140 likes | 173 Views
LKM Rootkits. Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar. Agenda. What are rootkits? Brief history What are LKM rootkits? Malware classification and rootkit’s standing Rootkit objectives LKM rootkit features Case study – Phalanx Detection mechanisms Conclusion.
E N D
LKM Rootkits Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar
Agenda What are rootkits? Brief history What are LKM rootkits? Malware classification and rootkit’s standing Rootkit objectives LKM rootkit features Case study – Phalanx Detection mechanisms Conclusion
What are rootkits? tools to conceal information hides files and processes prevents detection backdoor creation remote injection/execution of scripts stealing of confidential information
Brief history Ken Thompson’s rootkit Brain virus SunOS rootkit, 1990 SonyBMG rootkit Greek wiretapping CarrierIQ rootkit on smartphone and handheld devices
What are LKM rootkits? Insertion of malicious code into kernel on the fly Enables overriding kernel system calls Enables manipulation of /dev/kmem device file, allowing intruder to virtually control the kernel on runtime, monitoring every read/write memory operations Allows for CPU register hooking Facilitates Kernel object hooking Allows direct kernel object manipulation
Malware classification and rootkit’s standing As per the proposed malware classification by Joanna Rutkowska in Black Hat 2006, malwares can be classified as below – Type 0 malware Type 1 malware Type 2 malware Type 3 malware
Rootkit objectives Based on the analysis of Nick Petroni and J. Hicks from University of Maryland, College Park, the objectives of each rootkit fall in one or more of the following categories HID PE REE REC NEU
LKM rootkit features File hiding Process hiding Backdoor creation Defense neutralization Survival beyond system reboot Keystroke logging Network layer obfuscation
Case study - Phalanx Phalanx’s special features include the following – SSH credential stealing Manipulating memory operations by hijacking /dev/kmem Sophisticated socket, process and file hiding mechanisms TTY sniffer, keystroke logging Doesn’t show up in process listing via ps or ls /proc
Detection mechanisms Use of signature based rootkit detection software like rkhunter, chkrootkit etc. Regularly examining systems where SSH keys are used as part of password less authentication mechanism Encouraging users to use keys with passphrases Applying regular security patches to the system LKM filtering HIDS LIDS State based control-flow integrity test (SBCFI) Detection based on distribution of system calls (Anderson-Darling)
Conclusion In this presentation, we have provided a general overview of rootkit, LKM rootkits in particular, their objectives, specific features, infection mechanisms/attack methodologies and various detection mechanisms for both user-space and kernel-space rootkits.
References Below is the list of references – http://smartech.gatech.edu/jspui/handle/1853/34844 http://www.cs.umd.edu/~mwh/papers/CS-TR-4880.pdf http://bitblaze.cs.berkeley.edu/papers/hookfinder_ndss08.pdf http://dl.acm.org/citation.cfm?id=1368515 http://research.microsoft.com/pubs/153181/hookmapraid08.pdf http://www.mobile-download.net/Soft/Soft_2334.htm http://en.wikipedia.org/wiki/Rootkit http://packetstormsecurity.org/search/?q=phalanx