Many of the basic to intermediate computer users today are very familiar with the terms trojan, virus, adware, spyware, and worm. While many may not understand exactly how these work, most users today are aware of the threat that they pose, and the necessity of having the proper software to detect, delete, and protect against them.
In the last few years, however, another threat has emerged : rootkits. While many may have heard the term, most are still somewhat ignorant to what rootkits are and how they go about detecting and removing them.
---What is a rootkit ?---
The term rootkit has been around for more than 10 years. A rootkit is a "kit" consisting of small and useful programs that allow an attacker to maintain access to "root," the most powerful user on a computer. In other words, a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
In our definition of "rootkit," the key word is "undetectable." Most of the technology and tricks employed by a rootkit are designed to hide code and data on a system. For example, many rootkits can hide files and directories. Other features in a rootkit are usually for remote access and eavesdroppingâ€â€Âfor instance, for sniffing packets from the network. When combined, these features deliver a knockout punch to security. Unfortunately, they are extremely effective which means that some of you reading this will be infected even though you believe your PC to be totally clean.
---How do rootkits work ?---
Rootkits work using a simple concept called modification. In general, software is designed to make specific decisions based on very specific data. A rootkit locates and modifies the software so it makes incorrect decisions.
There are many places where modifications can be made in software. Here are some of them:.
Patching
Executable code (sometimes called a binary) consists of a series of statements encoded as data bytes. These bytes come in a very specific order, and each means something to the computer. Software logic can be modified if these bytes are modified. This technique is sometimes called patchingâ€â€Âlike placing a patch of a different color on a quilt. Software is not smart; it does only and exactly what it is told to do and nothing else. That is why modification works so well. In fact, under the hood, it's not all that complicated. Byte patching is one of the major techniques used by "crackers" to remove software protections. Other types of byte patches have been used to cheat on video games (for example, to give unlimited gold, health, or other advantages).
Easter Eggs
Software logic modifications may be "built in." A programmer may place a back door in a program she wrote. This back door is not in the documented design, so the software has a hidden feature. This is sometimes called an Easter Egg, and can be used like a signature: The programmer leaves something behind to show that she wrote the program. Earlier versions of the widely used program Microsoft Excel contained an easter-egg that allowed a user who found it to play a 3D first-person shooter game similar to Doom embedded inside a spreadsheet cell.
Spyware Modifications
Sometimes a program will modify another program to infect it with "spyware." Some types of spyware track which Web sites are visited by users of the infected computer. Like rootkits, spyware may be difficult to detect. Some types of spyware hook into Web browsers or program shells, making them difficult to remove. They then make the user's life hell by placing links for new mortgages and Viagra on their desktops, and generally reminding them that their browsers are totally insecure.
Source-Code Modification
Sometimes software is modified at the sourceâ€â€Âliterally. A programmer can insert malicious lines of source code into a program she authors. This threat has caused some military applications to avoid open-source packages such as Linux. These open-source projects allow almost anyone ("anyone" being "someone you don't know") to add code to the sources. Granted, there is some amount of peer review on important code like BIND, Apache, and Sendmail. But, on the other hand, does anyone really go through the code line by line? (If they do, they don't seem to do it very well when trying to find security holes!) Imagine a back door that is implemented as a bug in the software. For example, a malicious programmer may expose a program to a buffer overflow on purpose. This type of back door can be placed on purpose. Since it's disguised as a bug, it becomes difficult to detect. Furthermore, it offers plausible deniability on the part of the programmer! Even the very tools used by security professionals have been hacked in this way.
---Okay, so what do I do ?---
Thankfully there is a new class of security product now available called rootkit detectors that use specialized techniques to detect these dangerous intruders.
Most of these detectors require quite a bit of technical skill to interpret the results but one of the simplest to use are also amongst the most effective. The first is called Panda Anti-Rootkit. It's my top recommendation for any..but if u have any sprogram that u try go....
In the last few years, however, another threat has emerged : rootkits. While many may have heard the term, most are still somewhat ignorant to what rootkits are and how they go about detecting and removing them.
---What is a rootkit ?---
The term rootkit has been around for more than 10 years. A rootkit is a "kit" consisting of small and useful programs that allow an attacker to maintain access to "root," the most powerful user on a computer. In other words, a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
In our definition of "rootkit," the key word is "undetectable." Most of the technology and tricks employed by a rootkit are designed to hide code and data on a system. For example, many rootkits can hide files and directories. Other features in a rootkit are usually for remote access and eavesdroppingâ€â€Âfor instance, for sniffing packets from the network. When combined, these features deliver a knockout punch to security. Unfortunately, they are extremely effective which means that some of you reading this will be infected even though you believe your PC to be totally clean.
---How do rootkits work ?---
Rootkits work using a simple concept called modification. In general, software is designed to make specific decisions based on very specific data. A rootkit locates and modifies the software so it makes incorrect decisions.
There are many places where modifications can be made in software. Here are some of them:.
Patching
Executable code (sometimes called a binary) consists of a series of statements encoded as data bytes. These bytes come in a very specific order, and each means something to the computer. Software logic can be modified if these bytes are modified. This technique is sometimes called patchingâ€â€Âlike placing a patch of a different color on a quilt. Software is not smart; it does only and exactly what it is told to do and nothing else. That is why modification works so well. In fact, under the hood, it's not all that complicated. Byte patching is one of the major techniques used by "crackers" to remove software protections. Other types of byte patches have been used to cheat on video games (for example, to give unlimited gold, health, or other advantages).
Easter Eggs
Software logic modifications may be "built in." A programmer may place a back door in a program she wrote. This back door is not in the documented design, so the software has a hidden feature. This is sometimes called an Easter Egg, and can be used like a signature: The programmer leaves something behind to show that she wrote the program. Earlier versions of the widely used program Microsoft Excel contained an easter-egg that allowed a user who found it to play a 3D first-person shooter game similar to Doom embedded inside a spreadsheet cell.
Spyware Modifications
Sometimes a program will modify another program to infect it with "spyware." Some types of spyware track which Web sites are visited by users of the infected computer. Like rootkits, spyware may be difficult to detect. Some types of spyware hook into Web browsers or program shells, making them difficult to remove. They then make the user's life hell by placing links for new mortgages and Viagra on their desktops, and generally reminding them that their browsers are totally insecure.
Source-Code Modification
Sometimes software is modified at the sourceâ€â€Âliterally. A programmer can insert malicious lines of source code into a program she authors. This threat has caused some military applications to avoid open-source packages such as Linux. These open-source projects allow almost anyone ("anyone" being "someone you don't know") to add code to the sources. Granted, there is some amount of peer review on important code like BIND, Apache, and Sendmail. But, on the other hand, does anyone really go through the code line by line? (If they do, they don't seem to do it very well when trying to find security holes!) Imagine a back door that is implemented as a bug in the software. For example, a malicious programmer may expose a program to a buffer overflow on purpose. This type of back door can be placed on purpose. Since it's disguised as a bug, it becomes difficult to detect. Furthermore, it offers plausible deniability on the part of the programmer! Even the very tools used by security professionals have been hacked in this way.
---Okay, so what do I do ?---
Thankfully there is a new class of security product now available called rootkit detectors that use specialized techniques to detect these dangerous intruders.
Most of these detectors require quite a bit of technical skill to interpret the results but one of the simplest to use are also amongst the most effective. The first is called Panda Anti-Rootkit. It's my top recommendation for any..but if u have any sprogram that u try go....
Tidak ada komentar:
Posting Komentar