Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.



Outline
- Introduction
- How a rootkit works
- Detection
- Preventing and removing
- Attack damage
- References

A rootkit is a suite of one or more programs that allows a third party to hide files and activities from the administrator of a computer system.

The original intent of rootkits (1996) appears to have centered simply on hiding programs that would allow an attacker to “sniff” or spy on traffic going to and from a computer system.

Uses of rootkits
- Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents.
- Conceal other malware, notably password-stealing key loggers and computer viruses.
- Appropriate the compromised machine as a zombie computer for attacks on other computers.
- Enforcement of digital rights management (DRM).
- Conceal cheating in online games.
- Detect attacks, for example, in a honeypot.
- Enhance emulation software and security software.
- Anti-theft protection.
- Bypassing Microsoft Product Activation.

Types of rootkits
- User mode
- Kernel mode
- Bootkits
- Hypervisor level
- Hardware/Firmware

User mode
- Runs in Ring 3
- Many installation vectors
- Made to execute inside any target process, or to overwrite the memory of a target application

Kernel mode
- Runs in Ring 0
- Adds code to, or replaces portions of, the core operating system, including both the kernel and associated device drivers
- Unrestricted security access

Bootkits
- Allows the malicious program to be executed before the operating system boots
- Cannot be detected by the standard means of an operating system, because all of its components reside outside of the standard file system

Hypervisor level
- Uses hardware virtualization
- Traps a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it
- Does not have to load before the OS

Hardware/Firmware
- Hidden in the BIOS, a network card, etc.
- The only way to remove it is to replace the infected hardware
- Could be hidden outside the computer, for example in a network printer

How a rootkit works
- Installation
  - Physical access to the target system
  - Privilege escalation
- Cloaking
  - Obscure its presence from security tools
  - Modify the behavior of OS core parts
  - Load code into other processes

Stoned
- Stoned is the name of a boot sector computer virus created in 1987, apparently in New Zealand. It was one of the very first viruses.
- A memory-resident bootkit that reaches up to the Windows kernel
- Boot applications executed on startup
- Drivers executed beside the Windows kernel

- Your PC is now Stoned! (1987)
- Your PC is now Stoned!..again (2010)

Windows Boot Process
- The Windows boot system assumes an already secure environment when starting

Hooking and Patching
- Interrupt 13h hooked
- Ntldr hooked for calling 32-bit code and patching the code integrity verification
- Patching the NT kernel
- Executing payloads (driver)

Installation
- Live CD
- Infected PDF

Demonstration

Detection
- Signature-based
- File integrity monitoring
- Cross-view analysis
- Hooking detection
- Heuristics-based detection
- Network-based detection

3.1 Signature-Based Detection
- Analyzing a rootkit to define a fingerprint
- Integrating the fingerprint into the database
- The fingerprint can then be used for rootkit detection

3.2 File Integrity Monitoring
- Calculates cryptographic hashes for critical, unchanging operating system files and compares them to known values that are stored in a database
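The file integrity monitoring of 3.2, as an added example that is not part of the original presentation: a baseline of SHA-256 hashes is recorded for a list of critical files, and a later check reports which files were modified or have gone missing. The file names and contents are constructed for the demonstration (ntldr and the NT kernel are named on the page; the driver file is invented).

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, critical: list[str]) -> dict[str, str]:
    """Record the known-good hash of every critical file that exists under root."""
    return {rel: sha256_file(root / rel) for rel in critical if (root / rel).is_file()}


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live files against the stored baseline.
    A changed hash means the file was patched; a missing file was deleted or is
    being hidden from the file system API the checker relies on."""
    report: dict[str, list[str]] = {"modified": [], "missing": [], "ok": []}
    for rel, expected in sorted(baseline.items()):
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three 'system files', one patched and one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        critical = ["boot/ntldr", "system32/ntoskrnl.exe", "system32/drivers/disk.sys"]
        for rel in critical:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"clean contents of " + rel.encode())
        # The baseline would normally be written to storage the rootkit cannot alter.
        stored = json.loads(json.dumps(build_baseline(root, critical)))
        # Simulate a kernel-mode rootkit patching the kernel image and removing a driver.
        (root / "system32/ntoskrnl.exe").write_bytes(b"patched kernel image")
        (root / "system32/drivers/disk.sys").unlink()
        return check_integrity(root, stored)


if __name__ == "__main__":
    print(demo())
```

As the removal slide notes, a rootkit can manipulate the file system APIs this checker reads through, so the baseline and the check are only trustworthy when run from trusted media.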

3.3 Cross-View Analysis
- It involves looking at the system from the high-level "user", or API, view and comparing it to the actual low-level hardware view.

3.4 Hooking Detection
- When the rootkit modifies a hook to point to a malicious service or interrupt routine, the memory location almost invariably lies outside the specific address range of the "clean" system, and is easily detected.
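The two checks of 3.3 and 3.4 on constructed data, as an added example that is not part of the original presentation. The cross-view comparison is written generically so it serves both process lists and the network view of 3.6; the module address range and the dispatch-table entries are invented sample values, not real kernel addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    """Address range occupied by a legitimately loaded module (end is exclusive)."""
    name: str
    start: int
    end: int


def cross_view_diff(api_view: set, low_level_view: set) -> dict[str, list]:
    """3.3: objects present at the low level but absent from the API view are
    being hidden; objects reported by the API but absent at the low level are spoofed."""
    return {
        "hidden": sorted(low_level_view - api_view),
        "spoofed": sorted(api_view - low_level_view),
    }


def hooked_entries(table: dict[str, int], clean: list[ModuleRange]) -> list[tuple[str, int]]:
    """3.4: flag every table entry whose target lies outside the clean module ranges."""
    def in_clean(addr: int) -> bool:
        return any(m.start <= addr < m.end for m in clean)
    return [(name, addr) for name, addr in sorted(table.items()) if not in_clean(addr)]


# Constructed sample data: a process list as the API reports it versus the list
# rebuilt from low-level structures, and the same idea for listening ports (3.6).
API_PIDS = {4, 100, 200}
LOW_LEVEL_PIDS = {4, 100, 200, 666}          # 666 is hidden from the API
LOCAL_PORTS = {22, 80}
EXTERNAL_SCAN_PORTS = {22, 80, 4444}          # 4444 is invisible to the host's own view

CLEAN_MODULES = [ModuleRange("kernel", 0x1000_0000, 0x1060_0000)]
SERVICE_TABLE = {
    "NtCreateFile": 0x1001_2000,
    "NtQueryDirectoryFile": 0x7FFF_0000,      # redirected into a malicious driver
    "NtOpenProcess": 0x1008_0000,
}


def demo() -> dict[str, object]:
    return {
        "processes": cross_view_diff(API_PIDS, LOW_LEVEL_PIDS),
        "ports": cross_view_diff(LOCAL_PORTS, EXTERNAL_SCAN_PORTS),
        "hooks": hooked_entries(SERVICE_TABLE, CLEAN_MODULES),
    }


if __name__ == "__main__":
    print(demo())
```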

3.5 Heuristics-Based Detection
- Heuristics-based detection of malware attempts to classify malicious behavior according to certain pre-determined rules.

3.6 Network-Based Detection
- The system periodically sends a snapshot of its network traffic and open ports to a trusted gateway for analysis. The gateway compares this data with its "external" view of the system's network activity.

Preventing
- Operating system updates
- Automatic updates
- Personal firewalls
- Host-based intrusion prevention systems
- Rootkit prevention techniques

Removing
- A number of security-software vendors offer tools to automatically detect and remove some rootkits
- Some antivirus scanners can bypass the file system APIs, which are vulnerable to manipulation by a rootkit
- Some experts believe that the only reliable way to remove them is to re-install the operating system from trusted media
- In some cases the only possibility is to replace some hardware

Attack damage: Home Users
- Stealing identity and private information
- Turning home users' computers into zombies
- Loss of time, money and confidence

Attack damage: Enterprise and Government
- Loss of confidential information, theft of intellectual property
- Reputation and customer trust
- Additional costs of purchasing, installing, and administering security measures; increased system complexity

References
- Stallings & Brown - Computer Security: Principles and Practice
- A comparative analysis of rootkit detection techniques, by Thomas Martin Arnold
- Ric Vieler - Professional Rootkits