How an attacker can maintain control over their victim’s system without being discovered.

A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence[1]. The keyword to remember for a rootkit is undetectable; the most common purposes of a rootkit are sustained access and eavesdropping.

Early 1990's: the Internet becomes popular.
1st generation rootkits replaced potential tattletale binaries (e.g. netstat, ls).
Easy to detect: compare the hash of the original binary with the current one.
The first rootkits were mostly written for Unix-based systems (hence rootkit, instead of Administratorkit).
NTRootkit was an early Windows rootkit.
Rootkits did not really become part of the security admin vernacular until the mid 2000's.
This kicked off an arms race: rootkit developers vs. detection/prevention measures.

What a rootkit hides: processes, files, network connections. Also: various system statistics (e.g. CPU percentage).

Uh oh, you have a rootkit?

Zen quote

Proof of concept The Hello World of Rootkits

Hooking: overwriting a target function so that it acts in favor of the rootkit.
Example 1: overwrite the legitimate function's code in memory.
Example 2: overwrite the legitimate function's address in the IAT (import address table) so it points to the rootkit's custom function instead.

Kernel-mode hooking is a similar concept, but with different memory spaces, tables, functions…

Detecting a presence
Guard the doors: think intrusion detection.
Roaming guard: periodic system scans.
Detecting behavior
Sysinternals RootkitRevealer example: a cross-view check. It compares what the high-level Windows API reports for the file system and registry with what a raw read of the volume and hive data shows; an entry present in the raw view but missing from the API view is probably being hidden.
Live detections: RootkitRevealer.
GMER: free Windows rootkit scanner.
Helios: behavioral analysis (can be used to detect many forms of malware).
Sophos Anti-Rootkit: free. Also scans for other forms of malware. Can scan a network, not just a single host.
If a kernel rootkit is suspected, the system needs to be analyzed under a kernel debugger (kd.exe).
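The IAT hook from the hooking slide (Example 2) and the two detection ideas above (baseline comparison, like hashing first-generation binaries, and the cross-view check RootkitRevealer relies on) in one runnable piece. This is an added example, not code from the presentation: the "import table" is a plain array of function pointers standing in for a real PE Import Address Table, there is no PE parsing, and the API name EnumProcesses, the process list and the hidden process name are all constructed sample data.

```c
/* Added example: a user-mode import-table hook and two detections for it.
 * Simulation only: the "import table" is an array of function pointers
 * standing in for a PE Import Address Table; nothing here parses a real PE. */
#include <stdio.h>
#include <string.h>

typedef struct { int pid; const char *name; } proc_t;

/* Constructed sample data standing in for what the OS would really return. */
static const proc_t sample_procs[] = {
    {1, "init"}, {412, "sshd"}, {777, "evil_backdoor"}, {900, "bash"},
};
#define SAMPLE_COUNT ((int)(sizeof sample_procs / sizeof sample_procs[0]))

/* The legitimate API (hypothetical name): copy the table into out, return count. */
int real_enum_processes(proc_t *out, int max) {
    int n = SAMPLE_COUNT < max ? SAMPLE_COUNT : max;
    memcpy(out, sample_procs, (size_t)n * sizeof *out);
    return n;
}

/* Simulated IAT: one slot per imported function. Application code calls
 * through the slot, so whoever controls the slot controls the call. */
typedef int (*enum_fn_t)(proc_t *, int);
typedef struct { const char *name; enum_fn_t fn; } import_slot_t;

static import_slot_t import_table[] = {
    { "EnumProcesses", real_enum_processes },
};

/* Application view: every call the program makes goes through the table. */
int app_list_processes(proc_t *out, int max) {
    return import_table[0].fn(out, max);
}

/* ---- rootkit side ---- */
static enum_fn_t saved_original;                 /* trampoline to the real function */
static const char *hidden_name = "evil_backdoor"; /* constructed: what the rootkit hides */

/* Hook body: call the original, then drop any entry the rootkit wants hidden. */
static int hooked_enum_processes(proc_t *out, int max) {
    int n = saved_original(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(out[i].name, hidden_name) != 0)
            out[kept++] = out[i];
    return kept;
}

/* Example 2 from the hooking slide: overwrite the table entry, not the function. */
void install_iat_hook(void) {
    if (saved_original) return;                  /* already hooked */
    saved_original = import_table[0].fn;
    import_table[0].fn = hooked_enum_processes;
}

void remove_iat_hook(void) {
    if (!saved_original) return;
    import_table[0].fn = saved_original;
    saved_original = NULL;
}

/* ---- detection side ---- */

/* Detection 1: baseline comparison. Like hashing first-generation binaries,
 * compare the slot against the address recorded on a known-clean system. */
int iat_hook_detected(void) {
    return import_table[0].fn != real_enum_processes;
}

/* Detection 2: cross-view. Compare what the high-level (hookable) path returns
 * with what the low-level path returns; any difference is something hidden.
 * RootkitRevealer applies the same idea to the file system and registry. */
int cross_view_discrepancy(void) {
    proc_t hi[16], lo[16];
    int low_level = real_enum_processes(lo, 16);
    int high_level = app_list_processes(hi, 16);
    return low_level - high_level;
}

int main(void) {
    proc_t buf[16];
    install_iat_hook();
    printf("application sees %d processes (one hidden)\n", app_list_processes(buf, 16));
    printf("baseline check: %s, cross-view discrepancy: %d\n",
           iat_hook_detected() ? "hook detected" : "clean", cross_view_discrepancy());
    remove_iat_hook();
    return 0;
}
```

The baseline check only works if the clean addresses were recorded before the compromise, which is exactly the hash-comparison lesson from the history slide; the cross-view check needs no baseline but only catches a rootkit that hooks one of the two paths, which is why kernel rootkits that sit below both are handed to a kernel debugger instead.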

Even once a rootkit is detected, the only safe remediation is to rebuild the system from known-good media: still need to nuke the system from orbit.
Questions?