What is a rootkit? A rootkit is a collection of tools and utilities that a hacker can use to hide their presence on your system and gather data to help them infiltrate further across the network. There are many different rootkits available, but they typically include tools to log keystrokes, create secret backdoor entrances for the hacker to get in, monitor packets on the network to gain information, and alter system log files and administrative tools to prevent detection.
According to An Overview of Unix Rootkits, a white paper from security firm iDefense, rootkits as we know them originated around the early 90’s, with some of the tools existing as far back as 1989. And this is just when the tools were discovered or made publicly available. They may have existed long before that in the hacker underground.
After having gained some level of access to a computer, the intruder installs a rootkit which can help him maintain his ability to access the hacked computer, help him attack the hacked computer or use it to remotely attack other computers and help to cover his tracks. Most rootkits have the ability to collect usernames and passwords giving the hacker alternate methods for entry should the username and password he is using get changed.
To maintain access the intruder will often set up multiple entry points- using different ports or protocols on the system. They may spread through the network setting up backdoors on other systems to use once the first intrusion is detected and that system gets taken offline or secured to block the intruder. Using the rootkit tools they can continue to collect new usernames and passwords from the network traffic providing multiple personas for them to adopt while surfing your network.
While accessing the hacked computer, the intruder can interact with network resources, files and systems with the same privileges as whatever username and password they are using. If they get an administrative username and password they have the keys to the vault and can basically run free. They may install various denial of service (DoS) utilities to allow them to launch attacks against other computers. The target of the DoS will see that your computer is attacking them, but will not be able to identify the individual who truly launched the attack.
