Rising Kaka Security Forum

[Computer Vocabulary] What every computer user must guard against --- Rootkit
fightout - 2006-3-3 23:49:00
Heh, I have a request: I will first introduce what a Rootkit is, and once someone has translated it, I will go on to introduce its functions, uses, types and removal methods.
A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

The rootkit concept is the dominant controversial aspect of the 2005 Sony CD copy protection controversy, which has made the previously obscure concept of a rootkit much more widely known in the technology community, and to the general public.
toshiakiw - 2006-3-4 12:05:00
A Rootkit is a set of software tools frequently used by a third party (usually an intruder) after obtaining the right to use a computer system.
These tools deliberately hide running programs, files or system data, to help the intruder maintain use of the system without the user's knowledge.
Rootkits are well known to exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows.

The rootkit concept was the dominant controversial aspect of the 2005 Sony CD copy-protection debate, which made the previously obscure concept of a rootkit much more widely known in the technology community and to the general public.
fightout - 2006-3-5 1:02:00
Quote:
[toshiakiw's post] A Rootkit is a set of software tools frequently used by a third party (usually an intruder) after obtaining the right to use a computer system.
...
...........................


Well done! Thank you.
Now, the next part:

Functions of a rootkit

    A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are counted as trojan horses.

Uses of rootkits

    A rootkit is often used to hide utilities used to abuse a compromised system. These often include so called "backdoors" to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems the compromised system communicates with such as sniffers and keyloggers. A common abuse is to use a compromised computer as a staging ground for further abuse. This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks.

endurer - 2006-3-7 20:40:00
Thanks...

Study....
fightout - 2006-3-9 23:43:00
Quote:
[endurer's post] Thanks...

Study....
...........................


Why not have a try?
幽侠 - 2006-3-11 2:14:00
Feels like masters sparring with each other.
和弦外音 - 2006-3-12 10:40:00
me too!
迷惘的电脑迷 - 2006-3-16 16:45:00
Let me have a try.
A rootkit is typically something that hides log files, processes and files, including software that steals data from terminals, network connections and the keyboard. Rootkits are usually regarded as trojan horse programs.
A rootkit is usually used in the role of hiding the traces of damage on an intruded computer. Such "backdoors" help the intruder obtain use of the computer system more easily. For example, after the intruder connects to the intruded computer system, the rootkit can hide applications wrapped in a shell! Kernel rootkits may contain the same functions,
A "backdoor" can allow unauthorised users to execute programs that only the superuser can execute. All other useful destructive tools can be hidden while rootkits are running. Such tools let the intruder attack computers connected to SNIFFERS and KEYLOGGERS more effectively. The usual use is to make the intruded computer a platform for more effective attacks later. Such tools can also make the intruder look more like the computer's user than an intruder.
Such tools include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam attacks.

Since my computer expertise is limited, errors are unavoidable; I welcome the masters to criticise and correct. Thanks.
What matters is learning, not being right or wrong.
fightout - 2006-3-17 13:08:00
Well, thank you very much for taking great trouble to make us know something about how a rootkit, a kind of trojan horse, works. It is sure to help us to protect our computers from the attacks against which you have just warned us.

fightout - 2006-3-17 13:13:00
Now, I suppose, many members here might be interested in what the following is about.

Types of rootkits
Basic types
Rootkits come in two different flavours, kernel and application level kits. Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. Kernel rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect.

Examples
FU Rootkit
SuckIT
T0rn
Ambient's Rootkit (ARK)
Hacker Defender
...

***I just expect another member to help us out. Thank you first
欧虫 - 2006-3-17 14:31:00
I can help myself out :), but translating it is much harder than flying high in the sky.

迷惘的电脑迷 - 2006-3-18 0:16:00
Rootkits are usually divided into two categories, kernel rootkits and application rootkits. Kernel-level rootkits add extra code, or replace part of the kernel code with modified kernel code, to help hide a "backdoor" on the computer system. This process is often accomplished by adding new code to the kernel through driver settings or downloaded modules, like driver settings in Linux or downloaded modules in Microsoft Windows. Kernel rootkits usually use patches, hooks, or replace system instructions to hide the intruder's information. Application-level rootkits replace programs with trojan-disguised fakes, or use hooks, patches, injected code or other means to modify the execution results of existing applications. Kernel rootkits are extremely dangerous and also very hard to delete.
I am not talented; I hope the master FIGHTOUT can give the correct answer for everyone's reference.
fightout - 2006-3-18 15:05:00
Quote:
[迷惘的电脑迷's post]
I am not talented; I hope the master FIGHTOUT can give the correct answer for everyone's reference.
...........................


Actually, you are better at translating things about computers than I am. Thank you for your translation.
欧虫 - 2006-3-18 20:37:00
Quote:
[fightout's post]

Actually, you are better at translating things about computers than I am. Thank you for your translation.
...........................


At first I translated kernel rootkits myself as kernel-level rootkits, and application rootkits as application-level rootkits (though I looked it up later, and some people call them trojans).

Also, in many places above, kernel can be understood as the system kernel.

Let me correct one place here:
such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. The friend above just reversed this; it should be: for example, loadable modules in Linux and device drivers in Windows.
fightout - 2006-3-18 20:51:00
Quote:
[欧虫's post]

At first I translated kernel rootkits myself as kernel-level rootkits, and application rootkits as application-level rootkits (though I looked it up later, and some people call them trojans).

Also, in many places above, kernel can be understood as the system kernel.

Let me correct one place here:
such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. The friend above just reversed this; it should be: for example, loadable modules in Linux and device drivers in Windows.

...........................



Thank you.
Now, I suppose some members might be interested in how to detect rootkits, and I'd like to offer a description of it. When it has been translated, you'll be told how to remove rootkits.



Detecting rootkits
There are inherent limitations to any program that attempts to detect rootkits while those programs are running under the suspect system. Rootkits are suites of programs which modify many of the tools and libraries upon which all programs on the system depend. Some rootkits modify the running kernel (through loadable modules on Linux and many other forms of UNIX, and possibly through VxDs, virtual external drivers, on MS Windows platforms). The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers.

The best and most reliable method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from an alternative media (e.g. rescue CD-ROM, USB-stick). A non-running rootkit cannot hide its presence and most established antivirus programs will identify rootkits armed via standard OS calls (which are supposedly doctored by the rootkit) and lower level queries, which ought to remain reliable. If there is a difference the presence of a rootkit infection can be assumed. Rootkits try to protect themselves by monitoring running processes and suspending their activity until the scanning has finished as non-stealthy malware will not be identified by rootkit scanners.

Security vendors envision a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to hide during the scan process, it will be identified by the stealth detector. If it decides to temporarily unload from the system, the traditional antivirus will find it using fingerprint detection. This combined defence may force attackers to implement counter-attack mechanisms (so called retro routines) in their rootkit code that will forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses the detection and elimination of rootkits will be an ongoing struggle between the creators of the tools on both sides of this conflict.

There are several programs available to detect rootkits. On Unix based systems two of the most popular of these are chkrootkit and rkhunter. For the Windows platform a free for personal use stealth scanner, named Blacklight, is available in beta on F-Secure's website. Another Windows detector is Rootkit Revealer from Sysinternals. It will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself. However, some rootkits have started to add this particular program to a list of files they do not hide from. So in essence, by removing the differences between the two listings, the detector doesn't report them. However, renaming the rootkitrevealer.exe filename to a random name defeats this. These features are also included in the latest Rkdetector release.
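The types post above says kernel rootkits hook or replace system calls so that the listing a program asks for omits the attacker's processes, and this detection post says the reliable check is to compare the OS-reported view with a lower-level one that the hook does not cover (the Rootkit Revealer approach). The Python script below is an added example, not code from the thread or from any of the tools it names. It applies that cross-view idea to processes on Linux: the high-level view is the /proc directory listing that ps uses, the low-level view is a probe of every possible PID with kill(pid, 0), thread IDs (which are legitimately absent from the listing) are filtered out through /proc/<pid>/status, and a PID is only reported if it is hidden in every one of several passes, so a process that exited between two snapshots is not flagged. The PID sets at the top are constructed for the stand-alone run; the live collector assumes a Linux /proc. As the post warns, a rootkit that also hooks the signal path or the status files can defeat an in-system check, so a clean result is evidence, not proof.

```python
"""Cross-view process check (added example, not from the thread).

High-level view: numeric entries of /proc (what ps/top enumerate).
Low-level view:  kill(pid, 0) for every PID up to pid_max, which asks the
kernel whether the PID exists without sending a signal.
A PID that answers the probe but is missing from the listing is suspicious.
The diff logic is generic (file listings, loaded modules, registry keys);
only the two collectors are Linux-specific.
"""
import os
import sys
from typing import Iterable, List, Optional, Set

# Constructed sample views for the stand-alone run (not real PIDs).
SAMPLE_API_VIEW = [1, 2, 120, 3350]
SAMPLE_RAW_VIEW = [1, 2, 120, 3350, 4242]


def cross_view_diff(api_view: Iterable[int], raw_view: Iterable[int]) -> Set[int]:
    """Items present in the low-level view but absent from the API view."""
    return set(raw_view) - set(api_view)


def persistent_hidden(passes: Iterable[Set[int]]) -> Set[int]:
    """Keep only PIDs hidden in every pass: a process that exited between the
    two snapshots of one pass shows up once, a hidden process shows up every time."""
    samples: List[Set[int]] = list(passes)
    if not samples:
        return set()
    result = set(samples[0])
    for sample in samples[1:]:
        result &= sample
    return result


def listed_pids() -> Set[int]:
    """High-level view: the PIDs that the /proc listing admits to."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max: int) -> Set[int]:
    """Low-level view: kill(pid, 0) reports existence without signalling.
    PermissionError also means the PID exists (we just may not signal it).
    Takes a few seconds per pass when pid_max is 4194304."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def thread_group_id(pid: int) -> Optional[int]:
    """Tgid from /proc/<pid>/status, or None if the kernel will not show it."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def scan_linux(passes: int = 3) -> Set[int]:
    """Run the cross-view check `passes` times and return the persistent hidden PIDs."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read().strip())
    samples: List[Set[int]] = []
    for _ in range(passes):
        raw = probed_pids(pid_max)
        api = listed_pids()
        # Non-leader threads answer kill() but are not listed in /proc; they are
        # only benign if their thread group leader is listed. A PID whose status
        # file is unreadable (Tgid None) stays suspicious.
        suspicious = {pid for pid in cross_view_diff(api, raw) if thread_group_id(pid) not in api}
        samples.append(suspicious)
    return persistent_hidden(samples)


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        hidden = scan_linux()
        print("suspicious pids:", sorted(hidden) if hidden else "none")
    else:
        print("live scan is Linux-only; constructed sample yields",
              cross_view_diff(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW))
```

Run it as root so the probe is not limited by signal permissions; on a clean system it should print "none". Any PID it does report should then be examined from the outside (the rescue-media approach the post recommends), since the in-system evidence is only as good as the parts of the kernel the rootkit left alone.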
fightout - 2006-3-18 20:58:00
Well, the next post is "Removing rootkits".
Interested?
逸仙宝宝 - 2006-3-18 23:16:00
I can't understand it.
fightout - 2006-3-19 12:07:00
Come here often. It will be translated by someone here sooner or later.
茶农 - 2006-3-19 13:28:00
Learned something.
fightout - 2006-3-19 13:32:00
Quote:
[茶农's post] Learned something.
...........................


Welcome here.
快乐小白 - 2006-3-20 12:55:00
Brilliant! Truly brilliant!
御剑天下 - 2006-3-21 14:52:00
Quote:
[迷惘的电脑迷's post] Such tools include denial-of-service attack tools, tools to relay chat sessions, and .
...........................


denial-of-service attack refers to a "denial of service" attack
relay chat sessions refers to network communication based on the IRC protocol
e-mail spam attacks refers to mail-bomb attacks
网络笨羊 - 2006-3-21 16:38:00
I only half understand English. Ashamed!
endurer - 2006-3-22 22:33:00
Quote:
[fightout's post] Well, the next post is "Removing rootkits".
Interested?
...........................


Where?
yingqin - 2006-3-23 16:24:00
Can I ask you a question: did you study Computer or
IT in another country?
fightout - 2006-4-2 20:06:00
Quote:
[yingqin's post] Can I ask you a question: did you study Computer or
IT in another country?

...........................


I have never been abroad. But do I have the right to use English?
fightout - 2006-4-2 20:07:00
Removing rootkits
There is a body of opinion that holds this to be forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch. "I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt this is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat. This is so even if the rootkit is very well known and can be removed 100%." Rootkit Question

There is a way to delete a rootkit using another filesystem driver when the system is online. Rkdetector v2.0 implements a way to wipe hidden files when the system is running using its own NTFS and FAT32 filesystem driver. Once erased and after a system reboot, rootkit files will not be loaded because data contained is corrupted.
strange - 2006-5-1 12:57:00
Put simply, a "rootkit" is a kind of backdoor. Early computer intruders, after successfully seizing control of a system, hoped for a technique that would let them re-enter the controlled system whenever they wished, and so the "system backdoor" appeared.

  And "rootkit" originally referred to a kind of backdoor program in Linux and Unix (there seems to be no unified Chinese translation domestically). It replaces some of the normal commands in the system with backdoor programs, while those programs keep the normal functions of the programs they replace. Now this kind of backdoor also exists on the WINDOWS platform; as long as you run one of those replaced programs, it is equivalent to running the backdoor program.

  For example: in the system's C:\WINDOWS\system32 folder there are many executable files with the extension "EXE". An intruder only needs to replace some commonly used programs, such as the calculator or the paint program, with backdoor programs that do not affect the user's normal use, and the user will probably never discover what the intruder has done.


  For ordinary users, with this kind of technique, finding all the malicious programs is often very difficult, and a clean removal cannot be guaranteed. So the best method is -- reinstall the system.


    The above is what I know. I add it here in the hope that it helps everyone.
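strange's post and the earlier "Detecting rootkits" post come down to the same check: a replaced binary keeps its name and its visible behaviour, so only comparing the bytes on disk against a record from a known-clean install reveals it, and the comparison has to be made from outside the suspect system (booted from rescue media, with the disk mounted read-only), because a running, possibly rooted, OS can serve the original bytes to a reader while executing the trojanised file. The Python script below is an added example, not code from the thread or from any tool it names. It stores a baseline in the sha256sum(1) line format so the clean baseline can be produced with that standard tool, rehashes a tree, and reports modified, missing and added files. The system32/calc.exe, mspaint.exe and helper.dll files in demo() are constructed stand-ins written to a temporary directory, not real Windows binaries. The script does not decide which changes are legitimate updates; the baseline's date and the patch history are what settle that.

```python
"""Offline file-integrity check (added example, not from the thread).

Usage on rescue media:  python integrity_check.py baseline.sha256 /mnt/suspect
With no arguments it runs demo(), a constructed swapped-binary scenario.
"""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each regular file below root (relative path, '/' separators) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree cannot stand in for content."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hash  path' lines as written by sha256sum (a leading '*' marks binary mode)."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        manifest[path.lstrip("*")] = digest.lower()
    return manifest


def format_manifest(manifest: Dict[str, str]) -> str:
    """Write a manifest back out in sha256sum's 'hash  path' format."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """'modified' is the replaced-binary case the thread describes; 'added' catches
    dropped tools; 'missing' catches deleted logs or removed files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean tree, a baseline, then one 'binary' swapped
    for different contents under the same name and one new file dropped in."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        for name, body in (("system32/calc.exe", b"clean calc"),
                           ("system32/mspaint.exe", b"clean paint")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        # Round-trip through the text format, as a real baseline file would be.
        baseline = parse_manifest(format_manifest(build_manifest(root)))
        with open(os.path.join(root, "system32/calc.exe"), "wb") as fh:
            fh.write(b"backdoored calc")          # same name, same "normal" use, new bytes
        with open(os.path.join(root, "system32/helper.dll"), "wb") as fh:
            fh.write(b"dropped tool")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            report = compare_manifests(parse_manifest(fh.read()), build_manifest(sys.argv[2]))
    else:
        report = demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:8s} {path}")
```

Record the baseline right after a clean install (`sha256sum` over the system directories, or `format_manifest(build_manifest(...))` from this script) and keep it off the machine; a baseline stored on the same disk is just one more file the intruder can rewrite.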
fightout - 2006-9-1 20:29:00
Quote:
[strange's post] Put simply, a "rootkit" is a kind of backdoor. Early computer intruders, after successfully seizing control of a system, hoped for a technique that would let them re-enter the controlled system whenever they wished, and so the "system backdoor" appeared.

  And "rootkit" originally referred to a kind of backdoor program in Linux and Unix (there seems to be no unified Chinese translation domestically). It replaces some of the normal commands in the system with backdoor programs, while those programs keep the normal functions of the programs they replace. Now this kind of backdoor also exists on the WINDOWS platform; as long as you run one of those replaced programs, it is equivalent to running the backdoor program.

  For example: in the system's C:\WINDOWS\system32 folder there are many executable files with the extension "EXE". An intruder only needs to replace some commonly used programs, such as the calculator or the paint program, with backdoor programs that do not affect the user's normal use, and the user will probably never discover what the intruder has done.


  For ordinary users, with this kind of technique, finding all the malicious programs is often very difficult, and a clean removal cannot be guaranteed. So the best method is -- reinstall the system.


    The above is what I know. I add it here in the hope that it helps everyone.
………………


Impressive!
engine119 - 2006-9-20 22:15:00
Thanks to fightout, expecting more.