
Text 2B. How Rootkits Work


Essential Vocabulary

clue n – clue, key (to a puzzle)

convict v – to find guilty, to pronounce guilty

omit v – to leave out, to not include

pertain v – to relate to, to belong to

preclude v – to prevent, to rule out

prevent from v – to prevent, to hinder

Rootkits rely on two basic types of mechanism: those that let them avoid detection, and those that set up backdoors.

 

Hiding Mechanisms
Attackers know that discovery of their unauthorized activity on a victim system almost invariably leads to an investigation that ends with the system being patched or rebuilt. That effectively forces them to start from scratch in their efforts to gain unauthorized access to and control of the target system or, in the worst case for the attackers, gives investigators clues that can be used to identify them and ultimately convict them of wrongdoing. It is therefore to the attackers' advantage to hide every indication of their presence on victim systems. Most rootkits incorporate one or more hiding mechanisms; as a rule, the more sophisticated the rootkit, the more of these mechanisms it contains and the better they work.

The most basic type of hiding mechanism erases the log data pertaining to the attacker's logins and logouts on the victim system, so that when system administrators inspect the audit logs they see no entries reporting that the attacker logged in or out or did anything else on the system. Additionally, many rootkits delete any evidence of processes started by the attacker or by the rootkit itself: when administrators run commands or system utilities that display running processes, the names of processes started in connection with any facet of the attack (including the rootkit's own) are omitted from the output.

Rootkits may also hide files and directories the attacker has created, in a number of ways. The simplest is to replace the commands used to list directory contents with versions that exclude the attacker's files; this affects only the replaced program, so an unmodified copy of the utility, or a direct query of the kernel, still reports the truth. The more thorough approach (explained in more detail shortly) is to modify the kernel of the operating system itself so that it returns false information about the presence and function of certain files and executables; then every program that asks the kernel is lied to in the same way.

To allow backdoor access, rootkits almost always open one or more network ports on the victim system. To prevent discovery when administrators examine open ("listening") ports, many rootkits therefore also hide the status of those ports. Finally, some rootkits change what happens when certain executables are invoked by legitimate users (e.g., system administrators), so that malicious executables that superficially behave like the originals run instead.
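The three hiding tricks above (scrubbing login records, filtering processes out of `ps`, filtering a port out of `netstat`) share one weakness: each lies in a single place, and a second, independent view of the same fact exposes the lie. The following is an added example, not code from the original text, that simulates a user-mode rootkit of this kind and the "cross-view" checks that catch it. The hidden prefix `rk_`, the port 31337, the account `mallory`, the PIDs and every log line are constructed for the example; `pid_exists` and `port_is_taken` stand in for asking the kernel directly (`kill(pid, 0)` and a `bind()` attempt on a real system).

```python
"""Added example, not code from the original text: a toy user-mode rootkit
that hides a process, a listening port and audit-log lines, alongside the
cross-view checks an administrator can use to expose each trick. Every host,
account, PID, port and log line below is constructed for the example."""

HIDDEN_PREFIX = "rk_"      # assumption: process names the rootkit filters out of 'ps'
HIDDEN_PORT = 31337        # assumption: the backdoor's listening port, hidden from 'netstat'
ATTACKER_USER = "mallory"  # assumption: the account whose audit entries get scrubbed

# Constructed ground truth: what the kernel actually knows.
KERNEL_PROCESSES = {1: "init", 812: "sshd", 1420: "rk_sshd", 1503: "bash"}
KERNEL_LISTENING = {22, 80, HIDDEN_PORT}
LOCAL_AUDIT_LOG = [
    "Jan  7 03:12:01 host sshd[812]: Accepted password for alice from 10.0.0.5",
    "Jan  7 03:40:17 host sshd[812]: Accepted password for mallory from 198.51.100.7",
    "Jan  7 03:41:02 host sudo: mallory : TTY=pts/1 ; COMMAND=/usr/bin/make install",
    "Jan  7 04:05:44 host sshd[812]: Accepted password for bob from 10.0.0.9",
]
# Constructed: the same lines as forwarded to a remote syslog host before the scrub.
REMOTE_SYSLOG_COPY = list(LOCAL_AUDIT_LOG)


# --- the rootkit's view: what the administrator's own tools now report ---------
def trojaned_ps():
    """Replacement 'ps': silently drops every process carrying the hidden prefix."""
    return {pid: name for pid, name in KERNEL_PROCESSES.items()
            if not name.startswith(HIDDEN_PREFIX)}


def trojaned_netstat():
    """Replacement 'netstat -l': omits the backdoor's listening port."""
    return KERNEL_LISTENING - {HIDDEN_PORT}


def scrubbed_audit_log():
    """Log cleaner: removes every line that mentions the attacker's account."""
    return [line for line in LOCAL_AUDIT_LOG if ATTACKER_USER not in line]


# --- cross-view checks: ask the kernel directly and diff against the tool ------
def pid_exists(pid):
    """Stand-in for kill(pid, 0): the kernel answers about a PID even if 'ps' lies."""
    return pid in KERNEL_PROCESSES


def port_is_taken(port):
    """Stand-in for bind(): a port we cannot bind is in use, listed or not."""
    return port in KERNEL_LISTENING


def find_hidden_pids(reported, max_pid=4096):
    """Walk the PID space and report PIDs that exist but are missing from 'ps' output."""
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid_exists(pid) and pid not in reported)


def find_hidden_ports(reported, max_port=65535):
    """Probe every port and report ones in use but missing from 'netstat' output."""
    return sorted(port for port in range(1, max_port + 1)
                  if port_is_taken(port) and port not in reported)


def find_scrubbed_lines(local_log, remote_log):
    """Lines present on the remote log host but gone locally were erased on the box."""
    local = set(local_log)
    return [line for line in remote_log if line not in local]


def run_checks():
    """Apply all three cross-view checks against the trojaned tools' output."""
    return {
        "hidden_pids": find_hidden_pids(trojaned_ps()),
        "hidden_ports": find_hidden_ports(trojaned_netstat()),
        "scrubbed_lines": find_scrubbed_lines(scrubbed_audit_log(), REMOTE_SYSLOG_COPY),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

The checks only work because the second view comes from somewhere the rootkit did not alter: the kernel's own answer to a PID or port probe, and a log copy shipped off the host before it was cleaned. A rootkit that modifies the kernel, as the paragraph above goes on to describe, can lie to those probes too, which is why a trusted vantage point (a remote log host, or inspecting the disk from a known-good boot medium) is the part of the check that matters.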

 

Backdoor Mechanisms
Rootkits almost without exception also give attackers remote backdoor access to compromised systems. One of the most common ways of providing this access is an encrypted connection, such as a secure shell (SSH) connection, which not only gives attackers remote control over the compromised system but also encrypts the traffic so that its contents are unavailable for analysis by network-based intrusion detection systems (IDSs), intrusion prevention systems (IPSs) and network monitoring tools. Additionally, the SSH implementations bundled with rootkits require a username and password, which helps prevent anyone other than the individual or individuals who installed the rootkit from using the backdoor. Note that encryption conceals only the payload: the connection itself (its endpoints, port, timing and volume) remains visible to network monitoring, and SSH's version banner is exchanged in the clear before key exchange begins, so a listening service that answers with an SSH banner on an unexpected port is itself an indicator worth investigating.
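What a network sensor can still do with such a backdoor, as an added example that is not part of the original text: the SSH identification string ("SSH-2.0-...") is sent in cleartext before the connection is encrypted, so a sensor that records the first bytes of each server reply can recognise SSH on any port, and a baseline of approved listening ports catches services that should not exist at all. The baseline set, the addresses and the flow records below are constructed for the example.

```python
"""Added example, not from the original text: network-side spotting of an
SSH-style backdoor. The payload is encrypted after key exchange, but the flow
itself and the cleartext SSH version banner are still visible to a sensor.
The baseline and all flow records below are constructed for the example."""

# Assumption: ports this host is approved to serve, taken from an inventory.
BASELINE_PORTS = {22, 80, 443}

# Constructed flow records as a sensor might log them:
# (source IP, destination port, bytes transferred, first bytes of the server's reply)
FLOWS = [
    ("10.0.0.5",     22,    18_400, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.9",     80,     5_120, b"HTTP/1.1 200 OK\r\n"),
    ("198.51.100.7", 31337, 92_300, b"SSH-2.0-dropbear\r\n"),   # the rootkit's backdoor
    ("203.0.113.4",  443,   40_000, b"\x16\x03\x03"),           # TLS record, opaque after this
]


def is_ssh_banner(first_bytes):
    """SSH's version exchange line starts with 'SSH-' and precedes any encryption."""
    return first_bytes.startswith(b"SSH-")


def suspicious_flows(flows, baseline=BASELINE_PORTS):
    """Flag flows that speak SSH on a port other than 22, and any flow to a port
    outside the approved baseline. Returns (source, port, [reasons]) tuples."""
    findings = []
    for src, dport, _nbytes, banner in flows:
        reasons = []
        if is_ssh_banner(banner) and dport != 22:
            reasons.append("ssh-banner-on-nonstandard-port")
        if dport not in baseline:
            reasons.append("port-not-in-baseline")
        if reasons:
            findings.append((src, dport, reasons))
    return findings


if __name__ == "__main__":
    for src, dport, reasons in suspicious_flows(FLOWS):
        print(f"{src} -> :{dport}  {', '.join(reasons)}")
```

Neither check needs to decrypt anything; the lesson is that an encrypted backdoor defeats content inspection, not flow inspection. The baseline check is the stronger of the two, because an attacker can strip or alter the banner but cannot make a listening port disappear from the wire.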

 

Task 9. Translate the following word combinations:

To avoid detection; start from scratch; unauthorized activity; to gain unauthorized access; the most basic type of hiding mechanism; to provide false information; legitimate users; compromised system; in a number of ways; to encrypt information; intrusion detection systems; intrusion prevention systems; network monitoring tools.

 

Task 10. Finish the following sentences without looking at the text:

1. Rootkits work using two basic types of …

2. Most rootkits incorporate one or more …




Date added: 2015-01-07



