Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.


2
- Introduction
- How a rootkit works
- Detection
- Preventing and removing
- Attack damage
- References

3 A rootkit is a set of one or more programs that lets an attacker hide files, processes and activity from the administrator of a compromised computer system.

4 The original intent of rootkits (1996) appears to have centred simply on hiding the programs that let an attacker “sniff” or spy on traffic to and from a compromised system.

5 Uses:
- Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents
- Conceal other malware, notably password-stealing keyloggers and computer viruses
- Appropriate the compromised machine as a zombie for attacks on other computers
- Enforce digital rights management (DRM)
- Conceal cheating in online games
- Detect attacks, for example in a honeypot
- Enhance emulation software and security software
- Anti-theft protection
- Bypass Microsoft Product Activation

6 Types of rootkit, by the level at which they run:
- User mode
- Kernel mode
- Bootkits
- Hypervisor level
- Hardware/firmware

7 User mode
- Runs in Ring 3, with the same privileges as ordinary applications
- Many installation vectors
- Gets its code executed inside a target process, or overwrites the memory of a target application (typically by hooking the APIs that application calls), so that it can filter what the application reports

8 Kernel mode
- Runs in Ring 0
- Adds code to, or replaces portions of, the core operating system, including both the kernel and its device drivers
- Has unrestricted access to the system, so nothing the operating system reports can be trusted afterwards

9 Bootkit
- Allows the malicious program to execute before the operating system boots
- Cannot be detected by the operating system's standard means, because all of its components reside outside the standard file system (e.g. in the boot sector)

10 Hypervisor level
- Uses hardware virtualization
- Traps a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it
- Does not have to load before the OS

11 Hardware/firmware
- Hidden in the BIOS, a network card's firmware, etc.
- Survives reinstallation of the operating system; removal usually means reflashing from a trusted image or replacing the infected hardware
- Can even live outside the computer, for example in a network printer

12 Installation: physical access to the target system, or privilege escalation. Cloaking: obscuring its presence from security tools by modifying the behaviour of core OS components and loading code into other processes.

13 Stoned
- Stoned is the name of a boot-sector virus created in 1987, apparently in New Zealand; it was one of the very first viruses
- The Stoned Bootkit, which reuses the name, is a memory-resident bootkit that stays in control from the boot sector up to the Windows kernel
- Boot applications executed on startup
- Drivers executed beside the Windows kernel

14
- “Your PC is now Stoned!” (1987)
- “Your PC is now Stoned! ...again” (2010)

15 Windows boot process: the Windows boot chain assumes it is started in an already secure environment, so code that runs before it (such as a modified boot sector) is never verified.

16 Hooking and patching
- BIOS interrupt 13h (disk services) hooked
- Ntldr hooked to call 32-bit code, and its code-integrity verification patched out
- The NT kernel patched
- Payloads (drivers) executed

17 Installation: from a live CD, or via an infected PDF

18 Demonstration

19 Detection techniques
- Signature-based
- File integrity monitoring
- Cross-view analysis
- Hooking detection
- Heuristics-based detection
- Network-based detection

20 3.1 Signature-based detection: analyse a known rootkit to define its fingerprint; add the fingerprint to a signature database; the fingerprint can then be used to detect that rootkit (and only that rootkit: unknown variants are missed).
3.2 File integrity monitoring: calculates cryptographic hashes of critical, unchanging operating system files and compares them with known-good values stored in a database.
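The two techniques on this slide share one piece of machinery, a walk over the files to be checked, so the added example below (it is not code from the slides or from any of the referenced works) implements both: a byte-pattern signature scanner that handles patterns straddling read-block boundaries, and a file-integrity baseline that classifies changes as modified, added or removed. The signature names and byte patterns, the file names and the tampering performed by `demo()` are all constructed for the example and describe no real rootkit.

```python
"""Signature scan and file-integrity baseline (added example, not from the slides)."""
import hashlib
import json
import os
import tempfile

# Constructed byte-pattern "fingerprints" for the example; names and bytes are
# invented and do not describe any real rootkit.
SIGNATURES = {
    "example-rootkit-a": b"\x48\x31\xc0\x0f\x05hide_me",
    "example-rootkit-b": b"ROOTKIT-MARKER",
}

CHUNK = 1 << 20  # read files in 1 MiB blocks so large binaries are not loaded whole


def scan_stream(fh, signatures=SIGNATURES, chunk=CHUNK):
    """Return the names of all signatures found in an open binary stream.

    The tail of the previous block is carried over so that a pattern split
    across a block boundary is still matched.
    """
    longest = max(len(p) for p in signatures.values())
    hits = set()
    tail = b""
    for block in iter(lambda: fh.read(chunk), b""):
        window = tail + block
        for name, pattern in signatures.items():
            if pattern in window:
                hits.add(name)
        tail = window[-(longest - 1):] if longest > 1 else b""
    return sorted(hits)


def scan_signatures(path, signatures=SIGNATURES, chunk=CHUNK):
    with open(path, "rb") as fh:
        return scan_stream(fh, signatures, chunk)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its hash and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed here
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": sha256_file(full),
                "mode": oct(os.stat(full).st_mode & 0o7777),
            }
    return baseline


def compare_baseline(stored, current):
    """Classify every difference between the stored baseline and a fresh scan."""
    common = stored.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if stored[p] != current[p]),
        "added": sorted(current.keys() - stored.keys()),
        "removed": sorted(stored.keys() - current.keys()),
    }


def demo():
    """Baseline a small tree, tamper with it the way a rootkit install would, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"original %s binary" % name.encode())
        # The baseline must live where the monitored host cannot rewrite it;
        # serialising it is the step that would ship it off-host.
        stored = json.loads(json.dumps(build_baseline(root)))

        # Constructed tampering: trojan ps, drop a hidden module, delete netstat.
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"trojaned ps " + SIGNATURES["example-rootkit-b"])
        with open(os.path.join(bindir, ".rk.ko"), "wb") as fh:
            fh.write(b"\x7fELF" + SIGNATURES["example-rootkit-a"])
        os.remove(os.path.join(bindir, "netstat"))

        report = compare_baseline(stored, build_baseline(root))
        # Run the signature scanner only over what changed.
        hits = {p: scan_signatures(os.path.join(root, p))
                for p in report["modified"] + report["added"]}
        return report, hits


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the slides themselves: a signature catches only the sample it was derived from, and a kernel-mode rootkit that hooks the file-reading path can feed the integrity checker the original bytes while the trojaned file is what executes. The baseline is therefore only trustworthy when it is stored off-host and the comparison is run from trusted media, which is the point slide 24 makes about removal.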

21 3.3 Cross-view analysis: looks at the system from the high-level "user" or API view and compares it with the actual low-level view (raw disk, raw memory, hardware); an object that appears only in the low-level view is being hidden.
3.4 Hooking detection: when a rootkit modifies a hook (a system-service or interrupt table entry) to point to its own routine, the new target almost invariably lies outside the address range occupied by the legitimate component in a "clean" system, so it is easily detected.
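Hooking detection (3.4) reduces to a range and symbol check, which the added example below performs against a system-call table. It is not code from the slides: the `/proc/kallsyms`-style symbol excerpt, every address in it, the module name `example_rk` and the table dump are constructed for the example. The check is the one the slide describes (does the pointer still lie inside `[_stext, _etext)`, the core-kernel text range?) plus a stricter one a practitioner would add: the pointer must resolve to the expected handler at offset 0, so an entry patched to jump into the middle of the real handler is also flagged.

```python
"""Hooking detection against a symbol map (added example, not from the slides)."""
import bisect

# Constructed excerpt in /proc/kallsyms format: address, type, name, [module].
# All addresses and the module name "example_rk" are invented for the example.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81002a40 T __x64_sys_read
ffffffff81002c00 T __x64_sys_write
ffffffff81003100 T __x64_sys_getdents64
ffffffff81003400 T __x64_sys_kill
ffffffff81e00000 T _etext
ffffffffc0a01000 t hooked_getdents64\t[example_rk]
ffffffffc0a01380 t hooked_kill\t[example_rk]
"""

# Constructed dump of sys_call_table entries (expected handler -> pointer found in
# the table), as a debugger or memory-image parser would report them. Two entries
# were redirected into the module; one was patched to skip the real prologue.
SYSCALL_TABLE = {
    "__x64_sys_read": 0xFFFFFFFF81002A40,
    "__x64_sys_write": 0xFFFFFFFF81002C10,
    "__x64_sys_getdents64": 0xFFFFFFFFC0A01000,
    "__x64_sys_kill": 0xFFFFFFFFC0A01380,
}


def parse_kallsyms(text):
    """Return a list of (addr, type, name, module) sorted by address."""
    syms = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        addr, typ, name = int(parts[0], 16), parts[1], parts[2]
        module = parts[3].strip().strip("[]") if len(parts) > 3 else None
        syms.append((addr, typ, name, module))
    syms.sort()
    return syms


def kernel_text_range(syms):
    """[_stext, _etext): the range every legitimate core-kernel handler lives in."""
    core = {name: addr for addr, _typ, name, module in syms if module is None}
    return core["_stext"], core["_etext"]


def resolve(syms, addr):
    """Nearest symbol at or below addr -> (name, module, offset), or None."""
    addrs = [s[0] for s in syms]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0:
        return None
    sym_addr, _typ, name, module = syms[i]
    return name, module, addr - sym_addr


def check_syscall_table(table, syms):
    """Flag entries that leave kernel text or do not land on the expected entry point."""
    lo, hi = kernel_text_range(syms)
    findings = {}
    for expected, addr in table.items():
        in_text = lo <= addr < hi
        name, module, offset = resolve(syms, addr) or (None, None, 0)
        if not in_text:
            status = "hooked: pointer outside kernel text (module %s)" % module
        elif name == expected and offset == 0:
            status = "ok"
        else:
            status = "suspicious: points at %s+0x%x" % (name, offset)
        findings[expected] = {"addr": addr, "in_text": in_text,
                              "resolved": name, "module": module, "status": status}
    return findings


def hooked_entries(findings):
    """Names of all table entries that did not check out clean."""
    return sorted(n for n, f in findings.items() if f["status"] != "ok")


if __name__ == "__main__":
    result = check_syscall_table(SYSCALL_TABLE, parse_kallsyms(KALLSYMS))
    for name, f in result.items():
        print("%-22s %016x  %s" % (name, f["addr"], f["status"]))
```

On a live system both inputs come from the kernel the rootkit controls, so it can present a clean table and a doctored symbol list; real tools read the table from a memory image or from a known-good copy of the kernel, which is the cross-view idea of 3.3 applied to memory.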

22 3.5 Heuristics-based detection: attempts to classify behaviour as malicious according to pre-determined rules, rather than by matching a known sample.
3.6 Network-based detection: the monitored system periodically sends a snapshot of its network traffic and open ports to a trusted gateway for analysis; the gateway compares this data with its own "external" view of the system's network activity, and a port that is reachable from outside but absent from the snapshot indicates hiding.
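Cross-view analysis (3.3) and network-based detection (3.6) are the same comparison applied to different views, so one added example serves both; it is not code from the slides. The `ps` output, the `/proc` listing, the `ss -lnt` snapshot and the gateway's port list are all constructed inputs with invented PIDs and ports. The example also handles the false positive the network case invites: a service bound only to loopback is legitimately invisible from the gateway and must not be reported as a phantom. `live_process_views()` shows how the low-level process view is collected on a real Linux host (the PID-probing approach used by unhide); it is not called by the demo.

```python
"""Cross-view analysis over process and network views (added example, not from the slides)."""
import os

# Constructed high-level (API) view: what `ps -e` reported on the suspect host.
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:02 init
  412 ?        00:00:00 sshd
  903 ?        00:00:01 cron
"""

# Constructed low-level view: directory entries read straight out of /proc.
PROC_ENTRIES = ["1", "412", "903", "1337", "self", "thread-self", "cpuinfo", "meminfo"]

# Constructed local socket snapshot from `ss -lnt` on the suspect host.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

# Constructed external view: TCP ports the trusted gateway found open by scanning the host.
GATEWAY_OPEN_PORTS = {22, 4444}

LOOPBACK = ("127.", "[::1]", "::1")


def parse_ps(text):
    """PIDs from `ps` output (first column of every row after the header)."""
    pids = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def parse_proc(entries):
    """PIDs from a /proc listing: only all-digit entries are processes."""
    return {int(e) for e in entries if e.isdigit()}


def parse_ss_listen(text):
    """Map listening port -> set of bound addresses from `ss -lnt` output."""
    listen = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)
            listen.setdefault(int(port), set()).add(addr)
    return listen


def externally_visible(listen):
    """Ports bound to at least one non-loopback address: only these can be seen
    by the gateway, so loopback-only listeners must not count as phantoms."""
    return {port for port, addrs in listen.items()
            if any(not a.startswith(LOOPBACK) for a in addrs)}


def cross_view(high, low):
    """Compare two views of the same objects.
    hidden : in the low-level view but missing from the high-level one (what the
             rootkit's hooks are filtering out)
    phantom: only in the high-level view (stale data or spoofed entries)"""
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def live_process_views():
    """Linux only: the /proc listing versus PID probing with kill(pid, 0).
    kill() also accepts thread IDs, so a probe hit that is absent from the
    listing should be confirmed via /proc/<pid>/status before alerting."""
    listed = parse_proc(os.listdir("/proc"))
    probed = set()
    for pid in range(1, 32768):
        try:
            os.kill(pid, 0)
            probed.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            probed.add(pid)  # exists, but owned by another user
    return listed, probed


def demo():
    processes = cross_view(parse_ps(PS_OUTPUT), parse_proc(PROC_ENTRIES))
    listen = parse_ss_listen(SS_OUTPUT)
    ports = cross_view(externally_visible(listen), GATEWAY_OPEN_PORTS)
    return processes, ports


if __name__ == "__main__":
    print(demo())
```

The value of the technique lies in where the low-level view comes from: a kernel-mode rootkit that hooks `getdents64` can filter `os.listdir("/proc")` as easily as it filters `ps`, which is why the gateway's scan, taken entirely outside the suspect host, is the stronger of the two views.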

23 Prevention
- Operating system updates
- Automatic updates
- Personal firewalls
- Host-based intrusion prevention systems
- Rootkit prevention techniques

24 Removal
- A number of security-software vendors offer tools that automatically detect and remove some rootkits
- Some antivirus scanners bypass the file-system APIs, which a rootkit can manipulate, and read the disk directly
- Many experts believe the only reliable way to remove a rootkit is to reinstall the operating system from trusted media, after booting from trusted media, since a running rootkit controls what the infected system reports
- In some cases (firmware rootkits) the only option is to replace hardware

25 Home users
- Theft of identity and private information
- Home users' computers turned into zombies
- Loss of time, money and confidence

26 Enterprise and government
- Loss of confidential information, theft of intellectual property
- Damage to reputation and customer trust
- Additional costs of purchasing, installing and administering security measures, which also increase system complexity

27 References
- W. Stallings and L. Brown, Computer Security: Principles and Practice
- T. M. Arnold, A Comparative Analysis of Rootkit Detection Techniques
- R. Vieler, Professional Rootkits
- http://en.wikipedia.org/wiki/Rootkit
- http://opensecuritytraining.info/Rootkits.html
- http://www.stoned-vienna.com

