Rootkits: Stealth Hacking
According to An Overview of Unix Rootkits, a white paper from security firm iDefense, rootkits as we know them originated around the early 90’s, with some of the tools existing as far back as 1989. And this is just when the tools were discovered or made publicly available. They may have existed long before that in the hacker underground.
After having gained some level of access to a computer, the intruder installs a rootkit which can help him maintain his ability to access the hacked computer, help him attack the hacked computer or use it to remotely attack other computers, and help to cover his tracks. Most rootkits have the ability to collect usernames and passwords, giving the hacker alternate methods for entry should the username and password he is using get changed.
To maintain access the intruder will often set up multiple entry points, using different ports or protocols on the system. They may spread through the network setting up backdoors on other systems to use once the first intrusion is detected and that system gets taken offline or secured to block the intruder. Using the rootkit tools they can continue to collect new usernames and passwords from the network traffic, providing multiple personas for them to adopt while surfing your network.
While accessing the hacked computer, the intruder can interact with network resources, files and systems with the same privileges as whatever username and password they are using. If they get an administrative username and password they have the keys to the vault and can basically run free. They may install various denial of service (DoS) utilities to allow them to launch attacks against other computers. The target of the DoS will see that your computer is attacking them, but will not be able to identify the individual who truly launched the attack.
Computers have logs though. They can log when someone logs in and logs out. They can log when someone tries to log in and fails. They can log when someone accesses a file or when a service starts or stops. Good administrators should be reviewing those logs on a frequent basis. If an administrator were to view the logs and find logins and file access and deletions by the company President at 3am they may find that a little suspicious. Not a problem for the rootkit. They contain a plethora of tools designed to sanitize the intrusion to evade detection. There are tools to clean log files and erase evidence of the intruder's actions. There are also tools for hiding the files and processes that the intruder may place on the system and even to hide port and protocol connections.
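The log review described above can be automated. The following script is an added example, not code from the original article: it runs over a few constructed login records (the format, the sequence counter, the account names and the business-hours window are all assumptions for illustration) and flags two things a reviewer would want to see, privileged-account activity in the middle of the night, and gaps in the record counter, which is what a log-cleaning tool leaves behind when it removes individual lines. Note that the gap check only means something if the records were forwarded to a separate log host as they were written; a rootkit with administrative rights can rewrite a local log file freely.

```python
"""Review constructed login records for two warning signs: off-hours
activity by privileged accounts, and gaps in a per-line sequence counter
that indicate lines were removed after the fact."""
import re
from datetime import datetime, time

# Constructed sample records (not from any real system). Assumed format:
# "<seq> <ISO timestamp> <event> user=<name> src=<ip>"
# Records 106 and 107 are deliberately absent to simulate log cleaning.
SAMPLE_LOG = """\
101 2003-03-04T09:02:11 login user=jsmith src=10.0.0.21
102 2003-03-04T09:15:43 login user=rjones src=10.0.0.33
103 2003-03-04T17:40:05 logout user=jsmith src=10.0.0.21
104 2003-03-05T03:07:52 login user=president src=10.0.0.200
105 2003-03-05T03:09:10 file_delete user=president src=10.0.0.200
108 2003-03-05T03:31:44 logout user=president src=10.0.0.200
109 2003-03-05T08:58:19 login user=rjones src=10.0.0.33
"""

# Accounts whose activity deserves scrutiny (assumed list for the example).
PRIVILEGED = {"president", "administrator", "root"}
# Assumed business-hours window; anything outside it is "off hours".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn the raw text into a list of dicts, skipping malformed lines
    rather than aborting the whole review on one bad record."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, ts, event, user, src = m.groups()
        records.append({
            "seq": int(seq),
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": user,
            "src": src,
        })
    return records


def off_hours_privileged(records):
    """Return every record where a privileged account acted outside
    business hours (the 'company President at 3am' case)."""
    hits = []
    for r in records:
        t = r["ts"].time()
        if r["user"] in PRIVILEGED and not (BUSINESS_START <= t < BUSINESS_END):
            hits.append(r)
    return hits


def sequence_gaps(records):
    """Return (previous_seq, next_seq) pairs wherever the counter jumps,
    i.e. where one or more lines between them have gone missing."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur["seq"] != prev["seq"] + 1:
            gaps.append((prev["seq"], cur["seq"]))
    return gaps


def review(log_text):
    """Run both checks and return the findings together."""
    recs = parse(log_text)
    return {
        "off_hours": off_hours_privileged(recs),
        "gaps": sequence_gaps(recs),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for r in result["off_hours"]:
        print(f"off-hours privileged activity: seq={r['seq']} {r['ts']} "
              f"{r['event']} user={r['user']} src={r['src']}")
    for prev_seq, next_seq in result["gaps"]:
        print(f"missing records between seq {prev_seq} and {next_seq}")
```

On the sample data the script reports the three 3am records for the `president` account and one gap between records 105 and 108. In practice the same two checks are worth running on a copy of the logs held somewhere the compromised host cannot write to.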
Until recently, the rootkit has been the bane of those with insecure Linux or Unix systems, but users of Microsoft operating systems were spared this headache.
Recently, Kevin Poulsen wrote an article on SecurityFocus regarding the advent of Windows rootkits (Windows Root Kits a Stealthy Threat). Unlike normal Trojan and backdoor programs that operate on a user or application level, these new tools interact directly with the kernel, the heart of the Windows operating system. Doing so allows them to operate at a higher privilege level and evade detection by firewall software, antivirus software and other security applications.
One of the problems is that there is no way to truly know how many of these rootkits exist. If they do what they’re designed to do they should not be discovered. We only know about the ones that failed to achieve their ultimate goal: evading detection.
What do you do if you find that you have been victimized by a rootkit? That could spark a good debate. You could remove the rootkit files, close ports you don’t want open and change your name and password. The problem is that you have no idea what tools, backdoors, or other malicious utilities still live on your computer undetected. If you are on a network, you have no idea how many other systems have been infiltrated or how many other backdoors may have been opened.
Ideally, you should probably format the hard drive and rebuild the computer from scratch or from a clean, known-good image, but this time add extra security to keep your system from getting hacked again. If you are on a network you may need to scan or investigate each machine to try to determine whether any others have been victimized and cleanse them as well.