Rootkits, Backdoors, and Trojans ECE 4112 – Lab 5 Summary – Spring 2006 Group 9 Greg Sheridan Terry Harvey Group 10 Matthew Bowman Laura Silaghi Michael.


Rootkits, Backdoors, and Trojans
ECE 4112 – Lab 5 Summary – Spring 2006
Group 9: Greg Sheridan, Terry Harvey
Group 10: Matthew Bowman, Laura Silaghi, Michael Sanders

Agenda
- Rootkits
  - User space vs. kernel space
  - Detection
  - Prevention
- Backdoors
  - Different implementations
  - Detection
  - Prevention
- Trojans
- Port & web knocking

Rootkits “A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.” -Wikipedia

Rootkits: Lrk4
- Linux, user space: replaced system binaries
  - /bin/login: added user rewt; added 'global' password satori
  - /bin/ls: uses /dev/ptyr to hide files

Rootkits: Lrk4 Detection
- chkrootkit: matched "root"
- strace: the number of system calls depends on location
Prevention
- Tripwire

Rootkits: Knark
- Linux, kernel space: redirected system calls
- Added /proc/knark/
- Hiding files: hidef/unhidef
- Redirecting binaries: ered
- Other Knark functions?

Rootkits: Knark Detection
- kern_check: detected changes in SCT addresses
- rkhunter: has a really bad aim
- chkrootkit
- What trick could be used to detect Knark, and how could this be avoided by Knark?
Prevention
- Tripwire
- Disable LM

Rootkits: sucKIT
- Linux, user space: redirected pointer to the SCT
- Attacks the kernel via what user file?

Rootkits: sucKIT Detection
- chkrootkit:
    Searching for Suckit rootkit... Warning: /sbin/init INFECTED
- chkproc:
    PID 1443(/proc/1443): not in readdir output
    PID 1443: not in ps output
    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
Prevention
- Any ideas?
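The chkproc output on the slide comes from a simple cross-check: a rootkit that filters readdir() on /proc (or the output of ps) cannot stop the kernel from answering kill(pid, 0) for a process that is alive. The following is an added example, not from the slides or from chkrootkit, that implements that cross-check in Python. The comparison is separated from the collectors so it can be exercised on constructed PID sets; the pid_max fallback and the two-pass readdir are design choices of this example.

```python
"""chkproc-style hidden process detection (added example, not the slides' code).

Collect the PIDs visible through readdir() on /proc, the PIDs the kernel
confirms via kill(pid, 0), and (optionally) the PIDs ps prints, then report
PIDs the kernel confirms but the directory listing omits.
"""
import os
import subprocess


def pids_from_proc_readdir():
    """PIDs visible through readdir() on /proc (what `ls /proc` shows)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_kill_probe(max_pid=None):
    """PIDs found by asking the kernel directly with kill(pid, 0).

    Walks the whole PID space, so this is slow on systems with a large
    pid_max; a hiding rootkit has to hook this path too to stay unseen.
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except (OSError, ValueError):
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such process
        except PermissionError:
            pass              # exists, but owned by another user
        found.add(pid)
    return found


def pids_from_ps():
    """PIDs as reported by ps(1); the second view chkproc compares against."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(visible, probed, visible_again):
    """PIDs the kernel confirmed that neither readdir() pass listed.

    Two readdir() passes bracket the probe so that processes which merely
    started or exited in between are not reported as hidden.
    """
    return probed - (visible | visible_again)


def scan(max_pid=None):
    """Run the full check on the live system and return the hidden PID set."""
    first = pids_from_proc_readdir()
    probed = pids_from_kill_probe(max_pid)
    second = pids_from_proc_readdir()
    return hidden_pids(first, probed, second)


if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"PID {pid}(/proc/{pid}): not in readdir output")
```

The same `hidden_pids` comparison applies to the ps view: pass `pids_from_ps()` in place of the readdir sets to reproduce the "not in ps output" line. A kernel-space rootkit that also hooks kill() defeats this check, which is why the slide deck falls back to auditing from a trusted boot medium.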

Rootkits: Hacker Defender
- Windows: changed memory segments and all running processes' behaviors
- Hide files
- Hide processes
- Hide services
- All TCP ports become potential backdoors!

Rootkits: Hacker Defender Detection
- Any anti-virus software (why is this so?)
- Rootkit Revealer: compares the Windows API view vs. the registry hive on disk
- IceSword: found the hidden files/folders, processes, and services
Prevention
- Any ideas?

Rootkits: FU
- Windows, via Direct Kernel Object Manipulation
- Hide processes
- Elevate process privileges
- Fake out Windows Event Viewer
- Hide device drivers

Rootkits: FU Detection
- Rootkit Revealer can't see a thing
Prevention
- Any ideas?

Rootkits: Prevention/Detection
- Audits
- System binaries can't be trusted
  - BusyBox
  - Other Linux bootable CD: Knoppix

Agenda: Backdoors and Trojans
- Netcat
- ICMP backdoor
- VNC
- BO2K backdoor
- Backdoors in C
- Backdoor detection
- ACK tunneling
- Trojans
- Port/web knocking

Netcat
- Netcat is a powerful TCP/IP tool: it can be used as a back-end tool controlled by other programs, or as a standalone server or client.
- Server/client
- Program control
- File transfer
- Relay
- Tunneling
- FIFO
- Covering tracks

ICMP Backdoor
- Server installed on an infiltrated machine
- Uses ICMP packets to hide malicious network traffic
- Why was the server echoing the commands back to the client?

Virtual Network Connection (VNC)
- A legitimate tool used by network administrators
- Gives access to all operations for the user that is remotely logged in
- Bad if hackers can gain access to a running VNC server

BO2K Backdoor
- Very well-known Windows backdoor
- Server/client
- Many predefined functions: system commands, key logging, GUI commands, TCP/IP commands, MS networking, process control, registry, multimedia, file and directory, file compression

Backdoors in C
- Simple Linux telnet backdoor, 32 lines of code
- Intercepts the login
- Looks for the backdoor password
- If it is not entered, goes to the original login

Backdoor Detection
- Netcat, VNC, BO2K: firewalls, port scanning, virus check, process checking
- ICMP detection: packet throughput; turn off ICMP through gateways
- Backdoor in C: checking for file integrity
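Both the Lrk4 slides (Tripwire as prevention against replaced /bin/login and /bin/ls) and the file-integrity check listed here against the C login backdoor rest on the same idea: record digests of the binaries while the system is known-good, then compare. The following added example, which is neither Tripwire nor code from the slides, shows the minimal form of that check in Python. The sample "binaries" are constructed in a temporary directory so the example runs offline; the JSON store layout and the `demo()` scenario are this example's own choices.

```python
"""Tripwire-style file integrity check (added example, not the slides' code).

Build a baseline of SHA-256 digests, sizes and mode bits for a list of
files, persist it as JSON, and later report files that were modified,
removed or added.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest plus the size and mode bits."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_of(p), "size": st.st_size,
                       "mode": st.st_mode}
    return baseline


def save_baseline(baseline, store):
    with open(store, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(store):
    with open(store) as f:
        return json.load(f)


def compare(baseline, current):
    """Return {'modified': [...], 'missing': [...], 'new': [...]}."""
    report = {"modified": [], "missing": [], "new": []}
    for p, old in baseline.items():
        if p not in current:
            report["missing"].append(p)
        elif old != current[p]:
            report["modified"].append(p)
    for p in current:
        if p not in baseline:
            report["new"].append(p)
    return report


def demo():
    """Constructed scenario: baseline two stand-in binaries, then replace one.

    Returns the report and the two paths so the caller can inspect them.
    """
    tmp = tempfile.mkdtemp()
    login = os.path.join(tmp, "login")
    ls = os.path.join(tmp, "ls")
    for p in (login, ls):
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    store = os.path.join(tmp, "baseline.json")
    save_baseline(build_baseline([login, ls]), store)
    # Simulate an Lrk4-style replacement of the login binary.
    with open(login, "wb") as f:
        f.write(b"replaced login binary")
    report = compare(load_baseline(store), build_baseline([login, ls]))
    return report, login, ls


if __name__ == "__main__":
    print(demo()[0])
```

The check is only as trustworthy as the tools that run it: on a compromised host the hashing program, the Python interpreter and the baseline file can all be replaced, which is exactly the "system binaries can't be trusted" point on the rootkit slides. Keep the baseline on read-only or offline media and run the comparison from a trusted boot medium such as the Knoppix CD the deck mentions.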

Backdoor Detection (cont.)
- TCPView
  - Scans for active ports
  - Provides info on the process using the port
  - Path info/command used to start the process
  - Allows you to end running processes

ACK Tunneling
- Used to gain access to a computer behind a firewall
- Most system admins set up firewalls in a way that blocks most illegitimate traffic
- All stateless firewalls allow ACK messages to pass
- Majority of firewalls are stateless
- Stateful firewalls keep the state of the connections
- Sets the ACK flag to gain access
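The stateless-versus-stateful distinction on this slide is easiest to see side by side on the same packets. The following added example, not from the slides, models a stateless rule that passes anything with the ACK flag set (plus outbound SYNs from an assumed 10.0.0.0/8 inside network) next to a toy stateful tracker that follows the three-way handshake and only passes ACKs belonging to a connection it saw being set up. The packets, addresses and the simplified state machine are constructed for the example.

```python
"""Stateless vs. stateful handling of ACK segments (added example).

A stateless filter passing every ACK lets ACK-tunnelled traffic through;
a stateful filter drops ACKs for which no handshake exists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "FA", "R"


def stateless_verdict(p, inside_prefix="10."):
    """Classic stateless 'established' rule: pass ACKs, plus SYNs from inside."""
    if "A" in p.flags or p.src.startswith(inside_prefix):
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Tracks the handshake per connection; ACKs need a known connection."""

    def __init__(self):
        self.conns = {}  # canonical 4-tuple -> state

    @staticmethod
    def _key(p):
        # Same key for both directions of one connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def verdict(self, p):
        key = self._key(p)
        st = self.conns.get(key)
        if "R" in p.flags:                      # reset tears the entry down
            self.conns.pop(key, None)
            return "ACCEPT" if st else "DROP"
        if p.flags == "S":                      # new connection attempt
            self.conns[key] = "SYN_SENT"
            return "ACCEPT"
        if p.flags == "SA":                     # reply to a SYN we saw
            if st == "SYN_SENT":
                self.conns[key] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        if "A" in p.flags:
            if st == "SYN_RECV":                # third step of the handshake
                self.conns[key] = "ESTABLISHED"
                return "ACCEPT"
            if st == "ESTABLISHED":
                if "F" in p.flags:
                    self.conns[key] = "CLOSING"
                return "ACCEPT"
            if st == "CLOSING":                 # final ACK of the teardown
                self.conns.pop(key, None)
                return "ACCEPT"
            return "DROP"                       # ACK with no handshake behind it
        return "DROP"


def stray_acks(packets):
    """Packets a stateless ACK rule would pass but a stateful filter drops."""
    f = StatefulFilter()
    return [p for p in packets
            if f.verdict(p) == "DROP" and stateless_verdict(p) == "ACCEPT"]


# Constructed traffic: one normal connection, then ACK-only segments with
# no handshake (the pattern an ACK tunnel relies on).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "A"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "PA"),
    Packet("198.51.100.7", 31337, "192.0.2.10", 22, "A"),
    Packet("192.0.2.10", 22, "198.51.100.7", 31337, "A"),
]

if __name__ == "__main__":
    for p in stray_acks(SAMPLE_PACKETS):
        print("stray ACK:", p)
```

A real connection tracker also checks sequence numbers and times entries out; this toy omits both, which is enough to show why "allow if ACK set" is not the same as "allow established".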

Trojans “… A malicious program that is disguised as legitimate software. … They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.” ~Wikipedia

Trojans (cont.)
- eLitewrap: wrapped a legitimate program with a malicious program that runs in the background
  - Don't execute suspicious programs
  - Look for suspicious processes running
- Explorer's ActiveX: installed a backdoor from a web page
  - Don't allow ActiveX

Port/Web Knocking
- Port knocking
  - Blocks all ports but still allows access
  - Will open a specified port when the correct knock sequence is performed
  - Knock sequence: a series of attempts to open certain ports
- Web knocking
  - Used where web access is allowed through the firewall
  - Invalid web commands are sent to the server and are logged in the error log
  - A script that runs intermittently executes the commands
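The server side of port knocking is a small state machine: per source address, how far through the secret sequence the client has got and when the last knock arrived. The following added example, not from the slides or from any knocking daemon, implements that verifier in Python over constructed connection-attempt records of the kind a daemon would read from a firewall log. The sequence (7000, 8000, 9000), the 10-second timeout and the sample sources are assumptions of the example.

```python
"""Port-knock sequence verifier (added example, not the slides' code).

Feed blocked connection attempts as (timestamp, source, destination port)
and learn which sources completed the secret sequence and should have the
service port opened for them.
"""
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence
KNOCK_TIMEOUT = 10.0                 # assumed seconds allowed between knocks


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        # source -> (index of next expected knock, timestamp of last knock)
        self.progress = defaultdict(lambda: (0, 0.0))

    def knock(self, src, port, ts):
        """Record one attempt; return True if src just completed the sequence."""
        idx, last = self.progress[src]
        if idx and ts - last > self.timeout:
            idx = 0                      # too slow: start over
        if port == self.sequence[idx]:
            idx += 1                     # expected knock
        elif port == self.sequence[0]:
            idx = 1                      # wrong knock, but a valid first one
        else:
            idx = 0                      # any other port resets the sequence
        if idx == len(self.sequence):
            del self.progress[src]
            return True
        self.progress[src] = (idx, ts)
        return False


def process_log(events, tracker=None):
    """Return [(timestamp, source)] for every completed sequence."""
    tracker = tracker or KnockTracker()
    opened = []
    for ts, src, port in events:
        if tracker.knock(src, port, ts):
            opened.append((ts, src))
    return opened


# Constructed (timestamp, source, destination port) records.
SAMPLE_EVENTS = [
    (1.0, "10.0.0.5", 7000),
    (2.0, "10.0.0.5", 8000),
    (3.0, "10.0.0.5", 9000),   # correct sequence: open
    (4.0, "10.0.0.9", 7000),
    (5.0, "10.0.0.9", 9000),   # wrong order: reset
    (6.0, "10.0.0.9", 8000),
    (7.0, "10.0.0.9", 9000),
    (20.0, "10.0.0.7", 7000),
    (40.0, "10.0.0.7", 8000),  # 20 s after the first knock: timed out
    (41.0, "10.0.0.7", 9000),
]

if __name__ == "__main__":
    print(process_log(SAMPLE_EVENTS))
```

Because any unexpected port resets the sequence, a linear port scan that happens to hit 7000 is reset by 7001 before it reaches 8000, which is the property that lets the scheme block all ports and still admit a client that knows the sequence. The knock itself is sent in the clear, so anyone who can capture the client's traffic learns it; that is the limitation to weigh when choosing it as an access control.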

Questions?