Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is the result of a direct attack on a system. Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it.
Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. The term rootkit (or root kit) originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access. The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit, created by Greg Hoglund. In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by the software company First 4 Internet. Modern rootkits do not elevate access; rather, they are used to make another software payload undetectable by adding stealth capabilities.
Most rootkits are classified as malware, because the payloads they are bundled with are malicious. Rootkits and their payloads serve several purposes: providing an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents; concealing other malware, notably password-stealing keyloggers and computer viruses; appropriating the compromised machine as a zombie computer for attacks on other computers, so that the attack originates from the compromised system or network instead of the attacker's system; concealing cheating in online games from anti-cheat software such as Warden; detecting attacks, for example in a honeypot; enhancing emulation software and security software; and anti-theft protection, where a laptop may carry BIOS-based rootkit software that periodically reports to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.

Hybrid combinations of rootkit types may occur, spanning, for example, user mode and kernel mode. User-mode rootkits run in Ring 3, along with other applications as user, rather than as low-level system processes.
Windows Explorer, for example, has public interfaces that allow third parties to extend its functionality, and such vendor-supplied extension points are one way a user-mode rootkit gets its code loaded. Another technique is function hooking or patching of commonly used APIs, for example to hide a running process or a file that resides on a filesystem. Since each user-mode application has its own memory space, the rootkit also needs to monitor the system for any new applications that execute and patch those programs' memory space before they fully execute. This method can be used to hide processes.
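Difference scanning, one of the detection methods listed above, applied to the process-hiding case just described: a process hidden from a hooked enumeration API still shows up in a view collected by a path the hook does not cover, and the two views are compared. This is an added example, not code from the original article; its snapshot data and the names api_view and low_level_view are constructed.

```python
# Added example, not from the original article: cross-view ("difference
# scanning") detection of a process hidden by a user-mode rootkit. All
# snapshot data below is constructed so the script runs offline.
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str

# Constructed snapshots, one per scan round. PID 4242 is hidden from the
# API view in every round. PID 777 exited between the low-level snapshot
# and the API snapshot of round 0: an ordinary race, not a hidden process.
_API_VIEW = [
    {Proc(1, "init"), Proc(100, "sshd")},
    {Proc(1, "init"), Proc(100, "sshd")},
]
_LOW_LEVEL_VIEW = [
    {Proc(1, "init"), Proc(100, "sshd"), Proc(4242, "payload"), Proc(777, "cron-job")},
    {Proc(1, "init"), Proc(100, "sshd"), Proc(4242, "payload")},
]

def api_view(round_no: int) -> set[Proc]:
    """High-level enumeration, as a hooked API would report it (constructed)."""
    return set(_API_VIEW[round_no])

def low_level_view(round_no: int) -> set[Proc]:
    """Enumeration by an independent path the hook does not cover (constructed)."""
    return set(_LOW_LEVEL_VIEW[round_no])

def hidden_candidates(api: set[Proc], low: set[Proc]) -> set[Proc]:
    """Entries the low-level view sees but the API view does not."""
    return low - api

def cross_view_scan(api_fn, low_fn, rounds: int = 2) -> set[Proc]:
    """Report only entries that stay hidden in every round.

    One diff also flags processes that merely exited between the two
    snapshots; intersecting candidates across repeated rounds drops those
    transient discrepancies, while a genuinely hidden process persists.
    """
    result = None  # intersection of the candidates seen so far
    for r in range(rounds):
        cand = hidden_candidates(api_fn(r), low_fn(r))
        result = cand if result is None else result & cand
    return result if result is not None else set()

if __name__ == "__main__":
    print("hidden:", sorted(p.pid for p in cross_view_scan(api_view, low_level_view)))
```

In a real scan the two views come from different enumeration paths on the live system, and the strongest form takes the trusted view from an alternative operating system, as the detection list above mentions.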