Presentation is loading. Please wait.

Presentation is loading. Please wait.

How an attacker can maintain control over their victim’s system without being discovered.

Published byFrederick Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "How an attacker can maintain control over their victim’s system without being discovered."— Presentation transcript:

1 How an attacker can maintain control over their victim’s system without being discovered.

2 A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence[1].  The keyword to remember for a rootkit is undetectable; and the most common purposes for a rootkit are sustained access and eavesdropping.

3 Early 1990’s – Internet becomes popular 1 st Generation rootkits- Replaced potential tattletale binaries (e.g. netstat, ls) Easy to detect- Compare the hashes of the original binary with current one. First rootkits were mostly written for Unix based systems (hence rootkit, instead of Administratorkit) 1999- NTRootkit, an early Windows rootkit Rootkits did not really become part of security admin vernacular until mid 2000’s Kicked off an arms race- rootkit developers vs detection/prevention measures

4 Processes Files Network Connections Also: Various system statistics (e.g. CPU percentage)

5 Uh oh, you have a rootkit?

6 Zen quote

7 Proof of concept The Hello World of Rootkits

8

9 Hooking- Overwriting target function to act in favor of the rootkit Example 1- Overwrite legitimate function in memory Example 2- Overwrite legitimate function’s address in IAT to point to rootkit’s custom function instead

10 Similar concept, but different memory spaces, tables, functions…

11

12 Detecting a Presence Guard the Doors- Think intrusion detection Roaming Guard- Periodic System scans Detecting Behavior Sysinternals RootkitRevealer example Live Detections- Rootkit revealer GMER- Free, GNU-based. Helios- Behavioral analysis (can be used to detect many forms of malware) Sophos Anti-Rootkit- Free. Scans other forms of malware. Can scan a network, not just a single host. If kernel rootkit is suspected- Need to analyze system under a kernel debugger (kd.exe)

13 Still need to nuke system from orbit Questions?

Download ppt "How an attacker can maintain control over their victim’s system without being discovered."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Cosc 4765 Cleaning up.. So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…

Cosc 4765 Cleaning up.. So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.

Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 UNIX Postmortem Mark Henman. 2 Introduction For most system administrators, there is no question that at some point at least one of their systems is.

1 UNIX Postmortem Mark Henman. 2 Introduction For most system administrators, there is no question that at some point at least one of their systems is.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Why you should never use the internet. Overview  The Situation  Infiltration  Characteristics  Techniques  Detection  Prevention.

Why you should never use the internet. Overview  The Situation  Infiltration  Characteristics  Techniques  Detection  Prevention.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
13Computer Intrusions Dr. John P. Abraham Professor UTPA.

13Computer Intrusions Dr. John P. Abraham Professor UTPA.
By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

Similar presentations

Ads by Google