2. Table of Contents
• Secure Programming
• Fixing faults
• Non malicious program errors
• Buffer overflow error
• Buffer overflow error- security implication
• Incomplete Mediation
• Time-of-Check to Time-of-Use Errors
• Viruses and other malicious code
• Types of viruses
• Malicious code
• Targeted malicious code
• Trapdoors
• Salami attack
• Rootkits
• Control against program threats.
3. Secure Programming
• Security implies some degree of trust that the program enforces expected
Confidentiality
Integrity
Availability.
• Security and safety are two important aspects of the quality of software.
Security is the ability of a system to protect itself against accidental or
intentional attacks.
Safety is the ability of a system operating without risk, performing normal
functions as well as handling exceptional conditions.
• An assessment of security can also be influenced by someone's general
perspective on software quality.
4. Fixing Faults
• Fixing faults is one of the approach to check security of a program.
A module in which 100 faults were discovered and fixed is better than another
in which only 20 faults were discovered and fixed.
• Early approach of checking program security is “Penetrate and Patch” in
which analysts searched for and repaired faults.
Red Team or Tiger team tries to crack software, if software withstands the
attack then security is good. This is rarely true.
• Developers try to fix the problems as soon as discovered by Tiger team that
has following disadvantages
This pressure leads to less attention towards fault.
5. Fixing Faults (contd)
Non obvious side effects
The fault could not be fixed properly because system functionality or
performance would suffer as a consequence.
Fixing one problem leads to another fault.
• The inadequacies of penetrate-and-patch led researchers to seek a better
way to be confident that code meets its security requirements.
One way to do that is to compare the requirements with the behavior i.e. we
can examine programs to see whether they behave as their designers intended
or users expected.
Unexpected behavior a program security flaw; it is inappropriate program
behavior caused by a program vulnerability.
6. Non-Malicious Program Errors
• Being human, programmers and other developers make many mistakes,
most of which are unintentional and non-malicious.
• Many such errors cause program malfunctions but do not lead to more
serious security vulnerabilities.
• A few classes of errors have been more serious errors for programmers and
security professionals.
Buffer Overflow Error
Incomplete mediation
Time-of-Check to Time-of-Use Errors
7. Buffer Overflow Error
• A buffer (or array or string) is a space in which data can be held. A buffer
resides in memory. Because memory is finite, a buffer's capacity is finite.
For this reason, in many programming languages the programmer must
declare the buffer's maximum size so that the compiler can set aside that
amount of space. For Example
char sample[10];
sample[10] = 'A';
The subscript is out of bounds (that is, it does not fall between 0 and 9), so
we have a problem
• In some programming languages, buffer sizes need not be predefined
C does not perform array bound checking.
Similar problems caused by pointers for which there is no way to define a
proper limit
8. Buffer Overflow Error (contd)
• Damage done by Buffer overflow
Affects User’s data (overwrites user data)
Affects user’s code (changes user’s instruction)
Affects system data (Overwrites OS data)
Affects system code (changes OS’s instruction)
• Implications of buffer overflow
Attacker can insert malicious data values/instruction codes into overflow
space.
C programming language specifications do not specify how data is to be
laid out in memory.
Some implementations of C may leave space between arrays and variables
on the stack, for instance, to minimize aliasing effects.
9. Buffer Overflow-Security Implication
• Web server attack is similar to buffer overflow attack: passes very long
string to web server.
• Buffer overflows are still common
Used by attackers to crash systems and to take over the system by taking
control over.
• Large number of vulnerabilities due to buffer overflows still persists in
many software's and systems.
10. Incomplete mediation
• Consider the example
http://www.somesite.com/subpage/userinput&parm1=(808)555-
1212&parm2=2004Jan01
What happen if we pass value like 1800Jan01 or 1800Feb30 or 2048Min32
a) Data type error.
b) Continue to execute but end up with a wrong result.
• What if we do all the validations properly on the client browser.
Here are some security implications of incomplete mediation
Unchecked data values represent a serious data vulnerability.
a) Example: A firm named “Things” started a e-commerce site to sell their products.
b) Once a person places his order , the return URL is as follows
c) http://www.things.com/order/final&custID=101&part=555A
&qy=20&price=10&ship=boat&shipcost=5&total=205
11. Incomplete mediation (contd)
• A malicious attacker may decide to exploit this peculiarity by supplying
instead the following URL, where the price has been reduced from $205 to
$25:
http://www.things.com/order/final&custID=101&part=555A
&qy=20&price=1&ship=boat&shipcost=5&total=25
The attacker could have ordered Objects from Things in any quantity at any
price.
• From a security perspective, the most serious concern about this flaw was
the length of time that it could have run undetected
12. Time-of-Check to Time-of-Use Errors
• Access control is a fundamental part of computer security; we want to
make sure that only those who should access an object are allowed that
access.
• Every requested access must be governed by mediated access policy
enforcement agent.
• Incomplete mediation problem occurs when access is not checked
universally.
• The time-of-check to time-of-use (TOCTTOU) flaw concerns mediation
that is performed with a "bait and switch" in the middle.
• It is also known as a serialization or synchronization flaw.
13. TOCTTOU (contd)
• Example: DBMS/OS
Pgm 1 reads value of X=10
Pgm 1 adds X=X+5
Pgm 2 reads X=10, adds 3 to X, writes X=13
Pgm 1 writes X=15
X ends up with value X=15 while it should be X=18
• Prevention
Be aware of time lags.
Use digital signatures and certificates to lock data values after checking them.
• Security Implication
Checking one action and performing another is an example of ineffective
access control.
14. Viruses and other malicious code
• Computer data are not usually seen directly by users, malicious people can
make programs serve as vehicles to access and change data and other
programs.
• Malicious code is written just like any other program on the system, but is
written to exploit vulnerabilities of the system.
• Malicious code can change data or other programs.
• Malicious code can do anything any other program can, such as writing a
message on a computer screen, stopping a running program, generating a
sound, or erasing a stored file.
• Malicious code can do nothing at all right now; it can be planted to lie
dormant, undetected, until some event triggers the code to act.
15. Viruses and other malicious code (contd)
• The trigger can be a time or date
• An interval (for example, after 30 minutes),
• An event (for example, when a particular program is executed)
• A condition (for example, when communication occurs on a modem)
• A count (for example, the fifth time something happens)
• Some combination of these, or a random situation.
16. Types of Viruses
• Viruses have been categorized according to the ways in which they infect a
system, the part of the system they affect or their behaviors.
File Infector Viruses
a) File infector viruses are those that infect other files or programs on your system.
b) Once the original 'host' program is run, the virus can stay resident or 'live' inside
your systems memory (RAM) and infect programs as they are opened, or they can
lay dormant inside another program. Each time that program is run, the virus will
infect another program or file.
c) A second, more complex file infector is one that doesn't alter the program itself,
but alters the route a computer takes to open a file.
d) If a program or file that is infected with a file infector virus is passed from one
computer to another, over a network or via floppy disk for example, the virus will
begin infecting the 'clean' computer as soon as the file or program is opened.
17. Types of Viruses (contd)
Boot Sector Viruses
a) Whereas file infector viruses infect programs on a computer's hard drive, boot
sector viruses can infect hard drives and removable disks, such as floppy disks.
b) The boot sector is an area at the beginning of a hard drive or other disk where
information about the drive or disk structure is stored.
c) Symptoms of a boot sector virus may be a computer that is unbootable or gives
error messages upon booting. Frustratingly, boot sector viruses may be present
with no noticeable problems.
Macro Viruses
a) Macro viruses are by far the most common type of malicious code found today.
This is due to the popularity of software such as Microsoft Office and others such
as Corel Draw, which use the macro programming languages extensively in the
products.
b) Macro viruses use an application's own macro programming language to distribute
themselves.
c) Macro viruses do not infect programs; they infect documents.
18. Types of Viruses (contd)
Worms
a) A worm is a piece of code that can make fully functional copies of itself and travel
through a computer network and/or across the Internet through a number of
means.
b) A worm does not attach themselves to other programs like traditional viruses, but
creates copies of itself, which in turn create even more copies.
c) The computer 'worm' is so-called because of the way in which 'rogue' computer
code was originally detected.
d) Worms are prolific due to the fact that most are created using simple scripting
languages that can be created with a text editor and become fully functional
'programs' under the right conditions.
Trojan horses
a) Accordingly Trojans are malicious programs that sneak into a victim computer
disguised as harmless software.
b) Trojans may also be 'wrapped' inside another program so that when the original
innocent program is installed, the Trojan program is installed as well.
c) The most commonly described Trojan has a payload that will allow a user on
another computer somewhere else in the world to gain full control and access to
the files on your computer.
19. Types of Viruses (contd)
Hoax Viruses
a) There are hundreds of hoax viruses that spread like chain letters through e-mail.
b) They cause little or no long-term damage, these hoaxes can be as disruptive as real
malicious code.
c) The standard response of most people when receiving a virus warning is to pass it
on to all people in their organization and most likely everyone else in their
contacts lists.
d) This sets up a chain reaction that not only wastes Internet bandwidth, but also
wastes the valuable time of recipients.
Memory-Resident Viruses
a) Some parts of the operating system and most user programs execute, terminate,
and disappear, with their space in memory being available for anything executed
later.
b) For very frequently used parts of the operating system and for a few specialized
user programs, it would take too long to reload the program each time it was
needed. Such code remains in memory and is called "resident" code.
c) Examples of resident code are the routine that interprets keys pressed on the
keyboard, the code that handles error conditions that arise during a program's
execution, or a program that acts like an alarm clock, sounding a signal at a time
the user determines.
20. Malicious code
• Malicious code or a rogue program is the general name for unanticipated
or undesired effects in programs or program parts, caused by an agent
intent on damage.
• This definition eliminates unintentional errors, although they can also have
a serious negative effect.
• A virus is a program that can pass on malicious code to other non
malicious programs by modifying them.
• The term "virus" was coined because the affected program acts like a
biological virus: It infects other healthy subjects by attaching itself to the
program and either destroying it or coexisting with it.
• A good program can be modified to include a copy of the virus program, so
the infected good program itself begins to act as a virus, infecting other
programs.
21. Malicious code (contd)
• A virus can be of two types
Transient: Its life that depends on the life of its host; the virus runs when its
attached program executes and terminates when its attached program ends.
Resident: A resident virus locates itself in memory; then it can remain active
or be activated as a stand-alone program, even after its attached program ends.
• Types of malicious code
Trojan horse: It is malicious code that, in addition to its primary effect, has a
second, non obvious malicious effect.
a) It gets installed with legitimate infected program.
b) Effects of trojan horse are deleting or editing files, transmitting files to intruders,
installing malicious code that can gain network access.
c) Privilege elevation attack.
22. Malicious code (contd)
Logic bomb: It is a class of malicious code that "detonates" or goes off when a
specified condition occurs.
a) A time bomb is a logic bomb whose trigger is a time or date.
b) Trapdoor or Backdoor: Its a feature in a program by which someone can access the
program other than by the obvious, direct call, perhaps with special privileges.
Worm : It is a program that spreads copies of itself through a network.
a) The primary difference between a worm and a virus is that a worm operates
through networks, and a virus can spread through any medium (but usually uses
copied program or data files).
Rabbit : Virus or worm that self-replicates without bound, with the intention of
exhausting some computing resource.
a) A rabbit might create copies of itself and store them on disk, in an effort to
completely fill the disk, for example.
23. Targeted Malicious code
• Malicious code is written for a particular system, for a particular
application, and for a particular purpose. Similar to viruses but with the
addition of new techniques
Trapdoor : An undocumented entry point to a module.
a) Inserted for code development
b) “Hooks” to add additional future enhancements
• Can be legitimate or non-legitimate
• Software Testing
Unit Testing
Integration Testing
Stubs and Drivers – routines that inject information during testing
Control Stubs – used to invoke debugging code
Accidently left in place
Poor Error Checking
24. Trapdoors
• Poorly defined Data
• Incomplete Mediation
• Undefined Opcodes – instructions that have not been defined for the
processor
• Trapdoors can be useful
• Software audits may request trapdoors to be inserted
• Trap doors should always be documented.
25. Trapdoors
• Causes of Trapdoors
Forgot to remove
Intentionally for Testing
Intentionally left for maintenance
Intentionally left for covert means of access
Trapdoors are not bad. They are not faults until the trapdoor is not shut.
A system is not secure if a trapdoor is present but unknown by others
26. Salami Attack
• Named after the way scrap meat is used to form salami
• Salami Attack – merges seemingly inconsequential bits of data to yield
something important
• For example, programs often disregard small amounts of money in their
computations, as when there are fractional pennies as interest or tax is
calculated.
• Classic Salami Attacks
Missing ½ cent
Missing percentage
Taking a bit from a bunch
Charging higher fees
• Why do they happen?
Sometimes programmers just except small errors
Code many times it to large to look for salami type errors
27. Rootkits
• Rootkit – is a piece of malicious code that goes to great lengths not to be
discovered
If discovered tries to reestablish itself
Tries to run itself as “root” on the system (UNIX administrator)
Resides between user and OS
Intercepts commands in order to keep itself hidden
Rootkit Revealer – program written to reveal rootkits
XCP rootkit – used to help prevent copying of music
28. Rootkits (Contd)
• One of the primary objectives of a rootkit is to avoid detection in order to
remain installed and accessible on the victim system, so rootkit developers
aim to keep their malware undetectable
One common symptom of a rootkit infection is that antimalware protection
stops working.
a) An antimalware application that just stops running indicates that there is an active
rootkit infection.
b) Another symptom of a rootkit infection can be observed when Windows settings
change independently, without any apparent action by the user.
c) Other unusual behavior, such as background images changing or disappearing in
the lock screen or pinned items changing on the taskbar, could also indicate a
rootkit infection.
d) Unusually slow performance or high CPU usage and browser redirects may also
indicate the presence of a rootkit infection.
29. Rootkits (Contd)
• Types of rootkits
Kernel mode rootkit
a) Designed to change the functionality of an OS.
b) This type of rootkit typically adds its own code -- and, sometimes, its own data
structures -- to parts of the OS core, known as the kernel.
c) Many kernel mode rootkits exploit the fact that OSes allow device drivers or
loadable modules to execute with the same level of system privileges as the OS
kernel, so the rootkits are packaged as device drivers or modules to avoid detection
by antivirus software.
User mode rootkit
a) Sometimes called an application rootkit, executes in the same way as an ordinary
user program.
b) User mode rootkits may be initialized like other ordinary programs during system
startup, or they may be injected into the system by a dropper.
Bootkit
a) Infects the master boot record of a hard drive or other storage device connected to
the target system.
b) Bootkits are able to subvert the boot process and maintain control over the system
after booting and, as a result, have been used successfully to attack systems that
use full disk encryption.
30. Rootkits (Contd)
Firmware rootkits
a) Firmware rootkits take advantage of software embedded in system firmware and
install themselves in firmware images used by network cards, BIOSes, routers or
other peripherals or devices.
• Rootkit detection and removal
Rootkits are designed to be difficult to detect and remove; rootkit developers
attempt to hide their malware from users and administrators, as well as from
many types of security products.
Once a rootkit compromises a system, the potential for malicious activity is
very high.
a) There are many rootkit detection tools suitable for power users or for IT
professionals provided by antimalware vendors, which usually offer rootkit
scanners or other rootkit detection tools to their customers.
b) One approach to rootkit removal is to reinstall the OS, which, in many cases, will
eliminate the infection.
31. Controls Against Program Threats
• Development of Controls
Specify the system : capturing the requirements and building a model of how
the system should work from the users' point of view.
Design the system: proposing a solution to the problem described by the
requirements and building a model of the solution.
Implement the system: using the design as a blueprint for building a working
solution.
Test the system: to ensure that it meets the requirements and implements the
solution as called for in the design.
32. Controls Against Program Threats
(contd)
Review the system at various stages: to make sure that the end products are
consistent with the specification and design models
Document the system: users can be trained and supported
Manage the system: to estimate what resources will be needed for
development and to track when the system will be done
Maintain the systems: tracking problems found, changes needed, and
changes made, and evaluating their effects on overall quality and
functionality
Hinweis der Redaktion
Secure coding is the practice of developing computer s/w in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors.
One approach to judging quality in security has been fixing faults. You might argue that a module in which 100 faults were discovered and fixed is better than another in which only 20 faults were discovered and fixed, suggesting that more rigorous analysis and testing had led to the finding of the larger number of faults.
A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher: Some water is going to spill out and make a mess. And in computing, what a mess these errors have made.
We could not identify the problem until i was set during execution to a too-big subscript. It would be useful if, during execution, the system produced an error message warning of a subscript out of bounds. Unfortunately, in some languages, buffer sizes do not have to be predefined, so there is no way to detect an out-of-bounds error. More importantly, the code needed to check each subscript against its potential maximum value takes time and space during execution, and the resources are applied to catch a problem that occurs relatively infrequently.
Attacker insert just after the buffer so as to cause mischief or damage and make the system to forcibly execute planned instruction codes. First, the attacker may replace code in the system space. Remember that every program is invoked by the operating system and that the operating system may run with higher privileges than those of a regular program. Thus, if the attacker can gain control by masquerading as the operating system, the attacker can execute many commands in a powerful role. Therefore, by replacing a few instructions right after returning from his or her own procedure, the attacker can get control back from the operating system, possibly with raised privileges. If the buffer overflows into system code space, the attacker merely inserts overflow data that correspond to the machine code for instructions.
As with buffer overflows, one possibility is that the system would fail catastrophically, with a routine's failing on a data type error as it tried to handle a month named "Min" or even a year (like 1800) which was out of range. Another possibility is that the receiving program would continue to execute but would generate a very wrong result. (For example, imagine the amount of interest due today on a billing error with a start date of 1 Jan 1800.) Then again, the processing server might have a default condition, deciding to treat 1Aardvark2Many as 3 July 1947.
Incomplete mediation is easy to exploit, but it has been exercised less often than buffer overflows. Nevertheless, unchecked data values represent a serious potential vulnerability. To demonstrate we explain an example above. Surprisingly, it worked for attackers. The attacker could have ordered Objects from Things in any quantity at any price. And yes, this code was running on the web site for a while before the problem was detected.
The third programming flaw we investigate involves synchronization. To improve efficiency, modern processors and operating systems usually change the order in which instructions and procedures are executed. In particular, instructions that appear to be adjacent may not actually be executed immediately after each other, either because of intentionally changed order or because of the effects of other processes in concurrent execution.
To understand the nature of this flaw, consider a person's buying a sculpture that costs $100. The buyer removes five $20 bills from a wallet, carefully counts them in front of the seller, and lays them on the table. Then the seller turns around to write a receipt. While the seller's back is turned, the buyer takes back one $20 bill. When the seller turns around, the buyer hands over the stack of bills, takes the receipt, and leaves with the sculpture. Between the time when the security was checked (counting the bills) and the access (exchanging the sculpture for the bills), a condition changed: what was checked is no longer valid when the object (that is, the sculpture) is accessed.
Simply put, viruses are small programs designed with (usually) malicious intent that attach themselves to other programs or files. They are capable of copying themselves throughout a computer or computers. They are called viruses because of the way they emulate their biological namesakes. A virus will infect healthy programs in a host computer and then spread to other healthy hosts, infecting them as well. Just as biological viruses range from being quite harmless to lethal, computer viruses may simply cause a harmless message to appear on your screen occasionally, or may render your system inoperable.
Malicious code can be spread through just about any computer medium. They can arrive on an infected floppy disk and infect your system when a file on the disk is opened. Worse still, a floppy disk could be inadvertently left in the computer when it is shut down. Upon reboot, if the floppy is infected with a boot sector virus, the infection will be transmitted to your system.
The most common methods employed to spread viruses and worms are either through e-mail as attachments or through IRC (Internet Relay Chat). Typically, in the case of e-mail, a message will arrive with an attachment, the user clicks on the message and the code is executed immediately. Viruses are capable of bringing down entire networks by clogging e-mail servers with copies of themselves. Some viruses will repeatedly extract addresses from e-mail 'address' books and send themselves to the recipients. Some contact lists can generate potentially thousands of messages, causing massive network bandwidth problems.
Boot Sector Viruses: One thing should be noted about floppy disks. It does not matter whether the floppy disk is a 'bootable' disk or not, if the disk is infected with a boot sector virus and you inadvertently leave the disk in the drive when you reboot the computer, the virus can still be executed. Ways of preventing this will be discussed in part two of this series.
Macro Viruses: Macro viruses typically arrive in an infected document, a price list written with MS Word for example. When the file is opened, the virus infects the base template on the victim computer, in this case Normal.dot. Normal.dot is the 'framework' that Word documents are created on. Once this template is infected, every document that is opened from then on will be infected as well, making all documents created or opened in Word a carrier of the macro virus. Macro viruses have been written for most Microsoft Office applications, including Excel, Access, PowerPoint and Word. They can also be found in Lotus AmiPro and Corel products to name a few.
Worms: The computer 'worm' is so-called because of the way in which 'rogue' computer code was originally detected. Printouts of computer memory locations would show random 'wormhole' patterns, much like that of the patterns on worm-eaten wood. The term eventually became shortened and used to describe viruses that could 'worm' or propagate across networks and the Internet, leaving copies of themselves as they travelled.
Trojan horses: Trojan horses typically consist of two parts, the server and the client. The server is the part that is installed on the victim computer. When the server is installed, it allows the remote client to send commands to the computer as if the other person were sitting at the keyboard. The remote attacker can upload and download files, delete and create files on your system, play with the CD drive and generally control most aspects of the victim machine. Most of the approximately 550 known Trojans will send some sort of message to the attacker to let them know the server is running on the computer. Therefore, every time you connect to the Internet the person who sent the Trojan will know that the system is online and open for abuse.
Hoax viruses: a hoax can be damaging to a company's reputation. For example, NVision Design Inc produced three small games prior to Christmas of 1999. A virus hoax was spread worldwide that these games (Frog-a-pult, Elf-Bowl and Y2K game) contained a delayed action virus that would wipe out the users hard-drive. Not only did this cause damage to the reputation of the games' developer Vectrix, it also caused a deluge of e-mails in peoples' mail servers and inboxes.
Examples of Trapdoor: Because computing systems are complex structures, programmers usually develop and test systems in a methodical, organized, modular manner, taking advantage of the way the system is composed of modules or components. Often, each small component of the system is tested first, separate from the other components, in a step called unit testing, to ensure that the component works correctly by itself. Then, components are tested together during integration testing, to see how they function as they send messages and data from one to the other. Rather than paste all the components together in a "big bang" approach, the testers group logical clusters of a few components, and each cluster is tested in a way that allows testers to control and understand what might make a component or its interface fail.
The first case is an unintentional security blunder, the next two are serious exposures of the system's security, and the fourth is the first step of an outright attack. It is important to remember that the fault is not with the trapdoor itself, which can be a very useful technique for program testing, correction, and maintenance. Rather, the fault is with the system development process, which does not ensure that the trapdoor is "closed" when it is no longer needed. That is, the trapdoor becomes a vulnerability if no one notices it or acts to prevent or control its use in vulnerable situations.
In general, trapdoors are a vulnerability when they expose the system to modification during execution. They can be exploited by the original developers or used by anyone who discovers the trapdoor by accident or through exhaustive trials. A system is not secure when someone believes that no one else would find the hole.
During both unit and integration testing, faults are usually discovered in components. Sometimes, when the source of a problem is not obvious, the developers insert debugging code in suspicious modules; the debugging code makes visible what is going on as the components execute and interact. Thus, the extra code may force components to display the intermediate results of a computation, to print out the number of each step as it is executed, or to perform extra computations to check the validity of previous components.
Why Salami Attacks Persist?
Computer computations are notoriously subject to small errors involving rounding and truncation, especially when large numbers are to be combined with small ones. Rather than document the exact errors, it is easier for programmers and users to accept a small amount of error as natural and unavoidable. To reconcile accounts, the programmer includes an error correction in computations. Inadequate auditing of these corrections is one reason why the salami attack may be overlooked.
Usually the source code of a system is too large or complex to be audited for salami attacks, unless there is reason to suspect one. Size and time are definitely on the side of the malicious programmer.
Rootkits can be installed in a number of ways, including phishing attacks or social engineering tactics to trick users into giving the rootkit permission to be installed on the victim system, often giving remote cyber criminals administrator access to the system. Once installed, a rootkit gives the remote actor access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits, but most antimalware programs today have the ability to scan for and remove rootkits hiding within a system.
User mode rootkit: The method depends on the OS. For example, a Windows rootkit typically focuses on manipulating the basic functionality of windows dynamic link libraries, but in a Unix system, an entire application may be completely replaced by the rootkit.
Most types of rootkit infections can persist in systems for long periods of time, because they install themselves on permanent system storage devices, but memory rootkits load themselves into computer memory (RAM). Memory rootkits persist only until the system RAM is cleared, usually after the computer is restarted.
Rootkit detection and removal
Rootkits are designed to be difficult to detect and remove; rootkit developers attempt to hide their malware from users and administrators, as well as from many types of security products. Once a rootkit compromises a system, the potential for malicious activity is very high.
