DEV Community


Posted on

What is Rootkit?

When you listen about rootkit and if you are a linux user first thing that comes to your mind will be this has some thing to do with root user. And, you are not wrong but it's a part of it. Let's define it formally.

Rootkit is a program that can hide itself as well as other running processes, files, network connections from the host where it is running.

What is the utmost goal of the rootkit?

The main goal is to run incognito meaning running in the background for as long as it is possible.

What is the typical functionality or characteristics of rootkit?

1- Stealth Functionality

It aims to hide the traces of intruder by manipulating processes, open files, network activity, changing access rights/permission of different files and directory.

2- backdoor

One of the main goal of rootkit is to make sure that intruder have full remote access to the victim's computer all the time. For e.g: rootkit may establish a backdoor using ssh tunneling.

3- Sniffing

It also enables attacker to wiretapping and intercepting various system components may be sending data to a particular end point or installing a keylogger.

What is the biggest challenge to the attacker?

The biggest challenge that also differentiate rootkit from other types of malware is the fact that rootkit need to be installed with root privileges in the first place.

Types of Rootkits

  • User-mode rootkit: A user-mode rootkit covertly replaces common UNIX binaries or libraries with infected versions to hide its existence and to gain root privileges if needed.

  • Kernel-mode rootkit: A kernel-mode rootkit operates on the system level and modifies or replaces the kernel which may have been affected in the boot process.

This is a good blog on Linux boot process.

Top comments (0)