1.2 Distilling a More Precise Definition
book series from Microsoft and also to the Sysinternals tool suite. According
to Mark, a rootkit is
"Software that hides itself or other objects, such as files, processes, and
Registry keys, from view of standard diagnostic, administrative, and
security software."
Greg Hoglund, the godfather of Windows rootkits, offered the following
definition in the book that he co-authored with Jamie Butler:
"A rootkit is a set of programs and code that allows a permanent or
consistent, undetectable presence on a computer. "
Greg's book first went to press in 2005, and he has since modified his definition:
"A rootkit is a tool that is designed to hide itself and other processes,
data, and/or activity on a system"
In the blog entry that introduces this updated definition, Greg adds:
"Did you happen to notice my definition doesn't bring into account
intent or the word 'intruder'?"
Note: As I mentioned in this book's preface, I'm assuming the vantage point of a Black
Hat. Hence, the context in which I use the term "rootkit" is skewed in a manner that
emphasizes attack and intrusion.
In practice, rootkits are typically used to provide three services:
■ Concealment.
■ Command and control (C2).
■ Surveillance.
Without a doubt, there are packages that offer one or more of these features
that aren't rootkits. Remote administration tools like OpenSSH, GoToMyPC
by Citrix, and Windows Remote Desktop are well-known standard tools.
There's also a wide variety of spyware packages that enable monitoring and
13. Mark Russinovich, Rootkits in Commercial Software, January 15, 2006, http://blogs.technet.com/markrussinovich/archive/2006/01/15/rootkits-in-commercial-software.aspx.
14. Greg Hoglund and Jamie Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley,
2005, ISBN-13: 978-0321294319.
15. http://rootkit.com/blog.php?newsid=440&user=hoglund.