Windows rootkits 101

by Michael Mullins, CCNA (Cisco Certified Network Associate), MCP (Microsoft Certified Professional)

Translation: endurer, 2006-08-16, 1st edition

Keywords: Microsoft Windows | Flaws | Security threats | Hacking

English source: http://articles.techrepublic.com.com/5100-1009_11-6104304.html?tag=nl.e030


Takeaway:
When administrators and security professionals hear the word rootkit, many think first of a UNIX-based system. But the fact is that Windows rootkits do exist, and you need to be able to detect them. Get the details from Mike Mullins in this edition of Security Solutions.


--------------------------------------------------------------------------------


When administrators and security professionals hear the word rootkit, most think first of a UNIX-based system. Unfortunately, this only leads to a false sense of security for Windows-based systems. The fact is that Windows rootkits do exist, and you need to be able to detect them.

What is a rootkit?

To clarify, a rootkit is not an exploit—it's the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems run programs and processes in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus (strictly speaking, remote-access Trojans) operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit's existence if they have a signature file.

A kernel-mode rootkit, on the other hand, is remarkably different, and much more powerful and elusive. Kernel-mode rootkits run with the privileges of the operating system itself, so they have total control over it and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system's Application Programming Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit's files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that forms a "fingerprint" unique to a particular rootkit. However, because the rootkit hides its files by intercepting the calls the detection software makes, a scanner that enumerates the file system through the hooked API may never read the very file it is looking for, which limits how successful signature-based detection can be.

Heuristic/behavior-based detection: This method works by identifying deviations from the operating system's normal patterns or behaviors. For example, a system with a 200-GB hard drive that reports 160 GB of files but only 15 GB of free space has 25 GB in use that no visible file accounts for; a discrepancy of that kind is what this method flags as a possible rootkit.
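The hooking described above (the rootkit sitting between the operating system's API and user programs, editing directory listings) and the two detection approaches in this section, as an added example that is not part of Mullins' article: a portable C simulation in which the "API table" is an ordinary function-pointer struct rather than a real kernel structure such as the SSDT or a process's import address table. The file names, sizes, the volume figures (taken from the 200/160/15 GB example) and the "EVILHOOK" byte signature are all constructed for the demonstration; the rootkit's file is on the volume in both runs, and only the hook changes between them.

```c
/* Added example, not from the original article: a portable user-space
 * simulation of a rootkit hooking an OS API table to hide its file, plus the
 * article's two detection approaches. Real Windows rootkits patch kernel
 * structures such as the SSDT or a process's import address table; here the
 * "API table" is a function-pointer struct so the program runs anywhere. */
#include <stdio.h>
#include <string.h>

struct file { const char *name; const char *data; unsigned size_gb; };

/* Constructed raw data set (what is really on the volume); the third entry
 * plays the hypothetical rootkit driver. Volume stats use the article's
 * numbers: 200 GB total, 15 GB free, so 185 GB are in use whatever a listing
 * says. */
static const struct file raw_fs[] = {
    { "notepad.exe", "MZ ordinary program", 100 },
    { "report.docx", "PK user document",     60 },
    { "_root_.sys",  "MZ EVILHOOK payload",  25 },
};
#define RAW_COUNT (sizeof raw_fs / sizeof raw_fs[0])
static const unsigned vol_total_gb = 200, vol_free_gb = 15;

/* The API table: user programs reach the file system only through it. */
typedef size_t (*list_dir_fn)(const struct file **out, size_t max);
static size_t real_list_dir(const struct file **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < RAW_COUNT && n < max; i++) out[n++] = &raw_fs[i];
    return n;
}
static struct { list_dir_fn list_dir; } api = { real_list_dir };

/* Rootkit side: swap the table entry for a filter that calls the original
 * and drops the rootkit's own files, so every caller sees the edited view. */
static list_dir_fn saved_list_dir;
static size_t hooked_list_dir(const struct file **out, size_t max)
{
    size_t n = saved_list_dir(out, max), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i]->name, "_root_", 6) != 0) out[kept++] = out[i];
    return kept;
}
static void set_hook(int on)
{
    if (on && !saved_list_dir) { saved_list_dir = api.list_dir; api.list_dir = hooked_list_dir; }
    if (!on && saved_list_dir) { api.list_dir = saved_list_dir; saved_list_dir = NULL; }
}

/* Detection side. Every check below enumerates through api.list_dir, as a
 * user-mode scanner must; only the data it compares against differs. */
static int has_signature(const char *data, const char *sig)
{
    size_t n = strlen(data), m = strlen(sig);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(data + i, sig, m) == 0) return 1;
    return 0;
}

struct report { int sig_hits; unsigned unaccounted_gb; int hidden; };

/* Run the three checks with or without the hook installed. */
struct report run_demo(int with_rootkit)
{
    const struct file *seen[RAW_COUNT];
    struct report r = { 0, 0, 0 };
    unsigned listed = 0;

    set_hook(with_rootkit);
    size_t n = api.list_dir(seen, RAW_COUNT);

    /* Signature-based: a byte pattern unique to the rootkit, but only in the
     * files the (possibly hooked) API still lets us see. */
    for (size_t i = 0; i < n; i++) {
        if (has_signature(seen[i]->data, "EVILHOOK")) r.sig_hits++;
        listed += seen[i]->size_gb;
    }
    /* Heuristic: used space the volume reports versus what the listed files
     * add up to; an unexplained gap is the article's 200/160/15 GB symptom. */
    unsigned used = vol_total_gb - vol_free_gb;
    r.unaccounted_gb = used > listed ? used - listed : 0;

    /* Cross-view: compare the API's answer with the raw data set read without
     * the API (what RootkitRevealer-style tools do with on-disk structures). */
    for (size_t i = 0; i < RAW_COUNT; i++) {
        int visible = 0;
        for (size_t j = 0; j < n; j++) if (seen[j] == &raw_fs[i]) visible = 1;
        r.hidden += !visible;
    }
    set_hook(0);
    return r;
}

int main(void)
{
    for (int k = 0; k < 2; k++) {
        struct report r = run_demo(k);
        printf("%-15s signature hits=%d unaccounted=%u GB cross-view hidden=%d\n",
               k ? "rootkit hooked:" : "clean:", r.sig_hits, r.unaccounted_gb, r.hidden);
    }
    return 0;
}
```

Compiled and run as is, it prints one line for the clean view and one with the hook installed: the signature scan, which enumerates through the hooked API, finds nothing once the hook is in place, while the space accounting shows 25 GB in use that no listed file explains and the cross-view comparison counts the hidden entry. The production analogue of the cross-view check is reading the on-disk structures directly and diffing the result against what the API returns, which is how tools of the RootkitRevealer generation worked; a kernel-mode rootkit that also hooks raw volume reads defeats it, which is why scanning the disk offline, booted from clean media, is the stronger check.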

Rootkits are hard to detect. But there are programs, some of them free and from reputable companies such as F-Secure and Sysinternals (F-Secure BlackLight and Sysinternals RootkitRevealer, for instance), that help you detect their presence on your systems. Microsoft has even stepped up to the plate with its Malicious Software Removal Tool, designed to detect and remove Windows rootkits.

Final thoughts
If you discover that someone has compromised your machine, it is vital that you take the necessary steps to find out whether the attacker has installed a rootkit, and then eliminate the threat. Applying vulnerability patches after someone has installed a rootkit on your machine closes only the hole the attacker originally came in through; the rootkit itself is now a hole in your network, and it stays open until the system is cleaned, in practice by rebuilding it from known-good media.
