1.2 Distilling a More Precise Definition

There are tools that a savvy system administrator can use to catch interlopers and then kick them off a compromised machine. Intruders who are too noisy with their newfound authority will attract attention and lose their prize. The key, then, for intruders is to get in, get privileged, monitor what's going on, and then stay hidden so that they can enjoy the fruits of their labor.

The Jargon File's Lexicon³ defines a rootkit as a "kit for maintaining root." In other words:

    A rootkit is a set of binaries, scripts, and configuration files (e.g., a kit) that allows someone to covertly maintain access to a computer so that he can issue commands and scavenge data without alerting the system's owner.

A well-designed rootkit will make a compromised machine appear as though nothing is wrong, allowing an attacker to maintain a logistical outpost right under the nose of the system administrator for as long as he wishes.

The Attack Cycle

About now you might be wondering: "Okay, so how are machines rooted in the first place?" The answer to this question encompasses enough subject matter to fill several books.⁴ In the interest of brevity, I'll offer a brief (if somewhat incomplete) summary.

Assuming the context of a precision attack, most intruders begin by gathering general intelligence on the organization that they're targeting. This phase of the attack will involve sifting through bits of information like an organization's DNS registration and assigned public IP address ranges. It might also include reading Securities and Exchange Commission (SEC) filings, annual reports, and press releases to determine where the targeted organization has offices.

If the attacker has decided on an exploit-based approach, they'll use the Internet footprint they discovered in the initial phase of intelligence gathering to enumerate hosts via a ping sweep or a targeted IP scan and then examine each live host they find for standard network services. To this end, tools like nmap are indispensable.⁵

3. http://catb.org/jargon/html/index.html.

4. Stuart McClure, Joel Scambray, & George Kurtz, Hacking Exposed, McGraw-Hill, 2009, ISBN-13: 978-0071613743.

5. http://nmap.org/.

Part I | 5