Chapter 1 / Empty Cup Mind
caught.² She took showers, moved a mattress into the closet where she slept,
and had bottles of water to tide her over while she hid. Police spokesman
Horiki Itakura stated that the woman was "neat and clean."
In a sense, that's what a rootkit is: It's an uninvited guest that's surprisingly
neat, clean, and difficult to unearth.
1.2 Distilling a More Precise Definition
Although the metaphor of a neat and clean intruder does offer a certain
amount of insight, let's home in on a more exact definition by looking at the
origin of the term. In the parlance of the UNIX world, the system administrator's
account (i.e., the user account with the fewest security restrictions) is often
referred to as the root account. This special account is sometimes literally
named "root," but that's a historical convention more than a requirement; what
the kernel actually checks is the account's numeric user ID, which is 0 for the
superuser.
Compromising a computer and acquiring administrative rights is referred to
as rooting a machine. An attacker who has attained root account privileges
can claim that he or she rooted the box. Another way to say that you've
rooted a computer is to declare that you own it, which essentially implies that
you can do whatever you want because the machine is under your complete
control. As Internet lore has it, the proximity of the letters p and o on the
standard computer keyboard has led some people to substitute pwn for own.
Strictly speaking, you don't necessarily have to seize an administrator's
account to root a computer. Ultimately, rooting a machine is about gaining the
same level of raw access as that of the administrator. For example, the SYSTEM
account on a Windows machine, which represents the operating system itself,
actually has more authority than the accounts in the Administrators group. If
you can undermine a Windows program that's running under the SYSTEM account,
it's just as effective as being the administrator (if not more so). In fact,
some people would claim that running under the SYSTEM account is superior
because tracking an intruder who's using this account becomes a lot harder:
SYSTEM generates so many log entries in the normal course of operation that it
would be hard to distinguish those produced by an attacker from the background
noise.
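The difference between "administrator" and "SYSTEM" is visible in the access token of a running process. The following PowerShell snippet is an added example (it is not code from the book) that reports whether the current token belongs to SYSTEM, whether it is a member of the built-in Administrators group, and which privileges it carries. Running it once from an elevated administrator shell and once as SYSTEM (for example under a service or a SYSTEM-level scheduled task) shows the extra privileges, such as SeTcbPrivilege, that the operating-system account holds. The well-known SIDs it uses (S-1-5-18 for LocalSystem, S-1-5-32-544 for Administrators) are fixed values, not assumptions; everything else is standard .NET and the whoami utility.

```powershell
# Added example, not part of the original text: inspect the current token
# to see how far from "root" the process actually is on Windows.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)

# Well-known SIDs: LocalSystem is S-1-5-18, Builtin\Administrators is S-1-5-32-544.
$localSystemSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$adminsSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

$isSystem = $id.User -eq $localSystemSid
# IsInRole honours UAC: a non-elevated admin token is NOT reported as a member.
$isAdmin  = $principal.IsInRole($adminsSid)

"User: $($id.Name)  SID: $($id.User.Value)"
"Token is SYSTEM (S-1-5-18):               $isSystem"
"Token is in Administrators (S-1-5-32-544): $isAdmin"

# Enumerate the token's privileges. SYSTEM's token carries privileges that a
# default Administrators token does not, notably SeTcbPrivilege ("Act as part
# of the operating system").
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$privs | Select-Object 'Privilege Name', State | Format-Table -AutoSize

$hasTcb = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' })
"Holds SeTcbPrivilege (typical of SYSTEM, absent from admin tokens): $hasTcb"
```

The privilege listing is the practical check: an intruder who has merely landed in an Administrators account can usually reach SYSTEM by creating a service, but until they do, their token lacks the operating-system privileges, and forensic tooling can tell the two apart by SID rather than by account name.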
Nevertheless, rooting a machine and maintaining access are two different
things (just like making a million dollars and keeping a million dollars).
2. "Japanese Man Finds Woman Living in his Closet," AFP, May 29, 2008.