
Rootkits, Backdoors, and Trojans ECE 4112 – Lab 5 Summary – Spring 2006 Group 9 Greg Sheridan Terry Harvey Group 10 Matthew Bowman Laura Silaghi Michael.


1 Rootkits, Backdoors, and Trojans ECE 4112 – Lab 5 Summary – Spring 2006 Group 9 Greg Sheridan Terry Harvey Group 10 Matthew Bowman Laura Silaghi Michael Sanders

2 Agenda
- Rootkits: user space vs. kernel space; detection; prevention
- Backdoors: different implementations; detection; prevention
- Trojans
- Port & Web Knocking

3 Rootkits “A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.” -Wikipedia

4 Rootkits: Lrk4
- Linux, user space: replaced system binaries
- /bin/login: added user rewt; added 'global' password satori
- /bin/ls: uses /dev/ptyr to hide files

5 Rootkits: Lrk4
- Detection: chkrootkit matched "root"; strace (the number of system calls is dependent on location)
- Prevention: Tripwire

6 Rootkits: Knark
- Linux, kernel space: redirected system calls
- Added /proc/knark/
- Hiding files: hidef/unhidef
- Redirecting binaries: ered
- Other Knark functions?

7 Rootkits: Knark
- Detection: kern_check detected changes in SCT addresses; rkhunter has a really bad aim; chkrootkit
- What trick could be used to detect Knark, and how could this be avoided by Knark?
- Prevention: Tripwire; disable LM
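The kern_check idea on the slide (compare the addresses in the live system call table with the ones the kernel was built with) can be shown with a small comparison script. This is an added example, not kern_check's own code or anything from the lab: the System.map excerpt and the "live" table are constructed (a real checker would read the table through /dev/kmem or a helper module), and the addresses are made up. A module that re-points a call such as getdents to its own handler shows up as an entry whose address no longer matches the map, which is the symptom kern_check reports.

```python
import re

# Constructed excerpt in System.map format ("<address> <type> <symbol>").
# Addresses are made up; a real map is generated at kernel build time and
# should be kept on read-only media, since the running kernel cannot be trusted.
SYSTEM_MAP = """\
c0105000 T sys_exit
c0106120 T sys_fork
c0150a30 T sys_read
c0150b80 T sys_write
c014d2f0 T sys_open
c0152aa0 T sys_getdents
c0153910 T sys_getdents64
c0120f40 T sys_kill
"""

# Constructed "live" table as a /dev/kmem reader would hand it back:
# syscall name -> address currently stored in the system call table.
# Two entries point into module address space (0xd0... here), the pattern
# seen when a loadable module has redirected the directory listing calls.
LIVE_TABLE = {
    "sys_exit": 0xC0105000,
    "sys_fork": 0xC0106120,
    "sys_read": 0xC0150A30,
    "sys_write": 0xC0150B80,
    "sys_open": 0xC014D2F0,
    "sys_getdents": 0xD0843120,
    "sys_getdents64": 0xD08432A0,
    "sys_kill": 0xC0120F40,
}

MAP_LINE = re.compile(r"^([0-9a-fA-F]+)\s+[TtWw]\s+(sys_\w+)$")


def parse_system_map(text):
    """Return {symbol: address} for every sys_* text symbol in a System.map."""
    table = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            table[m.group(2)] = int(m.group(1), 16)
    return table


def find_hooked_syscalls(expected, live):
    """Return sorted (name, expected_addr, live_addr) for entries that differ.

    A slot missing from the live view is not reported: the check can only
    speak about table entries it was actually able to read.
    """
    return sorted(
        (name, addr, live[name])
        for name, addr in expected.items()
        if name in live and live[name] != addr
    )


def report(expected, live):
    """Human-readable lines in the spirit of kern_check's output."""
    lines = []
    for name, want, got in find_hooked_syscalls(expected, live):
        lines.append(f"WARNING: {name} expected 0x{want:08x}, table holds 0x{got:08x}")
    if not lines:
        lines.append("System call table matches System.map")
    return lines


if __name__ == "__main__":
    for line in report(parse_system_map(SYSTEM_MAP), LIVE_TABLE):
        print(line)
```

The comparison only helps if both inputs are honest: a rootkit that also controls the path used to read the table can hand the checker the original addresses, which is one answer to the slide's "how could this be avoided" question and the reason the later slides recommend auditing from a bootable CD.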

8 Rootkits: sucKIT
- Linux, user space: redirected pointer to the SCT
- Attacks the kernel via what user file?

9 Rootkits: sucKIT
- Detection: chkrootkit
  Searching for Suckit rootkit... Warning: /sbin/init INFECTED
  chkproc
  PID 1443(/proc/1443): not in readdir output
  PID 1443: not in ps output
  You have 1 process hidden for readdir command
  You have 1 process hidden for ps command
- Prevention: Any ideas?
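The chkproc output quoted on the slide comes from cross-checking three views of the process list: what reading /proc returns, what ps prints, and what a brute-force probe of every PID finds. The script below is an added example of that technique, not chkrootkit's own code; the live collectors target a Linux host, while demo() uses a constructed set of PIDs that reproduces the slide's one hidden process.

```python
import os
import subprocess


def hidden_pids(readdir_pids, ps_pids, probed_pids):
    """Cross-check three PID views.

    readdir_pids: PIDs seen by listing /proc
    ps_pids:      PIDs reported by 'ps'
    probed_pids:  every PID that answered a direct probe (kill(pid, 0))
    Returns the PIDs the probe found that each of the other views lacks.
    """
    return {
        "readdir": sorted(probed_pids - readdir_pids),
        "ps": sorted(probed_pids - ps_pids),
    }


def format_report(hidden):
    """Lines in the style of chkproc's output."""
    lines = []
    for pid in hidden["readdir"]:
        lines.append(f"PID {pid}(/proc/{pid}): not in readdir output")
    for pid in hidden["ps"]:
        lines.append(f"PID {pid}: not in ps output")
    for view in ("readdir", "ps"):
        n = len(hidden[view])
        if n:
            plural = "es" if n > 1 else ""
            lines.append(f"You have {n} process{plural} hidden for {view} command")
    return lines


# --- live collectors for a Linux host (not used by the constructed demo) ---

def readdir_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probe_pids(max_pid=65535):
    """Brute force: kill(pid, 0) delivers no signal. ESRCH means no such
    process; EPERM means it exists but belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def demo():
    """Constructed views reproducing the slide's finding: PID 1443 answers
    the probe but is absent from both the /proc listing and ps."""
    listed = {1, 2, 100, 1442}
    probed = listed | {1443}
    return format_report(hidden_pids(listed, listed, probed))


if __name__ == "__main__":
    print("\n".join(demo()))
```

The check works because hiding a process from getdents (the /proc listing) is a different hook from hiding it from kill(); a rootkit that patches both makes the three views agree again, which is why the slide's "Prevention: any ideas?" leads to offline auditing rather than more on-host checks.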

10 Rootkits: Hacker Defender
- Windows: changed memory segments and all running processes' behaviors
- Hide files; hide processes; hide services
- All TCP ports become potential backdoors!

11 Rootkits: Hacker Defender
- Detection: any anti-virus software (why is this so?); Rootkit Revealer compares the Windows API view vs. the registry hive on disk; IceSword found the hidden files/folders, processes, and services
- Prevention: Any ideas?

12 Rootkits: FU
- Windows, via Direct Kernel Object Manipulation
- Hide processes; elevate process privileges; fake out Windows Event Viewer; hide device drivers

13 Rootkits: FU
- Detection: Rootkit Revealer can't see a thing
- Prevention: Any ideas?

14 Rootkits: Prevention/Detection
- Audits: system binaries can't be trusted
- BusyBox
- Other: Linux bootable CD (Knoppix)

15 Agenda: Backdoors and Trojans
- Netcat
- ICMP backdoor
- VNC
- BO2K backdoor
- Backdoors in C
- Backdoor detection
- ACK tunneling
- Trojans
- Port/Web knocking

16 Netcat
- Netcat is a powerful TCP/IP protocol tool; it can be used as a backend tool controlled by other programs or as a standalone server/client.
- Server/client; program control; file transfer; relay; tunneling; FIFO; covering tracks

17 ICMP Backdoor
- Server installed on an infiltrated machine
- Uses ICMP packets to hide malicious network traffic
- Why was the server echoing the commands back to the client?
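An ICMP backdoor has to carry its commands and responses inside echo packets, so the traffic looks unlike a normal ping: more packets per second, larger payloads, and payload sizes that change from packet to packet. The detection slide later in the deck lists "packet throughput" as the way to spot it; this added example (not part of the lab or of any real tool) scores per-host ICMP flows on exactly those properties. The flow records are constructed, and the thresholds are assumptions to be tuned against a real baseline.

```python
def constructed_records():
    """Constructed ICMP flow records: (t_seconds, src, dst, icmp_type, payload_len)."""
    recs = []
    # Ordinary ping: one 56-byte echo request per second and its reply.
    for i in range(5):
        recs.append((float(i), "10.0.0.5", "10.0.0.1", 8, 56))
        recs.append((float(i) + 0.01, "10.0.0.1", "10.0.0.5", 0, 56))
    # Tunnel-like traffic: 40 echo requests in 10 s, payloads of varying size.
    for i in range(40):
        recs.append((i * 0.25, "10.0.0.7", "10.0.0.1", 8, 100 + (i * 37) % 900))
    return recs


def icmp_stats(records):
    """Aggregate per (src, dst): packet count, payload bytes, time span, distinct sizes."""
    stats = {}
    for t, src, dst, _icmp_type, plen in records:
        s = stats.setdefault((src, dst), {"count": 0, "bytes": 0, "first": t,
                                          "last": t, "sizes": set()})
        s["count"] += 1
        s["bytes"] += plen
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
        s["sizes"].add(plen)
    return stats


def flag_suspicious(records, max_pps=2.0, max_payload=64, max_distinct_sizes=3):
    """Return {(src, dst): [reasons]} for pairs whose ICMP traffic looks like a
    data channel rather than a ping: too many packets per second, payloads
    larger than a normal echo, or payload sizes that keep changing.
    Thresholds are assumed defaults, not measured values."""
    flagged = {}
    for pair, s in icmp_stats(records).items():
        reasons = []
        rate = s["count"] / max(s["last"] - s["first"], 1.0)
        if rate > max_pps:
            reasons.append("high_rate")
        if max(s["sizes"]) > max_payload:
            reasons.append("large_payload")
        if len(s["sizes"]) > max_distinct_sizes:
            reasons.append("variable_payload")
        if reasons:
            flagged[pair] = reasons
    return flagged


if __name__ == "__main__":
    for pair, why in flag_suspicious(constructed_records()).items():
        print(pair, why)
```

On a real network the records would come from a flow exporter or a packet capture; the point of aggregating per (src, dst) pair is that a single oversized echo is unremarkable, while a sustained two-way stream of them between the same hosts is the throughput signature the slide refers to.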

18 Virtual Network Connection (VNC)
- A legitimate tool used by network administrators
- Gives access to all operations for the user that is remotely logged in
- Bad if hackers can gain access to a running VNC server

19 BO2K Backdoor
- Very well known Windows backdoor
- Server/client
- Many predefined functions: system commands; key logging; GUI commands; TCP/IP commands; MS networking; process control; registry; multimedia; file and directory; file compression

20 Backdoors in C
- Simple Linux telnet backdoor, 32 lines of code
- Intercepts the login; looks for the backdoor password; if it is not entered, goes to the original login

21 Backdoor Detection
- Netcat, VNC, BO2K: firewalls, port scanning, virus check, process checking
- ICMP detection: packet throughput; turn off ICMP through gateways
- Backdoor in C: checking for file integrity

22 Backdoor Detection Cont.
- TCPView: scans for active ports; provides info on the process using the port; path info/command used to start the process; allows you to end running processes

23 ACK Tunneling
- Used to gain access to a computer behind a firewall
- Most system admins set up firewalls in a way that will block most illegitimate traffic
- All stateless firewalls allow ACK messages to pass; the majority of firewalls are stateless
- Stateful firewalls keep the state of the connections
- Sets the ACK flag to gain access
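The difference the slide draws between stateless and stateful firewalls is easiest to see by running the same four packets through both. The simulation below is an added example (not the lab's material): a stateless "allow established" rule that keys only on the ACK flag, next to a minimal connection-tracking firewall that admits an inbound packet only when an inside host started the connection. Addresses, ports and the protected network prefix are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


PROTECTED_NET = "10.0.0."   # constructed: the internal network behind the firewall


def is_inbound(pkt):
    return pkt.dst.startswith(PROTECTED_NET) and not pkt.src.startswith(PROTECTED_NET)


def stateless_decision(pkt):
    """Classic stateless rule set: let anything out, and let packets in only if
    ACK is set, on the assumption that such packets are replies to connections
    an inside host opened. The firewall has no memory, so an unsolicited ACK
    satisfies the rule just as well as a real reply."""
    if not is_inbound(pkt):
        return "ALLOW"
    return "ALLOW" if "ACK" in pkt.flags else "DROP"


class StatefulFirewall:
    """Keeps a connection table: an inbound packet is allowed only if it matches
    a connection that an inside host initiated."""

    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decision(self, pkt):
        if not is_inbound(pkt):
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.connections else "DROP"


def run_scenario():
    """Constructed traffic: a legitimate web connection opened from inside,
    followed by an unsolicited ACK from outside aimed at port 22.
    Returns {name: (stateless_verdict, stateful_verdict)}."""
    syn_out = Packet("10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"}))
    synack_in = Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    ack_in = Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"ACK"}))
    bare_ack = Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))

    sf = StatefulFirewall()
    results = {}
    for name, pkt in (("syn_out", syn_out), ("synack_in", synack_in),
                      ("ack_in", ack_in), ("bare_ack", bare_ack)):
        results[name] = (stateless_decision(pkt), sf.decision(pkt))
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:10s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The legitimate connection passes both firewalls; only the bare ACK separates them, and that is the whole of the slide's point: a rule that reads the ACK flag as proof of an established connection can be satisfied by anyone who sets the flag, whereas a connection table cannot.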

24 Trojans “… A malicious program that is disguised as legitimate software. … They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.” ~Wikipedia

25 Trojans Cont.
- eLitewrap: wrapped a legitimate program with a malicious program that is run in the background
- Don't execute suspicious programs; look for suspicious processes running
- Explorer's ActiveX: installed a backdoor from a webpage
- Don't allow ActiveX

26 Port/Web Knocking
- Port knocking: blocks all ports but still allows access; will open the specified port when a correct knock sequence is performed
- Knock sequence: a series of attempts to open certain ports
- Web knocking: used where web access is allowed through the firewall; invalid web commands are sent to the server and are logged in the error log; a command script runs intermittently to execute the commands
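The server side of port knocking is a small state machine: for each source address, remember how far through the sequence it has got and when it last knocked. This added example (not from the lab and not any particular knock daemon) implements that tracker and runs it over constructed connection attempts, including two that must not open the port: a sequence that stalls past the time window, and an ascending port scan that touches all three ports in the wrong order. The sequence, window and addresses are assumptions.

```python
KNOCK_SEQUENCE = (7000, 9000, 8000)   # constructed; deliberately not ascending
KNOCK_WINDOW = 10.0                   # seconds allowed between consecutive knocks


class KnockTracker:
    """Per-source progress through the knock sequence. A wrong port or a stale
    knock resets progress; completing the sequence records an 'open' event
    (a real daemon would insert a firewall rule for that source here)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src -> (next_index, last_knock_time)
        self.opened = []     # (src, time) for each completed sequence

    def observe(self, t, src, dport):
        """Feed one connection attempt; return True if it completed the sequence."""
        idx, last = self.progress.get(src, (0, None))
        if last is not None and t - last > self.window:
            idx = 0                       # too slow: start over
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:
            idx = 1                       # wrong port, but it restarts the sequence
        else:
            idx = 0
        if idx == len(self.sequence):
            self.opened.append((src, t))
            self.progress[src] = (0, t)
            return True
        self.progress[src] = (idx, t)
        return False


def constructed_events():
    """(time, source, destination port) for attempts on ports that are closed."""
    return [
        # correct sequence within the window
        (1.0, "10.0.0.9", 7000), (2.0, "10.0.0.9", 9000), (3.0, "10.0.0.9", 8000),
        # correct order, but the last knock arrives after the window expires
        (1.0, "10.0.0.11", 7000), (2.0, "10.0.0.11", 9000), (20.0, "10.0.0.11", 8000),
        # an ascending port scan hits all three ports, in the wrong order
        (1.5, "10.0.0.12", 7000), (2.5, "10.0.0.12", 8000), (3.5, "10.0.0.12", 9000),
    ]


def run_scenario(events=None):
    """Replay events in time order; return the (src, time) pairs that opened the port."""
    tracker = KnockTracker()
    for t, src, dport in sorted(events or constructed_events()):
        tracker.observe(t, src, dport)
    return tracker.opened


if __name__ == "__main__":
    print(run_scenario())
```

Two design points follow from the scenario: the sequence should not be monotonic, otherwise a plain sequential scan performed within the window opens the port by accident; and knocks are visible to anyone watching the wire, so knocking hides a service from scanners but is not a substitute for authentication on the service itself.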

27 Questions?
