Section 6.53 Rootkits Flashcards

Objective 2.4: Given a scenario, analyse indicators of malicious activity

1
Q

Rootkit

A

Malware designed to gain administrator-level (root) control over a given computer system while hiding its own presence from the operating system, its users and its security tools

2
Q

Administrator account

A

The account with the highest level of permissions on a system is called the Administrator account

■ Allows the person to install programs, delete programs, open ports, close ports,
and do whatever they want to do on that system

■ On a UNIX, Linux, or macOS computer, this type of administrator account is called the root account (the superuser, user ID 0)

3
Q

Rings of permission

A

A computer system (on x86 hardware) has several rings of permission, numbered 0 to 3, and the lower the number the more privileged the code

■ Ring 3 (Outermost Ring): Where user-level permissions are used - standard users and all ordinary applications, including those run by an administrator

■ Ring 0 (Innermost or Highest Permission Level): Kernel mode - the operating system kernel and its device drivers

■ Rings 1 and 2 exist in the hardware but are not used by Windows, Linux or macOS, so in practice code is either in Ring 3 or Ring 0

4
Q

Ring 0 (Innermost or Highest Permission Levels):

Kernel Mode

A

Kernel mode is the processor mode in which software has full and unrestricted access to the system and its resources.

It is where the operating system controls access to hardware through device drivers: your sound card, your video display or monitor, your disks and network interfaces, and similar components

■ Remember, the closer malicious code runs to the kernel, the more it can do and the more damage it can cause, because nothing running above it can see past it

If you log in as the administrator or root user, you hold the highest account-level permissions, but your programs still execute in Ring 3 (user mode); they get work done in Ring 0 only indirectly, through system calls that the kernel services on their behalf
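The ring numbers above can be checked directly. The following C program is an added example, not material from the flashcard set: it reads the CPU's Current Privilege Level (the low two bits of the CS segment selector on x86/x86-64) and shows that a process reports Ring 3 whether it runs as an ordinary user or as root. The selector values 0x10 (kernel code) and 0x33 (64-bit user code) quoted in the comments are the standard Linux constants; everything else is self-contained.

```c
#include <stdio.h>
#include <unistd.h>

/* The ring a code segment runs in is held in the low two bits of its
 * segment selector (for CS this is the Current Privilege Level, CPL).
 * Linux uses selector 0x10 for kernel code (ring 0) and 0x33 for 64-bit
 * user code (ring 3). */
int ring_of_selector(unsigned short selector) {
    return selector & 3;
}

/* Read the live CS selector on x86/x86-64 and return the CPL of this very
 * process. Returns -1 on architectures that have no x86-style rings. */
int current_ring(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return ring_of_selector(cs);
#else
    return -1;
#endif
}

int main(void) {
    int ring = current_ring();
    if (ring < 0) {
        puts("not an x86 build; CPU rings as described here do not apply");
        return 0;
    }
    /* Account privilege and CPU privilege are different things: root (uid 0)
     * still reports ring 3. Root may load a kernel module, but it is the
     * module's code, not root's shell, that then executes in ring 0. That
     * step is what "moving to Ring 0" means for a rootkit. */
    printf("uid %u runs in ring %d\n", (unsigned)getuid(), ring);
    return 0;
}
```

Build with `gcc -O2 ring.c -o ring` and run it twice, once as yourself and once under sudo: both runs print ring 3, which is the point of the correction above.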

5
Q

Rootkit Installation and Rings

A

When a rootkit is installed on a system, it tries to move from the Ring 3 (user-mode) access it obtained, typically through a compromised administrator or root account, into Ring 0 (kernel mode), for example by loading a malicious driver or kernel module. From there it can alter what the operating system reports to every tool running above it, which is how it hides from detection

6
Q

Rootkit techniques

DLL Injection

A

Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library. Once loaded, the injected code runs with that process's privileges and can hook the functions the process calls, so a trusted program (a security tool, a shell) starts returning filtered results. On Linux the equivalent is injecting a shared library, for example through the LD_PRELOAD mechanism

7
Q

Rootkit techniques

Dynamic Link Library (DLL)

A

A dynamic link library (DLL) is a collection of code and data that larger programs load at run time when they need it for a specific task. The DLL file contains routines that handle what may not be a core function of the original program, and because its code runs inside the loading process, a malicious DLL executes with that process's privileges and can alter what the process sees

8
Q

Rootkit techniques

Shim

A

A piece of software code placed between two components (for example an application and a library, or a program and the operating system's API) that intercepts the calls between them and can be used to redirect or alter them. A rootkit uses shims to filter the results of calls such as directory listings or process enumeration so that its own files and processes are omitted
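Library injection and shimming, the two techniques on the cards above, are easiest to see on Linux, where the dynamic linker offers the hook directly through LD_PRELOAD. The following C program is an added example (not code from the flashcards or from any real rootkit): it defines a readdir() shim with the same name and signature as libc's, so when the library is preloaded into a program such as ls, the program's directory-listing calls land in the shim first. The shim forwards to the real readdir via dlsym(RTLD_NEXT, ...) and drops any entry whose name starts with rk_. The rk_ marker and the demo_listing() helper are assumptions made for this demo.

```c
#define _GNU_SOURCE            /* for RTLD_NEXT */
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical marker: entries whose names start with this are hidden. */
#define HIDE_PREFIX "rk_"

typedef struct dirent *(*readdir_fn)(DIR *);

/* Filter policy, kept separate so it can be tested on its own. */
int should_hide(const char *name) {
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* The shim. It has the same name and signature as libc's readdir, so when
 * this object is preloaded the dynamic linker binds the application's
 * readdir calls here. RTLD_NEXT locates the real readdir further down the
 * library search order; we call it in a loop and skip filtered entries. */
struct dirent *readdir(DIR *dirp) {
    static readdir_fn real_readdir;
    if (!real_readdir)
        real_readdir = (readdir_fn)dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL)
        if (!should_hide(e->d_name))
            return e;
    return NULL;
}

/* Self-test helper (an assumption for this demo): create a temporary
 * directory holding "rk_payload" and "notes.txt", list it through the
 * hooked readdir and return how many entries besides "." and ".." were
 * seen. With the shim active the answer is 1. */
int demo_listing(void) {
    char dir[] = "/tmp/shimdemo.XXXXXX";
    if (!mkdtemp(dir)) {                        /* fall back to cwd */
        strcpy(dir, "shimdemo.XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    char hidden[64], visible[64];
    snprintf(hidden, sizeof hidden, "%s/rk_payload", dir);
    snprintf(visible, sizeof visible, "%s/notes.txt", dir);
    close(open(hidden, O_CREAT | O_WRONLY, 0600));
    close(open(visible, O_CREAT | O_WRONLY, 0600));

    int seen = 0;
    DIR *d = opendir(dir);
    struct dirent *e;
    while (d && (e = readdir(d)) != NULL) {     /* resolves to the shim */
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        printf("visible: %s\n", e->d_name);
        seen++;
    }
    if (d) closedir(d);
    unlink(hidden);
    unlink(visible);
    rmdir(dir);
    return seen;
}

int main(void) {
    printf("%d entry visible (rk_payload was filtered out)\n", demo_listing());
    return 0;
}
```

Build it as a shared object with `gcc -shared -fPIC -o shim.so shim.c` (add `-ldl` on glibc older than 2.34), create a file named rk_anything somewhere, and run `LD_PRELOAD=./shim.so ls` in that directory: the file is gone from the listing. Built as a normal executable it runs the self-test instead. The detection lesson is the same as the live-boot advice later on this page: get a view the shim cannot filter. A statically linked tool such as busybox ls ignores LD_PRELOAD and still shows the file, and a non-empty /etc/ld.so.preload on a host that should not have one is itself an indicator.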

9
Q

Detect Rootkits

A

Rootkits are extremely powerful and very difficult to detect because the infected operating system is essentially blinded to them: every tool that asks that OS for a list of files, processes or open ports receives the rootkit's filtered answer

The best way to detect one is to boot from a trusted external device (for example a live-boot Linux distribution on USB) and scan the internal hard drive from there with a good anti-malware scanning solution. Because the rootkit's code never runs in that environment, it cannot hide its files from the scanner

Caveat: a rootkit that lives in firmware or the boot chain (a bootkit) survives an offline disk scan; Secure Boot, measured boot and firmware integrity checks are the controls for that layer
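The live boot gives a view of the disk that the rootkit cannot filter. The same principle, compare a view the rootkit controls against one it does not, also works on a running Linux host, and is the approach tools such as unhide take. The following C program is an added example, not from the flashcards: it enumerates /proc with readdir() the way ps does, then probes every PID directly with kill(pid, 0). A PID that the kernel says is alive but the /proc listing omits is a candidate hidden process. The PID_LIMIT constant and the bitmaps in demo_constructed() are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the Linux default pid_max. A production tool would read
 * /proc/sys/kernel/pid_max instead of hard-coding it. */
#define PID_LIMIT 32768

/* View 1 (the one a user-mode rootkit usually filters): readdir() on /proc,
 * which is exactly how ps and top enumerate processes. */
void view_from_proc_listing(unsigned char *seen) {
    memset(seen, 0, PID_LIMIT);
    DIR *d = opendir("/proc");
    if (!d) return;                       /* no procfs: empty view */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < PID_LIMIT)
            seen[pid] = 1;
    }
    closedir(d);
}

/* View 2: ask the kernel about every PID directly. kill(pid, 0) delivers no
 * signal but reports whether the PID exists (EPERM also means "exists").
 * Thread IDs answer too, so only thread-group leaders (Tgid == pid) are
 * kept; a PID that is alive yet has no readable /proc/<pid>/status is kept
 * as well, because that is itself a sign the entry is being hidden. */
void view_from_probe(unsigned char *seen) {
    memset(seen, 0, PID_LIMIT);
    for (long pid = 1; pid < PID_LIMIT; pid++) {
        if (kill((pid_t)pid, 0) != 0 && errno != EPERM)
            continue;                     /* ESRCH: nothing there */
        char path[64];
        snprintf(path, sizeof path, "/proc/%ld/status", pid);
        FILE *f = fopen(path, "r");
        if (!f) { seen[pid] = 1; continue; }
        char line[256];
        long tgid = -1;
        while (fgets(line, sizeof line, f))
            if (sscanf(line, "Tgid: %ld", &tgid) == 1)
                break;
        fclose(f);
        if (tgid == -1 || tgid == pid)
            seen[pid] = 1;
    }
}

/* Pure comparison: PIDs alive in `probed` but absent from `listed`.
 * Writes up to `cap` of them into `out`; returns the total found. */
size_t find_hidden(const unsigned char *listed, const unsigned char *probed,
                   long *out, size_t cap) {
    size_t n = 0;
    for (long pid = 1; pid < PID_LIMIT; pid++) {
        if (probed[pid] && !listed[pid]) {
            if (n < cap) out[n] = pid;
            n++;
        }
    }
    return n;
}

/* Constructed scenario (no live data): three PIDs appear in both views and
 * one, 4242, only in the probe. Returns the number of hidden PIDs found and
 * stores the first one in *first_hidden when that pointer is non-NULL. */
size_t demo_constructed(long *first_hidden) {
    static unsigned char listed[PID_LIMIT], probed[PID_LIMIT];
    memset(listed, 0, PID_LIMIT);
    memset(probed, 0, PID_LIMIT);
    listed[1] = listed[2] = listed[500] = 1;
    probed[1] = probed[2] = probed[500] = probed[4242] = 1;
    long out[8];
    size_t n = find_hidden(listed, probed, out, 8);
    if (first_hidden && n > 0) *first_hidden = out[0];
    return n;
}

int main(void) {
    static unsigned char listed[PID_LIMIT], probed[PID_LIMIT];
    long hidden[64];
    view_from_proc_listing(listed);
    view_from_probe(probed);
    size_t n = find_hidden(listed, probed, hidden, 64);
    if (n == 0)
        puts("both views agree: no hidden processes");
    for (size_t i = 0; i < n && i < 64; i++)
        printf("PID %ld is alive but missing from the /proc listing\n", hidden[i]);
    return 0;
}
```

Two caveats when running this live: a process that exits between the two scans shows up as a false positive, so run the comparison twice and keep only PIDs flagged both times; and a kernel-mode rootkit can hook the getdents and kill system calls as well, in which case both views lie and only the offline scan from trusted media remains trustworthy.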
