TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn.


Topic: TDL3 Rootkit variant
SANS NewsBites - Volume: XII, Issue: 70 (August 26, 27 & 30, 2010)
- TDL3 Rootkit, version
- Combination of MBR rootkit, Rustock.C and old TDSS variants
- Stealthiest in the world

Rootkits
- Wikipedia: "A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications"
- High risk: 1 in 5 Windows machines
- "Root" and "kit"

Rootkits
- Netsecurity.about.com: "A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it"
- Typically a 32-bit problem

Rootkits
- Rootkits are not really viruses
- Machine independent
- Remote access
- Anti-virus level access

Prevention
- Digital signature check for rogue drivers
- "PatchGuard" prevents some changes to the Windows kernel
- Vista and Win7 do not allow Admin

TDL3 Rootkit
- Also known as Alureon rootkit
- More sophisticated Version
- Targets 64-bit machines that were previously considered safer
- Spread through websites and exploit kits

TDL3 Rootkit
- Gains control during the boot sequence
- Alters the Master Boot Record; this gets around the first two preventions listed above (the driver signature check and PatchGuard)
- Enacts a restart, which loads the altered MBR and catches process signals
- Encrypted with a ROR loop (rotate right)

TDL3 Rootkit Details
- Kernel code appears as raw bytes, passes security
- TDL3 encodes and decodes files on the fly, so it can pass as a piece of the kernel code
- At startup, hunts for a driver object
- Overwrites 824 bytes, avoiding the file size check
- Fake driver object captures disk I/O, hunts for kernel32.dll
Infection
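As an added example (not from the presentation), a Python integrity check covering the two points above, the altered MBR and the in-place overwrite of 824 bytes in a driver: it parses a 512-byte MBR image (boot signature and partition table) and compares captured images against a known-good baseline, showing that a size-only check passes while a hash check and a byte-range diff catch the change. The MBR and driver images are constructed samples, not real TDL3 artifacts.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Decode what a scanner can sanity-check in an MBR: the 0x55AA signature and the 4 partition entries at 446."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        parts.append({"bootable": e[0] == 0x80, "type": e[4],
                      "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE, "partitions": parts}

def changed_ranges(baseline: bytes, current: bytes) -> list:
    """(offset, length) runs where current differs from an equally long baseline."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(baseline) - start))
    return runs

def integrity_report(baseline: bytes, current: bytes) -> dict:
    """Size-only checks pass when bytes are overwritten in place; the hash check does not."""
    same_size = len(baseline) == len(current)
    same_hash = hashlib.sha256(baseline).digest() == hashlib.sha256(current).digest()
    return {"size_check_passes": same_size, "hash_check_passes": same_hash,
            "changed": changed_ranges(baseline, current) if same_size else None}

# Constructed samples, not real TDL3 artifacts: a clean MBR with one partition,
# and a copy whose boot-code area (bytes 0..63) was replaced in place.
def build_mbr(boot_code: bytes) -> bytes:
    mbr = bytearray(MBR_SIZE)
    mbr[0:len(boot_code)] = boot_code
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 409600)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

CLEAN_MBR = build_mbr(b"\xeb\x3c\x90")      # placeholder jump stands in for loader code
INFECTED_MBR = build_mbr(b"\xcc" * 64)       # hijacked loader; partition table and signature intact
# Constructed driver image: 4096 bytes, then 824 bytes overwritten in place at offset 1024.
CLEAN_DRIVER = bytes(range(256)) * 16
INFECTED_DRIVER = CLEAN_DRIVER[:1024] + bytes(b ^ 0xFF for b in CLEAN_DRIVER[1024:1848]) + CLEAN_DRIVER[1848:]
```

Run `integrity_report(CLEAN_MBR, INFECTED_MBR)` and `integrity_report(CLEAN_DRIVER, INFECTED_DRIVER)`: both report the size check passing and the hash check failing, with the changed ranges `[(0, 64)]` and `[(1024, 824)]`.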

TDL3 Rootkit
- Has a watchdog thread to prevent any change to the service registry key
- No one can get a handle to the infected driver file (red flag)
- In Feb. it caused a BSOD with an MS update: the rootkit relied on RVA (Relative Virtual Address) offsets of Windows kernel APIs to find functions; the update changed those values, and after restart the rootkit called an invalid address

TDL3 fights back
- While this caused a BSOD, it did bring notice to a potential problem
- TDL3 authors released an update within hours that worked with the MS update
- Process was called tdlcmd.dll or z00clicker.dll

TDL3 Rootkit
- First significant 64-bit rootkit
- Malware begets more malware
- Anti-virus lag
- Security chess match
