Presentation is loading. Please wait.

Presentation is loading. Please wait.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection."— Presentation transcript:

1 ROOT KITS

2 Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection and elimination Detection demo Hardware rootkits Conclusion Bibliography

3 History in brief.. First mainstream media coverage of a rootkit Discovered by Mark Russinovich when using his rootkit detection software Sony used “rootkit” technology to protect their copy protection mechanism from users Anything that was named $SYS was hidden from the system, even the Administrator

4 What is a Rootkit? “A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.“ – G. Hoglund (www.rootkit.com) A toolkit used for preservation of remote access or “root” “A tool used to open a backdoor so that the attacker can have a un-interrupted access to the compromised machine and it will hide itself so that it remains un- detected. A rootkit is not A virus or worm

5 Rootkits - Why Should You Care? Your current methods for investigating a suspicious machine could be defunct If you can’t detect a backdoor on any given machine, how do you know your machine is clean? New viruses will use new rootkit technology

6 Current Rootkit Capabilities Hide processes Hide files Hide registry entries Hide services Completely bypass personal firewalls Undetectable by anti virus Remotely undetectable Covert channels - undetectable on the network Defeat cryptographic hash checking Install silently All capabilities ever used by viruses or worms

7 Levels of access in windows Ring 3 – User Land User Administrator System Ring 0 – Kernel Land Drivers

8 What Happens When You Read a File? Readfile() called on File1.txt Transition to Ring 0 NtReadFile() processed I/O Subsystem called IRP generated Data at File1.txt requested from ntfs.sys Data on D: requested from dmio.sys Data on disk 2 requested from disk.sys

9 Userland (Ring 3) Rootkits Binary replacement eg modified Exe or Dll Binary modification in memory eg He4Hook User land hooking eg Hacker Defender IAT hooking

10 Kernel (Ring 0) Rootkits Kernel Hooking E.g. NtRootkit Driver replacement E.g. replace ntfs.sys with ntfss.sys Direct Kernel Object Manipulation – DKOM E.g. Fu, FuTo

11 Kernel (Ring 0) Rootkits IO Request Packet (IRP) Hooking – IRP Dispatch Table E.g. He4Hook (some versions)

12 Ring 3 Rootkit: Hacker Defender Hacker Defender Most widely used rootkit on Windows Hides processes Hides TCP / UDP port bindings Uses simple INI file configuration Easy to detect and remove with defaults Not too difficult to modify to avoid detection

13 demo

14 Present system.

15 Another system

16 On the command prompt..

17 In the context of rootkit dir in another system

18 Detection Methodologies Traditional Detection Check integrity of important OS elements against a hash database (sigcheck) Look for unidentified processes (task manager) Check for open ports Can be subverted easily

19 Detection Methodologies Signature based Look for known rootkits, viruses, backdoors Antivirus Look for “bad things” living in memory Requires updated databases Doesn’t detect anything it hasn’t seen before

20 Detection Methodologies Hook detection Look for modified IAT tables Look for inline hooks Look for modification to important tables E.g. VICE System Virginity Verifier IceSword

21 Detection Methodologies Cross View Detection Take a view of a system at a high level. e.g. Windows Explorer Take a view of the system at a low (trusted) level. e.g. Raw Disk Registry, Files, Processes Compare the two Examples Sysinternals - Rootkit Revealer Microsoft Research – Strider Ghostbuster

22 Good Tools Root kit revealer Ice sword F-Secure Black light System Virginity Verifier Dark Spy RK Detector

23 Detecting the Hacker Defender rootkit F-Secure backlight

24 Oops there’s another one hidden..

25 Where else they can hide?? Hardware Rootkits A OS reinstall won’t save you Hard to remove. Device is usually destroyed Difficult to implement Very hard to detect With more and more memory on devices they are becoming prevalent with time VideoCardKit Stores code in FLASH or EEPROM

26 Conclusions  Rootkit technology is an arms race  Hard to tell who is winning  Antivirus may catch up (one day…)  Firewalls do not provide protection  No Single tool will detect all rootkits, run at least 3 tools

27 Bibliography http://en.wikipedia.org/wiki/Rootkit http://www.youtube.com/watch?v=NJNYHpFipjM http://www.symantec.com/connect/articles/windows- rootkits-2005-part- onehttp://portal.acm.org/citation.cfm?id=1264211. http://portal.acm.org/citation.cfm?id=1264211 http://www.informit.com/articles/article.aspx?p=23463 http://technet.microsoft.com/en-us/library/cc768129.aspx http://en.wikipedia.org/wiki/Architecture_of_Windows_NT

28 Questions ????

Download ppt "ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection."

Similar presentations

Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
How an attacker can maintain control over their victim’s system without being discovered.

How an attacker can maintain control over their victim’s system without being discovered.
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
شناسايي سيستم روند نماي کلي انجام يک حملة کامپيوتري شناسايي مواضع و نقاط ضعف سيستم هدف هجوم اوليه تثبيت مواضع برنامه ريزي مرحله بعد عمليات دسترسی جلوگيري.

شناسايي سيستم روند نماي کلي انجام يک حملة کامپيوتري شناسايي مواضع و نقاط ضعف سيستم هدف هجوم اوليه تثبيت مواضع برنامه ريزي مرحله بعد عمليات دسترسی جلوگيري.
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
1.1 Installing Windows Server 2008 Windows Server 2008 Editions Windows Server 2008 Installation Requirements X64 Installation Considerations Preparing.

1.1 Installing Windows Server 2008 Windows Server 2008 Editions Windows Server 2008 Installation Requirements X64 Installation Considerations Preparing.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Rootkits: Sneaky, Stealthy Toolboxes

Rootkits: Sneaky, Stealthy Toolboxes
Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major.

Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Similar presentations

Ads by Google