Anatomy of an Attack

February 2004

Cover Tracks and Install Tools:

Rootkits and other tools are used to remove any sign that the hacker has gained access to the system and to give him an easy way back into the server for later attacks. As soon as the proper privileges are gained (on a Unix system the connection and service logs are normally writable only by root), the hacker removes every record of the compromise: the system connection logs such as the utmp, wtmp and lastlog login records, the logs of the service that was exploited, and the command history of the compromised user. This is one of the most important steps for the hacker, because it removes the trace of his intrusion that the administrator would otherwise find. It also has a limit the defender should exploit: logs that are copied in real time to another host, or written to a medium the compromised server cannot rewrite, survive this step, and a hole or a sudden shrinkage in the local copy is itself a sign that someone has been editing it.
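
The log-cleaning step has a defensive counterpart: look for the holes it leaves behind. The script below is an added example, not code from the original article or from Security Innovation. It runs three checks over constructed evidence that it builds in a temporary directory: a syslog-style file with a 40-minute hole where the records of a session were deleted, a .bash_history that has been symlinked to /dev/null (a common way to stop the shell from recording commands), and a wtmp login-record file that is smaller than the size noted at an earlier check. The file names, the sample log lines, the 30-minute gap threshold and the previously recorded size of 4096 bytes are all assumptions chosen for the demo.

```python
"""Look for the traces a sloppy log clean-up leaves on a Unix host.

Added example; the sample data below is constructed for the demo.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed syslog-style lines. The intruder deleted everything that was
# logged during his 14:02-14:41 session but missed the login and the
# disconnect, which leaves a 40-minute hole in an otherwise busy log.
SAMPLE_SYSLOG = """\
Feb 12 14:00:01 web1 CRON[4011]: (root) CMD (run-parts /etc/cron.hourly)
Feb 12 14:01:17 web1 sshd[4023]: Accepted password for admin from 10.0.0.5 port 51822 ssh2
Feb 12 14:41:55 web1 sshd[4190]: Received disconnect from 10.0.0.5 port 51822
Feb 12 14:42:00 web1 CRON[4201]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year):
    """Return the timestamp of a syslog line, or None if the line has none.
    Classic syslog omits the year, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())   # collapse the space-padded day ("Feb  2")
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def find_gaps(lines, max_gap=timedelta(minutes=30), year=2004):
    """Return (earlier_line, later_line, gap) for each pair of consecutive
    entries more than max_gap apart. Deleted records leave a hole in a stream
    that is normally continuous; tune max_gap to how chatty the host is."""
    gaps = []
    prev_ts, prev_line = None, None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev_ts is not None and ts - prev_ts > max_gap:
            gaps.append((prev_line, line, ts - prev_ts))
        prev_ts, prev_line = ts, line
    return gaps


def history_disabled(path):
    """True if a shell history file has been neutralised: symlinked to
    /dev/null, or emptied. A missing file is not reported, because history
    can be legitimately turned off by the shell configuration."""
    if os.path.islink(path):
        return os.path.realpath(path) == os.path.realpath(os.devnull)
    return os.path.exists(path) and os.path.getsize(path) == 0


def log_shrank(path, last_known_size):
    """True if a log file is smaller than the size recorded by an earlier
    run. Between rotations a log only grows; shrinking means truncation."""
    return os.path.getsize(path) < last_known_size


def audit(workdir, previous_wtmp_size=4096):
    """Run the three checks against the files in workdir and return the
    findings as a list of strings. previous_wtmp_size is an assumed value
    that a real deployment would read from storage the host cannot edit."""
    findings = []
    with open(os.path.join(workdir, "syslog")) as fh:
        for before, after, gap in find_gaps(fh.read().splitlines()):
            findings.append(f"syslog: {gap} hole between '{before[:15]}' and '{after[:15]}'")
    if history_disabled(os.path.join(workdir, ".bash_history")):
        findings.append(".bash_history: disabled (symlink to /dev/null or empty)")
    if log_shrank(os.path.join(workdir, "wtmp"), previous_wtmp_size):
        findings.append("wtmp: smaller than at the previous check (truncated?)")
    return findings


def build_sample(workdir):
    """Create the constructed evidence: a syslog with a hole, a history file
    pointing at /dev/null, and a wtmp that is shorter than it used to be."""
    with open(os.path.join(workdir, "syslog"), "w") as fh:
        fh.write(SAMPLE_SYSLOG)
    os.symlink(os.devnull, os.path.join(workdir, ".bash_history"))
    with open(os.path.join(workdir, "wtmp"), "wb") as fh:
        fh.write(b"\0" * 1024)   # was 4096 bytes at the previous check


def demo():
    """Build the sample host state and return what the audit finds."""
    with tempfile.TemporaryDirectory() as workdir:
        build_sample(workdir)
        return audit(workdir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The gap check is only a heuristic: a quiet host can go a long time without logging, so the threshold has to be tuned per host, and it only means anything where the log is normally continuous. The size and history checks are more reliable, but the earlier size has to be kept somewhere the hacker cannot edit; the same applies to any copy of the logs, which is why shipping them to another host in real time is the strongest defence against this step.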

The next step is to create a backdoor and install tools to further compromise the system. These tools are generally installed all at once from a rootkit. The rootkit lets the hacker return to the server at any time with full root or administrator access. It also schedules batch jobs, infects startup files so that its components survive a reboot, plants remote control services, installs monitoring mechanisms, and replaces some system applications with Trojans. A Trojaned program still performs its original task and, in addition, does something useful to the hacker, such as logging usernames and passwords or notifying him when the administrator logs on.

Some tools installed with the rootkit let the hacker bypass any activity logging the administrator may have put in place to discover a compromise, by hiding the hacker's processes, files and connections from the programs that would report them. This lets the hacker move around the system with little chance of detection, at least from within the system: a Trojaned ps or netstat cannot hide a connection from a packet capture taken on another host, and a Trojaned binary cannot hide its changed contents from a hash comparison run from trusted media.

Below is a short list of tools that are common in a rootkit; a hacker may include others as the target system dictates.

Tools of a Rootkit (tool name, followed by its purpose):

Backdoor
    Allows the hacker an easy entry the next time access is required. The backdoor often listens on a new port and accepts a username and password chosen by the hacker.

Keylogger
    Logs every character typed on the system. Reading what the administrator types lets the hacker confirm that the attack has not been discovered, and the log also yields more username and password pairs.

Hide/Unhide Tool
    Hides this and the other rootkit tools (their files, processes and connections) from discovery, and unhides them again when the hacker needs to work with them.

Add User
    Lets the hacker add accounts to the system.

Schedule Batch Jobs
    Runs tasks for the hacker on a schedule, for instance to restart a component that has been killed.

Infect Startup Files
    Ensures that services which should always be running, such as the backdoor and the keylogger, are restarted after a reboot.

Remote Control Services
    Let the hacker take control of the system without having to go through the normal login.

Replace Other Apps with Trojans
    By replacing the login or su program with a version that also records the credentials it is given, the hacker collects more username and password pairs and learns when the real administrator is online.
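
To catch the Trojaned login, su and other replaced programs listed above, and the hidden files a hide tool tries to conceal, the defender compares the system against a baseline taken while it was known-good. The script below is an added example, not code from the original article or from Security Innovation. It baselines a constructed bin directory of stand-in files, then simulates the rootkit install by overwriting su with a same-size, setuid Trojan and dropping a hidden backdoor binary, and reports what changed. The directory layout, file names and file contents are assumptions for the demo.

```python
"""Baseline-and-compare check for replaced or hidden system binaries.

Added example; the bin directory it inspects is constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Map every regular file under root (path relative to root) to a tuple of
    (sha256, permission bits, size). Symlinks are skipped so that following
    one cannot lead the walk out of the tree."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            snapshot[os.path.relpath(full, root)] = (
                sha256_file(full), st.st_mode & 0o7777, st.st_size)
    return snapshot


def compare(known_good, current):
    """Return the files whose hash, mode or size differ from the baseline,
    the files that have appeared since, and the files that have vanished."""
    return {
        "modified": sorted(p for p in known_good
                           if p in current and current[p] != known_good[p]),
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
    }


def demo():
    """Build a constructed bin directory, baseline it, simulate a rootkit
    install, and return compare()'s report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("login", "su", "ls", "ps"):   # stand-ins for real binaries
            path = os.path.join(bindir, name)
            with open(path, "wb") as fh:
                fh.write(b"ELF-stand-in:" + name.encode())
            os.chmod(path, 0o755)
        known_good = baseline(root)

        # Simulated rootkit: overwrite su with a Trojan of exactly the same
        # size that is also setuid, and drop a hidden backdoor binary.
        su = os.path.join(bindir, "su")
        with open(su, "wb") as fh:
            fh.write(b"ELF-trojaned:" + b"su")
        os.chmod(su, 0o4755)
        with open(os.path.join(bindir, ".backdoor"), "wb") as fh:
            fh.write(b"bind a shell on a new port")
        return compare(known_good, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison covers content hash, permission bits and size, so a Trojan that keeps the original size, or a legitimate binary that has quietly become setuid, is still reported. Two conditions make the check worth anything: the baseline must live somewhere the compromised host cannot rewrite (otherwise the rootkit updates it too), and the check should be run from a trusted boot medium, because a rootkit that hooks the kernel or the C library can hand the original file contents to the checker while still executing the Trojan.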


Provided by: Security Innovation, The Application Security Company