
What is a rootkit?

Jan 12, 2011, 34 min

Episode description

If a hacker installs a rootkit on your computer, you could be in big trouble. But why? In this podcast, the guys break down the basics of rootkits, from what they are to what they do -- and how you can stop them.


Transcript

Speaker 1

Brought to you by the reinvented 2012 Camry. It's ready. Are you? Get in touch with technology with TechStuff from HowStuffWorks.com. Hello again, everyone, and welcome to TechStuff. My name is Chris Pollette. I'm an editor at HowStuffWorks.com, and as usual, the person sitting across from me at this table while we do this thing is senior writer Jonathan Strickland. The world isn't run by weapons anymore, or energy or money. It's run by little ones and zeros, little bits of data. It's all just electrons.

Today we're going to start off with a little Facebook feedback. This comes from JB, and JB says, "Hey, guys, I just heard you mention something called a rootkit or something like that on the back end of your podcast on piracy. I'd really love to hear all about all the nasty little digital bacteria and viri floating around on the web, percolating in the minds of hackers like the mouth of a Komodo dragon. Thanks for the greatly entertaining and interesting podcast. Cheers and happy holidays." Wow, that's a greatly entertaining... Yeah. I have to point out, JB, Komodo dragons' mouths actually don't percolate. I heard they're cleaner than humans' mouths. I'm sorry, I think you have another animal. I'm pretty sure if a Komodo dragon bites me, the bacteria would be worse than your general human. I'm not saying that there aren't humans out there who could give a Komodo dragon a run for the money in the bacteria department. But how about we get this back on track.

Okay, so we're going to talk about rootkits now. We've already talked about various kinds of worms and viruses in previous episodes, but we never really got into rootkits. And it's interesting, because a rootkit on its own, by itself... I mean, really, you could say this about just about anything, right? But it's just a tool. It's not necessarily malicious. It doesn't have to be malicious, but I think it's probably more often than not used as a tool to take control of a computer, or infect it so thoroughly with some kind of malware that it is virtually, if not completely, undetectable.

Right. Let's try and break this down a bit. So, rootkit: if you want to be perfectly technical about the definition, a rootkit on its own does not take control of a computer. What it does is it allows you to maintain control over a computer you've already compromised, but you do it in a way that gets shielded from the victim's computer. Well, not the original... the first rootkits weren't necessarily that great at shielding themselves. But we can get into that. Yeah, keep going.

Okay. So rooting is kind of going back to Unix terminology. Yeah, I mean, hackers of all stripes, good and bad, frequently refer to the root user, the person who has all the administrative rights to the machine, right? The fewest restrictions are placed upon the root user. So fear me, for I am root. Yeah. You can think of different levels of user. You've got your general user, you've got your administrator, who usually has greater access than your regular user, and then you've got the root user, which is usually like a system administrator, who might even be able to access things that the administrator can't access.

One of my friends, purposefully with this in mind, named his computer "all evil." Oh, it's the root of all evil. Yes, got you. I thought that was the love of money. But at any rate, this person is apparently... watch out. So, yeah, to root a computer is to get that level of access. And you can even do that not just by, you know, stealing a password or hacking a password or whatever. You can infect a system-level operation and get system-level access to a machine. Now, system-level access and root access are more or less the same thing, but there are hackers who will tell you system-level access is the way to go, because this is where there are practically no restrictions whatsoever, and you can do anything to the core of that machine that you want. That's really the goal of the rootkits: to get control of the core of the machine and then to hold onto that as long as possible. And while the early rootkits didn't necessarily shield the invasion from prying eyes so that the victim would remain unaware, since then that's pretty much the way to go, because if you want to maintain control, it's best if the victim never even knows that they are a victim. Right.

In doing some research, I consulted one of my favorite tech research sites, TechTarget, and the first rootkits started showing up on networks in the early [...], and at that point we weren't talking about rooting Windows or Mac machines. They were looking at Sun and Linux-based operating systems. But now, of course, things have changed somewhat, and you could find rootkits for pretty much every operating system. I've never really heard of one for Mac OS, but with its roots in BSD, I wouldn't be a bit surprised. I did come across one while I was researching. So, I mean, the concept itself is platform-agnostic. It doesn't matter what platform we're talking about; there are ways to break into a system and get that level of access, that deep level of access.

And when you're really talking about things like that, you're talking about things that are integral to the way the computer operates, and in a way it's going to be really difficult to ever prevent rootkits from happening, or rooting a computer from happening, just because as long as you understand how the computer works, you have to be able to get to that core of the computer. I mean, if you weren't, then these applications that you build on top of the computer would never work, because they have to refer back to the core to get things like instructions. We can talk a little bit about the sort of stuff that the core does. When I'm talking about the core, I'm talking about the kernel of the operating system. Yeah. I mean, the kernel, if you think about a kernel of corn or a seed, that's really what we're talking about, the core of the operating system. It's really a foundation that everything else is built upon. So this is kind of getting to the point of an operating system that interacts with the hardware on a machine. This is the layer of programming, of coding, that allows the hardware and the software to work with one another. Without this, the software wouldn't be able to interact with the hardware at all. It would just be, you know, gobbledygook.

So the sort of stuff that the kernel does: it's in charge of process management. We've talked a little bit about clock cycles. If you're working with clock cycles, they have a certain number of clock cycles per second. Well, something has to assign those cycles to the various applications that are running on that machine. That's the kernel's job. And kernel, by the way, we're spelling it K-E-R-N-E-L. We're not talking about Mr. Sanders. So, you know, I was going to say, if the kernel does a good enough job at it, it could receive a promotion. Yeah. And otherwise, it's just finger-lickin' good. Yes. But then you end up with the possibility of a general fault, in which case that's a major disaster. But I think that's better kept private. Ouch. So anyway, we're going to leave behind the horrible military puns, military computing puns.

So you've got the process management, where the kernel is deciding which processes are getting how many clock cycles per second. Then you also have things like file access. The kernel's in charge of ultimately how programs access files and how the files are organized, and it has to provide a consistent logical interface for file systems. It's also in charge of security to some point. It's in charge of administering permissions between the processes, and memory allocation, so it's also in charge of memory. With these elements, if you fiddle with these elements at all, then you can create an environment where you can run secret processes and it doesn't appear to the user at all.

Yeah, I think it would be safe to say, based on my understanding of this, that we're talking about stuff that's sort of in between the operating system, almost like the layer of the operating system that you see, and the computer itself. So it's basically buried under anything that you're going to be able to see visually. You can't go in there and go, wait a minute, what's that program? Which may be talking about a deeper level than that. Yeah.

Now, I was reading up on it at Computerworld, and Paul Roberts said that for early rootkits, what you would be able to do is look at the way the computer is using memory, whether there are any communications going on back and forth between the computer and a network of, you know, whatever kind. Basically, those are clues to tell you that something is going on. If you can't attribute those processes to something that is already running on that machine, there may be a rootkit installed. And that's one way that, for earlier rootkits, you would be able to tell that something strange was going on. Right. Yeah, these levels of rootkits we would probably call user-level. Yeah, so your user-level rootkit is existing on top of the operating system. It's actually kind of running like an additional application, right? So you might be running maybe three applications on your computer, and this would be a fourth mysterious application, where if you were careful enough and looked around, you would be able to see evidence of it running, and therefore you would know that possibly something was wrong. So user-level rootkits are not the most secure for the hacker. Right. Now there's a chance the hacker will be found out, or at least the hacker's work will be found out. Right. And of course, he or she, whomever it was that put it in place, you know, the point is to keep it on there as long as possible. So they got more ingenious with ways to hide it on the machine.

And then we're getting into kernel-level rootkits, and these are the nasty ones. This is insidious stuff here, because you're talking about messing with the very core of the computer. And it's kind of like if you could imagine someone being able to invade your mind and change your way of thinking in such a way that you couldn't tell that there was someone messing with you. It's that kind of level of sneakiness. Yeah. Roberts's article said that the more modern kernel-level rootkits can basically go in and erase their tracks. They shut down any sign of whatever it is that they're doing in there. They can encrypt communication between the computer and the network, so that even if you could tell what's going on, you can't tell what's going on, right? Yeah. It'll do stuff like, essentially, it'll fiddle with the memory so that it looks like it's not using any memory. It'll fiddle with the kernel's ability to manage processes so it looks like there are no additional processes running. Again, when you have access to that level of the operating system, you can really manipulate it in such a way that no one can tell that there's something hinky going on. And that encryption is a really tricky part too, because there are files associated with these rootkits.

I mean, the way this works is the hacker first has to get access to your machine, right? And either they're going to do that by using social engineering and fooling you into revealing your password, or they're going to brute-force it, where they just guess the password until it works. Once they have access to your machine and they install these files, they have to have it disguised in such a way so that you don't just uncover it immediately and say, oh, well, here's the problem, there are these files on my machine that don't belong here. By encrypting it, they've given it kind of a disguise. And they've also been known to layer traffic on traffic from another legitimate program going through an open port that is available for that program to access. So basically any communication is hidden along with, sort of like putting something in the prison mail or in the laundry to smuggle it outside. It's hiding it in something else that's legitimately supposed to be there, and that makes it extremely hard to detect.

Yeah, and you may wonder, well, how can you get kernel access? One of the ways is using device drivers. Device drivers, yes. Because these device drivers, this is what allows, again, your computer to interact with devices that you hook up to it. So like a printer driver, for example. You can infect a, or you can create a, device driver that is actually a rootkit. And by the very nature of the drivers, they have to have access to the kernel in order for them to work. So your computer just says, oh, well, this is a legitimate piece of code here that I need to incorporate, and in reality it's this rootkit that's hiding the activity of the hacker.

We haven't really... I'm sorry, you were about to say something, go ahead. But we haven't really talked about why anyone would install a rootkit. There are a lot of different reasons that hackers might want to do it. One is if a hacker is essentially a spam farm. If a hacker is making money by sending spam out to various recipients, they don't want to send spam out from their own machine, because if you do that, then you can be tracked down and caught. Now, and there's another reason too. We talked about this on a podcast a long time ago: distributed computing. Using distributed computing to spread out a task among multiple processors. Now, there's only so much one computer could do. Now the hacker could buy a lot of computers and have them all send out spam, or they could write a piece of software that other people could put on their computers, either willingly or, if you can manage it, unwillingly, very sneakily, and have all these people do it for you. And that's the tricky part. But that's one of the reasons why they would do it: to spread out that work over multiple computers without having to fork over the money for lots of computers. It also makes you more detectable if all the traffic is coming from you.

Yeah, so you can create an exploit to give you the access to the computer. And that exploit is kind of like kicking the door in; the rootkit part is like setting it all up so it looks like the door was never kicked in. You've removed all your fingerprints, but you're still hiding in the house. It also allows you to do things like spy on the person's machine, or all the traffic that goes through that machine if it's the case of, like, a web server. That's true. They could be looking at your passwords, they could be recording your keystrokes, they could be packet sniffing to find out what kind of data you are sending across networks. Yeah, so that's of course a very dangerous thing if it's a machine that's in charge of passing along secure data, like any kind of government machine, or even a corporate machine, even personal machines, really. I mean, when you get down to it, you don't want some unknown party to have access to all your information.

Now, should we mention a particular rootkit? Are you thinking Stuxnet? I wasn't thinking Stuxnet, but actually I didn't know that Stuxnet was a rootkit. I heard it referred to as something else. There's a rootkit element to it, but refer to yours and then I'll talk about Stuxnet. Okay. Well, the one I was going to talk about is XCP. This is something that actually, I think this is the one that we were referring to before. It's the one that security expert Mark Russinovich of Sysinternals found. He had popped a Sony Music CD into his computer, and, now the memory's coming back, yes, it had a piece of copy protection. Again, this is not something where Sony was trying to hack into people's computers, but that's effectively what they did. It wasn't their intent. Yeah, they weren't trying to do anything nefarious, unless you consider protecting what they considered their intellectual property as nefarious, and some people do. But basically what he discovered, being a security expert, he knew what he was looking for in terms of this. He discovered this rootkit had been installed by a music CD. Now, there were dozens of CDs that Sony released with this, including Celine Dion discs, Neil Diamond, all kinds of other people. You just described half my music collection. Ricky Martin, there's the other one I was looking for. Great big names, but labels like Epic, Columbia, Epic Legacy, Columbia Legacy, and there were lots more. I just got that list actually from the EFF, the Electronic Frontier Foundation. Yes, that's only a partial list.

So, yeah, there were telltale signs in the outside packaging. It says this is compatible with these different computers. You know, why would a music CD need to have that on there? Well, it turns out the rootkit is compatible with that. Now, if you play this on a Mac running Mac OS X, you can see the rootkit file, but the rootkit file does not work on a Mac. It's engineered for Windows PCs. That's a good point. Yeah. Rootkits tend to work with specific operating systems or specific families of operating systems. When you hear about Windows rootkits, usually they will only work on certain versions, like Windows XP and a few other versions of Windows, but it won't work on all of them, because not all of them are based on that same code. Yeah. But in this case, Sony was basically trying to get access to the user's computer to prevent copies from being made of the music. Now, it could actually sniff stuff like what sites you visited and what kind of files you were sending. So if you were theoretically trying to share the music across the network, it could detect that. People had a problem with this. Yes, lots of people had a big problem with this, and corporate-sponsored rootkits are not good. Sony, I think, was pretty embarrassed by the whole thing. They eventually discontinued this practice. They did apologize for it as well. Yeah, it was a pretty serious deal there for a little while, and I think it's safe to say that people were wary of doing things that way now.

I totally lost my train of thought. Well, I can pick it up with Stuxnet if you like. Yeah, I mean, it just seems to me kind of heavy-handed that they would have gone to that much trouble to install that level of... It was definitely going above and beyond the call of duty to protect your music. Yeah, so Stuxnet is this... I remember what I was going to say. Go ahead. Oh, if you wanted to disable the rootkit, all you had to do was turn off AutoRun, but then the CD would not play in your computer. So what you ended up having to do was to basically rip the CD and listen to it that way to avoid having the rootkit installed. That was the part of... strip the music from the CD? Well, you're not. That music's still on the CD, but you had to copy it essentially onto your computer to be able to listen to it, which is probably exactly what they were trying to prevent you from doing in the first place. So not only did they not prevent people from doing it, but they also infected all these computers with various forms of a rootkit. Fantastic.

Stuxnet, yes, which I can finally talk about. Now, Stuxnet is a pretty nasty thing that's going around, a malware that's going around. This is pretty current as of when we're recording this. It just sort of popped out in the, I would say, fall. It targets Windows systems and it's looking for industrial control systems, and not just any industrial control systems. Yeah. A lot of people refer to them as SCADA systems, S-C-A-D-A, which really is not entirely accurate, but it's fair enough to call it that. We're talking about programmable logic controllers. Those are like computers, essentially, that can be programmed from a Windows system, and they are running industrial processes. So this is the sort of stuff you might find in a plant or a factory, or like a massive utility might have these kinds of machines in them. Yes. So you might think, well, why would you want to infect these? Well, theoretically you could infect them and then cause the machinery to behave in such a way that it would destroy itself, or cause damage to an entire area. You could shut off a region's water supply, bring down a power grid. You could theoretically, if you set machines to a particular setting, cause a factory to catch fire, or a nuclear power plant to, you know, have a little meltdown. You could turn off the safety valves on various devices so that people would not detect when there was a failure, and then you could cause a failure to happen. It's scary stuff.

And part of the Stuxnet attack involves installing rootkits on systems, because of course, if you don't install the rootkit, then people, security experts, can find out that this is going on and then address it and try to remove the malware from the various systems. Rootkits help make that a more difficult task. It's not necessarily impossible to discover that there's a rootkit on your system, but if the hacker has done a good job, if the rootkit they're using is particularly robust, it can be really, really challenging. And again, the reason for that is because you go into that core of the computer. When you're messing with the core, you can just... you know, the computer's like, malware? What malware? In fact, a lot of these elements are built into various viruses and worms now as well, where, on the initial attack, when you run your antivirus software, the virus or worm may have in it as part of it a rootkit element so that it evades that antivirus software. The people who write rootkits know what they're doing. Yeah, it's not the work of script kiddies. No, no, no, no. Script kiddies might use a rootkit after it's been made, but they're not the ones building it. No. And something like Stuxnet, you know, a lot of people were a little nervous when they saw what it was and how it could cause some serious damage, because people started wondering what was behind it. As far as I know, nobody still knows exactly who is behind that particular one, or when the trigger could be pulled on something like that. It is pretty terrifying.

Other things that hackers may do with these devices that they've put a rootkit on include distributed denial of service attacks, which we've seen recently with the whole WikiLeaks fallout. We talked about that recently, where you would put a rootkit in so that the victim would not know that his or her computer was being used to direct attacks against other machines on the Internet. And these attacks sometimes just take the form of sending millions and millions of messages, like information requests, to a server, often with a spoofed address, so that the server's trying to respond to an address that doesn't actually exist, and you just overwhelm the server. Or you may even have it where you crash it by sending responses to that server as if the server had sent a ping out to the victim's computer, so it's like you're answering a question that hasn't been asked yet, and that can also overwhelm the server. Those are just two very simple versions of denial of service attacks, and a distributed denial of service attack is when you're using an entire botnet to do it. Yeah, a whole, basically, a series of computers that is under the control of... you know, they function as robots, that's why they call it that. But yeah, it's a whole group of computers under the control of, you know, a hacker or hacker organization.

And yeah, I mean, talking about the level of sophistication necessary for this: operating systems of all stripes have vulnerabilities in them, and it takes somebody who knows where the exploit can function for them and serve them to write the rootkit or virus or trojan or whatever, to take advantage of those vulnerabilities. Especially something kernel-level, it takes a lot of sophistication. But it also does take, as Jonathan mentioned earlier, some social engineering, because in a lot, most, I would say probably all cases... I say probably, I'm just hedging my bets there. But basically they have to convince you to install this. Sony convinced people to install the rootkit when you popped in the CD, and it asked you questions, you know. And for Mac OS X, people complain about the viruses that people discover, because they say, well, you know, you still have to be convinced to install that. Well, yeah. I mean, in these cases, to access that level, if you are the administrative user on that computer, something is going to ask you if you can install it, and it will probably say it's, I don't know, an antivirus program, or, hey, we're adding some sophisticated stuff so you can enjoy this media content even more richly, wouldn't you like to have that? And okay, sure. And you can even have this happen if you're getting a legitimate program. There's nothing stopping a programmer from building a rootkit in with any kind of program at all. I mean, maybe the next video game you buy for your computer has a rootkit in it because one of the programmers decided to include it. And that can happen. In fact, you could argue that when we install programs on our machines, we're essentially taking it on faith that the programmers did not put anything in there with the intent to take over our machine. And that's kind of scary when you think about it.

And also, it's a good reminder that the best way to battle rootkits is just to avoid getting hit by them. Don't click on weird links, don't open weird attachments from people you don't know. Don't run applications that you aren't positive came from a legitimate source. Because even though, like I said, theoretically a rootkit could come from a legitimate source, after all, the Sony one did, the chances of that happening are lower than if you were just running any kind of application you came across in your World Wide Web travels. Go ahead, you were saying something. Well, I was going to say, typically, in cases like this, we've said it's important for you to keep your antivirus software up to date. However, with more modern kernel-level rootkits, there's probably not a whole lot antivirus software is going to be able to detect at all. Yeah, because essentially the rootkit itself is telling the antivirus software, I'm not dangerous, I'm not malware, and the antivirus software is a yokel. Yeah. The rootkit is installed at such a level that the antivirus software really can't... it can be fooled.

One other interesting thing before we wrap up. I learned that multiple rootkits on a single machine can cause stability issues. Yeah, so your machine could crash because you've got two different rootkits attempting to manipulate the kernel of your operating system, and that is a bad thing. And also, hackers don't necessarily check to see if the machine they're about to infect already has a rootkit on it. Yeah, it's just not one of the things they necessarily think of when they're doing it. So if you happen to be kind of click-happy and you're clicking lots of different applications, and you get two rootkits on your machine, you could end up making it just a crash-happy device. When we talked about the WikiLeaks thing, I talked about how it is possible for a single computer to be controlled by both sides of a cyber war. That's still technically true, but it does create stability issues. So there's a chance that you wouldn't really be launching any attacks with your machine necessarily, just because you wouldn't have it active long enough for it to do anything.

Yeah, and there is one piece of our typical advice that we can offer you. It's still a good idea to back up your hard drive. And that's especially important because the only way technically to completely wipe a rootkit off your hard drive is to completely wipe it off and reinstall your operating system. And even then, there are some rootkits that have been proven, at least in labs, to affect the BIOS, which is even worse. Yeah, when you affect the BIOS, then even when you wipe the operating system completely out and reinstall it, it's still there. So in an absolute worst-case scenario, you would need to get a new machine, but that still means back up your hard drive, because otherwise you wouldn't be able to have it transferred over to your new machine. There are a lot of great cloud-based services now where you can back up your information to the cloud, so that way you don't have to worry about, like, if your machine is beyond saving, then you can still get to that data with a new machine without having to hook up an external hard drive or something like that.

Before I completely wrap this up, I just wanted to mention two books that I used while researching this, that I think if you want to learn more about rootkits... they're written from two very different perspectives, these two books. The first is Rootkits: Subverting the Windows Kernel by Greg Hoglund and James Butler. The second was written by a hacker, someone who worked in computer security and now works in anti-computer forensics. Yeah. That novel... or that novel... it's a book, so tired. The Rootkit Arsenal by the Reverend Bill Blunden. That's his handle. Actually, Bill Blunden is his name as far as I know, but the Reverend, I guess, is a handle that he uses. And both of those books have a fascinating discussion about what rootkits are, what they are not, what they do, and why they would be useful. Keep in mind that there are governments that use these, there are companies that use these. If your computer is ever seized from you and searched by computer forensics experts, there's the possibility that when you get it back, it has one of these on it. Just saying, behave. That's what I'm saying. Okay, it would be nice. Yeah, or at least be aware. If you're not going to behave, be aware, but behave, y'all.

And so that wraps this up. If you have any suggestions for topics that we can address in the future, you can let us know via Twitter or Facebook. That handle is TechStuffHSW, or you can email us. That address is techstuff@howstuffworks.com. And Chris and I will talk to you again really soon. For more on this and thousands of other topics, visit HowStuffWorks.com. To learn more about the podcast, click on the podcast icon in the upper right corner of our homepage. The HowStuffWorks iPhone app has arrived. Download it today on iTunes.
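Editor's note: the hosts describe how a user-level rootkit can be spotted as an extra process that does not belong, and how a kernel-level rootkit instead tampers with the kernel's own process bookkeeping so that nothing looks out of place. The practical check that defenders actually run for that second case is a "cross-view" comparison: enumerate processes two independent ways and look for PIDs that one view reports and the other does not. The script below is an added example written for this page; it is not code from the podcast, from TechTarget, Computerworld, or either of the books mentioned. It assumes a Linux host with /proc mounted (the paths /proc and /proc/sys/kernel/pid_max are assumptions about that layout), and it only detects a hook that filters the /proc directory listing while leaving stat() on /proc/<pid> or kill(pid, 0) untouched; a rootkit that hooks every path consistently will not be caught this way.

```python
"""Cross-view hidden-process check for Linux (added example, not from the podcast).

A rootkit that hides a process usually filters the directory listing of /proc
(the readdir/getdents path that ps and top rely on). Other kernel paths often
still answer for that PID: stat() on /proc/<pid> and the kill(pid, 0) probe.
Listing PIDs both ways and diffing the two views is the classic cross-view
technique used by tools such as unhide and rkhunter.
"""
import os

PROC = "/proc"                          # assumed mount point
PID_MAX_PATH = "/proc/sys/kernel/pid_max"
DEFAULT_PID_MAX = 32768                 # fallback if pid_max is unreadable


def listed_pids(proc=PROC):
    """View 1: PIDs as the (possibly hooked) directory listing reports them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """View 2: PIDs found by probing every candidate directly, no listing involved."""
    found = set()
    for pid in range(1, max_pid + 1):
        if os.path.isdir(f"{proc}/{pid}"):       # stat() path
            found.add(pid)
            continue
        try:
            os.kill(pid, 0)                      # signal 0: existence check only
            found.add(pid)
        except ProcessLookupError:               # ESRCH: no such process
            pass
        except PermissionError:                  # EPERM: exists, owned by someone else
            found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs that answer a direct probe but are missing from the listing."""
    return sorted(probed - listed)


def intersect_rounds(rounds):
    """Keep only PIDs flagged in every round; a process that started or exited
    between the two views in a single round is a race, not a rootkit."""
    rounds = list(rounds)
    if not rounds:
        return []
    hits = set(rounds[0])
    for r in rounds[1:]:
        hits &= set(r)
    return sorted(hits)


def read_pid_max(path=PID_MAX_PATH):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PID_MAX


def scan(rounds=2, proc=PROC):
    """Run the cross-view check `rounds` times and report consistently hidden PIDs.
    Probing up to pid_max (often 4194304) takes a few seconds per round."""
    max_pid = read_pid_max()
    return intersect_rounds(
        hidden_pids(listed_pids(proc), probed_pids(max_pid, proc))
        for _ in range(rounds)
    )


def demo_constructed():
    """Constructed data standing in for a hooked /proc: the listing omits PID 1337,
    but the direct probe still finds it. Returns the PIDs the check would flag."""
    listing_as_hooked = {1, 2, 412, 1024, 2048}
    direct_probe = {1, 2, 412, 1024, 1337, 2048}
    round_one = hidden_pids(listing_as_hooked, direct_probe)
    round_two = hidden_pids(listing_as_hooked, direct_probe | {9999})  # 9999: transient
    return intersect_rounds([round_one, round_two])


if __name__ == "__main__":
    print("constructed demo flags:", demo_constructed())
    if os.path.isdir(PROC):
        print("live scan flags:", scan())
```

On a clean host the live scan returns an empty list. A non-empty result is not proof of a rootkit (a PID namespace boundary or a process that exits mid-scan can also produce one), so treat any hit as a lead to confirm with a second, independent tool or with offline inspection of the disk, which is where the hosts' "wipe and reinstall from backup" advice comes in.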
