Speaker 1: Brought to you by the reinvented 2012 Camry. It's ready. Are you? Get in touch with technology with TechStuff from HowStuffWorks.com. Hello again, everyone, and welcome to TechStuff. My name is Chris Pollette. I'm an editor at HowStuffWorks.com. And as usual, the person sitting across from me at this table while we do this thing is senior writer Jonathan Strickland. The world isn't run by weapons anymore, or energy or money. It's run by little ones and zeros, little bits of data. It's all just electrons. Today, we're going to start off with a little Facebook feedback. This comes from JB, and JB says, "Hey, guys, I just heard you mention something called a rootkit or something like that on the back end of your podcast on piracy. I'd really love to hear all about all the nasty little digital bacteria and viri floating around on the web, percolating in the minds of hackers like the mouth of a Komodo dragon. Thanks for the greatly entertaining and interesting podcast. Cheers and happy holidays." Wow, that's a greatly entertaining... Yeah.
Speaker 1: I have to point out, JB, um, Komodo dragons' mouths actually don't percolate. I heard they're cleaner than humans' mouths. I'm sorry, I think you have another animal. I'm pretty sure if a Komodo dragon bites me, the bacteria would be worse than your general human. I'm not saying that there aren't humans out there who could give a Komodo dragon a run for the money in the bacteria department. But how about we get this back on track? Okay, so we're gonna talk about rootkits now. We've already talked about various kinds of worms and viruses in previous episodes, but we never really got into rootkits. Um, and, uh, it's interesting because a rootkit on its own, by itself, I mean, really, you could say this about just about anything, right? But it's just a tool. It's not necessarily malicious. It doesn't have to be malicious, but I think it's probably more often than not used as a tool to take control of a computer or infect it so thoroughly with some kind of malware that it is virtually, if not completely, undetectable.
Speaker 1: Right, let's, let's try and break this down a bit. So rootkit, if you want to be perfectly technical about the definition: a rootkit on its own does not take control of a computer. No, what it does is it allows you to maintain control over a computer you've already compromised, but you do it in a way that gets shielded from the victim's computer. Well, not the original... the first rootkits weren't necessarily that great at shielding themselves. But, well, we can get into that. I mean, just... but yeah, keep going. Okay. So, so rooting is kind of going back to Unix terminology. Yeah, I mean, hackers of all stripes, good and bad, uh, frequently refer to the root user, the person who has all the administrative rights to the machine. Right, the fewest, the fewest restrictions are placed upon the root user. So fear me, for I am root. Yeah. You can think of, you can think of different, um, uh, levels of user. You know, you've got your general user. You've got your administrator, who usually has greater access than, you know, your regular user.
Speaker 1: And then you've got the root user, which is usually like a system administrator, who might even be able to access things that the administrator can't access. One of my friends, purposefully with this in mind, named his computer "all evil." Oh, it's the root of all evil. Yes, got you. I thought that was the love of money. But at any rate, it's apparently this person, and his... watch out. Um, so yeah, it's, it's, uh... To root a computer is to get that level of access. And you can even do that, not just by, you know, stealing a password or hacking a password or whatever. You can infect a system-level operation and get system-level access to a machine. Now, system-level access and root access are more or less the same thing, but there are hackers who will tell you system-level access is the way to go, because this is where there are practically no restrictions whatsoever, and you can do anything to the core of that machine that you want.
Speaker 1: That's really the goal of the rootkits: to get control of the core of the machine and then to hold onto that as long as possible. And while the early rootkits didn't necessarily shield, uh, the invasion from prying eyes so that the victim would remain unaware, since then that's pretty much the way to go, because if you want to have, if you want to maintain control, it's best if the victim never even knows that they are a victim. Right. In doing some research, I consulted one of my favorite, uh, tech research sites, TechTarget, um, and the first rootkits started showing up on networks in the early... um, and at that point we weren't talking about, you know, rooting Windows or Mac machines. They were looking at Sun and Linux-based operating systems. Um, but now, of course, um, things have changed somewhat and you could find rootkits for pretty much every operating system. Um, I've never really heard of one for Mac OS, but with its roots in BSD, I wouldn't be a bit surprised. I did come across one while I was researching. So, I mean, the concept itself is platform agnostic.
Speaker 1: It doesn't matter what platform we're talking about; we're talking about ways to break into a system and get that level of access, that deep level of access. And when you're really talking about things like the... you're talking about things that are integral to the way the computer operates, and in a way, it's gonna be really difficult to ever prevent rootkits from happening, or rooting a computer from happening, um, just because as long as you understand how the computer works, you have to be able to get to that core of the computer. I mean, if you weren't, then these applications that you build on top of the computer would never work, because they have to refer back to the core to get things like instructions and, um... We can talk a little bit about the sort of stuff that the core does. When I'm talking about the core, I'm really talking about the kernel of the operating system. Yeah, or talking the very... I mean, the kernel. If you think about a kernel of corn or a seed.
Speaker 1: That's really what we're talking about, is the core of the operating... It's really a foundation that everything else is built upon. So this is kind of getting to the point of an operating system that interacts with the hardware on a machine. So this is the layer of programming, of coding, that allows the hardware and the software to work with one another. Without this, the hardware wouldn't be able to... the software wouldn't be able to interact with the hardware at all. It would just be, you know, gobbledygook. So the sort of stuff that the kernel does, um, it's in charge of process management. So we've talked a little bit about clock cycles. If you use working clock cycles, they have a certain number of clock cycles per second. Well, something has to assign those cycles to the various applications that are running on that machine. That's the kernel's job. And kernel, by the way, we're spelling it K-E-R-N-E-L. We're not talking about Mr. Sanders. So, you know, it's gonna say, you know, if the kernel does a good enough job at it, it could receive a promotion.
Speaker 1: Yeah. And otherwise, it's just finger-lickin' good. Yes. But then you end up with the possibility of a general fault, in which case that's a major disaster. But I think that's better kept private. Uh, ouch. So anyway, we're gonna leave behind the horrible military puns, military computing puns, which is... anyway. So you've got the process management, where the kernel is deciding which processes are getting how many clock cycles per second. Um, then you also have things like file access. The kernel's in charge of, ultimately, how programs access files and how the files are organized, and it has to provide sort of a consistent logical interface for file systems. It's also in charge of security to some point. It's in charge of administering permission between the processes and memory allocation, so it's also in charge of memory, um. With these elements, if you fiddle with these elements at all, then you can create an environment where you can run secret processes and it doesn't appear to the user at all.
Speaker 1: Yeah, I think it would be safe to say, I mean, based on my understanding of this, that we're talking about stuff that's sort of in between the operating system, almost like the layer of the operating system that you see, and the computer itself. So it's basically buried under anything that you're going to be able to see visually. You can't go in there and go, wait a minute, what's that program? Um, we may be talking about a deeper level than that. Yeah. Now, I mean, I was reading up on it at Computerworld, and Paul Roberts said that for early rootkits, what you would be able to do is look at the way the computer is using memory, um, whether there are any communications going on back and forth between the computer and a network of, you know, whatever kind, um. Basically those are clues to tell you that something is going on. If you can't attribute those processes to something that is already running on that machine, there may be a rootkit installed.
Speaker 1: And that's one way that, for earlier rootkits, um, you would be able to tell that something strange was going on. Right. Yeah, these levels of rootkits we would probably call user level. Yeah, so your user-level rootkit is existing on top of the operating system. It's actually kind of running like an additional application, right? Like, so you might be running maybe three applications on your computer, and this would be a fourth mysterious application, um, where if you were careful enough and looked around, you would be able to see evidence of it running, and therefore you would know that possibly something was wrong. So user-level, um, rootkits are not the most, um, secure for the hacker. Right, there's a chance the hacker will be found out, or at least the hacker's work will be found out. Right, and of course he or she, whomever it was that put it in place, you know, the point is to keep it on there as long as possible. So they got more ingenious with ways to hide it on the machine.
Speaker 1: And then we're getting into kernel-level rootkits, and these are the nasty ones. This is insidious stuff here, because you're talking about messing with the very core of the computer. And it's kind of like, if you could imagine someone being able to invade your mind and change your way of thinking in such a way that you couldn't tell that there was someone messing with you. I mean, it's that kind of level of sneakiness. Yeah. Roberts's article said that the more modern kernel-level rootkits can basically go in and erase their tracks. They shut down any sign of whatever it is that they're doing in there. They can encrypt communication between the computer and the network so that even if you could tell what's going on, you couldn't... you can't tell what's going on. Right. Yeah, it'll do stuff like, essentially, it'll fiddle with the memory so that it looks like it's not using any memory. It'll fiddle with, um, the kernel's ability to manage processes so it looks like there are no additional processes running.
Speaker 1: It's when you're, again, when you have access to that level of the operating system, you can really manipulate it in such a way that no one can tell that there's something hinky going on. And that encryption is a really tricky part too, because there are files associated with these rootkits. I mean, the way this works is the hacker first has to get access to your machine, right? And either they're going to do that by using social engineering and fooling you into revealing your password, or they're going to... they're going to brute force it, where they just guess the password until it works. Once they have access to your machine and they install these files, they have to have it disguised in such a way so that you don't just uncover it immediately and say, oh, well, here's the problem. There are these files on my machine that don't belong here. By encrypting it, they've given it kind of a disguise.
Speaker 1: And they've also been known to layer traffic on traffic from another legitimate program going through an open port that is available for that program to access. So basically any communication is hidden along with... sort of like putting something in the prison mail, or in the laundry, to smuggle it outside. It's hiding it in something else that's legitimately supposed to be there, and that makes it extremely hard to detect. Yeah, and you may wonder, like, well, how can you get kernel access to, you know? But one of the ways is, um, using device drivers. Device drivers, yes, because these device drivers, this is what allows, again, your computer to interact with devices that you hook up to it. So like a printer driver, for example, um, you can infect a... or you can create a device driver that is actually a rootkit. And by the very nature of the drivers, they have to have access to the kernel in order for them to work.
Speaker 1: So your computer just says, oh, well, this is a legitimate, you know, piece of code here that I need to incorporate, and in reality, it's this rootkit that's hiding the activity of the hacker. Um, we haven't really... I'm sorry, you were about to say something. Go ahead. But we haven't really talked about why anyone would install a rootkit. Um, there are a lot of different reasons that hackers might want to do it. One is if a hacker is, is essentially a spam farm. If a hacker is making money by sending spam out to various recipients, they don't want to send spam out from their own machine, because if you do that, then you can be tracked down and caught. Now, we talked about, and there's another reason too, we talked about this on a podcast a long time ago, um, distributed computing. Using distributed computing to spread out processors, or spread out a task among multiple processors. Now, there's only so much one computer could do.
Speaker 1: Now, the hacker could buy a lot of computers and have them all send out spam, or they could write a piece of software that other people could put on their computers, either willingly or, if you can manage it, unwillingly, very sneakily. Um, and, uh, you know, have all these people do it for you. Um, and that's the tricky part. But that's one of the reasons why they would do it: to spread out that work over multiple computers without having to fork over the money for lots of computers. It also makes you more detectable if all the traffic is coming from you. Yeah, so, uh, yeah, you can create an exploit to give you the access to the computer. And that exploit is, that's kind of like kicking the door in. The rootkit part is like, uh, setting it all up so it looks like the door was never kicked in. You've erased, you know, you've removed all your fingerprints, but you're still hiding in the house. Um, it also allows you to do things like spy on the person's machine, or all the traffic that goes through that machine.
Speaker 1: If it's the case of, like, a web server, that's true. They could be looking at your passwords, they could be recording your keystrokes. They could be packet sniffing to find out what kind of data you are sending across networks. Yeah, so that's of course a very dangerous thing if it's, uh, if it's a machine that's in charge of passing along secure data, like, you know, any kind of government machine or even a corporate machine, even personal machines, really. I mean, when you get down to it, you don't want some unknown party to have access to all your information. Now, should we mention a particular rootkit? Are you thinking Stuxnet? I wasn't thinking Stuxnet. But actually, I didn't know that Stuxnet was a rootkit. I heard it referred to as something else. There's a rootkit element to it, but refer to yours and then I'll talk about Stuxnet, um. Okay. Well, the one I was going to talk about is XCP, um. This is something that actually, I think this is the one that we were referring to before.
Speaker 1: It's the one that security expert Mark Russinovich of Sysinternals found. He had popped a Sony Music CD into his computer and, uh, now the memory's coming back, yes, and it had a piece of copy protection. Again, you know, this is not something where Sony was trying to hack on into people's computers. But, uh, that's effectively what they did. You know, it wasn't their intent. Yeah, they weren't trying to do anything nefarious, unless you consider protecting their intellectual... what they considered their intellectual property as nefarious, and some people do. Um, but, uh, basically what he discovered, you know, being a security expert, he knew what he was looking for in terms of this. He discovered this rootkit had been installed by a music CD. Now, there were dozens of CDs that Sony released with this, um, including Celine Dion discs, Neil Diamond, um, all kinds of other people. Uh, you just described half my music collection. Ricky Martin, there's the other. I was looking for great big names, but labels like Epic, Columbia, um, Epic Legacy, Columbia Legacy, and there were lots more.
Speaker 1: I just got that list actually from the EFF, the Electronic Frontier Foundation. Yes, that's only a partial list. Um, so yeah, I mean, they had basically... there were telltale signs in the outside packaging. It says, uh, this is compatible with these different computers. Um, you know, why would a music CD need to have that on there? Well, it turns out the rootkit is compatible with that. Now, if you play this on a Mac running Mac OS X, you can see the rootkit file. But the rootkit file does not work on a Mac. It's engineered for Windows PCs. That's a good point. Yeah. Rootkits tend to work with specific operating systems or specific families of operating systems. When you hear about Windows rootkits, usually they will only work on certain, like, you know, like Windows XP and a few other versions of Windows. But it won't work on all of them, because not all of them are based on that same, uh, that same code. Yeah, but in this case, Sony was basically trying to get access to the user's computer to protect the copies from being made of the music.
Now it 340 00:19:20,320 --> 00:19:24,119 Speaker 1: could actually sniff what stuff like what sites you visited 341 00:19:24,200 --> 00:19:26,600 Speaker 1: and how you and what kind of files you were sending. 342 00:19:26,640 --> 00:19:29,320 Speaker 1: So if you were theoretically trying to share the music 343 00:19:29,359 --> 00:19:32,600 Speaker 1: across the network, it could detect that. People had a 344 00:19:32,600 --> 00:19:34,840 Speaker 1: problem with this. Yes, lots of people had a big 345 00:19:34,840 --> 00:19:37,640 Speaker 1: problem with this, and corporate sponsored rootkits are not 346 00:19:37,680 --> 00:19:42,159 Speaker 1: good. Sony, uh, I think was was pretty embarrassed by 347 00:19:42,160 --> 00:19:46,320 Speaker 1: the whole thing. They eventually, uh, you know, discontinued this practice. 348 00:19:46,680 --> 00:19:49,439 Speaker 1: They did apologize for it as well. Yeah, yeah, it was. 349 00:19:49,560 --> 00:19:52,280 Speaker 1: It was a pretty, uh, pretty serious deal there for 350 00:19:52,320 --> 00:19:55,600 Speaker 1: a little while, and I think it's safe to say that, 351 00:19:56,320 --> 00:20:02,320 Speaker 1: you know, people were wary of doing things that way. Now, um, 352 00:20:02,760 --> 00:20:04,560 Speaker 1: I totally lost my train of thought. Well, I can 353 00:20:04,560 --> 00:20:06,560 Speaker 1: pick it up with Stuxnet if you like. Yeah, 354 00:20:06,600 --> 00:20:08,520 Speaker 1: I mean it's it's but it just seems to me 355 00:20:08,640 --> 00:20:11,040 Speaker 1: kind of heavy handed that they would have gone to 356 00:20:11,160 --> 00:20:13,960 Speaker 1: that much trouble to to do to install that level. 357 00:20:14,000 --> 00:20:16,439 Speaker 1: It was. It was definitely going above and beyond the 358 00:20:16,440 --> 00:20:21,760 Speaker 1: call of duty to protect your music. Yeah, so Stux 359 00:20:21,800 --> 00:20:24,320 Speaker 1: net is this, uh.
I remember what I was gonna say. 360 00:20:24,680 --> 00:20:26,520 Speaker 1: Go ahead. Oh, if you wanted to do, if you 361 00:20:26,560 --> 00:20:28,760 Speaker 1: wanted to do this, to disable the rootkit, all 362 00:20:28,760 --> 00:20:30,679 Speaker 1: you had to do was turn off autorun, but 363 00:20:30,720 --> 00:20:33,560 Speaker 1: then the CD would not play in your computer. So 364 00:20:33,600 --> 00:20:36,520 Speaker 1: what you ended up having to do was to basically 365 00:20:36,600 --> 00:20:39,520 Speaker 1: to rip the CD and listen to it that way 366 00:20:39,600 --> 00:20:41,760 Speaker 1: to avoid having the rootkit installed. That was the 367 00:20:41,760 --> 00:20:45,120 Speaker 1: part of strip the music from the CD. Well, you're not. 368 00:20:45,240 --> 00:20:47,159 Speaker 1: That's music still on the CD, but you had to 369 00:20:47,160 --> 00:20:49,000 Speaker 1: copy it essentially onto your computer to be able to 370 00:20:49,000 --> 00:20:52,439 Speaker 1: listen to it, which is probably exactly what they were 371 00:20:52,440 --> 00:20:54,600 Speaker 1: trying to prevent you from in the first place. So 372 00:20:54,800 --> 00:20:56,720 Speaker 1: not only did they not prevent people from doing it, 373 00:20:56,760 --> 00:21:00,240 Speaker 1: but they also infected all these computers with a version of 374 00:21:00,240 --> 00:21:04,560 Speaker 1: a rootkit. Fantastic. Stuxnet, yes, which I can finally 375 00:21:04,560 --> 00:21:07,520 Speaker 1: talk about this, um. Now, Stuxnet is a pretty 376 00:21:07,640 --> 00:21:11,800 Speaker 1: nasty, uh, thing that's going around, a malware that's going around. 377 00:21:12,080 --> 00:21:14,080 Speaker 1: This is pretty current as of when we're recording this. 378 00:21:14,200 --> 00:21:16,040 Speaker 1: It it just sort of popped out in the, I 379 00:21:16,040 --> 00:21:21,160 Speaker 1: would say, fall and it, uh.
It targets Windows systems 380 00:21:21,200 --> 00:21:25,399 Speaker 1: and it's looking for industrial control systems, and not just 381 00:21:25,480 --> 00:21:30,520 Speaker 1: any industrial control systems. Yeah, there's a lot of 382 00:21:30,520 --> 00:21:33,159 Speaker 1: people refer to them as SCADA systems, S C A 383 00:21:33,240 --> 00:21:37,360 Speaker 1: D A, which really, that's not that's not entirely accurate, 384 00:21:37,480 --> 00:21:40,720 Speaker 1: but it's fair enough to call it that. We're 385 00:21:40,720 --> 00:21:45,080 Speaker 1: talking about programmable logic controllers, um, that are those 386 00:21:45,119 --> 00:21:49,720 Speaker 1: are like computers essentially that can be programmed from 387 00:21:49,760 --> 00:21:55,120 Speaker 1: a Windows system and they are running industrial processes. So 388 00:21:55,440 --> 00:21:57,800 Speaker 1: this is the sort of stuff you might find in 389 00:21:58,080 --> 00:22:02,240 Speaker 1: a plant or a factory, or like a massive utility 390 00:22:02,440 --> 00:22:06,160 Speaker 1: might have these kinds of machines in them. Yes, so 391 00:22:06,280 --> 00:22:08,400 Speaker 1: you might think, well, why would you want to infect these? Well, 392 00:22:08,640 --> 00:22:11,720 Speaker 1: theoretically you could infect them and then cause the machinery 393 00:22:11,800 --> 00:22:13,600 Speaker 1: to behave in such a way that it would destroy 394 00:22:13,640 --> 00:22:17,840 Speaker 1: itself or it'd cause damage to, uh, an entire area. 395 00:22:18,000 --> 00:22:21,080 Speaker 1: You could, you know, shut off a region's water supply, bring 396 00:22:21,160 --> 00:22:25,240 Speaker 1: down a power grid.
You could cause, you could theoretically, 397 00:22:25,320 --> 00:22:28,200 Speaker 1: if you set machines to a particular setting, you could 398 00:22:28,200 --> 00:22:33,480 Speaker 1: cause, um, a factory to catch fire or a nuclear 399 00:22:33,520 --> 00:22:36,399 Speaker 1: power plant to, you know, that could, you could have 400 00:22:36,440 --> 00:22:39,800 Speaker 1: a little meltdown. You could, um, you could turn off 401 00:22:39,960 --> 00:22:45,000 Speaker 1: the the safety valves on various devices so that people 402 00:22:45,000 --> 00:22:47,239 Speaker 1: would not detect when there was a failure, and then 403 00:22:47,280 --> 00:22:50,400 Speaker 1: you could cause a failure to happen. It's scary stuff. 404 00:22:51,080 --> 00:22:54,520 Speaker 1: And uh, and part of the Stuxnet attack involves 405 00:22:54,680 --> 00:22:57,040 Speaker 1: installing rootkits on systems because, of course, if you 406 00:22:57,080 --> 00:23:00,600 Speaker 1: don't install the rootkit, then people, security experts, can 407 00:23:00,640 --> 00:23:03,000 Speaker 1: find out that this is going on and then address 408 00:23:03,040 --> 00:23:07,040 Speaker 1: it and try to to remove the malware from the 409 00:23:07,119 --> 00:23:11,919 Speaker 1: various systems. Rootkits help make that a more difficult task. 410 00:23:12,640 --> 00:23:15,520 Speaker 1: It's not necessarily impossible to discover that there's a root 411 00:23:15,600 --> 00:23:18,280 Speaker 1: kit on your system, but if if the hacker has 412 00:23:18,560 --> 00:23:20,480 Speaker 1: done a good job, if the rootkit they're using 413 00:23:20,560 --> 00:23:25,480 Speaker 1: is particularly, um, robust, it can be really, really challenging. 414 00:23:26,480 --> 00:23:28,119 Speaker 1: And again, we're talking about, the reason for that is 415 00:23:28,160 --> 00:23:31,000 Speaker 1: because you go into that core of the computer.
When 416 00:23:31,040 --> 00:23:32,760 Speaker 1: you're messing with the core, you can just, you know, 417 00:23:32,800 --> 00:23:36,040 Speaker 1: the computer's like, malware? What malware? In fact, that's that's 418 00:23:36,119 --> 00:23:39,800 Speaker 1: a lot of these elements are built into various viruses 419 00:23:39,840 --> 00:23:43,479 Speaker 1: and worms now as well, where on the initial attack, 420 00:23:43,560 --> 00:23:48,080 Speaker 1: you can't, when you run your antivirus software, the 421 00:23:48,200 --> 00:23:50,879 Speaker 1: virus or worm may have in it as part of 422 00:23:50,880 --> 00:23:54,080 Speaker 1: it a rootkit element so that it evades that 423 00:23:54,160 --> 00:23:58,000 Speaker 1: antivirus software. The people who write rootkits know 424 00:23:58,040 --> 00:24:00,639 Speaker 1: what they're doing. Yeah, these, it's not the work of 425 00:24:00,640 --> 00:24:03,600 Speaker 1: script kiddies. No, no, no, no. Script kiddies might use 426 00:24:03,600 --> 00:24:05,879 Speaker 1: a rootkit after it's been made, but they're not 427 00:24:05,920 --> 00:24:09,200 Speaker 1: the ones building it. No. And something like like Stuxnet, 428 00:24:09,520 --> 00:24:12,480 Speaker 1: you know, a lot of people were a little nervous 429 00:24:12,520 --> 00:24:16,960 Speaker 1: when they saw what it was and how how it 430 00:24:17,040 --> 00:24:20,640 Speaker 1: could cause some serious damage, because people started wondering what 431 00:24:20,760 --> 00:24:23,680 Speaker 1: was behind it. As far as I know, nobody still 432 00:24:23,720 --> 00:24:29,280 Speaker 1: knows exactly who is behind that particular, um, yeah, you know, 433 00:24:29,720 --> 00:24:32,200 Speaker 1: or when the trigger could be pulled on something like that. 434 00:24:32,840 --> 00:24:36,560 Speaker 1: It is pretty terrifying. Uh.
Other things that hackers may 435 00:24:36,600 --> 00:24:39,880 Speaker 1: do with these, um, devices that they've put a root 436 00:24:39,960 --> 00:24:43,800 Speaker 1: kit on include the distributed denial of service attacks, which 437 00:24:43,840 --> 00:24:46,439 Speaker 1: we've seen recently with the whole WikiLeaks fallout. We 438 00:24:46,520 --> 00:24:49,120 Speaker 1: talked about that recently, where you would put a root 439 00:24:49,200 --> 00:24:51,640 Speaker 1: kit in so that the victim would not know that 440 00:24:51,720 --> 00:24:54,960 Speaker 1: his or her computer was being used to direct attacks 441 00:24:55,000 --> 00:24:59,120 Speaker 1: against other machines on the Internet. And these attacks sometimes 442 00:24:59,160 --> 00:25:02,359 Speaker 1: just take the form of sending millions and millions of 443 00:25:02,400 --> 00:25:08,239 Speaker 1: messages, uh, like information requests to a server, often with 444 00:25:08,400 --> 00:25:11,480 Speaker 1: a spoofed address, so that the server's trying to respond 445 00:25:11,520 --> 00:25:15,240 Speaker 1: to, um, an address that doesn't actually exist, and you 446 00:25:15,320 --> 00:25:17,719 Speaker 1: just overwhelm the server. Or you may even have it 447 00:25:17,760 --> 00:25:22,119 Speaker 1: where you crash it by sending responses to that server 448 00:25:22,240 --> 00:25:24,880 Speaker 1: as if the server had had sent a ping out 449 00:25:24,960 --> 00:25:27,960 Speaker 1: to the victim's computer, so it's like you're answering a 450 00:25:28,040 --> 00:25:30,440 Speaker 1: question that hasn't been asked yet, and that can also 451 00:25:30,520 --> 00:25:33,399 Speaker 1: overwhelm the server. Those are just two very simple versions 452 00:25:33,400 --> 00:25:36,560 Speaker 1: of denial of service attacks, and a distributed denial of 453 00:25:36,600 --> 00:25:38,720 Speaker 1: service attack is when you're using an entire botnet to 454 00:25:38,800 --> 00:25:43,359 Speaker 1: do it.
Yeah, whole whole basically a series of computers 455 00:25:43,640 --> 00:25:45,879 Speaker 1: that is under the control of, uh, you know, the 456 00:25:45,960 --> 00:25:48,960 Speaker 1: function is robots, that's why they call it. But yeah, 457 00:25:48,960 --> 00:25:51,680 Speaker 1: it's it's a whole group of computers under the control 458 00:25:51,760 --> 00:25:56,840 Speaker 1: of, you know, a hacker, hacker organization, um. And yeah, 459 00:25:56,880 --> 00:26:00,240 Speaker 1: I mean, talking about the level of sophistication necessary to this. 460 00:26:00,840 --> 00:26:05,320 Speaker 1: Operating systems of all stripes have vulnerabilities in them, and 461 00:26:05,320 --> 00:26:09,240 Speaker 1: it takes somebody who knows where to, uh, where the 462 00:26:09,320 --> 00:26:13,879 Speaker 1: exploit can function for them and serve them to write 463 00:26:13,920 --> 00:26:18,080 Speaker 1: the the the rootkit or virus or trojan or whatever 464 00:26:18,359 --> 00:26:23,760 Speaker 1: to take advantage of those vulnerabilities. Especially something kernel level, 465 00:26:23,880 --> 00:26:27,399 Speaker 1: it takes a lot of sophistication, but um, they also, 466 00:26:27,520 --> 00:26:30,399 Speaker 1: it also does take, as as Jonathan mentioned earlier, some 467 00:26:30,400 --> 00:26:34,560 Speaker 1: some social engineering, because in a lot, most, I would 468 00:26:34,560 --> 00:26:38,080 Speaker 1: say probably all cases, I say probably, I'm just hedging 469 00:26:38,119 --> 00:26:40,560 Speaker 1: my bets there. But basically they have to convince you 470 00:26:40,600 --> 00:26:44,280 Speaker 1: to install this.
Sony convinced people to install the root 471 00:26:44,359 --> 00:26:46,440 Speaker 1: kit by, when you popped in the CD, I'm, 472 00:26:46,640 --> 00:26:50,080 Speaker 1: you know, and asked you questions, you know. And you know, 473 00:26:50,160 --> 00:26:53,000 Speaker 1: for Mac OS X, people complain about the viruses that 474 00:26:53,040 --> 00:26:56,760 Speaker 1: people discover because, um, they say, well, you know, you 475 00:26:56,800 --> 00:26:59,720 Speaker 1: still have to be convinced to install that. Well, yeah, 476 00:26:59,800 --> 00:27:03,000 Speaker 1: I mean, in these cases, to access that level, if 477 00:27:03,040 --> 00:27:06,679 Speaker 1: you are the administrative user on that computer, something is 478 00:27:06,680 --> 00:27:09,159 Speaker 1: going to ask you if you can install it, and 479 00:27:09,160 --> 00:27:11,480 Speaker 1: it will probably say it's, I don't know, an anti 480 00:27:11,560 --> 00:27:15,640 Speaker 1: virus program or, you know, hey, we're adding some sophisticated 481 00:27:15,680 --> 00:27:20,399 Speaker 1: stuff so you can enjoy this media content even more richly. 482 00:27:20,600 --> 00:27:23,320 Speaker 1: Wouldn't you like to have that? And okay, sure. And 483 00:27:23,400 --> 00:27:25,680 Speaker 1: you can even have this happen if you're getting a 484 00:27:25,760 --> 00:27:29,840 Speaker 1: legitimate program. There's there's no, there's no, nothing stopping a 485 00:27:29,920 --> 00:27:33,560 Speaker 1: programmer from building a rootkit in with any kind 486 00:27:33,640 --> 00:27:37,000 Speaker 1: of program at all. I mean, maybe the next 487 00:27:37,119 --> 00:27:39,320 Speaker 1: video game you buy for your computer has a root 488 00:27:39,400 --> 00:27:42,240 Speaker 1: kit in it because one of the programmers decided to 489 00:27:42,280 --> 00:27:45,119 Speaker 1: include it. And uh, and I mean that can happen.
490 00:27:45,480 --> 00:27:49,560 Speaker 1: In fact, you could argue that when we install programs 491 00:27:49,680 --> 00:27:52,800 Speaker 1: on our machines, we're essentially taking it on faith that 492 00:27:52,880 --> 00:27:55,439 Speaker 1: the programs did not put anything in there with the 493 00:27:55,480 --> 00:27:59,080 Speaker 1: intent to take over our machine. That's, it's, and that's 494 00:27:59,119 --> 00:28:00,760 Speaker 1: kind of scary when you think about it. And also 495 00:28:00,960 --> 00:28:04,680 Speaker 1: it's a good reminder that the best way to, um, 496 00:28:04,880 --> 00:28:08,280 Speaker 1: to have to battle rootkits is just to avoid 497 00:28:08,400 --> 00:28:11,920 Speaker 1: getting hit by them. Don't, and don't click on weird links, 498 00:28:12,000 --> 00:28:15,480 Speaker 1: don't open weird attachments from people you don't know. Don't 499 00:28:15,640 --> 00:28:20,520 Speaker 1: run applications that you know you you aren't positive came 500 00:28:20,560 --> 00:28:24,040 Speaker 1: from a legitimate source. Because even though, like I said, 501 00:28:24,760 --> 00:28:27,600 Speaker 1: theoretically a kit could come from a legitimate source, after 502 00:28:27,640 --> 00:28:30,879 Speaker 1: all, the Sony one did, um, the chances are of 503 00:28:30,960 --> 00:28:33,960 Speaker 1: that happening are are lower than if you were just 504 00:28:34,040 --> 00:28:37,280 Speaker 1: running any kind of application you came across in, you know, 505 00:28:37,320 --> 00:28:42,160 Speaker 1: in your worldwide web travels. Um, go ahead, you were saying something. Well, 506 00:28:42,160 --> 00:28:44,760 Speaker 1: I was going to say, typically, in cases like this, 507 00:28:44,840 --> 00:28:48,480 Speaker 1: we've said it's important for you to keep your anti 508 00:28:48,560 --> 00:28:53,600 Speaker 1: virus software up to date.
However, with more modern kernel 509 00:28:53,720 --> 00:28:58,240 Speaker 1: level rootkits, there's probably not a whole lot anti 510 00:28:58,320 --> 00:29:00,360 Speaker 1: virus software is going to be able to do to detect 511 00:29:00,560 --> 00:29:04,120 Speaker 1: it at all. Yeah, because essentially it's the rootkit itself 512 00:29:04,200 --> 00:29:07,280 Speaker 1: is telling the antivirus software, I'm not, I'm not dangerous. Yeah, 513 00:29:07,320 --> 00:29:11,360 Speaker 1: I'm not malware, and the antivirus software is a yoke. Yeah, 514 00:29:11,400 --> 00:29:14,360 Speaker 1: and it's got, the rootkit is installed at such 515 00:29:14,400 --> 00:29:19,040 Speaker 1: a level that the antivirus software really can't, you know, 516 00:29:19,080 --> 00:29:22,760 Speaker 1: it can be fooled. One other interesting thing before we 517 00:29:22,800 --> 00:29:27,160 Speaker 1: wrap up. I learned, um, that multiple rootkits on 518 00:29:27,200 --> 00:29:30,760 Speaker 1: a single machine can cause stability issues. Yeah, so your 519 00:29:30,800 --> 00:29:34,200 Speaker 1: machine could could crash because you've got two different root 520 00:29:34,280 --> 00:29:39,600 Speaker 1: kits attempting to manipulate the kernel of your operating system. 521 00:29:39,680 --> 00:29:43,200 Speaker 1: And that is a bad thing. Um. And that also, 522 00:29:43,320 --> 00:29:46,880 Speaker 1: hackers don't necessarily check to see if the machine they're 523 00:29:46,920 --> 00:29:49,400 Speaker 1: about to infect already has a rootkit on it. Yeah, 524 00:29:49,480 --> 00:29:52,040 Speaker 1: it's just not one of the things they necessarily think 525 00:29:52,040 --> 00:29:54,360 Speaker 1: of when they're doing it.
So if if you happen 526 00:29:54,400 --> 00:29:56,720 Speaker 1: to be kind of click happy and you're clicking lots 527 00:29:56,720 --> 00:29:59,480 Speaker 1: of different applications, and you get two rootkits on 528 00:29:59,520 --> 00:30:01,520 Speaker 1: your machine, you could end up making it just a 529 00:30:02,240 --> 00:30:05,520 Speaker 1: crash happy device. Um. When when we talked about the 530 00:30:05,520 --> 00:30:07,800 Speaker 1: WikiLeaks thing, I talked about, it is possible for 531 00:30:07,880 --> 00:30:10,480 Speaker 1: a single computer to be controlled by both sides of 532 00:30:10,480 --> 00:30:13,640 Speaker 1: a cyber war. That's still technically true, but it does 533 00:30:13,720 --> 00:30:16,600 Speaker 1: create stability issues. So there's a chance that, you know, 534 00:30:16,720 --> 00:30:20,560 Speaker 1: you wouldn't really be launching any attacks with your machine necessarily, 535 00:30:21,320 --> 00:30:23,920 Speaker 1: just because you wouldn't have it active long enough for 536 00:30:23,920 --> 00:30:27,160 Speaker 1: it to do anything. Yeah, and um, there is one 537 00:30:27,160 --> 00:30:29,840 Speaker 1: piece of advice of our typical advice that we can 538 00:30:29,880 --> 00:30:32,440 Speaker 1: offer you. Um, it's still a good idea to back 539 00:30:32,560 --> 00:30:36,840 Speaker 1: up your hard drive. And that's especially important because the 540 00:30:36,920 --> 00:30:41,080 Speaker 1: only way to, technically, to completely wipe a rootkit 541 00:30:41,080 --> 00:30:44,280 Speaker 1: off your hard drive is to completely wipe it off 542 00:30:44,680 --> 00:30:48,280 Speaker 1: and reinstall your operating system. And even then, there are 543 00:30:48,360 --> 00:30:51,280 Speaker 1: some rootkits that have been proven, at least in labs, 544 00:30:52,000 --> 00:30:56,560 Speaker 1: to affect the BIOS, which is even worse.
Yeah, when 545 00:30:56,600 --> 00:31:00,640 Speaker 1: you affect the BIOS, then even when you wipe the 546 00:31:00,680 --> 00:31:04,240 Speaker 1: operating system completely out and reinstall it, it's still there. 547 00:31:04,920 --> 00:31:09,440 Speaker 1: So in an absolute worst case scenario, you would need 548 00:31:09,480 --> 00:31:11,840 Speaker 1: to get a new machine, but that still means back 549 00:31:11,880 --> 00:31:13,760 Speaker 1: up your hard drive because otherwise you wouldn't be able 550 00:31:13,760 --> 00:31:16,320 Speaker 1: to have transferred over to your new machine. Um, there 551 00:31:16,320 --> 00:31:18,600 Speaker 1: are a lot of great cloud based services now to 552 00:31:18,720 --> 00:31:21,360 Speaker 1: where you can back up your your information to the cloud, 553 00:31:21,440 --> 00:31:23,280 Speaker 1: so that way you don't have to worry about, like, 554 00:31:23,280 --> 00:31:27,680 Speaker 1: if your machine is beyond saving, then you can still 555 00:31:27,720 --> 00:31:29,800 Speaker 1: get to that data with a new machine without 556 00:31:29,840 --> 00:31:32,240 Speaker 1: having to hook up an external hard drive or something 557 00:31:32,280 --> 00:31:35,920 Speaker 1: like that. Um, before, before I completely wrap this up, 558 00:31:35,960 --> 00:31:38,040 Speaker 1: I just wanted to mention two books that I used 559 00:31:38,040 --> 00:31:40,160 Speaker 1: while researching this that I think, if you want to 560 00:31:40,280 --> 00:31:43,720 Speaker 1: learn more about rootkits, um, it's written from two 561 00:31:43,840 --> 00:31:47,080 Speaker 1: very different perspectives, these two books. The first is Root 562 00:31:47,160 --> 00:31:51,840 Speaker 1: kits: Subverting the Windows Kernel by Greg Hoglund and James Butler.
563 00:31:52,560 --> 00:31:55,600 Speaker 1: The second was written by a hacker, someone who, someone 564 00:31:55,640 --> 00:31:59,120 Speaker 1: who worked in, um, computer security and now works in 565 00:31:59,560 --> 00:32:05,880 Speaker 1: anti computer forensics. Yeah. Uh, that novel, or that novel, novel, 566 00:32:05,920 --> 00:32:09,400 Speaker 1: it's a book, so tired. The Rootkit Arsenal by 567 00:32:09,520 --> 00:32:14,200 Speaker 1: the Reverend Bill Blunden. That's that's that's his handle. I'm 568 00:32:14,240 --> 00:32:16,360 Speaker 1: actually, Bill Blunden's his name as far as I know, 569 00:32:16,440 --> 00:32:18,520 Speaker 1: but the Reverend, I guess, is a handle that he uses. 570 00:32:19,000 --> 00:32:22,280 Speaker 1: Um and uh, and both of those books have a 571 00:32:22,320 --> 00:32:25,880 Speaker 1: fascinating discussion about what rootkits are, what they are not, 572 00:32:26,800 --> 00:32:30,840 Speaker 1: what they do and, um, and why they would be useful. 573 00:32:31,200 --> 00:32:34,400 Speaker 1: Keep in mind that there are governments that use these, 574 00:32:34,840 --> 00:32:38,800 Speaker 1: there are companies that use these. If your computer is 575 00:32:38,840 --> 00:32:43,200 Speaker 1: ever seized from you and searched by computer forensics experts, 576 00:32:43,960 --> 00:32:46,000 Speaker 1: there's the possibility that when you get it back, it 577 00:32:46,080 --> 00:32:49,760 Speaker 1: has one of these on it. Just sayin'. Behave. 578 00:32:50,360 --> 00:32:54,280 Speaker 1: That's what I'm saying. Okay, it would be nice. Yeah, yeah, 579 00:32:54,440 --> 00:32:56,840 Speaker 1: or at least be aware. If you're not going to behave, 580 00:32:57,200 --> 00:33:01,120 Speaker 1: be aware, but behave, all. And so that wraps this up.
581 00:33:01,160 --> 00:33:03,239 Speaker 1: If you have any suggestions for topics that we can 582 00:33:03,280 --> 00:33:05,440 Speaker 1: address in the future, you can let us know via 583 00:33:05,520 --> 00:33:09,480 Speaker 1: Twitter or Facebook. That handle is TechStuffHSW, 584 00:33:09,680 --> 00:33:13,560 Speaker 1: or you can email us. That address is tech 585 00:33:13,640 --> 00:33:16,160 Speaker 1: stuff at how stuff works dot com. And Chris and 586 00:33:16,240 --> 00:33:20,720 Speaker 1: I will talk to you again really soon. For more 587 00:33:20,760 --> 00:33:23,280 Speaker 1: on this and thousands of other topics, visit how stuff 588 00:33:23,280 --> 00:33:26,120 Speaker 1: works dot com. To learn more about the podcast, click 589 00:33:26,120 --> 00:33:28,480 Speaker 1: on the podcast icon in the upper right corner of 590 00:33:28,480 --> 00:33:32,360 Speaker 1: our homepage. The How Stuff Works iPhone app has arrived. 591 00:33:32,480 --> 00:33:39,920 Speaker 1: Download it today on iTunes. Brought to you by the 592 00:33:39,960 --> 00:33:43,320 Speaker 1: reinvented two thousand twelve camera. It's ready, are you