[譯] Windows rootkits 101

Windows rootkits 101

by  Michael Mullins CCNA, MCP
作者：Michael Mullins CCNA（Cisco Certified Networking Associate，Cisco網路認證工程師），MCP（Microsoft Certified Professionals，微軟認證專家）

翻譯：endurer 2006-08-16 第1版

Keywords:  Microsoft Windows | Flaws | Security threats | Hacking
關鍵字：微軟視窗 | 缺陷 | 安全威脅 | Hacking

英文來源：http://articles.techrepublic.com.com/5100-1009_11-6104304.html?tag=nl.e030

Takeaway:
When administrators and security professionals hear the word rootkit, many think first of a UNIX-based system. But the fact is that Windows rootkits do exist, and you need to be able to detect them. Get the details from Mike Mullins in this edition of Security Solutions.

導讀：
當管理員們和安全專家們聽到“rootkit”這個詞時，其中一些人首先想到的是基於UNIX的系統，但實際情況是Windows（系統中的）rootkits存在著，你要能檢測它們。從Mike Mullins的本期安全解決方案中擷取細節罷。

--------------------------------------------------------------------------------

When administrators and security professionals hear the word rootkit, most think first of a UNIX-based system. Unfortunately, this only leads to a false sense of security for Windows-based systems. The fact is that Windows rootkits do exist, and you need to be able to detect them.
當管理員們和安全專家門聽到“rootkit”這個詞時，多數人首先想到的是基於UNIX的系統。不幸地是，這。實際情況是Windows（系統中的）rootkits存在著，你要能檢測它們。從Mike Mullins的本期安全解決方案中擷取細節罷。

What is a rootkit?
rootkit是什嗎？

To clarify, a rootkit is not an exploit—it's the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.
需要澄清，rootkit不是漏洞利用——它是攻擊者成功利用漏洞後留下的後門的代碼和程式。 rootkit讓hacker隱藏他或她在電腦中的活動，並允許未來對電腦的訪問。為了達到目標，rootkit 將修改作業系統的執行流程，或對作業系統依賴的資料做手腳。

《endurer註：rely on 依賴,依靠；信任》

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBusoperate in user mode.
Windows作業系統支援程式或進程運行在兩種不同的模式中：使用者模式和核心模式。傳統的Windows rootkits，如 SubSeven 和 NetBusoperate 工作在使用者模式。

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit's existence if they have a signature file.
已知的後門程式或特洛伊木馬程式，使用者模式 rootkits 以 獨立應用程式 或 在現存應用程式內部運行。它們具有與受害電腦上啟動並執行其它應用程式相同的層級的系統許可權。因為這些rootkits在使用者模式下工作，諸如反病毒掃描程式之類的應用程式，如果有特徵值檔案，就可以檢測出rootkit的存在。

On the other hand, a kernel-mode rootkit is remarkably different—and much more powerful and elusive. kernel-mode rootkits have total control over the operating system and can corrupt the entire system.
另一方面，核心模式rootkit顯著不同——更具威力和躲避能力。核心模式rootkit具有淩駕於作業系統之上的全面控制能力，可以竄改整個系統。

By design, kernel-mode rootkits control the operating system's Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.
核心模式rootkits控制特意地控制了作業系統的應用程式介面（API），rootkit位於作業系統和使用者程式之間，對這些（使用者）程式可以看到和操作的內容進行選擇。

《endurer註：by design 故意》

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit's files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.
另外，它利用此地位來在檢測中隱藏自己。如果一個應用程式，例如反病毒掃描程式，試圖列出包含rootkit檔案的目錄內容時，rootkit將在列表中隱藏自身檔案名稱。它也能隱藏或控制已引導的系統中的一些進程。

《endurer註：in addition 另外》

Rootkit detection
Rootkit的檢測

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.
檢測rootkits的方法分為兩類：基於特徵值 和 啟發學習法/基於行為的檢測。
《endurer註：fall into 分成(變成,開始)》

Signature-baseddetection: As its name implies, this method scans the file system for a sequence of bytes that comprise a "fingerprint" that's unique to a particular rootkit. However, the rootkit's tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.

基於特徵值的檢測：正如其名，這種方法掃描檔案系統，搜尋包含指紋即特定rootkit的專屬特徵的位元組序列。然而，rootkit通過中斷/幹擾檢測軟體的執行路徑的傾向/趨勢可限制基於特徵值的檢測的成功。

Heuristic/behavioral-based detection:This method works by identifying deviations in normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.
啟發學習法/基於行為檢測：此方法通過按正常作業系統型式或行為評鑑偏差來工作。例如，此方法可以通過確認擁有200GB的硬碟、報告有160GB的檔案的系統，只有15GB可用自由空間，來檢測rootkit。

Rootkits are hard to detect. But there are programs—some free and from reputable companies such as F-Secure and Sysinternals—to help you detect their presence on your systems. Microsoft has even stepped up to the plate with its Malicious Software Removal Tool, designed to detect and remove Windows rootkits.
Rootkits難於檢測。但有程式——一些免費和來自廣受好評的公司
，例如F-Secure 和 Sysinternals——可協助你檢測你系統中rootkit的存在。微軟甚至已經把其為檢測和移除Windows rootkits而設計的惡意件軟移除工具增加到了（Windows）平台。
《endurer註：step up to 增加到(上升到,趨近)》
 

Final thoughts
If you discover someone has compromised your machine, it's vital that you take the necessary steps to find out if the attacker has installed a rootkit—and then eliminate the threat. Applying vulnerability patches after someone has installed a rootkit on your machine won't close the security holes that already exist on your network.

結語
如果你發現rootkit已經損害你的電腦，至關重要的是，如果攻擊者已經安裝了rootkit，則採取必要的步驟找出它，接著消除威脅。在電腦被裝上rootkit後，使用缺陷補丁程式將不能關閉網路中已經存在的安全黑洞。