Linux Rootkits Hard to Detect

First of all, what is a rootkit?

A collection of software that runs on a compromised machine and tries to hide from the user and administrator while preserving the attacker's access to that machine.

It does this by running with root privileges and, in the kernel-mode variety, inside the operating system kernel itself. In Linux 'root' is the administrator account.

Once an attacker has root, a rootkit can hook the kernel's system calls, for example the calls that list directories and processes, so that everything the system reports about itself passes through the attacker's code. That is what lets the software hide itself, its files and its processes in the Linux system. Root is the prerequisite here, not the prize: the rootkit keeps the access that was already obtained.

I am not going to tell you how to create rootkits, as there are many people on the Internet who have done so and show you what they have done.

Marcus Hodges gave a one-hour presentation at Thotcon on how to hide from the operating system by hijacking operating system calls, which is the technique the rootkit is then built on.

Once system calls are hijacked, the attacker can create hidden areas on the file system in which to stow tools and stay quiet until further objectives are to be pursued.
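Since this page is about how hard rootkits are to detect rather than how to write one, the following is an added example of a detection check, not code from the original post or from the Thotcon talk. It assumes a Linux host with /proc mounted and relies on a mismatch the hiding trick itself creates: a rootkit that filters getdents64() can drop a PID from the /proc listing that ps, top and ls depend on, but kill(pid, 0) takes a different path into the kernel and still answers for that PID. The program compares the two views. The Tgid check on /proc/<pid>/status is there because thread IDs are never listed in /proc yet do answer to kill(), which is the classic false positive of this technique; the re-check after a fresh listing covers processes that exit between the two views.

```c
/* Added example: cross-check two kernel views of the process table to find
 * PIDs that exist but are missing from the /proc directory listing. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum pid_state { PID_ABSENT, PID_VISIBLE, PID_THREAD, PID_HIDDEN };

/* Upper bound of the PID space; falls back to the classic default if
   /proc/sys/kernel/pid_max cannot be read. */
static long read_pid_max(void) {
    long pid_max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &pid_max) != 1) pid_max = 32768;
        fclose(f);
    }
    return pid_max;
}

/* View 1: the /proc listing as readdir()/getdents64 reports it.
   Sets seen[pid] = 1 for every numeric entry below cap. */
static void list_proc(unsigned char *seen, long cap) {
    DIR *d = opendir("/proc");
    if (!d) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*e->d_name && *end == '\0' && pid > 0 && pid < cap) seen[pid] = 1;
    }
    closedir(d);
}

/* View 2: does the kernel admit the PID exists? Signal 0 delivers nothing;
   success or EPERM both mean a process is there, ESRCH means it is not. */
static int pid_exists(pid_t pid) {
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* Tgid from /proc/<pid>/status, or -1 if the file cannot be read.
   A Tgid different from the pid means "thread", not "hidden process". */
static long read_tgid(pid_t pid) {
    char path[64], line[256];
    long tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid;
}

/* The comparison itself, side-effect free so it can be tested with
   constructed inputs: listed = readdir view, exists = kill() view. */
static enum pid_state classify(pid_t pid, int listed, int exists, long tgid) {
    if (listed) return PID_VISIBLE;
    if (!exists) return PID_ABSENT;
    if (tgid > 0 && tgid != pid) return PID_THREAD;  /* thread of a listed process */
    return PID_HIDDEN;                                /* alive, unlisted, not a thread */
}

/* Is this PID in the readdir() view right now? */
static int pid_visible_in_proc(pid_t pid) {
    long pid_max = read_pid_max();
    if (pid <= 0 || pid > pid_max) return 0;
    unsigned char *seen = calloc((size_t)pid_max + 1, 1);
    if (!seen) return 0;
    list_proc(seen, pid_max + 1);
    int visible = seen[pid];
    free(seen);
    return visible;
}

/* Scan the whole PID space, print candidates, return their count (-1 on error).
   Each candidate is re-checked against a fresh listing to drop exit races. */
static int scan_hidden_pids(void) {
    long pid_max = read_pid_max();
    unsigned char *seen = calloc((size_t)pid_max + 1, 1);
    if (!seen) return -1;
    list_proc(seen, pid_max + 1);
    int hidden = 0;
    for (long pid = 1; pid <= pid_max; pid++) {
        if (seen[pid] || !pid_exists((pid_t)pid)) continue;
        if (classify((pid_t)pid, 0, 1, read_tgid((pid_t)pid)) != PID_HIDDEN) continue;
        memset(seen, 0, (size_t)pid_max + 1);   /* refresh view 1 and confirm */
        list_proc(seen, pid_max + 1);
        if (!seen[pid] && pid_exists((pid_t)pid)) {
            printf("hidden pid candidate: %ld\n", pid);
            hidden++;
        }
    }
    free(seen);
    return hidden;
}

int main(void) {
    int n = scan_hidden_pids();
    if (n < 0) { perror("scan"); return 1; }
    printf("%d hidden pid candidate(s)\n", n);
    return 0;
}
```

Root is not required: kill() on another user's process returns EPERM, which still proves the process exists. The check is deliberately one consistency test among several, not a verdict; a rootkit that also hooks kill(), or one that unlinks its task from the kernel's process list altogether, will pass it, which is exactly why detection has to compare many independent views rather than trust any one of them.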

In the Cyber Kill Chain this is the Installation stage, and the rootkit's function is persistence: keeping a presence on the attacked network after the initial break-in.

A decent tool for finding out what commands actually do on a system is strace, which traces the system calls a program makes and is widely used for troubleshooting and debugging on Linux. Tracing a directory listing, for instance, shows the getdents64 calls the program uses to read directory entries. One caveat: strace observes the calls from user space, so if a kernel rootkit has hooked a system call, strace faithfully shows the doctored answer the hooked kernel returns; it cannot see the hook itself.
