October 17th, 2012 Rootkits Mathieu Castets
Summary • What is a rootkit? • History • Uses • Types • Detection • Removal • References
What is a rootkit? • Software that hides itself and allows an intruder to maintain privileged access to a machine • The attacker normally needs root (administrator) level access first in order to install it • Once installed it lets the intruder remotely run commands or extract information • « root »: the traditional name of the privileged account on UNIX • « kit »: the software components that implement the tool
History • 1986: the first PC virus, « Brain », already used cloaking techniques to hide itself • UNIX: 1990, the first documented rootkit, written by Lane Davis and Steven Dake • Windows NT: 1999, NTRootkit • Mac OS X: 2009
History: the Sony BMG scandal • 2005: Sony BMG shipped audio CDs with copy protection and DRM software • Playing the CD on a PC silently installed a rootkit • To cloak itself, the rootkit hid from the user any file whose name starts with $sys$ (so any other program could hide too, simply by using that prefix) • Software engineer Mark Russinovich discovered it on one of his own computers • 2006: Sony BMG released patches to uninstall the rootkit
Uses • Provide an attacker with full access • Hide other malware • Turn the compromised machine into a zombie (bot) • Enforce digital rights management (DRM) • Hide cheating in online games • Hide components of emulation software and security software from other programs • Bypass Windows Product Activation
Types • Two groups: • Kernel mode: patches the operating system itself (system calls, drivers, kernel data structures), so the tools used to look for it run on top of code the rootkit controls; detection is difficult and this is the most dangerous kind • Application (user) level: replaces original executable files or modifies the behavior of applications, e.g. a trojanised ls or ps that omits the intruder's files and processes
Detection • Alternative trusted medium: shut the computer down and examine its storage after booting from trusted media, so the rootkit's own code never runs and cannot lie to the scanner • Behavioral: look for anomalies in system behavior such as unexpected API or system call patterns and CPU utilisation • Other methods: • Signature-based: scan for known rootkit code, files or strings • Difference-based: obtain the same information through a high-level API and through a low-level source and compare; whatever the API omits is being hidden • Integrity checking: compare cryptographic hashes of system files against a baseline taken when the system was known to be clean • Memory dump analysis: inspect a dump of physical memory offline, where in-memory hooks cannot hide themselves
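The two detection methods that are easiest to show in code are difference-based (cross-view) detection and integrity checking, and the Sony BMG slide above is exactly the scenario the first one catches: a hooked file-listing API omits every name starting with $sys$, while a raw enumeration still sees them. The example below is added here and is not code from the presentation; the file names, the two listings and the hashes are constructed for illustration, and the "api_view"/"raw_view" lists stand in for what a real tool would obtain from a high-level API and from a lower-level source (raw disk or /proc).

```python
"""Added example: difference-based (cross-view) detection and integrity
checking, the two techniques from the Detection slide.  Illustrative code,
not from the original presentation; all listings and files are constructed."""
import hashlib
import tempfile
from pathlib import Path


def cross_view_diff(api_view, raw_view):
    """Difference-based detection: compare what a high-level (hookable)
    API reports with what a lower-level enumeration reports.  Anything in
    the raw view but missing from the API view is being hidden from the
    user, the way the Sony BMG rootkit hid every '$sys$*' file."""
    return sorted(set(raw_view) - set(api_view))


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Integrity checking, step 1: record a hash of every file while the
    system is known to be clean (ideally taken while booted from trusted
    media, so a kernel rootkit cannot feed the scanner clean copies)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root, baseline):
    """Integrity checking, step 2: rehash and report changes.  A replaced
    executable (application-level rootkit) shows up as 'modified'; a
    dropped driver or loader shows up as 'added'."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Run both checks on constructed input and return the findings."""
    # Constructed listings: the hooked API omits the rootkit's own files.
    api_view = ["explorer.exe", "notepad.exe", "readme.txt"]
    raw_view = ["explorer.exe", "notepad.exe", "readme.txt",
                "$sys$filesystem", "$sys$DRMServer.exe"]
    hidden = cross_view_diff(api_view, raw_view)

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)   # taken while the tree is clean

        # Simulate an application-level rootkit: trojanised ls plus a
        # dropped loader component (constructed contents, not real malware).
        (root / "bin" / "ls").write_bytes(b"trojanised ls that hides /tmp/.x")
        (root / "bin" / "loader").write_bytes(b"dropped component")
        report = verify_baseline(root, baseline)
    return hidden, report


if __name__ == "__main__":
    hidden, report = demo()
    print("hidden from API view:", hidden)
    print("integrity report:", report)
```

Both checks only work if the "raw" side really is independent of the rootkit: a kernel-mode rootkit that hooks the file system driver can feed the same lie to both views and to the hashing tool, which is why the slide recommends taking the baseline and running the comparison from an alternative trusted medium.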
Removal • Manual removal of a rootkit is often too difficult for a typical computer user • Since 2005, Microsoft's monthly Malicious Software Removal Tool has been able to detect and remove some classes of rootkits • However, once a system has been rooted nothing it reports can be trusted, so the only reliable way to remove all rootkits is to re-install the operating system from trusted media
References • About.com: http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm • Rootkitonline.com: http://www.rootkitonline.com/types-of-rootkits.html • Informit.com: http://www.informit.com/articles/article.aspx?p=23463