by vemv 3568 days ago
Is 'backdoor' the correct term if the vulnerability does not originate from Apple?
6 comments

I agree, the terminology Kaspersky Labs is using is incorrect and misleading. The further poster is right that this should be labeled as "rootkit."
No, Kaspersky Labs is using correct terminology.

Some rootkits install a backdoor. Not all rootkits install a backdoor -- some merely conceal themselves and operate locally. The famous Sony Rootkit is one such example of a rootkit which did not add a backdoor.

The defining characteristic of a rootkit is that it conceals its presence from the rest of the system. Backdoor.OSX.Mokes.a doesn't really do this -- it's only a backdoor. Not a rootkit.

Backdoor is a politically loaded term at this point. Backdoors (in privacy-related discourse) are vulnerabilities inserted intentionally by the manufacturer or government with supply-chain cooperation. The claim "Backdoor found in X's product" is roughly equivalent to the claim "Evidence found that X is a collaborator with the surveillance state" to many people, so we might want to be careful about throwing it around when we don't mean that.
At least for me, there is a distinction between a Phone Home capability and a Backdoor.
That is different wording. One can find an OS X backdoor in Microsoft Word, for example. Here the OS X backdoor was found not in OS X but in some other program.
Whether the terminology is technically correct or not, I think it's obvious that it can easily be interpreted in different ways, some of which are incorrect. As such, while it may not be wrong, it is poorly chosen, and may be misleading. A better way to phrase it might have been "A sophisticated backdoor targeting OS X discovered".
> "A sophisticated backdoor targeting OS X discovered"

Unsure how this clears up the rootkit versus backdoor confusion...

It doesn't, it clears up the 'this was put in by Apple' confusion.
Yes, that's exactly what I was trying to address. I should have quoted the first sentence of the parent to make that obvious, since there were a few assertions in that comment.
Calling it a backdoor may be correct, but calling it an "OS X backdoor", particularly with no other context in the title, is not. It's merely clickbait.
Yes, I concluded from the title it's a backdoor in OS X itself (which would be huge news), not merely a backdoor kit running on OS X (which is not really all that notable; it's absolutely no surprise that backdoor kits exist for OS X, and this one is nothing special among them, as it seems).
Let's call it "a window with a shitty lock" instead of a "back door", if it's an unintentional vulnerability. Then we can just use "back door [left open]" to mean something intentional. Or, you know, "key under a rock in the garden" because only certain people know where it is. Actually, I think that's where "Window( with a )S(hitty lock)" 95 first got its name.
rootkit comes from unix, it was a tool helping to restore admin privileges even after the admin found that the host was hacked (that's where the name comes from root = admin on unix). Its goal was to be invisible.

The Sony rootkit was named somewhat incorrectly, because it also tried to hide itself and no other existing malware name fit it.

> rootkit comes from unix, it was a tool helping to restore admin privileges even after the admin found that the host was hacked (that's where the name comes from root = admin on unix). Its goal was to be invisible.

Are you sure? It also commonly referred to such kits being used by hostile parties. I've personally interrupted an attempt at installing the "Hungarian Rootkit" in the 90's. (I put unpatched Red Hat 6 online when Red Hat 7 was out.)

> (that's where the name comes from root = admin on unix)

The fact that you think this is something that bears explaining is interesting in the context of HN. I hope this is based on something you've noticed about recent user trends here. There was a time when someone would be very surprised if a user here didn't already know this.

I see my response was ambiguous. Of course I meant rootkit was always malicious. It was used by an intruder to gain root back after the admin thought he had restored the host after being hacked.

Rootkits are the reason why it is recommended to wipe the whole system after being hacked, because you can't be sure that there wasn't anything installed.

> It also commonly referred to such kits being used by hostile parties.

I suspect that's exactly what he means - a rootkit is deployed by an intruder so that when the admin discovers the host has been compromised and patches the vulnerability, the rootkit, if not addressed, will grant the intruder root capabilities once more.

Right. A "rootkit" was a kit of tools you deploy once you have obtained root (on someone else's server).
I always thought of them as a way to gain root. As in privilege escalation.
Looks to me like your run-of-the-mill malware. A rootkit is typically something that uses OS hooks to hide itself from the list of running processes for instance.
There's a fine line between an "OS X Backdoor" and a "Backdoor in OS X"
Backdoors can be installed after the fact. The vendor putting in a back door is only one way for it to be present.

This would be malware inserting a back door for further exploitation.

If you have previously established that the vulnerability was introduced by a third party, then "backdoor" might be an OK term afterward, after the context has been introduced.

In an example without context (like, a headline), "backdoor" strongly implies that it was built by the vendor. I have to disagree with you and concur with the other commenters saying this was a very misleading choice of words by Kaspersky. They should have just said "malware".

I agree. My first reaction when I read the headline was, I thought Apple had put it there, which I found disturbing seeing as how Apple has publicly spoken out against backdoors. I think a better title would be something like "Sophisticated OS X Backdooring Malware Discovered". That would make it clear that the backdoor is not present in the binaries shipped by Apple.
Same here. Malicious backdoor or rootkit backdoor would have been more appropriate
I make the same association. A door is part of a building, and is put there during construction (initial release) or in owner-planned renovations (software updates).

I've never heard of someone breaking into a building by cutting a hole into a wall to install their own entry door that they have a key to, but that's the scenario this "OS X backdoor" is describing.

I don't know much about security, but I had the impression that a "third-party" developed and installed backdoor is called a rootkit.
Rootkit is more commonly used for something that actively messes with the system to avoid detection for itself and potentially other malware, often by intercepting system calls and removing evidence from the responses.

Malware that just runs some code to provide a backdoor isn't necessarily a rootkit. E.g. if I install a VNC server on your system and turn off the tray icon, it is a backdoor. I could use a rootkit in combination to also hide its files on disk, remove it from process listings, hide its open sockets, ...
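
The concealment described in the comment above (a rootkit filtering what enumeration calls return, so the process disappears from listings) is exactly what cross-view detection looks for. The following is an added example, not code from the thread or from any vendor's report: it builds the process table twice on Linux through independent kernel paths, readdir() of /proc and kill(pid, 0) probing, and reports PIDs present in the second view but missing from the first. Helper names, the PID_MAX_DEFAULT fallback and the /proc/<pid>/status parsing are this example's own choices.

```python
"""Cross-view process enumeration: the classic check for a process-hiding rootkit.

Added example, not from the thread. A rootkit that hooks readdir()/getdents()
to drop its PID from /proc listings usually leaves other kernel paths intact.
Enumerating processes twice, through independent syscalls, and diffing the
two views exposes what one of them removed. Linux only.
"""
import os

# Assumed fallback if /proc/sys/kernel/pid_max cannot be read.
PID_MAX_DEFAULT = 32768


def listed_pids(proc="/proc"):
    """View 1: PIDs visible through directory enumeration of /proc (readdir)."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound for PID probing; falls back to PID_MAX_DEFAULT."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return PID_MAX_DEFAULT


def probed_pids(limit=None):
    """View 2: PIDs that exist according to kill(pid, 0).

    Signal 0 delivers nothing: ESRCH means no such process, while success or
    EPERM both mean the PID exists. POSIX only; on Windows os.kill() would
    actually terminate the target, so refuse to run there.
    """
    if os.name != "posix":
        return set()
    if limit is None:
        limit = pid_max()  # may be ~4M on modern systems: a few seconds in Python
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # ESRCH: not a live PID
        except PermissionError:
            alive.add(pid)      # EPERM: exists, owned by another user
        except OSError:
            continue
        else:
            alive.add(pid)
    return alive


def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if unreadable.

    kill(tid, 0) also succeeds for thread IDs, and readdir of /proc does not
    list non-leader threads, so without this every thread of a multithreaded
    process would look hidden. Tgid != pid identifies such threads.
    """
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        return None
    return None


def diff_views(listed, probed, tgid_lookup):
    """PIDs in the probed view but not in the listed view, minus thread IDs."""
    hidden = []
    for pid in sorted(probed - listed):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread of some process, not a process of its own
        hidden.append(pid)
    return hidden


def hidden_pids(limit=None):
    """Candidates that survive a second pass, which removes the race of
    processes starting or exiting between the two enumerations."""
    listed = listed_pids()
    if not listed:
        raise RuntimeError("/proc not available; cannot build the readdir view")
    candidates = diff_views(listed, probed_pids(limit), tgid_of)
    fresh = listed_pids()
    confirmed = []
    for pid in candidates:
        if pid in fresh:
            continue  # started after the first listing
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # exited before we could confirm
        except PermissionError:
            pass
        confirmed.append(pid)
    return confirmed


def self_check():
    """Sanity check a tool like this runs first: its own PID must be in both views."""
    me = os.getpid()
    return me in listed_pids() and me in probed_pids(limit=me)


if __name__ == "__main__":
    print("self-check:", "ok" if self_check() else "FAILED")
    print("hidden PIDs:", hidden_pids() or "none")
```

Two caveats a practitioner should keep in mind. A /proc mounted with hidepid=1 or 2 hides other users' entries from readdir while kill(pid, 0) still returns EPERM for them, so every foreign process shows up as "hidden"; run the check as root or account for that mount option. And a kernel-level rootkit that unlinks its task from the task list, or hooks both getdents and kill, defeats this particular pair of views, which is why rootkit hunters compare several more (for example stat() of /proc/<pid> against the readdir listing, or /proc/<pid>/task contents).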

A rootkit is a different beast. A backdoor is simply a (covert) way to gain remote access to a system. A rootkit involves being able to elevate user permissions such that you have full control over the computer. Rootkits also typically use such permissions to hide themselves from normal user accounts.

I guess in a way you could see them as related, in that they both are access tools. A backdoor gets you remote access to the system in the first place. A rootkit gets you elevated access after you are in the system.

No, that's wrong.

A rootkit is the thing you install once you have root - not a way to get root initially. It usually gives the attacker a means to access the machine in the future, even if the vulnerability she used is fixed in the future.

Rootkits are designed to hide themselves. They are essentially attacker-installed backdoors.

A backdoor is basically a rootkit that is part of the original software as written by the original developer. The words have different connotations (rootkit is extremely negative, backdoors slightly less).

No, that's wrong. Wikipedia has definitions that match my own knowledge, so I'll link and quote those.

https://en.wikipedia.org/wiki/Rootkit

"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software."

https://en.wikipedia.org/wiki/Backdoor_(computing)

"A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.

A backdoor may take the form of a hidden part of a program,[1] a separate program (e.g. Back Orifice may subvert the system through a rootkit), or may be a hardware feature.[2] Although normally surreptitiously installed, in some cases backdoors are deliberate and widely known. These kinds of backdoors might have "legitimate" uses such as providing the manufacturer with a way to restore user passwords."

No, that is really wrong. Rootkits aren't for privilege escalation, see the paragraph immediately following your quote:

"... an attacker can install it once they've obtained root or Administrator access."

Calling BO a backdoor is a major corruption of the word, as you lose the only word for describing intentionally weakened security, so that you may describe a thing which already has several more explicitly defining names: malware, trojan, dropper, etc.

There are too many "No, that's wrong"s here for a bunch of people that aren't getting this quite correct. You do not need root access to install a rootkit, you simply need to exploit a security flaw that allows you to install, run, and avoid detection. This is most easily done by modifying the host to disable its ability to even find you on the device. This is much more difficult on modern systems, so for most modern systems, they're installed as trojans using the privilege escalation of another application or install.

The connotation difference is the difference between getting hit with a 10mm and a 9mm. Negligible, as it's leaving a hole that you really don't want there.

http://www.sqasolar.org.uk/solar/material/IS01CGCD/page_19.h...

A rootkit can implement backdoor functionality, but not all rootkits are backdoors, and not all backdoors are rootkits.

No, it refers to different things. Back-door is a technique or practice and a rootkit is a type of malware. Rootkits often (but not always) install backdoors.
BackOriface was called a "backdoor" back in the day, so I think the term is fine.
* BackOrifice
I don't like the use of backdoor for malicious cracks, as it confuses the argument between malware and bad security practices. Though technically, backdoor is the correct term.
Cracks are for defeating copy protection, so this comment is all kinds of problematic!
Backdoor is probably the correct term, I guess we just got used to vendor placed backdoors.

Although I also assumed at first that it was vendor placed, even though I was familiar with backdoors from the past (Back Orifice, Sub7 etc)

Then maybe we need a more defined term? Something like 1st-party backdoor vs 3rd-party backdoor?
Perhaps some would enjoy some related humor while we're on the topic of backdoors:

https://www.youtube.com/watch?v=cuYQ4qUEfEI