
Research And Implementation On Detecting Rootkits Real Time And Recovering System Automatically

Posted on: 2007-08-23
Degree: Master
Type: Thesis
Country: China
Candidate: R Z Yan
Full Text: PDF
GTID: 2178360185954107
Subject: Computer software and theory

Abstract/Summary:
Rootkits are used by attackers after compromising a computer system. They help attackers maintain root access to the system and conduct malicious activities. Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows.

Rootkits are classified into application-level rootkits and kernel-level rootkits according to the level of the operating system they subvert. Application-level rootkits modify system files at the user level and can be prevented easily. Kernel-level rootkits attack the kernel of the operating system and are more powerful than application-level ones; they are very difficult to detect.

The majority of existing rootkit-detection tools can only detect application-level rootkits, and only a few can detect certain kinds of kernel-level rootkits. All existing tools require system administrators to start them manually. There is currently no effective method to restore a system automatically: once a system is attacked by kernel-level rootkits, it must be restarted, or even the whole operating system reinstalled, to return it to a normal state.

In this thesis, a method is proposed to detect rootkits in real time and restore the system automatically. It is implemented as the Anti-Rootkit system on the Linux platform. Anti-Rootkit itself can resist attack by rootkits. Anti-Rootkit is effective not only against existing rootkits but also against rootkits that may emerge in the future. Experimental results indicate that Anti-Rootkit can detect various kinds of typical rootkits and recover the system automatically.

In addition, typical rootkits and the principles behind rootkits are analysed in depth. Besides the attack methods used by rootkits so far, methods that rootkits are likely to use in the future are also analysed.
Keywords/Search Tags: Rootkit, Linux, Loadable kernel module, Operating system kernel, System call