What You Need to Know About Linux Rootkits.
A rootkit is a group of software tools which an attacker can use to hide their tracks. A rootkit can also contain software which allows the attacker to get root access and steal or remove files on a system. Another goal of a rootkit is to let the attacker maintain access to the hijacked computer. Rootkits are written for many different operating systems; however, this article will only talk about Linux rootkits.
Types of Rootkits
One type of rootkit works at the user level; it is the simplest kind and the easiest to detect and remove. Such rootkits replace a user application with a modified program of their own. They are easier to detect because one can still trust the kernel of the operating system: by scanning for programs which have been changed, software like AIDE and Tripwire can detect this type of rootkit. Another type of rootkit works at the kernel level. These are harder to find and remove because one can't even trust the kernel on which the rootkit has been installed. They have the ability to delete logs to hide the intruder's tracks and even to replace system calls. This type is usually installed as a Linux Kernel Module (LKM). Some examples of LKM rootkits are Afhrm and Synapsis.
Techniques Used in Rootkits
Using a Linux Kernel Module, a rootkit can modify the kernel's syscall table. By doing this, the rootkit can replace a system call so that it points to the rootkit's own code. Another technique a rootkit can use is to delete log entries on the system so that there is no record of the attacker's activities. Also, to hide the attacker's tracks, the rootkit can replace standard Unix programs such as ps so that they do not show the processes the rootkit is running.
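A trojaned ps of the kind described above still leaves the hidden processes visible as directories under /proc, so comparing the two views is a simple cross-view check. The script below is an added example written for this article, not code from the original page; it assumes a Linux system with a ps binary that accepts `ps -eo pid=`, and it will not catch a kernel-level rootkit that also hides its entries from /proc.

```python
"""Cross-view check: PIDs present in /proc but missing from ps output.

Added example for this article (not the article's own code). Two /proc
snapshots are taken, one before and one after ps runs, so that processes
which merely start or exit during the check are not reported as hidden.
"""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs visible as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Parse the output of `ps -eo pid=` (one PID per line) into a set."""
    pids = set()
    for line in ps_output.splitlines():
        line = line.strip()
        if line.isdigit():
            pids.add(int(line))
    return pids


def hidden_pids(before, after, ps_pids):
    """Sorted PIDs present in both /proc snapshots but absent from ps.

    Requiring the PID in both snapshots filters out short-lived processes
    (including ps itself), which would otherwise be false positives.
    """
    stable = before & after
    return sorted(stable - ps_pids)


def scan():
    """Run the check against the live system and return suspicious PIDs."""
    before = pids_from_proc()
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    after = pids_from_proc()
    return hidden_pids(before, after, parse_ps_pids(ps_out))


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} is listed in /proc but not reported by ps")
```

A PID it reports is only a lead: confirm it with a known-good copy of ps (for example from read-only media) and by reading /proc/PID/cmdline directly.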
Detecting and Removing Rootkits