Vijay Krishnan
Avinesh Dupat
ROOTKIT - MALWARE

ROOTKIT
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
The main purpose of a rootkit is to make unauthorized modifications to the software on your PC.

What is it used for?
Provide an attacker full access via backdoor techniques.
Conceal other malware.
Appropriate the compromised machine as a zombie computer for attacks on other computers.
Non-hostile rootkits: anti-theft protection, enforcement of DRM, enhancement of emulation software and security software.

Rootkit Attack
Attacker identifies an existing vulnerability in a target system.
After gaining access to a vulnerable system, the attacker can install a rootkit manually.
Can covertly steal user passwords, credit card information or computing resources, or conduct other unauthorized activities without the knowledge of the administrator.

MODUS OPERANDI
Spyware: modifying software programs for the purpose of infecting them with spyware.
Backdoor: a modification built into a software program on your computer that is not part of the program's original design.
Byte patching: bytes are laid out in a specific order, which a rootkit can modify.
Source code modification: modifying the code of the PC's software right at the source.

Types of Rootkits
User mode: runs on a computer with administrator privileges.
Kernel mode: installed at the same level as the PC's operating system.
Bootkits: a kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems.
Firmware: creates malcode inside the firmware while your computer is shut down.

Defensive Measures
Proactive: preventing the rootkit from being installed; preventing compromise in the first place.
Reactive: detecting the rootkit after it has been installed; removal of the rootkit.

Rootkit Prevention
The first step in prevention of rootkits is to run in a less privileged user mode.
Use the sc command in Windows XP. This locks up the Windows Service database.
Use a HIPS (Host-based Intrusion Prevention System) tool like AntiHook.
Use a tool like Sandboxie, which creates a sandbox-like environment within which we can run any program.

Rootkit Detection
Very difficult, because the rootkit's goal is to hide.
Antivirus products have various levels of success with detecting rootkits.
Enumerate your system's contents and boot up using a known-good operating system.
Use a packet sniffer, such as WinDump, or a network firewall.

Types of Rootkit Detection
Alternative trusted medium
Behavioral-based
Signature-based
Difference-based
Integrity checking
Memory dumps

Rootkit Removal
Rootkit detection tools -> detect rootkits. E.g.: Rootkit Revealer
Rootkit removal tools -> eliminate rootkits from the user's system. E.g.: IceSword

Rootkit Revealer

IceSword

Removal
Rebuilding the system is the BEST solution!
Clean the infection: disable the rootkit; boot with a clean CD and remove the rootkit's resources.
THANK YOU!