1 / 16

ROOTKIT -MALWARE

ROOTKIT -MALWARE. Vijay Krishnan Avinesh Dupat. ROOTKIT.

kleind
Download Presentation

ROOTKIT -MALWARE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ROOTKIT -MALWARE Vijay Krishnan Avinesh Dupat

  2. ROOTKIT • A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications • The main purpose of a Rootkit is to make unauthorized modifications to the software in your PC

  3. What is it used for? • Provide an attacker full access via backdoor techniques. • Conceal other malware. • Appropriate the compromised machine as a zombie computer for attacks on other computers. • Non Hostile Rootkits-Anti-theft protection, Enforcement of DRM, Enhance emulation software and security software

  4. Rootkit Attack •  Attacker identifies an existing vulnerability in a target system. • After gaining access to a vulnerable system, the attacker can install a rootkit manually.  • Can covertly steal user passwords, credit card information, computing resources, or to conduct other unauthorized activities without the knowledge of administrator

  5. MODUS OPERANDI • Spyware : Modifying software programs for the purpose of infecting it with spyware.  • Backdoor :Modification that is built into a software program in your computer that is not part of the original design of the program • Byte Patching :Bytes are constructed in a specific order which can be modified by a rootkit • Source code modification :modifying the code in the PC's software right at the main source

  6. Types of Rootkits • User mode : Run on a computer through administrator privileges  • Kernel mode : Installed at the same level as the PCs operating system • Bootkits : A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems • Firmware : Create malcode inside the firmware while you computer is shut down

  7. Defensive Measures • Proactive • Preventing the rootkit from being installed • Preventing compromise in the first place • Reactive • Detecting the Rootkit after it has been installed • Removal of the Rootkit

  8. Rootkit Prevention • The first step in prevention of Rootkit is to run in less privileged user mode. • Use of the sc command in Windows XP. This locks up the Windows Service database. • Use HIPS (Host based Intrusion Prevention System) tool like AntiHook • Use a tool like Sandboxie which creates a sandbox like environment within which we can run any program

  9. Rootkit Detection • Very Difficult because Rootkit’s goal is to hide • Antivirus products that have various levels of success with detecting rootkits. • Enumerate your system's contents and boot up using a known-good operating system. • Use of a packet sniffer, such as WinDump, or a network firewall 

  10. Types of Rootkit Detection • Alternative trusted medium • Behavioral-based • Signature-based • Difference-based • Integrity checking • Memory dumps

  11. RootKit Removal • Rootkit Detection tools -> Detect Rootkits Eg : Rootkit Revealer • Rootkit Removal tools -> Eliminates Rootkits from the user’s system Eg : IceSword

  12. Rootkit Revealer

  13. IceSword

  14. Removal • Rebuilding the System is the BEST solution! • Clean the infection • Disable rootkit • Boot with clean CD and remove rootkit’s resources

  15. References • http://www.spamlaws.com/how-rootkits-work.html • www.en.wikipedia.org • http://swatrant.blogspot.com/2006/02/rootkit-detection-removal-and.html • http://www.dba-oracle.com/forensics/t_forensics_network_attack.htm • http://technet.microsoft.com/en-us/library/cc512642.aspx • http://www.windowsitpro.com/article/antivirus/defending-against-rootkits.aspx

  16. THANK YOU!

More Related