|< Day Day Up >|
As you know, a rootkit is installed to gain remote access to a computer. This serves two primary purposes: to control computer software operation, and to copy data from the system. Examples of such command and control include shutting a computer down, enabling or disabling features, and manipulating the kernel. Taking data from a system is typically called exfiltration, or exfil for short. Exfiltration may take such arcane forms as data transmissions over electromagnetic emissions, via extra data inserted into network protocols, and in the form of time delays.
Where remote access is required, the rootkit must be able to communicate over a network. For a TCP/IP network, this could mean via a TCP connection. Once a connection has been established, commands can be issued and data can be exfiltrated.
In the hacker underground, a typical generic solution to the problem of exfil is the remote shell. A remote shell is simply a TCP session connected to the native command interpreter on the system. The command interpreter is supplied with the operating system. On an MS-Windows machine, this would be cmd.exe, and on a UNIX system it may be /bin/sh or /bin/bash.
These command interpreters are actually software programs themselves. Since the command interpreters are already installed on the system before the hacker arrives, the attack program just connects the command interpreter to a network port. In other words, the hacker borrows the existing program when she attacks.
For the most part, hackers are just lazy; they don't want to write their own shell programs. There are, however, cases where hackers have created complex remote-control software. Back Orifice 2000 is one example of a full remote-control system, with file access, screen capture, and even audio bugging.
Large, full-featured back-door programs have a few drawbacks. First, they are overkill for most needs. Second, every virus scanner on the planet will detect them. Third, and perhaps most importantly, they are written by people you don't know.
When engaging in an activity as sensitive as remote penetration, you should be concerned about risk of exposure before anything else. Two concepts that are key to avoiding exposure are minimal footprint and unique structure.
|< Day Day Up >|