Abstract
The purpose of this research is to determine why rootkits are not malicious in themselves but might be used as part of malware, and how different technologies can prevent rootkit attacks from occurring. Rootkits are sets of programs or code that allow a permanent, consistent, and undetectable presence on a computer without the end user’s consent. The following paper reflects Internet-based research conducted to find valuable, reliable, and concise data on the topic of rootkits. The works of digital forensics experts Molina et al. and cybersecurity researchers Hoglund and Butler are compared and contrasted to examine different perspectives on the issue of rootkits. The paper evaluates the experts’ theoretical approaches to determine which one is more effective for Internet and computer security. The findings of the research demonstrate how to protect computers from rootkits, expose the legitimate uses of rootkits, and predict the future of rootkit computer security.
Introduction
Internet and computer security aim to prevent threats to the confidentiality of users and to detect vulnerabilities in digital environments. However, the efforts to protect personal data and sensitive information are undermined by cybercriminals who invent new methods and upgrade existing malicious programs. The topic of rootkits is relevant today, as it concerns almost everyone who uses a computer or a mobile device. Molina et al. discuss timely rootkit detection in forensic investigations, while Hoglund and Butler describe the legitimate uses of rootkits. The following paper will expose the differences and similarities between the two theoretical approaches to the problem of rootkits.
Main text
The paper by Molina et al. is based on a defensive approach and offers a non-intrusive tool for rootkit detection that gathers information from system data utilities. Rootkits are described as dangerous because they “enable attackers to have undetected access to computer systems” and “hide an attacker’s presence by manipulating system data” (Molina et al. 140). The researchers support the idea of Hoglund and Butler, who claim that rootkit detectors and prevention software should be placed at the lowest privilege level, or Ring 3, as most rootkits operate there.
The computer forensics experts describe rootkit categories, hiding techniques, and detection methods that should be considered in the development of a rootkit detection system. The authors categorize rootkits into kernel, library, user-level, hardware-level, and Virtual Machine Based Rootkits (VMBRs). VMBRs are difficult to detect because they hide in the virtual machine monitor (VMM), where the malware functions unnoticed. According to Molina et al., the most common hiding techniques are patching (modification of binaries), hooking (modification of functions in memory), and Direct Kernel Object Manipulation, which exploits Windows scheduling processes. Rootkit detection techniques include signature-based, behavioral, cross-view, integrity, and hardware-based detectors. The researchers propose a rootkit detection system that “uses open source utilities that perform a system scan from userspace” (Molina et al. 143). The detection tool scans system files for potential threats and analyzes discrepancies between output files that are supposed to be identical. The researchers’ tests indicate that any difference between the files suggests the presence of a rootkit.
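To make the cross-view idea concrete, the following added example (written for this paper, not the tool of Molina et al.) collects the set of process IDs from several userspace views that should agree and reports what each view failed to show. The sample `ps` output and `/proc` listing are constructed; PID 1337 is deliberately present in one view and absent from the other.

```python
"""Cross-view discrepancy check: enumerations of the same objects (here, PIDs)
that ought to be identical are compared, and any entry one view omits is
flagged for investigation. Sample data below is constructed for illustration."""
import os
import re
from typing import Dict, Iterable, Set

# Constructed `ps -e`-style output (hypothetical, not captured from a real host).
SAMPLE_PS = """  PID TTY          TIME CMD
    1 ?        00:00:02 systemd
  412 ?        00:00:00 sshd
  900 pts/0    00:00:00 bash
"""
# Constructed /proc directory listing; 1337 appears here but not in SAMPLE_PS.
SAMPLE_PROC = ["1", "412", "900", "1337", "self", "cpuinfo", "meminfo"]

def parse_ps_output(text: str) -> Set[int]:
    """Extract PIDs from `ps`-style output, skipping the header line."""
    pids = set()
    for line in text.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\s", line)
        if match:
            pids.add(int(match.group(1)))
    return pids

def parse_proc_listing(entries: Iterable[str]) -> Set[int]:
    """PIDs are the purely numeric directory names under /proc."""
    return {int(name) for name in entries if name.isdigit()}

def probe_pids(max_pid: int) -> Set[int]:
    """Independent live view on POSIX: signal 0 reports whether a PID exists.
    EPERM (PermissionError) still means the process is present."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            pass
    return found

def cross_view_discrepancies(views: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """For each named view, the PIDs reported by some other view but not by it.
    An empty result means all views agree; a non-empty one merits a closer look."""
    union: Set[int] = set().union(*views.values())
    return {name: union - pids for name, pids in views.items() if union - pids}

if __name__ == "__main__":
    sample = {"ps": parse_ps_output(SAMPLE_PS), "proc": parse_proc_listing(SAMPLE_PROC)}
    print("constructed sample:", cross_view_discrepancies(sample))  # {'ps': {1337}}
    if os.path.isdir("/proc"):  # live comparison, Linux only
        live = {"proc": parse_proc_listing(os.listdir("/proc")), "probe": probe_pids(4096)}
        print("live views:", cross_view_discrepancies(live))
```

The live comparison is only a rough demonstration (processes start and exit between the two enumerations, so transient differences are expected); the value of the technique lies in a persistent entry that one view never shows.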
Hoglund and Butler position their work as different from other sources on rootkits, since such articles or books do not provide any advice on what to do after an attack. The cybersecurity experts begin their work with a definition of a rootkit that helps the reader understand their perspective on the issue. A rootkit is “a set of programs and code that allows a permanent or consistent, undetectable presence on a computer that allows access at a most basic level to a computer function” (Hoglund and Butler 1). Similar to Molina et al., Hoglund and Butler emphasize the undetectable nature of a rootkit and its access to the lowest, or most basic, privilege level. Additionally, the researchers list similar rootkit hiding techniques, such as patching and source code modification, but Hoglund and Butler add two more hidden features, Easter Eggs and spyware modifications of an infected computer.
However, the theoretical approach of the cybersecurity experts differs from that of the computer forensics specialists. Firstly, Hoglund and Butler take an offensive approach to the discussion of the problem, in contrast to the defensive one provided by Molina et al. Secondly, the digital forensics researchers describe rootkits as malicious and dangerous, while Hoglund and Butler suggest that they are “just a technology” and are not always “bad” or used by the “bad guys” (1). Unlike Molina et al., who concentrate on the categories of rootkits and detection techniques, the authors examine the area of legitimate uses of rootkits. For instance, law enforcement agencies employ rootkits to deal with computer-related crimes. Rootkits can help the military avert wars by means of a computer attack, as “it costs less, it keeps soldiers out of danger, it causes little collateral damage” (Hoglund and Butler 3). Finally, Hoglund and Butler claim that rootkits “will always have a place in our technology” (9). The authors do not offer a detection tool as Molina et al. do, because rootkits will always exist, and new software exploits will be based on logic errors rather than architectural flaws.
Conclusion
All in all, the theoretical approaches and practical implications offered by the computer forensics researchers and the cybersecurity experts deliver valuable insights into the problem of rootkits. Both works point to the undetectable nature of rootkits and their access to the lowest privilege level of the system. However, the approach by Hoglund and Butler is more effective, as it describes the legitimate uses of rootkits instead of focusing only on the negative aspects. Moreover, given the ever-changing nature of rootkits, their research remains relevant, as the authors recommend preventing logic errors in order to minimize current software exploits. In contrast, Molina et al. provide a detection tool that might become outdated as rootkit technology changes. Overall, the offensive approach by Hoglund and Butler is more applicable to future rootkit security than the traditional defensive approach by Molina et al.
Works Cited
Hoglund, Greg, and Jamie Butler. “The Basics of Rootkits.” InformIT, 2005, Web.
Molina, Daniel, et al. “Timely Rootkit Detection During Live Response.” Advances in Digital Forensics IV, edited by Indrajit Ray and Sujeet Shenoi, Springer, 2008, pp. 139–148.