Caution SONY Music CDs have trojan Malware

  • Thread starter Sony Music CDs install Malware

kurt wismer

Roger said:
Of course, it is a kit and contains programs useful to the intruder...

Like any toolkit, it has many tools the user wants to use. Having a screwdriver
does not make it a screwdriver kit any more than having a wrench makes it a
wrench kit.

if the kit is full of screwdrivers and screwdriver accessories then it
most certainly is a screwdriving kit...
If the intruder only wants to cause an information leak on a target
machine (not some script kiddie collecting "rooted" machines so he can boast
about his collection being bigger than yours), his kit may not include the sniffer
or any other program that can be construed as an "aid in gaining root access".

then it wouldn't be a rootkit...
It is a "root" kit because the attacker needs root access to use the programs in
the kit, and a kit because it usually contains more than one tool.

this contradicts what is stated in the example you cite below... it states

"A rootkit is a "kit" consisting of small and useful programs that allow
an attacker to maintain access to "root," the most powerful user on a
computer".

that clearly doesn't agree with your definition... i'm not a big fan of
it either unless "maintain" means backdooring the system for easier
access later on...
I suspect so, survivability of the compromise is probably the main underlying
theme rather than "rooting" of more machines.

no, 'survivability' is an *enhancement*...
Stealth would be a great aid to
survivability as would creating other ways to get back in as root. No surprise
that most if not all kits had both tools. Also no surprise that the focus is now
on stealth as being the defining factor.

stealth is not the defining factor...
This seems to agree that survivability of root access compromise is paramount
and stealth is a major contributor toward achieving that end.

http://www.informit.com/articles/article.asp?p=408884&seqNum=2

No mention of machine collecting is made, only stealth aimed at local survivability
of root access (persistence). It also touches on the historical meaning of rootkit.

You could start at http://www.informit.com/articles/article.asp?p=408884&seqNum=1

But this part isn't just about rootkits.

actually the entire article is all about rootkits, the first page just
abstracts out some of the underlying concepts inherent in rootkits so as
to talk about them in isolation and bring the reader up to speed on the
fundamentals...

page 3, however, has this nice little blurb:

"Rootkits provide two primary functions: remote command and control, and
software eavesdropping"

remote command and control == backdoors
software eavesdropping == sniffing

now, if something doesn't provide the 2 primary functions of a rootkit,
is it still a rootkit? i don't think so...

isn't the primary function == the "defining factor"? in any reasonable
taxonomy of malware (or even software in general) it most certainly is...
 
