Rootkits What are they? What do they do? Where do they come from?

Introduction
- Bill Richards
  - Adjunct Professor at Rose since 2004
  - Defense Information Systems Agency
    - Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995
    - Network Security Officer since 2002
    - Responsible for the security of 9 remote networks
      - 45+ Mainframes (IBM, UNISYS and TANDEM)
      - Mid-Tier Servers (UNIX and Windows)
      - 400+ Network devices (Cisco, Juniper, Sidewinder, BigIP, etc.)

- Rootkits are a serious threat to network and system security, and most administrators know little about them
- Defining characteristic is stealth
  - Viruses reproduce, but rootkits hide!
- Difficult to detect
- Difficult to remove
- Carry a variety of payloads
  - Key loggers
  - Password sniffers
  - Remote consoles
  - Back doors
  - And more!!!

What is a Rootkit?
- The term rootkit is old and pre-dates MS Windows
- It gets its name from the UNIX superuser UserID: root
  - aka administrator for windoze users
- A rootkit does not typically cause deliberate damage

What is a Rootkit?
- A collection of files designed to hide from normal detection by hiding processes, ports, files, etc.
- Typically used to hide malicious software from detection while simultaneously collecting information:
  - userids
  - passwords
  - IP addresses, etc.
- Some rootkits phone home and/or set up backdoors

What is a Rootkit?
- A rootkit does NOT compromise a host by itself
- A vulnerability must be exploited to gain access to the host before a rootkit can be deployed
- The purpose of a rootkit is NOT to gain access to a system, but, after being installed, to preserve existing access and support the goals of the bad guy

Recent Rootkit History Source:

Rootkit History 1998 to 2002 Source:

How rootkits work
- A vulnerable system is detected and targeted
  - unpatched, zero-day exploit, poor configuration, etc.
- The targeted host is exploited via automated or manual means
- Root or Administrator access is obtained
- Payload is installed
- Rootkit is activated and redirects system calls
  - Prevents the OS from “seeing” rootkit processes and files
  - EVEN AFTER the host is patched and the original malware is removed

How rootkits work
[Diagram: the user runs “dir c:\”; the command calls ReadFile() and NTFS returns the real directory contents (windows, rootkit, docs). The DLL, “tricked” into thinking it can’t execute the command, calls the rootkit DLL instead, which filters the results to hide itself, so the user sees only docs and windows.]

Common Windows rootkits
- Hacker Defender (Hxdef)
  - A rootkit for Windows NT 4.0, Windows 2000 and Windows XP
  - Avoids antivirus detection
  - Is able to hook into the Logon API to capture passwords
  - The developers accept money for custom versions that avoid all detectors
- FU
  - Nullifies Windows Event Viewer
  - Hides device drivers
  - Recently added “Shadow Walking” (read Phrack 63)

Common UNIX rootkits
- SucKIT
  - Loaded through /dev/kmem
  - Provides a password-protected remote access connect-back shell initiated by a spoofed packet
    - This method bypasses most firewall configurations
  - Hides processes, files and connections
- Adore
  - Hides files, processes, services, etc.
  - Can execute a process (e.g. /bin/sh) with root privileges
  - Controlled with a helper program, ava
  - Cannot be removed by the rmmod command
- kis
  - A client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine
  - It can hide processes, files, connections, redirect execution, and execute commands
  - It hides itself and can remove security modules already loaded

Detection & Removal
- Detection that doesn’t always work:
  - Antivirus (Norton, McAfee, AVG, etc.)
  - Anti-Spyware (AdAware, Giant, Spybot, etc.)
  - Port scanning
  - Manually looking
- Detection that can work:
  - Sudden system instability/sluggishness
  - Sudden spike in traffic
  - MS RootkitRevealer
  - F-Secure Black Light

Detection & Removal
[Diagram: the detector asks the compromised OS to “list running processes”; the request passes through the rootkit, which answers “nothing to see here”.]
- “Online” detection (e.g. virus scans) relies on the OS’s API to report files and processes. The API has been “hooked,” however, so the rootkit remains concealed.

Detection & Removal
[Diagram: the detector issues “list running processes” twice: through the compromised OS’s API, which the rootkit filters to “nothing found”, and through the tool’s own raw view, which reports “something found”. Results differ (!=) → possible rootkit.]
- Detection compares the results of the OS’s API with the results of a clean API (raw) provided by the tool. Discrepancies are potentially rootkits.
  - Black Light
  - Rootkit Revealer
  - Etc.
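As an added example (not part of the presentation), the cross-view comparison described on this slide in code: a constructed hooked directory listing stands in for the filtering DLL from the “How rootkits work” diagram, and on Linux the same comparison is run for real against processes, enumerating /proc versus probing every PID with signal 0 (an assumed technique in the spirit of the slide’s raw view, not something the slides describe).

```python
import os

def hooked_listing(raw_entries, hide_names):
    """Constructed stand-in for a hooked file API: the rootkit filters out
    the names it wants hidden before the caller sees the listing."""
    return [name for name in raw_entries if name not in hide_names]

def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): objects only the raw view sees (possible
    rootkit) and objects only the API view reports."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)

def proc_view_pids():
    """'API' view on Linux: PIDs enumerated by listing /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def _is_thread(pid):
    """kill() accepts thread ids that /proc never lists; a Tgid different
    from the id marks such an entry so it is not reported as hidden."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = next(l for l in f if l.startswith("Tgid:")).split()[1]
        return int(tgid) != pid
    except (OSError, StopIteration):
        return False  # unreadable: keep it as a candidate

def signal_view_pids(max_pid):
    """'Raw' view: probe PIDs with signal 0. A live process answers with
    success or EPERM, a missing one with ESRCH; /proc hooks do not apply."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not _is_thread(pid):
            found.add(pid)
    return found

if __name__ == "__main__":
    raw = ["docs", "rootkit", "windows"]  # constructed NTFS contents
    print("hidden:", cross_view_diff(hooked_listing(raw, {"rootkit"}), raw))
    if os.path.exists("/proc/sys/kernel/pid_max"):  # Linux only
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
        print("not in /proc:", cross_view_diff(proc_view_pids(), signal_view_pids(max_pid))[0])
```

Processes that start or exit between the two views show up as differences, so repeat the sweep before acting on a single discrepancy; the full PID sweep takes a few seconds at the default pid_max.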

Detection & Removal
[Diagram: “list running processes” issued from a different, clean OS reports “rootkit detected” on the compromised system.]
- Doing an “offline” detection with a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected.
  - Knoppix
  - WindowsPE
  - W.O.L.F.
  - Etc.

Detection & Removal
- Only 100% sure removal:
  - Format drive and do a clean install
- Some tools can remove some rootkits
  - But what was hidden may not get cleaned
- You cannot trust a system that’s been rootkit’ed
  - Passwords on the rootkit’ed system are suspect
    - So change your passwords on the clean host

Prevention
- Keep hosts updated
  - OS
  - Applications
- Limit host exposure
  - Un-needed services
- Use firewalls
- Situational awareness
  - CERT, Bugtraq, security web sites, etc.

Some Reference Sites

Questions?