PrepAway - Latest Free Exam Questions & Answers

Which of the following has MOST likely been installed on the server?

During a server audit, a security administrator does not notice abnormal activity. However, a
network security analyst notices connections to unauthorized ports from outside the corporate
network. Using specialized tools, the network security analyst also notices hidden processes
running. Which of the following has MOST likely been installed on the server?


A. SPIM

B. Backdoor

C. Logic bomb

D. Rootkit

Explanation:
A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or
computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is
installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer
and, possibly, other machines on the network.
A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a
“backdoor” into the system for the hacker’s use; alter log files; attack other machines on the
network; and alter existing system tools to escape detection.
The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun
and Linux operating systems were the primary targets for a hacker looking to install a rootkit.
Today, rootkits are available for a number of operating systems, including Windows, and are
increasingly difficult to detect on any network.

