What the heck are rootkits anyways? Why should you care?
First of all, a rootkit is a “stealthy” piece of software because it is designed to hide the existence of itself as well as other processes or programs from normal methods of detection.
… if you open up task manager, you won’t find any rootkits listed in the running processes.
Rootkits are also typically malicious and in most cases are designed to enable continued privileged access to a computer.
… if you run your Anti-Virus software, it won’t detect most rootkits.
Listen, you could be compromised with a rootkit right now and how would you even know? The only way is to take the first step towards learning more!
The Rootkit Arsenal presents the most accessible, timely, and complete coverage of forensic countermeasures. This book covers more topics, in greater depth, than any other book currently available.
… this book will shed light on all sorts of things you didn’t even know were possible. As a software or computer engineer, this is an extremely important topic because computer security is vital to any real-world business.
The Rootkit Arsenal will discuss the sorts of things going on in the murky back alleys of the internet that are generally poorly documented.
This is a great book for learning all things rootkit related. Here are some of the main topics covered:
- How to evade post-mortem analysis
- How to frustrate attempts to reverse engineer your command & control modules
- How to defeat live incident response
- How to undermine the process of memory analysis
- How to modify subsystem internals to feed misinformation to the outside
- How to entrench your code in fortified regions of execution
- How to design and implement covert channels
- How to unearth new avenues of attack
An attacker can install a rootkit once they’ve obtained root or Administrator access…
… And escalating privileges to root or admin isn’t as hard as you might think. A little bit of research with a tool like Metasploit is all it takes. If you’re interested in this topic, read some of the other articles in the IT Security section.
Once a rootkit is installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent the malware. That makes rootkit detection extremely difficult, because the best malware will subvert the very software that is intended to find it.
Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Let’s just say, it’s NOT a piece of cake. It’s a piece of very old moldy pie with receding hairlines.
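Difference scanning, one of the methods listed above, boils down to a file-integrity baseline: hash everything once from a known-good state, re-hash later, and report what appeared, vanished, or changed. The following is an added example written for this review, not code from The Rootkit Arsenal or its author; the paths and file contents in `demo()` are constructed to simulate a trojaned `ps` binary and a dropped kernel module. It hashes file contents rather than trusting timestamps, and the baseline only means something if it is produced and stored from a trusted environment such as a clean boot medium, since a kernel rootkit can lie to any scanner that runs on the compromised machine itself.

```python
"""Difference scanning (file-integrity baseline) for rootkit detection.

Added example, not from The Rootkit Arsenal. Snapshot the SHA-256 of every
regular file under a root, re-scan later, and diff the two snapshots.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped: hashing their targets would let one planted link
    make an unrelated file look 'present' in the baseline.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes stored snapshots diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Report added, removed and content-modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake system tree, then tamper with it.

    Every file name and byte string here is made up for the demonstration.
    """
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"original ps binary (constructed)")
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)")

        baseline = snapshot(root)  # in practice: taken from a trusted boot medium

        # Simulated compromise: ps replaced with one that hides processes,
        # a kernel module dropped into lib/, and ls deleted.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"trojaned ps that hides processes (constructed)")
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "rk.ko"), "wb") as f:
            f.write(b"constructed kernel module")
        os.remove(os.path.join(bin_dir, "ls"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the three lists (`modified: bin/ps`, `added: lib/rk.ko`, `removed: bin/ls`). On a real host you would store the baseline snapshot off the machine, then boot from trusted media and call `snapshot()` against the mounted system volume before diffing, so that neither the hashing code nor the files it reads pass through a possibly subverted kernel.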
Removal of rootkits can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel. If you have a rootkit, you need to format and re-install your operating system, and even this cleansing method will only work for standard rootkits.
Rootkits are nasty…
If you’re dealing with firmware rootkits, removal may require hardware replacement or specialized equipment. It’s like fighting an incurable plague or an antibiotic-resistant infection. Everything you traditionally know about dealing with the problem won’t work.
In The Rootkit Arsenal, Bill does a great job of presenting this complex subject in a simple way, making great use of analogies to help facilitate understanding.
If you’re interested in learning more about rootkits, I highly recommend this book. Just remember to use this knowledge for good, not evil! As a Software Engineer, it’s your duty to build secure software and to protect your users. Do NOT unleash vast swaths of incurable horror upon the world. Please.