Understanding Hidden Threats: Rootkits and Botnets
Attackers are continually finding new ways to access computer
systems. The use of hidden methods such as rootkits and botnets has
increased, and you may be a victim without even realizing it.
|
What are rootkits and botnets?
A rootkit is a piece of software that can be installed and hidden
on your computer without your knowledge. It may be included in a
larger software package or installed by an attacker who has been able
to take advantage of a vulnerability on your computer or has convinced
you to download it (see Avoiding Social
Engineering and Phishing Attacks for more information). Rootkits
are not necessarily malicious, but they may hide malicious
activities. Attackers may be able to access information, monitor your
actions, modify programs, or perform other functions on your computer
without being detected.
Botnet is a term derived from the idea of bot networks. In its most
basic form, a bot is simply an automated computer program, or
robot. In the context of botnets, bots refer to computers that are
able to be controlled by one, or many, outside sources. An attacker
usually gains control by infecting the computers with a virus or other
malicious code that gives the attacker access. Your computer may be
part of a botnet even though it appears to be operating
normally. Botnets are often used to conduct a range of activities,
from distributing spam and viruses to conducting denial-of-service
attacks (see Understanding
Denial-of-Service Attacks for more information).
Why are they considered threats?
The main problem with both rootkits and botnets is that they are
hidden. Although botnets are not hidden the same way rootkits are,
they may be undetected unless you are specifically looking for certain
activity. If a rootkit has been installed, you may not be aware that
your computer has been compromised, and traditional anti-virus
software may not be able to detect the malicious programs. Attackers
are also creating more sophisticated programs that update themselves
so that they are even harder to detect.
Attackers can use rootkits and botnets to access and modify
personal information, attack other computers, and commit other crimes,
all while remaining undetected. By using multiple computers, attackers
increase the range and impact of their crimes. Because each computer
in a botnet can be programmed to execute the same command, an attacker
can have each of them scanning multiple computers for vulnerabilities,
monitoring online activity, or collecting the information entered in
online forms.
What can you do to protect yourself?
If you practice good security habits, you may reduce the risk that
your computer will be compromised:
- Use and maintain anti-virus software - Anti-virus software
recognizes and protects your computer against most known viruses, so
you may be able to detect and remove the virus before it can do any
damage (see Understanding
Anti-Virus Software for more information). Because attackers are
continually writing new viruses, it is important to keep your
definitions up to date. Some anti-virus vendors also offer
anti-rootkit software.
- Install a firewall - Firewalls may be able to prevent
some types of infection by blocking malicious traffic before it can
enter your computer and limiting the traffic you send (see Understanding
Firewalls for more information). Some operating systems actually
include a firewall, but you need to make sure it is enabled.
- Use good passwords - Select passwords that will be
difficult for attackers to guess, and use different passwords for
different programs and devices (see Choosing and
Protecting Passwords for more information). Do not choose options
that allow your computer to remember your passwords.
- Keep software up to date - Install software patches so
that attackers can't take advantage of known problems or
vulnerabilities (see Understanding
Patches for more information). Many operating systems offer
automatic updates. If this option is available, you should enable
it.
- Follow good security practices - Take appropriate
precautions when using email and web browsers to reduce the risk that
your actions will trigger an infection (see other US-CERT security
tips for more information).
Unfortunately, if there is a rootkit on your computer or an
attacker is using your computer in a botnet, you may not know it. Even
if you do discover that you are a victim, it is difficult for the
average user to effectively recover. The attacker may have modified
files on your computer, so simply removing the malicious files may not
solve the problem, and you may not be able to safely trust a prior
version of a file. If you believe that you are a victim, consider
contacting a trained system administrator.
As an alternative, some vendors are developing products and tools
that may remove a rootkit from your computer. If the software cannot
locate and remove the infection, you may need to reinstall your
operating system, usually with a system restore disk that is often
supplied with a new computer. Note that reinstalling or restoring the
operating system typically erases all of your files and any additional
software that you have installed on your computer. Also, the infection
may be located at such a deep level that it cannot be removed by
simply reinstalling or restoring the operating system.
Author: Mindi McDowell
Produced 2006 by US-CERT, a government organization. Terms of use