What is a Rootkit, and how does it work Jonathan Barella
Rootkits
Jonathan Barella, Chad Petersen

Overview
• What are rootkits
• How do rootkits work
• How to detect rootkits
• How to remove rootkits
What is a Rootkit, and how does it work
Jonathan Barella
What are rootkits?
• A rootkit is a small, sophisticated piece of support software that can enable malicious software to run on the compromised computer
• Commonly associated with spies because of the common goals they share
• Used in almost every modern piece of malware in the wild today
What are rootkits?
• Broadly defined by Symantec as “any software that acquires and maintains privileged access to the Operating System (OS) while hiding its presence by subverting normal OS behavior”
• Designed with three main objectives
  • Run
  • Hide
  • Act
How do rootkits work? Subverting Normal OS Behavior
• Vulnerabilities
  • Operating System
  • Applications
• Exploits
  • Java
  • HTML/Scripting
• Social Engineering
  • Spam
  • Downloading
  • Installation
How do rootkits work? Hooking Operating System APIs
How do rootkits work? Hiding in Unused Space on the Compromised System
How do rootkits work? Infect the Master Boot Record (MBR)
How do rootkits work? This is the ultimate goal: to be hidden from the system's view.
Finding And Removing Rootkits
Chad Petersen
Detection Methods
• Behavioral
• Integrity
• Signature
• Difference

Behavioral Detection
• Pros
  • Can detect unknown rootkits
• Cons
  • Requires “normal” history
  • Not easy to use
  • False positives
Integrity Detection
• Pros
  • Know what files change
  • When files change
  • What changes files
• Cons
  • Requires many updates
  • Rootkit can seed itself in update
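An added example of the integrity approach described above (not code from the presentation): it hashes a file tree on a known-clean system, then reports added, removed and modified files on a later scan. The constructed demo tampers with one file and drops another in a temporary directory; the path names are placeholders.

```python
import hashlib
import os
import tempfile

# Integrity detection: record a baseline of file hashes on a known-clean
# system, then compare later scans against it. A modified system binary
# shows up as "modified"; a dropped file shows up as "added". The baseline
# must be taken before compromise and stored off-host, otherwise (the
# "seed itself in update" con) the rootkit's changes become "known good".

def build_baseline(root):
    """Return {relative_path: (sha256_hex, mtime)} for every file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = (h.hexdigest(), os.stat(full).st_mtime)
    return baseline

def compare(baseline, current):
    """Classify differences between two scans as added/removed/modified.

    Only the content hash decides "modified": a file whose mtime was reset
    to the old value but whose bytes changed is still flagged.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p][0] != current[p][0])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: clean tree, then one tampered file and one new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")            # constructed content
        clean = build_baseline(root)                  # taken while clean
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"tampered ls binary")            # simulated modification
        with open(os.path.join(root, "bin", ".extra.ko"), "wb") as f:
            f.write(b"constructed new file")          # simulated dropped file
        return compare(clean, build_baseline(root))
```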
Signature Based Detection
• Pros
  • Reliably find known kits
  • Easy to use
  • Few false positives
• Cons
  • Large number of updates
  • Does not detect new kits
Diff Based Detection
• Pros
  • Good at finding anomalies in any system
• Cons
  • Does not work well if the scan is run on an infected system
  • Must have the knowledge to decipher flagged programs
Be Vigilant
• Lastly, the user can sometimes tell when something is amiss
  • Network traffic spike
  • Large decrease in performance
• Rootkits can infect user files, kernel files, the boot loader, a hypervisor, and hardware firmware.
Steps Once Identified
• Quarantine
  • Encryption
  • Permissions
• Decide
  • Repair or delete
Q&A