Sunday, 24 March 2013

A thing called Rootkit

There are some concepts in the hacking world which leave passers-by absolutely stunned. It looks something like a magic potion producing a black-magic effect. By passers-by I mean those who try out its implementation for the first time.

Its installation is usually simple, but its output is absolutely amazing. It gives you the power to hide processes, programs and files so that users cannot spot them, and even the OS fails to spot them!!!

And if the OS fails to spot them, what can the antivirus do???

YES I AM TALKING ABOUT ROOTKITS.

Rootkits have the power to evade highly sophisticated antivirus software.

ROOTKIT = ROOT + KIT

ROOT = Root-level Access or Administrative Access
KIT = Set of Tools

Rootkits are used for many purposes including (but not limited to) the following:

1. Privilege Escalation
2. Backdoor Installation
3. Recording Keystrokes

The primary reason rootkits evade detection is that they operate at a lower level of the OS, i.e. inside the kernel. When we use any software, i.e. when we interact with it, these interactions happen at a higher level of the OS.

When an antivirus does its job, I mean scanning, it usually passes requests off to the inner levels of the OS to complete its task.

Now we know that rootkits dwell deep inside the OS. This is where a rootkit does its job: it intercepts the system calls between any software and the OS. In the hacking world this action of a rootkit is known as hooking.

For instance, let's go through an example:

To find out the running processes on a Windows computer we use Ctrl + Alt + Del.
This starts the Task Manager and on clicking the Processes Tab we see all the processes which are running at the moment.

In the above case the OS is called and asked “Which processes/services are running now?”

The OS here starts querying all the running processes “it knows” (yes, this is the catch. Hope you got it!!!)

Now if we bring a rootkit in here, in between, it gives us the ability to intercept and modify the responses which the OS returns when the user asks for them.

When the user asks for a listing of all the running processes, the rootkit intercepts this, removes selected processes from that list and displays the modified list to the user.

All this happens so fast that the user would never even think that a rootkit is installed on his/her machine.
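To make the hooking idea concrete, here is a small added example (my own illustration, not code from the original post, and nothing like a real kernel rootkit). It stays entirely in user space: a stand-in "hook" wraps Python's os.listdir and drops every entry whose name starts with a constructed marker, exactly as the page describes a rootkit filtering the process list. The second half shows the standard defensive answer, a cross-view check: ask the same question through a second, independent path (os.scandir here) and treat any disagreement between the two views as evidence that something is filtering the answers. The directory and file names are constructed for the demo.

```python
"""Filtering hook and cross-view detection, simulated in user space.
Added illustration for the blog post above; a real rootkit does the
equivalent inside the kernel, not by patching a Python function."""
import os
import tempfile

# Constructed marker: the stand-in hook hides every entry starting with this.
HIDDEN_PREFIX = "_hidden"

_real_listdir = os.listdir  # keep a reference to the genuine function


def _hooked_listdir(path="."):
    """Stand-in for a hooked listing call: return the real answer minus
    every entry the hook wants to keep out of sight."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Replace the listing function callers trust with the filtering one."""
    os.listdir = _hooked_listdir


def remove_hook():
    """Put the genuine function back."""
    os.listdir = _real_listdir


def high_level_view(path):
    """What an ordinary tool sees: it trusts os.listdir, hooked or not
    (this is the Task Manager in the post's example)."""
    return sorted(os.listdir(path))


def low_level_view(path):
    """An independent view that does not pass through os.listdir.
    os.scandir is used as the 'other path' to the same information."""
    with os.scandir(path) as it:
        return sorted(entry.name for entry in it)


def cross_view_diff(path):
    """Entries present in the independent view but missing from the
    trusted one. A non-empty result means something between the two
    views is filtering the answer, which is the rootkit detection signal."""
    return sorted(set(low_level_view(path)) - set(high_level_view(path)))


def demo():
    """Build a constructed directory and run the check with and without
    the hook. Returns (diff before hooking, diff while hooked)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("report.txt", "_hidden_tool.bin"):  # constructed names
            open(os.path.join(d, name), "w").close()
        before = cross_view_diff(d)  # both views agree: []
        install_hook()
        try:
            during = cross_view_diff(d)  # hook exposed: ['_hidden_tool.bin']
        finally:
            remove_hook()
        return before, during


if __name__ == "__main__":
    print(demo())
```

The design point is that the hook only controls one path to the information; a checker that can reach the same facts another way (here a second API, in practice a raw view of kernel structures or an offline scan of the disk) sees the gap. That is why anti-rootkit tools rely on cross-view comparison rather than on asking the possibly-hooked API politely.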

Keep yourself hooked to Innobuzz Blog and be on the lookout for future articles on how to use a full-fledged rootkit.


For Any Query Leave A Comment Or Contact Me On Facebook
Contact ==> www.facebook.com/ryan.manjothi
