A rootkit usually works at the OS kernel level to facilitate the attack, so from the attacker's perspective a rootkit is different from other malicious programs.
A rootkit runs in OS kernel mode. The i386 architecture supports four rings, also known as privilege levels. Windows operating systems use two of them, ring 0 and ring 3. Ring 0 is referred to as kernel mode: operating system code executing in ring 0 provides the fundamental services and has full system access privileges. Ring 3 is referred to as user mode: user-mode code, such as applications and system services, may only access the memory allocated to it.
A rootkit runs in ring 0 kernel mode in the form of a system driver. It has full system access privileges, which means it can control all system resources: it can manipulate processes, objects and even hardware. A typical rootkit usually performs the following.
1. Alter a system's authentication system for backdoor access or elevated privileges.
2. Modify the system logs to ensure that certain activities never get logged for evidence.
3. Alter the intrusion detection system to ignore key event signatures or report false checksums to an anti-virus client.
4. Masquerade as normal system utilities so they exhibit normal behavior for regular users or display expected reports to system administrators.
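The four behaviours above are what host-based integrity checking is built to catch: a replaced or masquerading utility shows up as a hash mismatch against a known-good baseline, and an edited or deleted log entry breaks a hash chain over the log. The following is an added example, not code from the original text; the file names, the "utility" contents and the log messages are all constructed stand-ins, and the log record format (`<chain hash> <message>`) is an assumption of this example.

```python
"""Defender-side integrity checks for the tampering a rootkit performs.

Added example; file names, contents and log lines are constructed, not real.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain value before the first log record


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record the SHA-256 of every file under root, keyed by relative path."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that changed, vanished, or appeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def append_record(records: List[str], message: str) -> str:
    """Append a log record whose hash covers the previous record's hash."""
    prev = records[-1].split(" ", 1)[0] if records else GENESIS
    digest = hashlib.sha256((prev + "\n" + message).encode()).hexdigest()
    records.append(f"{digest} {message}")
    return digest  # the new chain head; keep it somewhere the host cannot rewrite


def verify_chain(records: List[str], expected_head: str) -> Optional[int]:
    """Return None if the log is intact, else the index of the first bad record.

    A record edited or removed in the middle fails at that index; records
    removed from the tail are caught by comparing against the stored head and
    reported as len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        stored, _, message = rec.partition(" ")
        expected = hashlib.sha256((prev + "\n" + message).encode()).hexdigest()
        if stored != expected:
            return i
        prev = stored
    return None if prev == expected_head else len(records)


def demo() -> dict:
    """Run both checks on constructed data and return what they detected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for system utilities (plain bytes, not binaries).
        (root / "ls").write_bytes(b"original ls")
        (root / "ps").write_bytes(b"original ps")
        (root / "netstat").write_bytes(b"original netstat")
        baseline = build_baseline(root)
        # Simulated tampering: one utility replaced, one removed, one file dropped in.
        (root / "ps").write_bytes(b"replaced ps")
        (root / "netstat").unlink()
        (root / "extra.so").write_bytes(b"unexpected file")
        results["files"] = compare_baseline(root, baseline)

    records: List[str] = []
    head = GENESIS
    for msg in ["login root from console", "sshd accepted key for alice", "su to root by alice"]:
        head = append_record(records, msg)
    results["intact"] = verify_chain(records, head)
    edited = list(records)  # message of record 1 rewritten, stored hash left alone
    edited[1] = edited[1].split(" ", 1)[0] + " sshd accepted key for bob"
    results["edited"] = verify_chain(edited, head)
    results["deleted"] = verify_chain(records[:1] + records[2:], head)
    results["truncated"] = verify_chain(records[:-1], head)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both checks are only as trustworthy as the place the baseline and the chain head are kept: a ring 0 rootkit can feed the checker false file contents or false checksums on the live host (item 3 above), so the baseline should be taken from a clean install, compared from offline or from a separate machine, and the log head forwarded off the box as records are written.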
Other malicious programs behave differently. A virus, for example, usually modifies a system file to promote its own propagation or to achieve a particular effect at a designated time. Trojans masquerade as another piece of software to infiltrate a computer, after which they typically provide a backdoor that lets the hacker bypass the system's normal authentication measures. A backdoor is a program, or a set of related programs, that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of the initial entry from the system logs, and a well-built backdoor will also let the hacker retain access to a penetrated machine even if the initial intrusion has in the meantime been detected by the system administrator. All of these techniques are still susceptible to detection and can leave traces of their usage.