
History Of Rootkit
The first rootkit was written for the SunOS operating system by Lane Davis and Steven Dake. The technique was used by root on Unix (the equivalent of the System Administrator on Windows) to recover, i.e. restore, a forgotten root password. Restoring the root password is not easy, because it requires authorisation and unrestricted access to the system. Eventually a special technique was found that could do this; it later became known as a rootkit.
Various Rootkits
There are several kinds of rootkit, ranging from the lowest level to the most specialised.
Like viruses, rootkits come in many variants. Classified according to the target they attack, rootkits fall into six types:
1. Application Rootkit
These rootkits are created by modifying the binary code of an application directly, a technique commonly referred to as binary-code patching. This type of rootkit is typically found in trojan-type malware, which injects it into an object or into the system.
2. Library Rootkit
This is a rootkit that targets libraries. A library file is a collection of library functions gathered into one file to make it easier for programmers to create and develop applications. Libraries are recognisable by a suffix such as ".dll", as in "Kernel.dll".
3. Kernel Rootkit
A kernel rootkit is a more dangerous type than the previous ones. Kernel rootkits run at kernel level (unprotected mode), known on the x86 architecture as ring 0.
4. Bootloader Rootkit
This type of rootkit resides in the MBR (Master Boot Record), which lets it control the booting of the operating system. This type of rootkit is also known as a bootkit or "Evil Maid Attack".
5. Hypervisor-Level Rootkit
This type of rootkit virtualises the native operating system so that it becomes a guest operating system, allowing the rootkit to take over complete control of it. One existing rootkit of this kind is SubVirt, a virtual-machine-based rootkit developed by Microsoft and the University of Michigan.
6. BIOS Rootkit
A BIOS rootkit, also called a firmware rootkit, is the rootkit located at the deepest level: it lives in the firmware and becomes active during early initialisation, before any other activity on the computer.
How They Work
Rootkits generally operate without leaving any trace. They are called "rootkits" because they are able to run with the operating system's highest privileges, ring 0.
A rootkit living in ring 0 can be very difficult to detect and remove, because it operates at the same level as the operating system itself and can therefore intercept, subvert or break the most important operating-system operations however the rootkit's creator wishes. Any software running on the same system, including antivirus software, is easily defeated by a rootkit once it has infected the system.
Rootkits can modify data structures in the Windows kernel using a method known as direct kernel object manipulation (DKOM). They can also hook kernel functions in the System Service Descriptor Table (SSDT), or modify the gates between user mode and kernel mode, in order to cloak themselves. Similarly, on the Linux operating system a rootkit can modify the system call table to subvert kernel functions. It is not unusual for a rootkit to create a hidden, encrypted filesystem in which it can hide other malware, or the original copies of files it has infected.
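A hooked system call table usually hides a process by filtering one view of it (the /proc listing) while other kernel paths still report it. The cross-view check below, added here as an illustration and not part of the original post, compares the two views from user space; it assumes Linux with /proc mounted and the classic pid_max default as a fallback.

```python
"""Cross-view process enumeration, a user-space check for hidden processes.

A kernel rootkit that hooks the system call table (or the SSDT on Windows)
usually filters the /proc directory listing so its processes do not show up
in ps or top. It rarely filters every other kernel path as well, so a PID
that answers kill(pid, 0) but never appears in /proc is a candidate for a
hidden process. Assumes Linux with /proc mounted.
"""
import os


def listed_pids():
    """The filtered view: numeric entries in the /proc listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid):
    """The unfiltered view: kill(pid, 0) sends no signal, it only reports
    whether the PID exists. ESRCH -> no such process; EPERM -> exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:   # ESRCH: nothing there
            continue
        except PermissionError:      # EPERM: alive, owned by another user
            pass
        found.add(pid)
    return found


def find_hidden(listed_before, probed, listed_after):
    """PIDs alive during the probe but absent from the /proc listings taken
    both before and after it. Using both listings drops processes that
    merely started or exited while the probe was running (false positives)."""
    return sorted(probed - (listed_before | listed_after))


def pid_max():
    """Upper bound for the probe; 32768 is the classic default (assumption)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


if __name__ == "__main__":
    before = listed_pids()
    probed = probed_pids(pid_max())
    after = listed_pids()
    print("hidden PIDs:", find_hidden(before, probed, after) or "none found")
```

A non-empty result is only a lead: confirm it with a second view (for example /proc/<pid>/status read directly, or a scan from a trusted boot medium), since a rootkit that also filters kill() will pass this check.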
Today's operating systems have evolved to counter the threat of kernel-mode rootkits. For example, 64-bit editions of Microsoft Windows now enforce mandatory signing of all kernel-level drivers. This was done so that a program without a valid signature cannot be executed with the highest privileges in the system.