A rootkit is a type of software that is designed to gain administrative-level control over a computer system without being detected. In virtually all cases, the purpose and motive is to perform malicious operations on a target host computing system at a later date without the knowledge of the administrators or users of that system. Rootkits can be installed in hardware or software targeting the BIOS, hypervisor, boot loader, kernel or less commonly, libraries or applications
A rootkit is not an exploit. It is what an attacker uses after an initial exploit to allow future undetected access to a compromised computer.
Virus vs Worm vs Rootkit
It is also important not to confuse a rootkit with a virus, or a worm. The main difference is in propagation and stealth. Like a rootkit, a virus also alters software components of a system. A virus, however, is designed to do damage and possibly provide additional service(s) to the attacker. This usually alerts the user right away that something is wrong, and gives away its existence. A worm is usually designed to scan for vulnerabilities and take advantage of them, as well as spread to other computers connected to a network, thereby doing the same damage to them. Again, this alters computer behavior significantly enough to alert the user to its existence and that there is something wrong. A rootkit, on the other hand, is designed to maintain its own integrity, and remain hidden from the user in order to allow the attacker to use the compromised computer for a long period of time for his or her own nefarious means.
Payload
a virus payload referred to action a virus might take beyond simply infecting files. This payload could range from the virus displaying a dialog box with the words "Have a Good Day" to a virus that overwrites or deletes files on the system. For example, the circa 1998 CIH virus had a payload to overwrite the Flash BIOS of systems, rendering those systems unbootable. LoveLetter also deployed a malicious payload as part of its routine, overwriting certain media file types.
Today's malware is less likely to include a payload that damages files on the system, but instead typically include a payload that allows backdoor access to the system and steals passwords and other sensitive data.
Rootkit Types
There are three basic types of rootkits - library, application and kernel. There are also two subtypes - memory based, and persistent.
Rootkit Categories
There are two basic categories that modern rootkits in the wild can be divided into: those that are designed to hook, and those that are designed to use DKOM.
Hooks (or hooking) –
A hook, or hooking, is a method used by a rootkit to alter the normal execution path of the operating system.
Some of the more common areas a rootkit will hook are –
1. Execution paths
2. Import Address Tables(IAT)
3. System Service Descriptor Tables(SSDT)
4. Layered Filter Drivers
DKOM –
DKOM stands for Direct Kernel Object Manipulation. Rootkits designed to use DKOM rely on creation of kernel objects by the operating system, which are normally used by the system for auditing normal operation.
Rootkit SubTypes
Persistent versus memory-based rootkits:
Generally speaking, there are two types of rootkits: persistent rootkits and memory-based rootkits. The primary difference between these two types of rootkits lies in their "persistence" on an infected machine after a reboot. Persistent rootkits are capable of surviving a system reboot whereas memory-based rootkits are not. In order to survive a reboot, two conditions must be met. First, they must have some means of permanently storing their code on the victim system (such as on the hard disk). Second, they must place a hook in the system boot sequence so that they can be loaded from disk into memory and begin execution.
Unlike persistent rootkits, in-memory rootkits make no effort to permanently store their code on disk or hook into the boot sequence. Their code exists only in volatile memory and they may be installed covertly via a software exploit. This makes them stealthier than their "persistent" brethren and confers anti-forensic advantages. While it may seem that an inability to survive a reboot would undermine the usefulness of these rootkits, server systems frequently remain online for days, weeks, or months at a time. In practice, the potential for losing the rootkit infection may be counter-balanced by an attacker's need for untraceability.
ref:
Windows rootkits, Part1 - http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one
Windows rootkits, Part2 - http://www.symantec.com/connect/articles/windows-rootkits-2005-part-two
Windows rootkits, Part3 - http://www.symantec.com/connect/articles/windows-rootkits-2005-part-three
http://www.5starsupport.com/tutorial/rootkits.htm
http://en.wikipedia.org/wiki/Rootkit
http://en.wikipedia.org/wiki/Malware
http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
http://www.rootkit.com/newsread.php?newsid=928
http://www.viralpatel.net/taj/tutorial/idt.php
Home User Security: Personal Firewalls - http://www.symantec.com/connect/articles/home-user-security-personal-firewalls
Software Firewalls , Part 1 – http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-1-2
Software Firewalls , Part 2 - http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-2-2
