Is a Rootkit just a Trojan?

Mild_Manered · #1 July 16th, 2012, 03:24 PM

My "know it all" roommate said, "a Rootkit is just a Trojan". Is he right? I have read a little on rootkits, but got the impression one could be delivered and dropped by most any type of malware. Also, can't a user clean a Trojan and still have the Rootkit remain that was delivered by that Trojan?

Hungry Man · #2 July 16th, 2012, 03:38 PM

Malware rarely falls into one category anymore. A rootkit can be a trojan and vice versa.

A trojan describes malware that makes the user think it's legitimate to ge tthem to install it. A rootkit describes malware that embeds itself into the sytsem. You can have both in one.

noone_particular · #3 July 16th, 2012, 04:21 PM

Quote:

Malware rarely falls into one category anymore. A rootkit can be a trojan and vice versa.

Sadly, this has been a problem for better than 10 years. This "need" to categorize everything has confused a lot of people and resulted in duplicated and sometimes conflicting coverage being installed or worse, gaps in the coverage due to inconsistent and differing interpretations of definitions of the many terms. There never have been any "official" definitions for most of the terms. I remember an instance a few years back where an AV didn't block a specific item, saying it was adware. An adware remover didn't touch it, labelling it a trojan. The anti-trojan considered it a malicious script, outside of its intended coverage.

Mild_Manered · #4 July 16th, 2012, 05:01 PM

Great answers, so far! Even though, I am an average user and not an advanced user, my gut-feeling is telling me there is still more info to this topic. I'm sure you both have experienced a gut-feeling about something, where even though, you were not an expert, you still knew there was something missing or more info.

noone_particular · #5 July 16th, 2012, 06:05 PM

Definitely know that feeling. The simplest way I can think of to explain some of it would be like this. Trojans are malicious apps primarily for taking control of or harvesting data from anothers PC or network. Rootkit refers to code thats installed or inserted deep enough into the system that the operating system and most apps aren't aware of it being there. It's a type of install that hides the existence of the installed code. Like many things, rootkits themselves aren't malicious. On linux, they're part of the OS and serve legitimate purposes. It's what they're used for that matters. On Windows, the term rootkit has become automatically equated with malware.

Mild_Manered · #6 July 16th, 2012, 06:54 PM

noone_particular, a Rootkit is malicious-code or code that is made to be malicious? And, usually delivered by and along with a Trojan? Or, a code on top of and hides another malicious code?

noone_particular · #7 July 16th, 2012, 07:54 PM

A rootkit is a type of installation that is deeply integrated or embedded into the operating system, usually deeper than is visible to the user or the operating system itself. It's the intent of the code itself and how it's used decides if it's malicious, not whether it's a userspace install or deeply integrated into the system. Malicious rootkits and classic HIPS employ many of the same methods, but for completely opposite reasons.

Hungry Man · #8 July 16th, 2012, 08:18 PM

A rootkit is any type of malware that tries to hide itself from forms of detection. This is accomplished by getting as high rights as possible, embedding into the OS, and then intercepting programs that might reveal it.

A trojan is any type of malware that tries to trick the user into installing it by making them believe that the program is legitimate.

Mild_Manered · #9 July 16th, 2012, 08:36 PM

Got it! thanks to the different posts and this other website-def. For awhile there, I thought I was going to need to take a class in programming. LOL

"Is A Rootkit Malware?

That may be debatable. There are legitimate uses for rootkits by law enforcement or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employee's / children's computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring.
However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware."

http://netsecurity.about.com/od/freq...aq_rootkit.htm

FanJ · #10 July 16th, 2012, 10:56 PM

Quote:

Originally Posted by Mild_Manered

"Is A Rootkit Malware?

That may be debatable. There are legitimate uses for rootkits by law enforcement or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employee's / children's computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring.
However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware."

http://netsecurity.about.com/od/freq...aq_rootkit.htm

Wrong, Spector Pro and the likes (Ardamax comes to mind for example) are key-loggers (that may use rootkit technology to "hide" themselves).

Hungry Man · #11 July 16th, 2012, 11:13 PM

These terms very rarely mean all too much due to widespread misuse . In the end it's malware.

siljaline · #12 July 17th, 2012, 12:44 AM

This post and FAQ, has been a great learning tool for many. Perhaps it should be read and used in order to proceed in the discovery of what is being discussed here.

Mrkvonic · #13 July 17th, 2012, 01:33 AM

Rootkit is a fancy word for a kernel driver.
Mrk

Hungry Man · #14 July 17th, 2012, 01:35 AM

ZeroAccess has no kernel driver.

treehouse786 · #15 July 17th, 2012, 08:44 AM

Quote:

Originally Posted by Hungry Man

These terms very rarely mean all too much due to widespread misuse . In the end it's malware.

i agree

sdmod · #16 July 17th, 2012, 10:15 AM

A good coverage of rootkit on Wikipedia

Mild_Manered · #17 July 17th, 2012, 10:39 AM

sdmod, thanks for that. I can see how my roommate thought a rootkit was just a Trojan. That is not the case today or the only method used.

"The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund."

A rootkit is basically stealthy type malware, unless someone wants to really jump in and fully do the homework on it.

I just want to add. My gut-feeling earlier was not letting go until noone_particular brought up, the intent of "code". Code, being basically, "instructions" and of course, with evil intent as far as malware. That satisfied my gut-felling on this.

FanJ · #18 July 17th, 2012, 11:20 AM

Quote:

Originally Posted by Hungry Man

These terms very rarely mean all too much due to widespread misuse . In the end it's malware.

With respect to key-loggers: while I myself see them as malware, a better description is maybe PUA (Potential Unwanted Application) or PUP (Potential Unwanted Program) or something like that. And you always have to keep in mind (as has been said many times here) that your employer might have the right to have it installed on your work-computer (whether you like it or not).

Anyways, I try to stay further out of this thread that could easily lead to endless semantics discussions...

Mrkvonic · #19 July 17th, 2012, 01:27 PM

Quote:

Originally Posted by Hungry Man

ZeroAccess has no kernel driver.

OK, let's rephrase it - anything with descriptor privilege level (dpl) of 0, or 1-2 when these are degenerate, on ia architecture, the last two bits in the code segment are 00, and suchlike. So kernel access, but to what end? You can to kide yourself, manipulate kernel tables, process table, etc, this is done by something that can see a kernel space = kernel driver.

Mrk

Hungry Man · #20 July 17th, 2012, 02:31 PM

Anything that attempts to hide itself is a rootkit. Having higher privileges means you can intercept more programs.

I think that's about it - nothing fancy.

Mrkvonic · #21 July 17th, 2012, 03:48 PM

Rootkit specifically implies root = admin = big boss.
Mrk

Hungry Man · #22 July 17th, 2012, 06:56 PM

Rootkits only run on Unix? =p

Dezaxa · #23 July 18th, 2012, 07:35 AM

Of course, rootkit means something completely different if you're Australian.

RJK3 · #24 July 18th, 2012, 07:47 AM

Quote:

Originally Posted by Dezaxa

Of course, rootkit means something completely different if you're Australian.

One must always be prepared!

#25 July 18th, 2012, 09:28 AM

A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
...
The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
...
A Trojan horse, or Trojan, is a type of malware that masquerades as a legitimate file or helpful program with the ultimate purpose of granting a hacker unauthorized access to a computer.
...
The term is derived from the Trojan Horse story in Greek mythology because Trojan horses employ a form of “social engineering,” presenting themselves as harmless, useful gifts, in order to persuade victims to install them on their computers.

Sources:
http://en.wikipedia.org/wiki/Rootkit
http://en.wikipedia.org/wiki/Trojan_horse_(computing)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search