2. Vijay krishnan Avinesh Dupat

3.  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose of a Rootkit is to make unauthorized modifications to the software in your PC

4.  Provide an attacker full access via backdoor techniques.  Conceal other malware.  Appropriate the compromised machine as a zombie computer for attacks on other computers.  Non Hostile Rootkits-Anti-theft protection, Enforcement of DRM, Enhance emulation software and security software

5.  Attacker identifies an existing vulnerability in a target system.  After gaining access to a vulnerable system, the attacker can install a rootkit manually.  Can covertly steal user passwords, credit card information, computing resources, or to conduct other unauthorized activities without the knowledge of administrator

6.  Spyware : Modifying software programs for the purpose of infecting it with spyware.  Backdoor :Modification that is built into a software program in your computer that is not part of the original design of the program  Byte Patching :Bytes are constructed in a specific order which can be modified by a rootkit  Source code modification :modifying the code in the PC's software right at the main source

7.  User mode :run on a computer through administrator privileges  Kernel mode :Installed at the same level as the PCs operating system  Firmware :Create malcode inside the firmware while you computer is shut down

8.  Proactive  Preventing the rootkit from being installed  Preventing compromise in the first place  Reactive  Detecting the Rootkit after it has been installed  Removal of the Rootkit

9.  The first step in prevention of Rootkit is to run in less privileged user mode.  Use of the sc command in Windows XP. This locks up the Windows Service database.  Use HIPS (Host based Intrusion Prevention System) tool like AntiHook  Use a tool like Sandboxie which creates a sandbox like environment within which we can run any program

10.  Cover all the infection vectors  Refrain from engaging in dangerous activities when logged in as administrator.  Don't read email, browse the Web, or work with documents while logged on at servers interactively or through Windows Terminal Services  Disable unneeded features and service  Have the latest Anti virus software

11.  Very Difficult because Rootkit’s goal is to hide  Antivirus products that have various levels of success with detecting rootkits.  Enumerate your system's contents and boot up using a known-good operating system.  Use of a packet sniffer, such as WinDump, or a network firewall

12.  Alternative trusted medium  Behavioral-based  Signature-based  Difference-based  Integrity checking  Memory dumps

13.  Rootkit Detection tools -> Detect Rootkits Eg : Rootkit Revealer  Rootkit Removal tools -> Eliminates Rootkits from the user’s system Eg : IceSword

14.  Rebuilding the System is the BEST solution!  Clean the infection  Disable rootkit  Boot with clean CD and remove rootkit’s resources

15.  http://www.spamlaws.com/how-rootkits- work.html http://www.spamlaws.com/how-rootkits- work.html  www.en.wikipedia.org www.en.wikipedia.org  http://swatrant.blogspot.com/2006/02/rootkit- detection-removal-and.html http://swatrant.blogspot.com/2006/02/rootkit- detection-removal-and.html  http://www.dba- oracle.com/forensics/t_forensics_network_attack. htm http://www.dba- oracle.com/forensics/t_forensics_network_attack. htm  http://technet.microsoft.com/en- us/library/cc512642.aspx http://technet.microsoft.com/en- us/library/cc512642.aspx  http://www.windowsitpro.com/article/antivirus /defending-against-rootkits.aspx http://www.windowsitpro.com/article/antivirus /defending-against-rootkits.aspx

16. THANK YOU!