Computer Hijacking (Rooting)

Article by Eugene Veeden

Computer hijacking, or rooting, is the act of compromising desktop computers, servers or public workstations by installing a Trojan horse, a virus or a rootkit. Rooting is a serious threat to Internet security and operability: large numbers of compromised "zombie" hosts can be turned against corporate networks and government server farms, and can disrupt the Internet as a whole. Many users are unaware that their system is compromised, because the malware hides its processes and files and uses other anti-detection techniques.


Origins

Originally "rooting" meant gaining "root" (superuser) access on a UNIX system, and a "rootkit" was the set of replacement binaries and tools used to keep that access hidden.[1] Using viruses, Trojan horses and rootkits, an intruder can carefully remove or conceal every trace of the break-in and so retain root access without the system administrator ever noticing.

The term "rooting" is now used for any compromised Windows or UNIX-based system, regardless of whether the operating system actually has a "root" account.

How it is done

Most systems are compromised through vulnerable services exposed to the public Internet. A port scan reveals whether a service for which an exploit is available is listening on the target host. A scanner such as X-Scan 3.0 will sweep a range of IP addresses for specific vulnerabilities; once a vulnerable host is found, the attacker exploits it, uploads the rootkit, Trojan or virus to the victim's machine (over TFTP, a NetBIOS/SMB share or e-mail) and starts it from a command shell.

Once a host has been infected, the attacker can load additional tools onto it, such as X-Scan itself, and use the victim to sweep other IP blocks in parallel for the same vulnerabilities. The number of compromised hosts can therefore grow exponentially, in the manner of a worm, until the supply of reachable vulnerable targets runs out.

Common Uses

IRC File Servers

iroffer is a legitimate program that serves files from a host to the public over an Internet Relay Chat (IRC) network. An attacker first gains access through one of the well-known weaknesses, such as an MSSQL exploit or a blank Windows Administrator password, and loads a set of tools onto the host. The attacker then runs iroffer, hides it from the process list, and uses the victim's machine and bandwidth to serve the files uploaded to it to the public through an IRC channel.

Targeted Advertising

Targeted advertising is usually delivered by browser hijacking, one of the web's constant dangers. Whether it arrives as a flood of obscene pop-up windows after a mistyped URL or as malicious code that takes over the browser completely, the likely cause is that the system has been compromised by advertising malware (adware). [2]

Password Gathering

An attacker who compromises a system can gain access to bank accounts, credit cards and lines of credit, and commit identity theft using the private information found on the victim's machine. Account passwords are easily harvested with a key logger.

Denial of Service Attacks

A number of compromised hosts can be directed to send requests to a server simultaneously and continuously, from many different IP addresses, until the server is overloaded and stops responding or crashes. This is the most difficult attack to defend against, because the traffic comes from ordinary users' machines whose owners have no knowledge of the attack, so it cannot simply be filtered by source. Internet bots installed on the compromised hosts take commands from a controller and execute them in unison. [3]

Detection and Removal

The most reliable way to check a suspected system is to shut it down and examine its storage after booting from trusted alternative media (for example a rescue CD-ROM or USB flash drive). A Trojan, rootkit or virus that is not running cannot hide itself: the hooks with which it filters file and process listings are not loaded, so the standard file-system calls and lower-level disk queries used by an antivirus scanner return the true contents of the disk. Scanning from within the running system is far less trustworthy; some rootkits even watch the process list for known scanners and suspend their own activity until the scan has finished.

Several programs are available to detect rootkits. On UNIX-based systems the two most popular are chkrootkit and rkhunter. For Windows there are free tools such as AVG AntiVirus, BlackLight and RootkitRevealer. RootkitRevealer works by cross-view comparison: it lists files and Registry keys through the normal Windows API and again by reading the raw disk and Registry hives directly, and reports any entry that appears in one view but not the other. Some rootkits responded by adding the detector itself to the list of processes they do not hide from, so that both views agree and nothing is reported.[1] A practical countermeasure is to run the detector under a randomly chosen file name so the rootkit cannot recognise it.
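The cross-view principle that the offline scan and RootkitRevealer both rely on (two ways of asking the same question, one of which the rootkit does not control) can be demonstrated for processes on Linux. The following Python script is an added example, not code from this page or from chkrootkit, rkhunter or RootkitRevealer. It takes the process list as the `/proc` directory enumerates it (the view a rootkit typically hooks), then brute-forces the PID range with `kill(pid, 0)` (a view that bypasses directory enumeration), and reports PIDs that are alive but unlisted. The `pid_max` lookup, the second listing used to filter out the race with processes that start or exit during the probe, and the thread filter based on the `Tgid` field of `/proc/<pid>/status` are assumptions of this example rather than details from the article.

```python
"""Cross-view detection of hidden processes on Linux (added example).

View A: the PIDs that the /proc directory listing returns (a rootkit that
        hooks directory enumeration controls this view).
View B: every PID in 1..pid_max for which kill(pid, 0) reports existence
        (a different kernel entry point, so filtering readdir does not help).
A PID alive in B but absent from A both before and after the probe is
either an ordinary thread or a hidden process.
"""
import os
import re

DEFAULT_PID_MAX = 32768  # kernel default; overridden by /proc/sys/kernel/pid_max


def read_pid_max():
    """Upper bound of the PID space to probe (assumption: Linux layout)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PID_MAX


def listed_pids():
    """View A: PIDs as enumerated through the /proc directory listing."""
    try:
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}
    except OSError:
        return set()


def pid_alive(pid):
    """View B probe: signal 0 checks existence without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # the process exists; it just belongs to another user
    return True


def probed_pids(pid_max):
    """View B: brute-force the whole PID range."""
    return {pid for pid in range(1, pid_max + 1) if pid_alive(pid)}


def hidden_from_views(before, alive, after):
    """Pure cross-view comparison of the two listings and the probe.

    A PID that appears in either listing is not hidden, even if it was
    born or died while the probe ran; this removes the obvious race
    false positives.  Returns the set of alive-but-never-listed PIDs.
    """
    return alive - (before | after)


def parse_tgid(status_text):
    """Return the Tgid field of a /proc/<pid>/status body, or None."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def classify(pid, status_text):
    """Decide what an alive-but-unlisted PID really is.

    status_text is the content of /proc/<pid>/status, or None if it could
    not be opened.  kill() accepts thread IDs too, and /proc does not list
    threads at top level, so a TID whose Tgid differs from the TID is a
    normal thread.  A PID whose status file does not exist at all is
    exactly what a /proc-hiding rootkit produces.
    """
    if status_text is None:
        return "hidden"
    tgid = parse_tgid(status_text)
    if tgid is not None and tgid != pid:
        return "thread"
    return "hidden"


def read_status(pid):
    try:
        with open("/proc/%d/status" % pid) as f:
            return f.read()
    except OSError:
        return None


def scan():
    """Run the full cross-view scan; returns the sorted list of suspect PIDs."""
    before = listed_pids()
    alive = probed_pids(read_pid_max())
    after = listed_pids()
    return [pid for pid in sorted(hidden_from_views(before, alive, after))
            if classify(pid, read_status(pid)) == "hidden"]


if __name__ == "__main__":
    for pid in scan():
        print("possible hidden process: pid %d" % pid)
```

Run it on the live system with `python3 hidden_pids.py`; it does not need root, because `kill(pid, 0)` distinguishes "no such process" from "permission denied". The caveat is the same one the article makes about detectors: this only catches a rootkit that filters the `/proc` listing. One that also hooks the `kill` system call, or that unhooks itself while a known scanner is running, makes both views agree, which is why the offline scan from clean media remains the reference method.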


Last Revised: March 30, 2007