Dec 3, 2006
Rootkits

Hello people. Weird guy feels bored today!!! Here's some information about Rootkits.

A rootkit is a suite of tools used to covertly implement an administrative-level backdoor into a compromised system. Contrary to popular belief, it is not used to gain administrative-level access. Rootkits assume root-level access has already been achieved through a buffer overflow, a programming weakness, or some other attack. Rootkits typically include four basic elements:

1. A packet sniffing program for monitoring network traffic
2. Trojan backdoor programs for gaining future remote access
3. Trojan versions of system binaries and a utility to alter the time stamps of the replaced binaries
4. Log scrubbers for hiding the compromise

There is a large variety of rootkits available. Three examples follow that illustrate different rootkit classifications and methodologies:

T0rnkit illustrates a traditional UNIX rootkit. T0rnkit is commonly available and was used in a variant of the UNIX Lion worm. It stops syslogd (the system logging daemon) and scrubs log files using mjy. It also replaces several operating-system-level executables, including du, find, ifconfig, in.telnetd, in.fingerd, login, ls, netstat, ps, pstree and top. It may also replace nscd (the name server cache daemon) with a Trojan horse sshd daemon that listens for remote connections on TCP port 47017 (default).
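Because T0rnkit both swaps system binaries and fixes up their time stamps, a defender cannot rely on ls -l to spot the swap; a hash baseline taken from a clean install catches it. The script below is an added example, not code from the original post; the paths in WATCHED are assumed Linux locations for the binaries the post names, and demo() builds a constructed scenario in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Binaries the post says T0rnkit replaces; /bin, /usr/bin and /sbin are assumed locations.
WATCHED = [f"/bin/{b}" for b in ("du", "login", "ls", "netstat", "ps")] + \
          [f"/usr/bin/{b}" for b in ("find", "pstree", "top")] + ["/sbin/ifconfig"]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths) -> dict:
    """Hash and stamp each existing file; keep the result somewhere the host cannot alter it."""
    return {str(p): {"sha256": sha256_of(p), "mtime_ns": p.stat().st_mtime_ns}
            for p in map(Path, paths) if p.is_file()}

def check_baseline(baseline: dict) -> list:
    """Return (path, reason) findings. A hash mismatch is reported even when the
    time stamp still matches, since rootkits put time stamps back after swapping binaries."""
    findings = []
    for path_str, rec in baseline.items():
        p = Path(path_str)
        if not p.is_file():
            findings.append((path_str, "missing"))
        elif sha256_of(p) != rec["sha256"]:
            note = " (mtime unchanged: timestamp restored?)" if p.stat().st_mtime_ns == rec["mtime_ns"] else ""
            findings.append((path_str, "content changed" + note))
    return findings

def demo() -> list:
    """Constructed scenario: a fake 'ps' is swapped for a trojan copy and its mtime put back."""
    tmp = Path(tempfile.mkdtemp())
    try:
        ls, ps = tmp / "ls", tmp / "ps"
        ls.write_bytes(b"#!/bin/sh\necho genuine ls\n")
        ps.write_bytes(b"#!/bin/sh\necho genuine ps\n")
        baseline = build_baseline([ls, ps])
        old = ps.stat()
        ps.write_bytes(b"#!/bin/sh\necho trojaned ps\n")
        os.utime(ps, ns=(old.st_atime_ns, old.st_mtime_ns))  # mimic the time-stamp fix-up
        return check_baseline(baseline)
    finally:
        shutil.rmtree(tmp)
```

demo() returns a single finding for "ps" flagged as changed with its mtime intact, which is exactly the case a time-stamp-only check would miss. On a real host, run build_baseline(WATCHED) on a known-clean system and store the result off-box before comparing.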

Adore is an example of a loadable kernel module, or LKM, UNIX rootkit. LKM rootkits are more difficult to identify because they function at the kernel level, intercepting and altering system calls. Although possible on most UNIX variants that implement LKMs, this classification of rootkit is most commonly found on Linux.

Slanret is an example of a Win32 "kernel mode" rootkit. Although less common than UNIX-based rootkits, Win32 rootkits are growing in popularity. This type of rootkit is more sophisticated than the typical SubSeven or BO2K type of backdoors commonly seen today. The difference is the level at which these kernel mode Trojans operate. SubSeven and BO2K, mentioned in the "Trojan Horse Programs" section, run at an application level and are therefore easy to identify. Slanret hides as a device driver, provides remote access by listening on an unused TCP port, and conceals itself from casual detection.

That's all for today. Have a nice day.


Posted at 10:34 am by weird_guy29
