Tools In A Rootkit

Tools in a Root Kit

Kuhnhauser ( date) asserts that the tools in a root kit comprises four key areas: 1) tools for the discovery of vulnerabilities, 2)tools that conceals the attackers tracks, 3) tools that assist with future attacks, and 4) tools that fabricate system components. (p. 14) Kuhnhauser (date) indicates that the tools consist of "algorithms to establish contact with the attacked system and to evaluate its response, data bases with known vulnerabilities of operating systems and services, and preassembled fakes of standard utility programs and operating system components for the replacement of the originals" (p. 14). Let's take a closer look at each key area.

Tools for Vulnerability Discovery

The tools used for vulnerability discovery (also referred to as exploiters) uses a data base containing three different classes of vulnerabilities: 1) vulnerabilities of standard utilities and server programs; examples are utility programs such as ssh/slogin, mount, cron, ftp, and servers running as demon processes such as sshd, maild, inetd, and nscd, 2) vulnerabilities of the current operating system(s) caused by implementation flaws, and 3) vulnerabilities contributed to system configuration such as default passwords or open communication ports that were not changed during the initial system installation and configuration (Kuhnhauser, date).

Tools for Covering Attacks

Kuhnhauser (date) states that the tools in this group hide the presence of the root kit attack. First, the tools cover all traces of an ongoing attack, secondly they hide modifications to the system, servers, libraries and utilities, and lastly, they prepare the compromised environment to hide activities when the system is accessed in the future through an installed backdoor (Kuhnhauser, date). The activities hidden by tools in this group consist of but are not limited to "root kit processes running in the course of the attack, processes running in the course of using a backdoor, active network connections, files installed during the attack, replacement of original files with fakes containing backdoors, and the restarting of crashed servers because their configuration files were manipulated" (Kuhnhauser, date, p. 14). In order to hide the aforementioned activities, Kuhnhauser (date) indicates that the techniques of erasing "log file entries regarding processes or network connections that were opened during the course of the attack, and modification of administrational utilities that informs about running processes, active network connections, and the state of the network interfaces and files systems are applied" (p. 15).

Tools for Preparing Future Attacks

When preparing for future attacks, Kuhnhauser (date) asserts that a root kit should strive for sustainability. To accomplish this end, root kits install back doors into standard utility programs (Kuhnhauser, date). This allows the attacker, in cases where the initially exploited vulnerability is mended, a hidden entrance into the compromised system (Kuhnhauser, date).

Prefabricated System Components

Lastly, Kuhnhauser (date) states, "this tool group contains preassembled manipulated versions of standard utility programs, dynamically linked libraries, and dynamically loadable operating system modules" (p. 15). They are installed in the course of a successful attack and hides the ongoing attack, installed root kit files, programs, backdoors, and the future opening of backdoors (Kuhnhauser, date). Examples of prefabricated UNIX operating system utilities that conceal modified or added software are ls, du, find, and md5sum (Kuhnhauser, date). In addition, modified versions of netstat and ifconfig hide active network connections, while active background processes are hidden by modified versions of ps, pstree, top, and ksysguard (Kuhnhauser, date). Lastly, Kuhnhauser (date) indicates that root kits, "similar to viruses or worms, may contain proliferation mechanisms for automated large scale attacks" (p. 16).

Summary

Kuhnhauser does a good job of identifying and explaining the tasks of the tools contained in a "root kit." The grouping of the tools into categories for vulnerability discovery, attack concealment, future attack preparation, and prefabricated system components, appears to be the prevailing methodology for assembling a root kit (Kuhnhauser, date; Brumley, 1999; Unknown, 2004; Russinovich, 2005). However, he focuses on root kits that contain tools that compromise or manipulates core system processes or executable commands. He neglects to discuss root kits that in addition

...