ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification...


  • Slide 1
  • Slide 2
  • ROOTKIT VIRUS by Himanshu Mishra
  • Slide 3
  • Points to be covered: Introduction; History; Uses; Classification; Installation and Cloaking; Detection; Removal.
  • Slide 4
  • INTRODUCTION: A rootkit is a set of software tools used by a third party who has already gained access to a computer system, in order to conceal the altering of files, or the processes being executed by that third party, from the user.
  • Slide 5
  • INTRODUCTION Ctd: The term "rootkit" is a concatenation of "root", the privileged user account on Unix operating systems, and "kit", which refers to the software components that implement the tool.
  • Slide 6
  • HISTORY: The very first documented computer virus to target the PC platform appeared in 1986. The earliest known rootkit was written for SunOS 4.1.1 in 1990. The first rootkit for the Windows NT operating system appeared in 1999.
  • Slide 7
  • USES: Provide an attacker with full access via a back door; conceal other malware; conceal cheating in online games from the game's anti-cheat software; appropriate the compromised machine as a zombie computer for attacks on other computers.
  • Slide 8
  • USES Ctd (legitimate uses of the same techniques): Detect attacks; enhance emulation software and security software; anti-theft protection; enforcement of DRM.
  • Slide 9
  • CLASSIFICATION: User-mode; Kernel-mode; Boot loader level; Hypervisor level; Hardware/Firmware.
  • Slide 10
  • CLASSIFICATION Ctd: User-mode: user-mode rootkits run in Ring 3, as ordinary user processes rather than as low-level system processes. Kernel-mode: kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code to, or replacing portions of, the core operating system, including both the kernel and its associated device drivers.
  • Slide 11
  • CLASSIFICATION Ctd: Computer security rings.
  • Slide 12
  • CLASSIFICATION Ctd: Boot loader level (bootkit): a bootkit infects the boot loader so that it runs before the operating system, and is used predominantly to attack full disk encryption systems. Hypervisor level: this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the original operating system.
  • Slide 13
  • CLASSIFICATION Ctd: Hardware/Firmware: a firmware rootkit uses device or platform firmware to create a persistent malware image in hardware.
  • Slide 14
  • INSTALLATION AND CLOAKING: Rootkits employ a variety of techniques to gain control of a system. The most common is to leverage security vulnerabilities. Another approach is to be delivered as a Trojan horse, hidden inside software the user installs willingly. The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI) compensation method for distributors.
  • Slide 15
  • DETECTION: Alternative trusted medium; behavioural-based; signature-based; difference-based; integrity checking; memory dumps.
  • Slide 16
  • REMOVAL: Some experts believe that the only reliable way to remove a rootkit is to re-install the operating system from trusted media. Microsoft's monthly Malicious Software Removal Tool is able to detect and remove some rootkits.
  • Slide 17
  • Thank you. Reference: http://en.wikipedia.org/wiki/Rootkit
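The "integrity checking" technique on the Detection slide, as an added example that is not part of the presentation: a baseline of SHA-256 digests is recorded while the system is still trusted, and a later scan reports files that were added, removed or modified. The file names and contents in `demo()` are constructed to stand in for a system binary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record the digest of every regular file under root, keyed by relative path."""
    base = Path(root)
    return {
        str(p.relative_to(base)): sha256_file(p)
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: str, baseline: dict) -> dict:
    """Compare the current tree against a baseline taken while the system was trusted."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a stand-in binary directory, then tamper with it."""
    root = tempfile.mkdtemp()
    for name, data in {"ls": b"ls v1", "ps": b"ps v1", "netstat": b"netstat v1"}.items():
        Path(root, name).write_bytes(data)
    baseline = build_baseline(root)                  # taken from the trusted state
    Path(root, "ps").write_bytes(b"ps v1 + hook")    # replaced with a trojaned copy
    Path(root, "ls").write_bytes(b"ls v1")           # rewritten with identical bytes: no alert
    Path(root, "netstat").unlink()                   # tool removed
    Path(root, "libhide.so").write_bytes(b"lib")     # new file dropped alongside
    return check_integrity(root, baseline)
```

A kernel-mode rootkit can feed the checker clean file contents, which is why the same slide lists "alternative trusted medium": the baseline should be stored off the host and the check run from a boot medium the rootkit does not control.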