On 24 Apr 2006 at 21:32, Ra wrote:
> What is a rootkit and how would I investigate it?
The name comes from the world of Unix and Linux, where the all-powerful
account on a computer is named "root" rather than "Administrator". The
original purpose of a rootkit was, as a piece of malware, to obtain this
supreme level of user privilege, from which the attacker who installed the
rootkit could then proceed to wreak whatever havoc was desired.

Of course, not all attackers are just interested in causing immediate
chaos; many see their infiltration of a machine as a stepping-stone to some
further purpose. And so the term's meaning shifted to focus on techniques
to try to prevent discovery that the system has been compromised.

Indeed, the distinguishing characteristic of a modern rootkit is that it
makes it so difficult for an ordinary mortal user to discover its presence.
As such, there's not much useful advice to give. If you are having the
sort of problems that usually indicate a virus or spyware infestation, but
all of your usual tools for detecting and removing malware are coming up
empty, then that *may* indicate the presence of a rootkit.

(But not necessarily. I had been seeing such symptoms on one of my
machines, and discovered today that I had missed updating its copy of
Firefox from 1.0.x to 1.5.x; updating it appears to have corrected the
problem.)
David Gillett