Tech Terminology Demystified – Rootkits

When a computer is compromised, the attacker usually tries to elevate his privileges to those of the administrator or root user. Attacks carried out with administrative privileges have far more wide-reaching effects, and that is what the attacker wants.

The first thing that the attacker does is install something called a “rootkit”. This is a kit that contains all the tools that aid the attacker. The rootkit contains a “backdoor” which is nothing but a service running on a particular port. When the attacker comes back to the compromised system, the backdoor lets him in.

The rootkit also contains programs that help cover the attacker's tracks. For example, every Unix-based system contains the “ps” command, which shows the list of processes running on the system. The rootkit replaces the original “ps” with its own trojaned version, which is a replica of the original “ps” in all visual and functional aspects – the only difference being that it does not display the backdoor process.

Rootkits also contain “sniffers” that help the attacker capture data. For sniffers to work, the NIC has to operate in what is called promiscuous mode, where it listens to and captures all traffic on that network segment rather than only the frames addressed to it. The commands “ipconfig” and “ifconfig” give details of the network card and also tell whether the card is operating in promiscuous mode. The rootkit therefore replaces the default “ifconfig/ipconfig” commands with a trojaned version that does not tell the administrator that the card is in promiscuous mode.
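Because a userland rootkit can replace “ifconfig”, a defender should not trust that command's output alone. On Linux the kernel also exposes each interface's flag word through sysfs (`/sys/class/net/<iface>/flags`, a hex string), and the IFF_PROMISC bit (0x100, from `<linux/if.h>`) can be tested directly. The following Python script is an added example written for this article, not code from the original page; the `read_iface_flags` and `promiscuous_interfaces` function names and the sample flag values are this example's own constructions.

```python
import os
from typing import Dict, List

# IFF_PROMISC bit from <linux/if.h>. The kernel reports the interface flag
# word through sysfs as a hex string such as "0x1103".
IFF_PROMISC = 0x100
SYSFS_NET = "/sys/class/net"


def is_promiscuous(flags_hex: str) -> bool:
    """Return True if the IFF_PROMISC bit is set in a sysfs flags string."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def read_iface_flags(sysfs_root: str = SYSFS_NET) -> Dict[str, str]:
    """Read the raw flags string of every interface under sysfs_root.

    Returns an empty dict on non-Linux hosts where the directory is absent.
    """
    result: Dict[str, str] = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as f:
                result[iface] = f.read()
        except OSError:
            continue  # virtual entries without a flags file
    return result


def promiscuous_interfaces(flags_by_iface: Dict[str, str]) -> List[str]:
    """Names of all interfaces whose flag word has IFF_PROMISC set."""
    return [name for name, flags in flags_by_iface.items() if is_promiscuous(flags)]


# Constructed sample sysfs output (hypothetical values, not captured from a
# real host): eth0 has 0x100 set, eth1 and lo do not.
SAMPLE_FLAGS = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}


if __name__ == "__main__":
    live = read_iface_flags()
    source = live if live else SAMPLE_FLAGS
    for iface in promiscuous_interfaces(source):
        print(f"WARNING: {iface} is in promiscuous mode")
```

Reading the flag bit from sysfs sidesteps a trojaned “ifconfig” binary, but only that: a kernel-mode rootkit can falsify sysfs as easily as a userland one replaces a command, so this check belongs alongside integrity monitoring rather than in place of it.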

Rootkits also contain trojaned versions of directory-listing and file-search utilities such as ‘ls’ and ‘find’, which hide the rootkit's files from the administrator. Most rootkits also contain log scrubbers that delete traces of the attacker's activities from the logs.

Rootkit countermeasures include properly hardening the system, running updated antivirus software and installing a host-based IDS, which looks for suspicious activities and also keeps a check on the integrity of the system.
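The “integrity of the system” check that a host-based IDS performs is, at its core, a comparison of cryptographic hashes of critical binaries (“ps”, “ls”, “find”, “ifconfig”) against a baseline recorded while the system was known to be clean. The following Python script is an added example illustrating that idea; it is not code from the original article or from any particular IDS product. The `WATCHED_BINARIES` list, the function names and the `demo` routine with its constructed files are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

# Assumed set of binaries a trojaning rootkit typically replaces
# (paths are illustrative; adjust to the host's layout).
WATCHED_BINARIES = ["/bin/ps", "/bin/ls", "/usr/bin/find", "/sbin/ifconfig"]


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record {path: sha256} for every watched file that exists."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline: Dict[str, str], dest: str) -> None:
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(src: str) -> Dict[str, str]:
    with open(src) as f:
        return json.load(f)


def verify_baseline(baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {path: 'modified' | 'missing'} for every entry that no longer matches."""
    findings: Dict[str, str] = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings


def demo() -> Dict[str, str]:
    """Constructed walkthrough: baseline three fake binaries, then tamper.

    Simulates a rootkit replacing 'ps' and removing 'find'. Returns findings
    keyed by basename so the result is independent of the temp directory.
    """
    with tempfile.TemporaryDirectory() as d:
        fake = {name: os.path.join(d, name) for name in ("ps", "ls", "find")}
        for name, path in fake.items():
            with open(path, "wb") as f:
                f.write(f"original {name} binary\n".encode())
        baseline_file = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(list(fake.values())), baseline_file)

        # Tamper: replace one binary, delete another, leave 'ls' untouched.
        with open(fake["ps"], "wb") as f:
            f.write(b"replaced ps binary\n")
        os.remove(fake["find"])

        findings = verify_baseline(load_baseline(baseline_file))
        return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Two points decide whether such a check is worth anything. First, the baseline must be created on a freshly built, trusted system and stored where an attacker with root cannot rewrite it (read-only or offline media), otherwise the rootkit simply updates the hashes along with the binaries. Second, the hashing tool itself and the kernel it runs on must be trusted; a kernel-mode rootkit can serve the original file contents to the checker while executing the trojaned ones, which is why booting from known-good media to run the comparison is the more reliable procedure.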