Is a Rootkit just a Trojan?

Discussion in 'malware problems & news' started by Mild_Manered, Jul 16, 2012.

Thread Status:
Not open for further replies.
  1. Mild_Manered

    Mild_Manered Registered Member

    Joined:
    Jun 16, 2012
    Posts:
    40
    Location:
    usa
    My "know it all" roommate said, "a Rootkit is just a Trojan". Is he right? I have read a little on rootkits, but got the impression one could be delivered and dropped by most any type of malware. Also, can't a user clean a Trojan and still have the Rootkit remain that was delivered by that Trojan?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Malware rarely falls into one category anymore. A rootkit can be a trojan and vice versa.

    A trojan describes malware that makes the user think it's legitimate to get them to install it. A rootkit describes malware that embeds itself into the system. You can have both in one.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Sadly, this has been a problem for better than 10 years. This "need" to categorize everything has confused a lot of people and resulted in duplicated and sometimes conflicting coverage being installed or worse, gaps in the coverage due to inconsistent and differing interpretations of definitions of the many terms. There never have been any "official" definitions for most of the terms. I remember an instance a few years back where an AV didn't block a specific item, saying it was adware. An adware remover didn't touch it, labelling it a trojan. The anti-trojan considered it a malicious script, outside of its intended coverage.
     
  4. Mild_Manered

    Mild_Manered Registered Member

    Joined:
    Jun 16, 2012
    Posts:
    40
    Location:
    usa
    Great answers so far! Even though I am an average user and not an advanced user, my gut feeling is telling me there is still more info to this topic. I'm sure you both have experienced a gut feeling about something where, even though you were not an expert, you still knew there was something missing or more info.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Definitely know that feeling. The simplest way I can think of to explain some of it would be like this. Trojans are malicious apps primarily for taking control of or harvesting data from another's PC or network. Rootkit refers to code that's installed or inserted deep enough into the system that the operating system and most apps aren't aware of it being there. It's a type of install that hides the existence of the installed code. Like many things, rootkits themselves aren't malicious. On Linux, they're part of the OS and serve legitimate purposes. It's what they're used for that matters. On Windows, the term rootkit has become automatically equated with malware.
     
  6. Mild_Manered

    Mild_Manered Registered Member

    Joined:
    Jun 16, 2012
    Posts:
    40
    Location:
    usa
    noone_particular, is a Rootkit malicious code, or code that is made to be malicious? And is it usually delivered by and along with a Trojan? Or is it code that sits on top of and hides another malicious code?
     
    Last edited: Jul 16, 2012
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A rootkit is a type of installation that is deeply integrated or embedded into the operating system, usually deeper than is visible to the user or the operating system itself. It's the intent of the code itself and how it's used that decides whether it's malicious, not whether it's a userspace install or deeply integrated into the system. Malicious rootkits and classic HIPS employ many of the same methods, but for completely opposite reasons.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    A rootkit is any type of malware that tries to hide itself from forms of detection. This is accomplished by getting as high rights as possible, embedding into the OS, and then intercepting programs that might reveal it.

    A trojan is any type of malware that tries to trick the user into installing it by making them believe that the program is legitimate.
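    A defender-side illustration of the hiding mechanism described in this post, added here as an example and not part of the thread: a hooked process-enumeration API is simulated, and a cross-view comparison against an independent listing flags whatever the hook filtered out. All process names and PIDs are constructed; nothing touches a real system.

```python
"""Cross-view rootkit detection, reduced to its core algorithm.

A hiding rootkit typically hooks the enumeration API that tools call and
drops its own entries from the result. A detector compares that (possibly
filtered) view with an independent one gathered by a different path and
reports every disagreement. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# Constructed stand-in for a low-level view (e.g. a walk of kernel structures
# or probing every PID directly rather than asking the listing API).
LOW_LEVEL_VIEW = [
    Proc(4, "System"),
    Proc(612, "svchost.exe"),
    Proc(1840, "explorer.exe"),
    Proc(2316, "updater.exe"),   # the entry the simulated hook conceals
]


def hooked_enumeration(truth, hidden_prefix="updater"):
    """Simulate a hooked process-listing API: everything passes through
    except entries matching the rootkit's (constructed) concealment rule."""
    return [p for p in truth if not p.name.startswith(hidden_prefix)]


def cross_view_diff(api_view, low_level_view):
    """Classify PIDs that appear in exactly one of the two views.

    'hidden'  : in the low-level view but missing from the API view, the
                signature of a filtering hook.
    'phantom' : reported by the API but absent from the low-level view,
                which points at a stale or tampered listing.
    Caveat: the comparison is only meaningful if the second view is gathered
    by a path the rootkit did not also hook; code running with kernel
    privileges can falsify every view consistently.
    """
    api = {p.pid: p for p in api_view}
    low = {p.pid: p for p in low_level_view}
    by_pid = lambda p: p.pid
    return {
        "hidden": sorted((low[pid] for pid in low.keys() - api.keys()), key=by_pid),
        "phantom": sorted((api[pid] for pid in api.keys() - low.keys()), key=by_pid),
    }


def scan():
    """Run the simulation: hooked API view versus the independent view."""
    return cross_view_diff(hooked_enumeration(LOW_LEVEL_VIEW), LOW_LEVEL_VIEW)
```

    Run `scan()` to see the concealed entry reported under `hidden`; with an unhooked API both lists come back empty.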
     
  9. Mild_Manered

    Mild_Manered Registered Member

    Joined:
    Jun 16, 2012
    Posts:
    40
    Location:
    usa
    Got it! Thanks to the different posts and this other website definition. For a while there, I thought I was going to need to take a class in programming. LOL

    "Is A Rootkit Malware?

    That may be debatable. There are legitimate uses for rootkits by law enforcement or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employee's / children's computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring.
    However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware."

    http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Wrong, Spector Pro and the likes (Ardamax comes to mind for example) are key-loggers (that may use rootkit technology to "hide" themselves).
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    These terms very rarely mean all too much due to widespread misuse. In the end it's malware.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    This post and FAQ has been a great learning tool for many. Perhaps it should be read and used in order to proceed in the discovery of what is being discussed here.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Rootkit is a fancy word for a kernel driver.
    Mrk
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    ZeroAccess has no kernel driver.
     
  15. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I agree :thumb:
     
  16. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    781
  17. Mild_Manered

    Mild_Manered Registered Member

    Joined:
    Jun 16, 2012
    Posts:
    40
    Location:
    usa
    sdmod, thanks for that. I can see how my roommate thought a rootkit was just a Trojan. That is not the case today or the only method used.

    "The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund."

    A rootkit is basically stealthy type malware, unless someone wants to really jump in and fully do the homework on it.

    I just want to add: my gut feeling earlier was not letting go until noone_particular brought up the intent of "code". Code being basically "instructions", and of course with evil intent as far as malware goes. That satisfied my gut feeling on this.
     
    Last edited: Jul 17, 2012
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    With respect to key-loggers: while I myself see them as malware, a better description is maybe PUA (Potential Unwanted Application) or PUP (Potential Unwanted Program) or something like that. And you always have to keep in mind (as has been said many times here) that your employer might have the right to have it installed on your work-computer (whether you like it or not).

    Anyways, I try to stay further out of this thread that could easily lead to endless semantics discussions...
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    OK, let's rephrase it - anything with descriptor privilege level (DPL) of 0, or 1-2 when these are degenerate, on IA architecture, the last two bits in the code segment are 00, and suchlike. So kernel access, but to what end? You can hide yourself, manipulate kernel tables, process table, etc. This is done by something that can see kernel space = kernel driver.

    Mrk
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Anything that attempts to hide itself is a rootkit. Having higher privileges means you can intercept more programs.

    I think that's about it - nothing fancy.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Rootkit specifically implies root = admin = big boss.
    Mrk
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Rootkits only run on Unix? =p
     
  23. Dezaxa

    Dezaxa Registered Member

    Joined:
    Sep 23, 2011
    Posts:
    6
    Of course, rootkit means something completely different if you're Australian. ;)
     
  24. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    One must always be prepared!
     
  25. guest

    guest Guest

    A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
    ...
    The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
    ...
    A Trojan horse, or Trojan, is a type of malware that masquerades as a legitimate file or helpful program with the ultimate purpose of granting a hacker unauthorized access to a computer.
    ...
    The term is derived from the Trojan Horse story in Greek mythology because Trojan horses employ a form of “social engineering,” presenting themselves as harmless, useful gifts, in order to persuade victims to install them on their computers.

    Sources:
    http://en.wikipedia.org/wiki/Rootkit
    http://en.wikipedia.org/wiki/Trojan_horse_(computing)
     