Download presentation
Presentation is loading. Please wait.
1
Windows Security and Rootkits Mike Willard Mike.willard@colostate.edu January 2007
2
2Introduction Presentation Content Presentation Content Root kit technologies overview Root kit technologies overview Demonstrations – HackerDefender, Pwdump, Password hash cracking. Demonstrations – HackerDefender, Pwdump, Password hash cracking. CSU Windows Network Security Recommendations overview. CSU Windows Network Security Recommendations overview.
3
Rootkits
4
4 Rootkits What is a rootkit? What is a rootkit? Wikipedia.org - “A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system” Wikipedia.org - “A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system” Term originally from UNIX hackers. Compiled modified versions of common system utilities. (ps, ls, etc.) Term originally from UNIX hackers. Compiled modified versions of common system utilities. (ps, ls, etc.) Refers to a technology rather than specific program. Refers to a technology rather than specific program.
5
5 How do Rootkits work? Hardware is the lowest level and controls all access to physical resources. Hardware is the lowest level and controls all access to physical resources. Intel/x86 architecture implements security rings concept. Four rings (0-3). The lowest number is the “innermost ring” and has the greatest control. Intel/x86 architecture implements security rings concept. Four rings (0-3). The lowest number is the “innermost ring” and has the greatest control. Windows uses only ring 0 (kernel) and ring 3 (“Userland”). Windows uses only ring 0 (kernel) and ring 3 (“Userland”).
6
6 How do Rootkits work? Running code in ring 0 Running code in ring 0 Patch/replace the kernel on disk. Patch/replace the kernel on disk. Modify the kernel in memory - kernel loadable modules (device drivers, etc). Modify the kernel in memory - kernel loadable modules (device drivers, etc). Virtual Machine Based Rootkits (VMBR) Virtual Machine Based Rootkits (VMBR)
7
7 How do Rootkits work? Manipulating the kernel Manipulating the kernel Can hide processes, files, network activity, etc. Intercept keystrokes. Access data. Can hide processes, files, network activity, etc. Intercept keystrokes. Access data. Once hidden, can intercept keystrokes, etc. Once hidden, can intercept keystrokes, etc. Do this by manipulating tables in protected memory space. (Interrupt Descriptor Table, Import Address Table) Do this by manipulating tables in protected memory space. (Interrupt Descriptor Table, Import Address Table)
8
8 How do Rootkits work? Surviving Reboot Surviving Reboot Run key in registry. Run key in registry. Some.INI files (win.ini) Some.INI files (win.ini) Replace or infect an existing EXE or DLL file. Replace or infect an existing EXE or DLL file. Register as a driver. Register as a driver. Register as an add-on to an existing application (internet browser search bar). Register as an add-on to an existing application (internet browser search bar). Modify the boot loader (modify kernel before booting) Modify the boot loader (modify kernel before booting)
9
9 Detecting Rootkits Watch for inconsistencies. Watch for inconsistencies. Remote file scan. Remote file scan. RootkitRevealer (Sysinternals) RootkitRevealer (Sysinternals) Integrity Checkers (e.g. Tripwire) Integrity Checkers (e.g. Tripwire)
10
10 Future of Rootkits/Hacking Operating systems becoming more and more hardened Operating systems becoming more and more hardened Embedded Systems. Embedded Systems. Application Exploits. Application Exploits. Hardware Bios and Memory (e.g. Video Cards) Hardware Bios and Memory (e.g. Video Cards)
11
Demonstrations
12
CSU Windows Security Recommendations
13
13 Windows Security Tasks Windows Security Tasks Auditing Auditing Physical Security Physical Security Setup and Patching Setup and Patching Account Management Account Management Restrict Anonymous Access and NTLM Authentication Restrict Anonymous Access and NTLM Authentication
14
14Resources “Rootkits” by Greg Hoglund and James Butler “Rootkits” by Greg Hoglund and James Butler Rootkit web site Rootkit web site http://www.rootkit.com Top Security Tools Compilation Top Security Tools Compilation http://sectools.org Sysinternals (now part of Microsoft) Utilities Sysinternals (now part of Microsoft) Utilities http://www.sysinternals.com CSU Windows Security Guidelines (requires eID) CSU Windows Security Guidelines (requires eID) http://windows.colostate.edu/index.aspx?page=for_it_admins Windows Server 2003 Security Guide Windows Server 2003 Security Guide http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1- 0685-4d89-b655-521ea6c7b4db&displaylang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1- 0685-4d89-b655-521ea6c7b4db&displaylang=en
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.