the starting point of stealthy malicious software.
Malware did exist before the term "rootkit" was coined, but it typically worked by abusing
weaknesses such as default passwords. Rootkits were something different.
Essentially, a rootkit is a set of tools that lets an attacker keep privileged access to a
system that has already been compromised. This is where the "root" in rootkit comes from: in
UNIX, "root" is the superuser or system administrator, the account with the privilege to
install or modify software, move or delete files, and create other privileged accounts. The
rootkit then hides the attacker's presence (files, processes, network connections and
accounts) from the legitimate administrators.
Rootkit: - Definition
A rootkit is malicious software that allows an unauthorized user to keep privileged access
to a computer and to restricted areas of its software. A rootkit may contain a number of
malicious tools such as key loggers, banking credential stealers, password stealers, antivirus
disablers, and bots for DDoS attacks. The software remains hidden on the computer and
allows the attacker remote access to it.
The term rootkit is derived from the combination of two words, "root" and "kit". "Root"
refers to the administrator account in Unix and Linux operating systems, which is an all-
powerful account with full privileges and unrestricted access. It is equivalent to the
Administrator account on Windows systems. The term "kit" refers to the programs that
allow a threat actor to obtain unauthorized root/admin-level access to the computer and
its restricted areas. The rootkit enables the threat actor to perform all these actions
surreptitiously, without the user's consent or knowledge.
SOURCE: https://enterprise.comodo.com/rootkit-definition/#:
ROOTKIT Tools
• key loggers
• banking credential stealers
• password stealers
• antivirus disablers
• bots for DDoS attacks
This software remains hidden on the computer and allows the attacker remote
access to it.
Source: https://blog.emsisoft.com/en/29468/rootkits/
History / Most impactful attack of Rootkit Software:-
Back in 1983, Ken Thompson, one of the creators of the Unix operating system,
described in his Turing Award lecture a compromised compiler that would silently
modify the login command so that an attacker could log in with an additional, secret
password and gain administrator access. This was a conceptual model of a rootkit.
Historically, rootkits were confined to the world of Unix and Linux, but they eventually
made their way to the Windows operating system, starting with NTRootkit, a tool
targeting Windows NT that was first seen in 1999. Since then, rootkits have become
common on Windows and today are a stubborn blight on the digital world.
The most widely publicized rootkit was not written by criminals but by Sony BMG, and it
did serious damage to Sony's reputation. The Sony BMG rootkit was released in 2005 as a
copy-protection measure: the idea was to detect and block copying of Sony's audio CDs
to other media. The software (known as XCP) shipped on 52 Sony BMG titles, among
them albums by Ricky Martin and Kylie Minogue.
When a CD was played in an ordinary CD player or Discman, nothing happened.
When it was inserted into a Windows PC, however, the rootkit was installed, hid itself
together with every file whose name started with $sys$, and took control of how the
user accessed the music; any attempt to copy the disc was blocked. Because the driver
hid any file with the $sys$ prefix, other malware writers used it to hide their own files
on infected systems simply by giving them names starting with $sys$. When the rootkit
was discovered there was a major scandal, made worse when Thomas Hesse, president
of Sony BMG's global digital business, said "Most people, I think, don't even know what
a rootkit is, so why should they care about it?". This caused a heavy public reaction and
damaged Sony's image; it is still cited as an example of bad public relations. A lawsuit
followed, which ended with Sony offering customers refunds and free music downloads
from its website.
Source: https://blog.emsisoft.com/en/29468/rootkits/
https://www.researchgate.net/publication/235666537_History_of_malware
TYPES OF ROOTKIT
Some types of rootkit are:
PERSISTENT Rootkits
• launched every time the system is rebooted
• the rootkit reappears after every restart, even after you think you have cleaned it
off the system
• its code lives on disk, commonly deep within the file system or in the Windows
Registry, with an autostart entry (such as a driver or service) that reloads it
Memory-based Rootkits
• reside only in memory (RAM) and leave no persistent component on disk
• once the system is rebooted after cleaning, the rootkit should be gone (the
weakness used to install it, however, is still there)
User-mode Rootkits
• run with ordinary user or administrator privileges, and are tricky because they try
to evade detection by antimalware programs
• they hook API and system calls inside user processes (for example the functions
that list files, processes or network connections) and filter the results, so the
system and its tools are tricked into believing the rootkit is not installed
Kernel-mode Rootkits
• the worst kind
• run at the same privilege level as the operating system kernel, evade detection
and directly manipulate the kernel's own data structures and system call tables,
so even security software that relies on the kernel's view of the system is fooled
Source: https://softwarelab.org/what-is-a-rootkit/
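The following is an added example, not code from the original page or from any of its sources, written in C for Linux. It simulates the user-mode hooking described above: a wrapper behaves like a hooked readdir() and drops every directory entry whose name begins with $sys$ (the prefix the Sony BMG driver hid), and a cross-view check lists the same directory through the raw getdents64 system call, bypassing libc, and reports the names the hooked view left out. The sample directory and its three file names are constructed by the example itself; the prefix, the function names and the /tmp location are illustrative assumptions. A real user-mode rootkit would interpose readdir() itself (for instance via LD_PRELOAD) so that the victim process never sees the filter; a kernel-mode rootkit would filter inside getdents64 itself, which is exactly why this cross view catches the former but not the latter.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define HIDE_PREFIX "$sys$"   /* assumed: the prefix the rootkit hides */
#define MAX_ENTRIES 64
#define NAME_LEN 256

/* Record layout returned by getdents64 (the kernel's struct linux_dirent64,
 * which glibc does not export). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* The rootkit's filter: hide anything that starts with HIDE_PREFIX. */
static int rootkit_hides(const char *name)
{
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

static void copy_name(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
}

/* Constructed sample data: a fresh temporary directory holding two ordinary
 * files and one "$sys$" file.  Returns a malloc'ed path, or NULL on error. */
char *make_sample_dir(void)
{
    char tmpl[] = "/tmp/rootkit-demo-XXXXXX";
    const char *files[] = { "notes.txt", "song.mp3", "$sys$hidden.dat" };
    if (mkdtemp(tmpl) == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s", tmpl, files[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0)
            return NULL;
        close(fd);
    }
    char *dir = malloc(strlen(tmpl) + 1);
    if (dir)
        strcpy(dir, tmpl);
    return dir;
}

/* View 1: what a process sees through a hooked readdir().  A real user-mode
 * rootkit interposes readdir() itself; here the same filter sits in a wrapper. */
int list_via_hooked_readdir(const char *dir, char out[][NAME_LEN], int max)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max) {
        if (e->d_name[0] == '.')
            continue;                 /* skip "." and ".." */
        if (rootkit_hides(e->d_name))
            continue;                 /* the hook drops this entry */
        copy_name(out[n++], e->d_name);
    }
    closedir(d);
    return n;
}

/* View 2: ask the kernel directly with getdents64, bypassing libc and any
 * user-mode hook installed there. */
int list_via_getdents64(const char *dir, char out[][NAME_LEN], int max)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    unsigned long long buf[512];      /* 4 KiB, 8-byte aligned */
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0)
            break;
        for (long off = 0; off < nread; ) {
            struct raw_dirent64 *e = (struct raw_dirent64 *)((char *)buf + off);
            if (e->d_name[0] != '.' && n < max)
                copy_name(out[n++], e->d_name);
            off += e->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Cross-view diff: names the kernel reports but the hooked API does not are
 * evidence that something is hiding them.  Returns how many were found. */
int find_hidden_entries(const char *dir, char out[][NAME_LEN], int max)
{
    char hooked[MAX_ENTRIES][NAME_LEN], raw[MAX_ENTRIES][NAME_LEN];
    int nh = list_via_hooked_readdir(dir, hooked, MAX_ENTRIES);
    int nr = list_via_getdents64(dir, raw, MAX_ENTRIES);
    if (nh < 0 || nr < 0)
        return -1;
    int found = 0;
    for (int i = 0; i < nr && found < max; i++) {
        int seen = 0;
        for (int j = 0; j < nh && !seen; j++)
            seen = strcmp(raw[i], hooked[j]) == 0;
        if (!seen)
            copy_name(out[found++], raw[i]);
    }
    return found;
}

int main(void)
{
    char *dir = make_sample_dir();
    if (dir == NULL) { perror("make_sample_dir"); return 1; }
    char hidden[MAX_ENTRIES][NAME_LEN];
    int n = find_hidden_entries(dir, hidden, MAX_ENTRIES);
    printf("%d entries hidden from readdir() in %s\n", n, dir);
    for (int i = 0; i < n; i++)
        printf("  %s\n", hidden[i]);
    free(dir);
    return 0;
}
```

Run it on a Linux box and the hooked view reports two files while the raw view reports three, so the $sys$ name is flagged. The same cross-view idea (compare two independent enumerations of files, processes or sockets and treat the difference as suspicious) is what rootkit scanners rely on; the important caveat is that both views must come from layers the rootkit has not reached.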
Protection Mechanisms used
In a chapter of the Information Security Management Handbook, Sixth Edition, Volume
2, security researchers E. Eugene Schultz and Edward Ray recommend that
enterprises consider the following measures to prevent rootkit infections:
• using intrusion detection and prevention tools such as rootkit scanners
• applying vulnerability patches in a timely manner
• configuring systems according to security guidelines and limiting the services that
can run on them
• adhering to the principle of least privilege
• deploying firewalls that can analyze network traffic at the application layer
• using strong authentication
• performing regular security maintenance
• limiting the availability of compiler programs that rootkits exploit
Source: https://en.wikipedia.org/wiki/Rootkit
Notable Examples of Rootkit Attacks
Over the last 25 years, innumerable rootkits have left their mark on cybersecurity. A few of
them came from legitimate companies, like the one released by Sony in 2005 to improve
the copy protection of audio CDs or the similar one shipped by Lenovo in 2015 to install
undeletable software on its new laptops. Most rootkits, however, were developed by
unknown hackers with the goal of compromising victims' computers and obtaining their
sensitive information for the hackers' personal (mostly financial) gain.
Some of the most notable examples of rootkits include the following:
In 2008, organized crime rings from China and Pakistan infected hundreds of
credit card readers intended for the Western European market with firmware
rootkits. The rootkits were programmed to record the victims' credit card data
and send it directly to a server located in Pakistan. On the whole, the
hackers behind this plot managed to steal at least 10 million pounds by cloning
credit cards and withdrawing funds from the unsuspecting victims' accounts.
In 2011, cybersecurity experts discovered ZeroAccess, a kernel-mode rootkit
that went on to infect more than 2 million computers around the world. Rather
than directly affecting the functionality of the infected computer, this rootkit
silently downloads and installs malware on the infected machine and makes it
part of a worldwide botnet used by hackers to carry out cyber attacks. Despite
a few serious takedown attempts, ZeroAccess was still active when the source
was written.
In 2012, experts from Iran, Russia, and Hungary discovered Flame, a rootkit
that was primarily used for cyber espionage in the Middle East. Affecting the
whole of the computer's operating system, Flame has the ability to monitor
network traffic, capture screenshots and audio from the computer, and even
log keyboard activity. Although the culprits are still unknown, research
revealed that 80 servers across three continents were used to access the
infected computers.
Source:-https://softwarelab.org/what-is-a-rootkit/
Well-Known Rootkit Examples
Lane Davis and Steven Dake – wrote the earliest known rootkit in the early 1990s.
NTRootkit – one of the first malicious rootkits targeting the Windows OS.
Hacker Defender – this early Windows rootkit altered the OS at a very low level by
hooking function calls.
Machiavelli – the first rootkit targeting Mac OS X, which appeared in 2009. This rootkit
creates hidden system calls and kernel threads.
Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson's
AXE telephone exchange.
Zeus – first identified in July 2007, a Trojan horse that steals banking information by
man-in-the-browser keystroke logging and form grabbing.
Stuxnet – the first known rootkit for industrial control systems.
Flame – malware discovered in 2012 that attacks computers running the Windows OS.
It can record audio, screenshots, keyboard activity and network traffic.
Source: https://www.veracode.com/security/rootkit