Rootkits
Jonathan Barella, Chad Petersen

Overview
• What are rootkits
• How do rootkits work
• How to detect rootkits
• How to remove rootkits

What is a Rootkit, and how does it work

Jonathan Barella

What are rootkits?
• A rootkit is a small, sophisticated piece of support software that lets other malicious software run on a compromised computer without being seen
• Often compared to spies, because they share the same goals: get in, stay hidden, act
• Rootkit techniques are used by much of the modern malware found in the wild today

What are rootkits?
• Broadly defined by Symantec as "any software that acquires and maintains privileged access to the Operating System (OS) while hiding its presence by subverting normal OS behavior"
• Designed with three main objectives
  • Run
  • Hide
  • Act

How do rootkits work? Subverting Normal OS Behavior
How the rootkit gets onto the system in the first place:
• Vulnerabilities
  • Operating system
  • Applications
• Exploits
  • Java
  • HTML/Scripting
• Social engineering
  • Spam
  • Downloading
  • Installation

How do rootkits work? Hooking Operating System APIs
• The rootkit redirects calls to OS APIs (listing files, processes, registry keys, network connections) through its own code, calls the real function, and removes its own entries from the results before they reach the caller

How do rootkits work? Hiding in Unused Space on the Compromised System

How do rootkits work? Infect the Master Boot Record (MBR)
• Boot code in the MBR runs before the operating system loads, so a rootkit placed there is already in control when the OS and its security software start

How do rootkits work?
• Whatever the technique, the ultimate goal is the same: to be hidden from the system's own view

Finding And Removing Rootkits

Chad Petersen

Detection Methods
• Behavioral
• Integrity
• Signature
• Difference

Behavioral Detection
• Pros
  • Can detect unknown rootkits
• Cons
  • Requires a recorded history of "normal" behavior to compare against
  • Not easy to use
  • False positives

Integrity Detection
• Pros
  • Know which files changed
  • When they changed
  • What changed them
• Cons
  • Requires many baseline updates
  • A rootkit that is already present when the baseline is recorded (or that tampers with an update) gets trusted as part of the baseline
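To connect the MBR infection described earlier with integrity detection, here is an added example (not from the slides, and not any real bootkit's code): a C program that builds a constructed 512-byte MBR, records a hash of its 446-byte boot code as the baseline, simulates an infection that overwrites the start of the boot code while leaving the partition table and 0x55AA signature untouched, and shows that only the baseline comparison notices. The sector bytes, the partition layout and the three-byte "stub" are constructed placeholders; a real tool would use a cryptographic hash rather than FNV-1a.

```c
/* Added example (not from the slides): parse a 512-byte MBR and check the
 * 446-byte boot code against a baseline hash. The sector bytes and the
 * "infection" below are constructed for illustration; no real bootkit code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE      512
#define BOOTCODE_LEN  446     /* bytes 0..445 hold the boot loader code */
#define PART_TABLE    446     /* four 16-byte partition entries follow */
#define SIG_OFFSET    510     /* 0x55 0xAA marks a valid MBR */

typedef struct {
    uint8_t  bootable;   /* 0x80 = active partition */
    uint8_t  type;       /* partition type id, e.g. 0x83 Linux */
    uint32_t lba_start;  /* first sector, little-endian in the entry */
    uint32_t sectors;    /* size in sectors */
} part_entry;

int mbr_signature_ok(const uint8_t *sec) {
    return sec[SIG_OFFSET] == 0x55 && sec[SIG_OFFSET + 1] == 0xAA;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode partition entry idx (0..3). */
part_entry mbr_partition(const uint8_t *sec, int idx) {
    const uint8_t *e = sec + PART_TABLE + 16 * idx;
    part_entry p = { e[0], e[4], le32(e + 8), le32(e + 12) };
    return p;
}

/* FNV-1a over the boot code only: the part a bootkit must modify to run
 * before the OS. A real tool would use a cryptographic hash here. */
uint32_t mbr_bootcode_hash(const uint8_t *sec) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < BOOTCODE_LEN; i++) { h ^= sec[i]; h *= 16777619u; }
    return h;
}

/* Constructed "clean" sector: filler boot code, one active Linux partition
 * starting at LBA 2048 with 1048576 sectors, valid signature. */
void build_clean_mbr(uint8_t *sec) {
    memset(sec, 0, MBR_SIZE);
    for (int i = 0; i < BOOTCODE_LEN; i++) sec[i] = (uint8_t)(0x90 + (i & 0x0f));
    uint8_t *e = sec + PART_TABLE;
    e[0] = 0x80; e[4] = 0x83;
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;   /* 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00; /* 0x100000 = 1048576 */
    sec[SIG_OFFSET] = 0x55; sec[SIG_OFFSET + 1] = 0xAA;
}

/* Simulated infection: the bootkit overwrites the start of the boot code with
 * its own stub and leaves the partition table and signature intact, so the
 * disk still boots and still looks valid to a signature-only check. */
void infect_mbr(uint8_t *sec) {
    static const uint8_t stub[] = { 0xEB, 0x3C, 0x90 };  /* constructed placeholder bytes */
    memcpy(sec, stub, sizeof stub);
}

/* Integrity check: 1 if the boot code no longer matches the recorded baseline. */
int mbr_bootcode_changed(const uint8_t *sec, uint32_t baseline) {
    return mbr_bootcode_hash(sec) != baseline;
}

int main(void) {
    uint8_t sec[MBR_SIZE];
    build_clean_mbr(sec);
    uint32_t baseline = mbr_bootcode_hash(sec);   /* recorded while known-clean */
    part_entry p = mbr_partition(sec, 0);
    printf("part0: bootable=%02x type=%02x start=%u sectors=%u\n",
           p.bootable, p.type, (unsigned)p.lba_start, (unsigned)p.sectors);
    infect_mbr(sec);
    printf("after infection: signature ok=%d, bootcode changed=%d\n",
           mbr_signature_ok(sec), mbr_bootcode_changed(sec, baseline));
    return 0;
}
```

The point of the two checks is the "Cons" above: the signature and partition table are exactly what an infection leaves alone, so a validity check passes, and the baseline hash only helps if it was recorded before the rootkit arrived. On a real disk the sector would be read from the raw device from clean boot media, not through the possibly hooked OS.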

Signature Based Detection
• Pros
  • Reliably finds known kits
  • Easy to use
  • Few false positives
• Cons
  • Large number of signature updates
  • Does not detect new kits

Diff Based Detection
• Compares the same information obtained two ways (for example, the process list returned by the OS API against the list found by reading the underlying structures directly) and flags anything present in one view but not the other
• Pros
  • Good at finding anomalies on any system
• Cons
  • Unreliable if the scan is run from inside the infected OS, since the rootkit can subvert the scanner's own view; scan from clean boot media where possible
  • Requires expertise to decide whether a flagged program is malicious
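An added example (not from the slides) that ties the API-hooking slide to the integrity and difference detection methods: a small C model in which a one-slot "dispatch table" stands in for a kernel syscall table, a rootkit hook replaces the slot so that a chosen pid disappears from the process list, and two checks catch it. The integrity check compares the table slot to a baseline recorded while the system was clean; the difference (cross-view) check compares what the hooked API returns against the raw list. The pid table, the hidden pid 1337 and the function names are all constructed for illustration.

```c
/* Added example (not from the slides): a user-space model of API hooking and
 * of two ways to detect it. The "dispatch table", process list and hook are
 * toy stand-ins for a kernel syscall table, the real process list and a
 * rootkit's filter; nothing here touches a real kernel. */
#include <stdio.h>
#include <string.h>

#define MAX_PIDS   16
#define HIDDEN_PID 1337          /* constructed: the pid the rootkit hides */

/* Constructed "raw" process table, as a low-level source (walking the
 * kernel's own structures directly) would see it. */
static const int raw_pids[] = { 1, 2, 42, 1337, 2048 };
static const int raw_count = 5;

/* The genuine API: copies the raw list to the caller. */
static int real_list_pids(int *out, int max) {
    int n = raw_count < max ? raw_count : max;
    memcpy(out, raw_pids, (size_t)n * sizeof(int));
    return n;
}

/* Toy dispatch table: one slot, like a syscall-table entry. Every caller
 * goes through this pointer, so whoever controls the slot controls the result. */
typedef int (*list_pids_fn)(int *, int);
static list_pids_fn dispatch_table[1] = { real_list_pids };

/* Rootkit side: the hook calls the original, then drops the hidden pid. */
static list_pids_fn saved_original;
static int hooked_list_pids(int *out, int max) {
    int n = saved_original(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (out[i] != HIDDEN_PID) out[kept++] = out[i];
    return kept;
}
void install_hook(void) {
    saved_original = dispatch_table[0];
    dispatch_table[0] = hooked_list_pids;
}
void remove_hook(void) { dispatch_table[0] = saved_original; }

/* Integrity detection: baseline recorded on a known-clean system, then the
 * live table is compared against it. */
static list_pids_fn baseline_table[1];
void record_baseline(void) { baseline_table[0] = dispatch_table[0]; }
int table_is_tampered(void) { return dispatch_table[0] != baseline_table[0]; }

/* Difference (cross-view) detection: compare what the API returns with the
 * raw view. Fills `hidden` with pids present in the raw view but missing
 * from the API view and returns how many there were. */
int hidden_pid_count(int *hidden, int max) {
    int api[MAX_PIDS];
    int n_api = dispatch_table[0](api, MAX_PIDS);
    int found = 0;
    for (int i = 0; i < raw_count; i++) {
        int seen = 0;
        for (int j = 0; j < n_api; j++)
            if (api[j] == raw_pids[i]) { seen = 1; break; }
        if (!seen && found < max) hidden[found++] = raw_pids[i];
    }
    return found;
}

int main(void) {
    int hidden[MAX_PIDS];
    record_baseline();
    printf("clean:  tampered=%d hidden=%d\n",
           table_is_tampered(), hidden_pid_count(hidden, MAX_PIDS));
    install_hook();
    int n = hidden_pid_count(hidden, MAX_PIDS);
    printf("hooked: tampered=%d hidden=%d", table_is_tampered(), n);
    for (int i = 0; i < n; i++) printf(" pid=%d", hidden[i]);
    printf("\n");
    remove_hook();
    return 0;
}
```

Both checks have the weaknesses listed on the slides. If record_baseline() were called after install_hook(), the integrity check would bless the hook as normal (the "rootkit can seed itself in the baseline" con). And the cross-view check only works because raw_pids is read without going through the hooked slot; a rootkit hooking one layer lower would feed the same lie to both views, which is why the diff scan is best run from outside the suspect OS.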

Be Vigilant
• Lastly, the user can sometimes tell when something is amiss
  • Network traffic spike
  • Large decrease in performance
• Rootkits can infect user files, kernel files, the boot loader, a hypervisor, and hardware firmware

Steps Once Identified
• Quarantine
  • Encryption
  • Permissions
• Decide
  • Repair or delete

Q&A