Windows Security and Rootkits Mike Willard January 2007.

Slide 2: Introduction
Presentation content:
- Rootkit technologies overview
- Demonstrations: HackerDefender, Pwdump, password hash cracking
- CSU Windows Network Security Recommendations overview

Slide 3: Rootkits

Slide 4: Rootkits
- What is a rootkit? Wikipedia.org: "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system."
- The term originally comes from UNIX hackers, who compiled modified versions of common system utilities (ps, ls, etc.).
- It refers to a technology rather than a specific program.

Slide 5: How do rootkits work?
- Hardware is the lowest level and controls all access to physical resources.
- The Intel/x86 architecture implements the security rings concept: four rings (0-3). The lowest number is the "innermost ring" and has the greatest control.
- Windows uses only ring 0 (kernel) and ring 3 ("userland").

Slide 6: How do rootkits work? Running code in ring 0
- Patch or replace the kernel on disk.
- Modify the kernel in memory via kernel loadable modules (device drivers, etc.).
- Virtual machine based rootkits (VMBR).

Slide 7: How do rootkits work? Manipulating the kernel
- Can hide processes, files, network activity, etc.; intercept keystrokes; access data.
- Once hidden, it can intercept keystrokes, etc.
- This is done by manipulating tables in protected memory space (Interrupt Descriptor Table, Import Address Table).

Slide 8: How do rootkits work? Surviving reboot
- Run key in the registry.
- Some .INI files (win.ini).
- Replace or infect an existing EXE or DLL file.
- Register as a driver.
- Register as an add-on to an existing application (internet browser search bar).
- Modify the boot loader (modify the kernel before booting).

Slide 9: Detecting rootkits
- Watch for inconsistencies.
- Remote file scan.
- RootkitRevealer (Sysinternals).
- Integrity checkers (e.g. Tripwire).
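As an added example (not from the slides or from any of the tools they name), the two detection ideas on this slide in Python: a Tripwire-style integrity baseline that classifies drift as added, removed or modified files, and a RootkitRevealer-style cross-view check that flags entries present in a low-level view but missing from the high-level API view. The directory tree, file names and the "infection" scenario in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Tripwire-style baseline: relative path -> SHA-256 for every regular file."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift between a trusted baseline and a fresh scan of the same tree."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in both if baseline[k] != current[k]),
    }

def cross_view_diff(api_view, raw_view):
    """RootkitRevealer-style inconsistency check: entries in the low-level (raw)
    view that are absent from the high-level (API) view are hiding candidates."""
    return sorted(set(raw_view) - set(api_view))

def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then simulate an infected
    DLL (modified), a dropped driver (added) and a deleted log (removed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel32.dll").write_bytes(b"original dll bytes")
        (root / "system32" / "audit.log").write_bytes(b"log")
        baseline = build_baseline(root)
        (root / "system32" / "kernel32.dll").write_bytes(b"patched dll bytes")
        (root / "system32" / "dropped.sys").write_bytes(b"constructed driver")
        (root / "system32" / "audit.log").unlink()
        return compare_baseline(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
    # constructed process lists: one name is visible only in the raw view
    print(cross_view_diff(["explorer.exe", "svchost.exe"],
                          ["explorer.exe", "svchost.exe", "hidden.exe"]))
```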

Slide 10: Future of rootkits/hacking
- Operating systems are becoming more and more hardened.
- Embedded systems.
- Application exploits.
- Hardware BIOS and memory (e.g. video cards).

Slide 11: Demonstrations

Slide 12: CSU Windows Security Recommendations

Slide 13: Windows security tasks
- Auditing
- Physical security
- Setup and patching
- Account management
- Restrict anonymous access and NTLM authentication

Slide 14: Resources
- "Rootkits" by Greg Hoglund and James Butler
- Rootkit web site
- Top Security Tools compilation
- Sysinternals (now part of Microsoft) utilities
- CSU Windows Security Guidelines (requires eID)
- Windows Server 2003 Security Guide