Rootkit levels of infection and mitigation

Filed under
HowTos

Hackers don many disguises in order to sneak past IT security guards. The rootkit, one of the most effective disguises, not only masks the intruder, but covers his trail.

The rootkit's origins are deeply rooted in early methods of "backdooring" Unix-based workstations and servers. Current examples encompass a variety of functions and features that further improve upon existing methods (where they don't redefine them outright). Today, the term rootkit is divorced from operating system dependency. While a strong security implementation can help mitigate the effectiveness of rootkit installation, removal of such malware is -- unfortunately -- an inexact science, and usually requires a drive format and full re-installation of the original operating system to ensure a clean and proper restoration.

Understanding this basic principle illustrates precisely why attempts to remove a determined rootkit can be impractical. The very tools used to identify such threats are susceptible to direct manipulation by these threats. One such popular tool used for rootkit detection is chkrootkit[1], which can currently identify 60 known Linux-based rootkits.

Full Story.