On December 24, people open their instant-messaging software as usual and exchange holiday greetings with family and friends. While they enjoy the holiday, a worm is trying to lure AIM, MSN Messenger, QQ and Yahoo users into clicking a link in one of these greetings, which quietly installs malicious software on their computers. One link to a "Santa Claus blessing" file, and your beloved machine becomes somebody else's puppet from then on. This is the secret, sinister power of the rootkit.
What is a rootkit
A rootkit is a collection of programs that modify executables already present on the system and carry Trojan functionality. These modifications violate the integrity of the trusted computing base (TCB). A rootkit inserts a backdoor into an existing program and modifies or disables the existing security defences (antivirus software or logging). The hallmark of a rootkit Trojan is that it hides itself deeply and unpredictably, as did the rogue software, pop-up programs, adware and spyware that were "popular" in 2006. The rootkit originated on UNIX systems, where the system administrator's account is named root; that is the origin of the name.
Every version of the operating systems we use consists of two parts, a kernel and a shell (Figure 1).
The kernel is the most basic part of the operating system. It is the privileged software that gives applications secure access to the computer's hardware, and it decides when, and for how long, a program may operate on a piece of hardware. Direct hardware operations are very complex, so the kernel usually provides a hardware abstraction layer to perform them. Because the kernel and the shell are responsible for different tasks, they run in different processing environments: the processor provides several such environments, called privilege rings, and the set of computer resources a program's instructions may touch shrinks ring by ring, which protects the computer from accidental damage. The kernel runs at ring 0, with the lowest-level management functions; the shell can only run at ring 3, the least privileged level (rather like a guest user). When the kernel sees an instruction that could damage the system (for example, a memory read or write outside the permitted range), it returns a "privilege violation" signal and the program that issued the instruction may be terminated. This is the origin of the familiar "illegal operation" message, and its purpose is to keep the computer from being damaged. If the shell ran at the same level as the kernel, an inadvertent click by a user could destroy the entire system. The most telling feature of the rootkit is the word "Root" in its name (a role at least as powerful as the Administrator account in Windows): it is not hard to imagine what happens when the operating system itself is under an attacker's control.
Targeting the weak spot of antivirus systems
At the well-known Black Hat conference, Heasman, chief security advisor at the UK company Next Generation Security Software, described a rootkit's ability to control the motherboard and other expansion cards. Attackers can use the Advanced Configuration and Power Interface (ACPI) and its programming language to place rootkit code in the BIOS memory, and can even replace normal ACPI functions with malicious ones of their own. The danger of such a BIOS rootkit is that it survives a reboot and cannot be detected on the hard disk; even reformatting the hard drive or reinstalling the operating system does not affect it, because it does not exist as a file. Conventional malicious code has to be run again from disk every time the machine restarts, and existing antivirus software accordingly spends most of its scanning time on the hard disk; the rootkit targets precisely this weak spot of the antivirus system. For example, a "classic" rootkit program recently circulated on some forums (we need not name its author) includes:
① A network sniffer, used to capture user names and passwords transmitted over the network.
② A Trojan horse program that provides a backdoor for the attacker.
③ Tools for hiding directories and processes, including a file-attribute modifier and some log-cleaning tools.
④ A network datagram modification program.
⑤ A program for injecting into and modifying system files.
⑥ Uninstall tools for mainstream antivirus software.
In addition, rootkit techniques used to target mainly Linux or UNIX platforms, but in recent years they have gradually shifted to Windows. According to McAfee's survey, the number of rootkits for Windows increased 23-fold between 2001 and 2005. Driven by illicit profit, some malicious hackers have started selling rootkit source code. It is predicted that over the next two years, attacks on existing Windows operating systems using rootkit technology will grow at an annual rate of 650%.
How to remove a rootkit
For ordinary users, a rootkit Trojan is the AIDS of the information world. Once infected, a system is difficult to clean by ordinary means, because the rootkit destroys the integrity of the system's own detection mechanisms, just as AIDS destroys the human immune system: the white blood cells can do nothing but watch the body's functions slowly collapse. Because rootkit Trojans are so dangerous, many vendors have released dedicated removal tools, and ordinary users can visit the vendors' home pages regularly to obtain these free tools, for example the rootkit scanner Sophos Anti-Rootkit and Microsoft's MSRT (Microsoft Malicious Software Removal Tool).
If you are an administrator of a campus network, you have more to worry about. Generally speaking, the most effective defence against this kind of Trojan is to check the integrity of important system files regularly. Linux has many tools for this; Tripwire, for instance, is a very good file integrity checker. Also, before installing any RPM package, compare its MD5 checksum (Figure 2, md5sum output). On Windows there are fewer such tools; many programs include an integrity-check function, but they are slow and limited, RegSnap and DiskState for example. Sentinel is recommended here; in trials it worked well, especially against the rogue software we now pay more attention to.
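The baseline-and-compare check recommended above, as an added example that is not part of the original article and not Tripwire's code: it records a digest for each monitored file, then reports files that were modified, removed or newly appeared. The file names are constructed and SHA-256 is used in place of md5sum's MD5; both are my choices, and the demo runs on fake files in a temporary directory.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, algo="sha256"):
    # Digest the file in chunks so large binaries never have to fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algo="sha256"):
    # One digest per monitored path; a path that does not exist yet is stored as None.
    return {p: (hash_file(p, algo) if os.path.isfile(p) else None) for p in paths}

def save_baseline(baseline, out_path):
    # Keep the baseline off the host or on read-only media: root can rewrite a local copy.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)

def verify(baseline, algo="sha256"):
    # Re-hash every recorded path and sort deviations into modified / missing / appeared.
    report = {"modified": [], "missing": [], "appeared": []}
    for path, old in baseline.items():
        new = hash_file(path, algo) if os.path.isfile(path) else None
        if old != new:
            kind = "appeared" if old is None else "missing" if new is None else "modified"
            report[kind].append(path)
    return report

def demo():
    # Constructed scenario (not real system files): baseline three fake binaries,
    # then trojan one and delete another before verifying against the saved baseline.
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("ls", "ps", "netstat")]
    for p in paths:
        with open(p, "w") as f:
            f.write("original contents of " + os.path.basename(p))
    save_baseline(build_baseline(paths), os.path.join(d, "baseline.json"))
    with open(paths[1], "a") as f:
        f.write("backdoor")  # ps no longer matches its recorded digest
    os.remove(paths[2])      # netstat has disappeared
    report = verify(load_baseline(os.path.join(d, "baseline.json")))
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
```

To use it on a real host, pass the list of binaries you care about (for example the files an RPM package installed) to build_baseline and keep the resulting JSON where the host cannot rewrite it.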
Some administrators, on finding that a system has been infected by a rootkit Trojan, hastily restore it from backup. This is completely wrong. You never know what the rootkit has installed or modified on the computer, and important system files may have been replaced long ago. In this case it is recommended that you restore only the backed-up application data onto a computer with a freshly reinstalled operating system, rather than rushing into a full restore. And before copying the data onto the newly installed computer, scan it for infection. In fact, we also use inspection programs that rely on the same principle as the rootkit but with the opposite aim: they bypass the data supplied by the API, read the original process list directly from the kernel, and compare it with the list enumerated through the process API. A process that appears in the former but not the latter is the rootkit's process. Because such tools also have "privilege-escalated" capabilities, killing the rootkit is no longer difficult, and once the rootkit process is cleared, its hiding function and its interference with the antivirus system disappear with it. You will find that the antivirus software that could "only detect, not kill" starts to work again. There are now many tools of this kind, with quite detailed help files of their own, such as IceSword, PatchFinder and GDB.
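The cross-view comparison described above, as an added example that is not code from the article or from any of the tools it names: it contrasts the /proc directory listing (the API view that ps relies on) with a direct kernel probe via kill(pid, 0) and reports pids present in the second view but not the first. It assumes a Linux host; the sample views at the bottom are constructed.

```python
import os

def proc_view():
    # Pids visible in the /proc directory listing: the view ps and task managers rely on.
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def parse_tgid(status_text):
    # Pull the Tgid: field out of /proc/<pid>/status text; None if it is absent.
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def is_thread(pid):
    # Non-leader threads answer kill() but are never listed in /proc, so they must not
    # be reported as hidden. An unreadable status file keeps the pid as a candidate.
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = parse_tgid(f.read())
    except OSError:
        return False
    return tgid is not None and tgid != pid

def kill_probe_view(max_pid=None):
    # Ask the kernel directly: kill(pid, 0) fails with ESRCH only when the pid does not
    # exist, so a hooked directory listing cannot hide a process from this walk.
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # EPERM: the process exists but belongs to another user
        if not is_thread(pid):
            found.add(pid)
    return found

def cross_view_diff(api_view, kernel_view):
    # Pids the kernel knows about that the API view omits: candidates for hidden processes.
    return sorted(kernel_view - api_view)

# Constructed sample views (not captured from a real system): pid 1337 answers the kernel
# probe but is absent from the API listing, the signature of a hidden process.
SAMPLE_API_VIEW = {1, 2, 532, 1044}
SAMPLE_KERNEL_VIEW = {1, 2, 532, 1044, 1337}
```

On a live host run cross_view_diff(proc_view(), kill_probe_view()); the walk up to pid_max is slow, and a pid reported once should be confirmed by a second pass, since a process that started between the two snapshots shows up the same way.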