ROOT KITS

Overview
- History
- What is a rootkit?
- Rootkit capabilities
- Rootkits on Windows OS
- Rootkit demo
- Detection methodologies
- Good tools for detection and elimination
- Detection demo
- Hardware rootkits
- Conclusion
- Bibliography

History in brief
- First mainstream media coverage of a rootkit
- Discovered by Mark Russinovich when using his rootkit detection software
- Sony used "rootkit" technology to protect their copy protection mechanism from users
- Anything that was named $SYS was hidden from the system, even from the Administrator

What is a Rootkit?
- "A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system." – G. Hoglund
- A toolkit used for preservation of remote access or "root"
- A tool used to open a backdoor so that the attacker can have uninterrupted access to the compromised machine; it hides itself so that it remains undetected
- A rootkit is not a virus or worm

Rootkits - Why Should You Care?
- Your current methods for investigating a suspicious machine could be defunct
- If you can't detect a backdoor on any given machine, how do you know your machine is clean?
- New viruses will use new rootkit technology

Current Rootkit Capabilities
- Hide processes
- Hide files
- Hide registry entries
- Hide services
- Completely bypass personal firewalls
- Undetectable by antivirus
- Remotely undetectable
- Covert channels - undetectable on the network
- Defeat cryptographic hash checking
- Install silently
- All capabilities ever used by viruses or worms

Levels of access in Windows
- Ring 3 – User Land: User, Administrator, System
- Ring 0 – Kernel Land: Drivers

What Happens When You Read a File?
- ReadFile() called on File1.txt
- Transition to Ring 0
- NtReadFile() processed
- I/O Subsystem called
- IRP generated
- Data at File1.txt requested from ntfs.sys
- Data on D: requested from dmio.sys
- Data on disk 2 requested from disk.sys

Userland (Ring 3) Rootkits
- Binary replacement, e.g. a modified EXE or DLL
- Binary modification in memory, e.g. He4Hook
- User land hooking, e.g. Hacker Defender
- IAT hooking

Kernel (Ring 0) Rootkits
- Kernel hooking, e.g. NtRootkit
- Driver replacement, e.g. replace ntfs.sys with ntfss.sys
- Direct Kernel Object Manipulation (DKOM), e.g. Fu, FuTo

Kernel (Ring 0) Rootkits
- I/O Request Packet (IRP) hooking – IRP Dispatch Table, e.g. He4Hook (some versions)

Ring 3 Rootkit: Hacker Defender
- Most widely used rootkit on Windows
- Hides processes
- Hides TCP / UDP port bindings
- Uses simple INI file configuration
- Easy to detect and remove with defaults
- Not too difficult to modify to avoid detection

Demo
- Present system
- Another system
- On the command prompt
- In the context of the rootkit directory on another system

Detection Methodologies: Traditional Detection
- Check integrity of important OS elements against a hash database (sigcheck)
- Look for unidentified processes (Task Manager)
- Check for open ports
- Can be subverted easily

Detection Methodologies: Signature based
- Look for known rootkits, viruses, backdoors (antivirus)
- Look for "bad things" living in memory
- Requires updated databases
- Doesn't detect anything it hasn't seen before

Detection Methodologies: Hook detection
- Look for modified IAT tables
- Look for inline hooks
- Look for modification to important tables
- E.g. VICE, System Virginity Verifier, IceSword

Detection Methodologies: Cross View Detection
- Take a view of the system at a high level, e.g. Windows Explorer
- Take a view of the system at a low (trusted) level, e.g. raw disk
- Registry, files, processes
- Compare the two
- Examples: Sysinternals Rootkit Revealer, Microsoft Research Strider GhostBuster
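The cross-view comparison this slide describes, as an added Python example that is not part of the original presentation: two constructed snapshots (a high-level API view and a low-level raw view, with hypothetical object names) are compared per namespace, and a second pass drops objects that merely changed between the two views.

```python
from typing import Dict, List, NamedTuple

# A view maps a namespace (files, processes, registry) to object name ->
# attribute string (file digest, process image path, registry value data).
View = Dict[str, Dict[str, str]]

class Discrepancy(NamedTuple):
    namespace: str
    name: str
    reason: str

def cross_view_compare(high: View, low: View) -> List[Discrepancy]:
    """List what the low-level (trusted) view shows that the high-level
    (API) view hides, reports differently, or shows without backing."""
    findings: List[Discrepancy] = []
    for ns in sorted(set(high) | set(low)):
        hi, lo = high.get(ns, {}), low.get(ns, {})
        for name in sorted(set(hi) | set(lo)):
            if name not in hi:
                findings.append(Discrepancy(ns, name, "hidden from high-level view"))
            elif name not in lo:
                findings.append(Discrepancy(ns, name, "present only in high-level view"))
            elif hi[name] != lo[name]:
                findings.append(Discrepancy(ns, name, "attributes differ between views"))
    return findings

def confirmed(first: List[Discrepancy], second: List[Discrepancy]) -> List[Discrepancy]:
    """Objects that legitimately change mid-scan give one-off discrepancies;
    keeping only findings that repeat in a second scan removes that noise."""
    return [d for d in first if d in second]

# Constructed sample snapshots (hypothetical names, not from a real system).
HIGH_LEVEL: View = {
    "files": {r"C:\Windows\system32\drivers\disk.sys": "sha256:aa11",
              r"C:\Temp\report.tmp": "sha256:0001"},
    "processes": {"812 explorer.exe": r"C:\Windows\explorer.exe"},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\disk": "disk.sys"},
}
LOW_LEVEL: View = {
    "files": {r"C:\Windows\system32\drivers\disk.sys": "sha256:aa11",
              r"C:\Windows\system32\drivers\$sys$hidden.sys": "sha256:ff00",
              r"C:\Temp\report.tmp": "sha256:0002"},  # rewritten mid-scan
    "processes": {"812 explorer.exe": r"C:\Windows\explorer.exe",
                  "1408 $sys$svc.exe": r"C:\Windows\system32\$sys$svc.exe"},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\disk": "disk.sys",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$hidden": "$sys$hidden.sys"},
}

def scan() -> List[Discrepancy]:
    """Two passes: the temp file that changed between passes drops out."""
    first = cross_view_compare(HIGH_LEVEL, LOW_LEVEL)
    rescan_files = {**HIGH_LEVEL["files"], r"C:\Temp\report.tmp": "sha256:0002"}
    second = cross_view_compare({**HIGH_LEVEL, "files": rescan_files}, LOW_LEVEL)
    return confirmed(first, second)
```

The three surviving findings are the $sys$-prefixed file, process and service key that the API view never reports, which is exactly the kind of discrepancy Rootkit Revealer flags.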

Good Tools
- Rootkit Revealer
- IceSword
- F-Secure BlackLight
- System Virginity Verifier
- DarkSpy
- RK Detector

Detecting the Hacker Defender rootkit with F-Secure BlackLight

Oops, there's another one hidden...

Where else can they hide? Hardware Rootkits
- An OS reinstall won't save you
- Hard to remove; the device is usually destroyed
- Difficult to implement
- Very hard to detect
- With more and more memory on devices, they are becoming more prevalent over time
- VideoCardKit: stores code in FLASH or EEPROM

Conclusions
- Rootkit technology is an arms race
- Hard to tell who is winning
- Antivirus may catch up (one day...)
- Firewalls do not provide protection
- No single tool will detect all rootkits; run at least 3 tools

Bibliography

Questions?