[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

US-CERT Cyber Security Tip ST06-001 -- Understanding Hidden Threats: Rootkits and Botnets

Hash: SHA1

		     National Cyber Alert System
		     Cyber Security Tip ST06-001

Understanding Hidden Threats: Rootkits and Botnets

   Attackers are continually finding new ways to access computer systems. The
   use of hidden methods such as rootkits and botnets has increased, and you
   may be a victim without even realizing it.

What are rootkits and botnets?

   A rootkit is a piece of software that can be installed and hidden on your
   computer without your knowledge. It may be included in a larger software
   package or installed by an attacker who has been able to take advantage of a
   vulnerability on your computer or has convinced you to download it (see
   Avoiding Social Engineering and Phishing Attacks for more information).
   Rootkits  are  not  necessarily malicious, but they may hide malicious
   activities.  Attackers may be able to access information, monitor your
   actions,  modify programs, or perform other functions on your computer
   without being detected.

   Botnet is a term derived from the idea of bot networks. In its most basic
   form,  a bot is simply an automated computer program, or robot. In the
   context of botnets, bots refer to computers that are able to be controlled
   by one, or many, outside sources. An attacker usually gains control by
   infecting the computers with a virus or other malicious code that gives the
   attacker  access. Your computer may be part of a botnet even though it
   appears to be operating normally. Botnets are often used to conduct a range
   of  activities,  from  distributing  spam  and  viruses  to conducting
   denial-of-service attacks (see Understanding Denial-of-Service Attacks for
   more information).

Why are they considered threats?

   The main problem with both rootkits and botnets is that they are hidden.
   Although botnets are not hidden the same way rootkits are, they may be
   undetected unless you are specifically looking for certain activity. If a
   rootkit has been installed, you may not be aware that your computer has been
   compromised, and traditional anti-virus software may not be able to detect
   the malicious programs. Attackers are also creating more sophisticated
   programs that update themselves so that they are even harder to detect.

   Attackers  can  use rootkits and botnets to access and modify personal
   information, attack other computers, and commit other crimes, all while
   remaining undetected. By using multiple computers, attackers increase the
   range and impact of their crimes. Because each computer in a botnet can be
   programmed to execute the same command, an attacker can have each of them
   scanning multiple computers for vulnerabilities, monitoring online activity,
   or collecting the information entered in online forms.

What can you do to protect yourself?

   If you practice good security habits, you may reduce the risk that your
   computer will be compromised:
     * Use and maintain anti-virus software - Anti-virus software recognizes
       and protects your computer against most known viruses, so you may be
       able to detect and remove the virus before it can do any damage (see
       Understanding  Anti-Virus  Software for more information). Because
       attackers are continually writing new viruses, it is important to keep
       your  definitions  up  to date. Some anti-virus vendors also offer
       anti-rootkit software.
     * Install a firewall - Firewalls may be able to prevent some types of
       infection  by  blocking malicious traffic before it can enter your
       computer and limiting the traffic you send (see Understanding Firewalls
       for  more  information). Some operating systems actually include a
       firewall, but you need to make sure it is enabled.
     * Use  good  passwords - Select passwords that will be difficult for
       attackers to guess, and use different passwords for different programs
       and  devices  (see  Choosing  and  Protecting  Passwords  for more
       information). Do not choose options that allow your computer to remember
       your passwords.
     * Keep software up to date - Install software patches so that attackers
       can't  take  advantage  of  known problems or vulnerabilities (see
       Understanding Patches for more information). Many operating systems
       offer automatic updates. If this option is available, you should enable
     * Follow good security practices - Take appropriate precautions when using
       email and web browsers to reduce the risk that your actions will trigger
       an infection (see other US-CERT security tips for more information).

   Unfortunately, if there is a rootkit on your computer or an attacker is
   using  your  computer in a botnet, you may not know it. Even if you do
   discover that you are a victim, it is difficult for the average user to
   effectively recover. The attacker may have modified files on your computer,
   so simply removing the malicious files may not solve the problem, and you
   may not be able to safely trust a prior version of a file. If you believe
   that you are a victim, consider contacting a trained system administrator.

   As an alternative, some vendors are developing products and tools that may
   remove a rootkit from your computer. If the software cannot locate and
   remove the infection, you may need to reinstall your operating system,
   usually  with  a system restore disk that is often supplied with a new
   computer. Note that reinstalling or restoring the operating system typically
   erases all of your files and any additional software that you have installed
   on your computer. Also, the infection may be located at such a deep level
   that it cannot be removed by simply reinstalling or restoring the operating

     Author: Mindi McDowell

     Produced 2006 by US-CERT, a government organization.

     Note: This tip was previously published and is being
     re-distributed to increase awareness.

     Terms of use


     This document can also be found at


     For instructions on subscribing to or unsubscribing from this
     mailing list, visit 

Version: GnuPG v1.4.5 (GNU/Linux)


[Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Video for Linux]     [Bugtraq]     [USB]     [Fedora Security]

Add to Google Powered by Linux