1. Rootkits

2. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals  The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products

3. EC-Council Rootkits  Rootkits are kernel programs which has the ability to hide itself and cover up traces of activities  When a rootkit is installed, it replaces certain operating system calls and utilities with its own, modified versions of those routines  For example, to hide the existence of a file, the rootkit intercepts all system calls that can carry a file name argument, such as open(), chdir() and unlink()

4. EC-Council Why rootkits?  If hacker wants to do something to your system, such as plant a virus, a Trojan horse program or spyware, he has to gain access to the system's root directory and the unlimited power that goes with that access.  Once established as root, the intruder can modify system commands to hide his tracks from the systems administrator and preserve his root access.  Hackers achieve this via a rootkit.

5. EC-Council Rootkits in Linux  Rootkits are also referred to a set of modified and recompiled Unix tools (typically including ps, netstat and passwd) designed to hide any trace of the intruder's presence or existence  A rootkit may include programs to monitor traffic, create a back door into the system, alter log files and attack other machines on the network

6. EC-Council Detecting rootkits  Detecting rootkits is a problem  Once infected with a rootkit, you can't trust your operating system  You can't believe what the system tells you when you request a list of running processes or files in a directory  One way to get around this is to shut down the suspect computer and check its storage after booting from alternative media that you know are clean, such as a bootable CD-ROM

7. EC-Council Sony Rootkit Case Study  Mark Russinovich discovered last October that some Sony BMG Music Entertainment CDs use rootkit technology to automatically install digital rights management software on Windows computers  The intent of this kludge was to prevent unauthorized digital copying of the music  The Sony music CD creates a hidden directory and installs several of its own device drivers; it then reroutes Windows systems calls to its own routines  It intercepts kernel-level application programming interfaces and tries to disguise its presence  Sony was hit with numerous lawsuits around the United States for planting a rootkits on users computer with their knowledge  For more information visit: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and- digital-rights.html http://www.sysinternals.com/blog/2005/10/sony-rootkits-and- digital-rights.html 

8. EC-Council Steps for Detecting Rootkits 1. Simple steps you can take to detect some of today's ghostware: 2. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results. 3. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results. 4. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). 5. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

9. EC-Council Rootkit detection tools  BlackLight from F-Secure Corp. http://www.f-secure.com/blacklight  RootkitRevealer from Sysinternals http://www.sysinternals.com/Utilities/RootkitRevea ler.htmlhttp://www.sysinternals.com/Utilities/RootkitRevea ler.html  Malicious Software Removal Tool from Microsoft Corp. http://www.microsoft.com/security/malware remove/default.mspxhttp://www.microsoft.com/security/malware remove/default.mspx