180 likes | 333 Views
ROOTKIT -MALWARE. Vijay Krishnan Avinesh Dupat. ROOTKIT.
E N D
ROOTKIT -MALWARE Vijay Krishnan Avinesh Dupat
ROOTKIT • A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications • The main purpose of a Rootkit is to make unauthorized modifications to the software in your PC
What is it used for? • Provide an attacker full access via backdoor techniques. • Conceal other malware. • Appropriate the compromised machine as a zombie computer for attacks on other computers. • Non Hostile Rootkits-Anti-theft protection, Enforcement of DRM, Enhance emulation software and security software
Rootkit Attack • Attacker identifies an existing vulnerability in a target system. • After gaining access to a vulnerable system, the attacker can install a rootkit manually. • Can covertly steal user passwords, credit card information, computing resources, or to conduct other unauthorized activities without the knowledge of administrator
MODUS OPERANDI • Spyware : Modifying software programs for the purpose of infecting it with spyware. • Backdoor :Modification that is built into a software program in your computer that is not part of the original design of the program • Byte Patching :Bytes are constructed in a specific order which can be modified by a rootkit • Source code modification :modifying the code in the PC's software right at the main source
Types of Rootkits • User mode : Run on a computer through administrator privileges • Kernel mode : Installed at the same level as the PCs operating system • Bootkits : A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems • Firmware : Create malcode inside the firmware while you computer is shut down
Defensive Measures • Proactive • Preventing the rootkit from being installed • Preventing compromise in the first place • Reactive • Detecting the Rootkit after it has been installed • Removal of the Rootkit
Rootkit Prevention • The first step in prevention of Rootkit is to run in less privileged user mode. • Use of the sc command in Windows XP. This locks up the Windows Service database. • Use HIPS (Host based Intrusion Prevention System) tool like AntiHook • Use a tool like Sandboxie which creates a sandbox like environment within which we can run any program
Rootkit Detection • Very Difficult because Rootkit’s goal is to hide • Antivirus products that have various levels of success with detecting rootkits. • Enumerate your system's contents and boot up using a known-good operating system. • Use of a packet sniffer, such as WinDump, or a network firewall
Types of Rootkit Detection • Alternative trusted medium • Behavioral-based • Signature-based • Difference-based • Integrity checking • Memory dumps
RootKit Removal • Rootkit Detection tools -> Detect Rootkits Eg : Rootkit Revealer • Rootkit Removal tools -> Eliminates Rootkits from the user’s system Eg : IceSword
Removal • Rebuilding the System is the BEST solution! • Clean the infection • Disable rootkit • Boot with clean CD and remove rootkit’s resources
References • http://www.spamlaws.com/how-rootkits-work.html • www.en.wikipedia.org • http://swatrant.blogspot.com/2006/02/rootkit-detection-removal-and.html • http://www.dba-oracle.com/forensics/t_forensics_network_attack.htm • http://technet.microsoft.com/en-us/library/cc512642.aspx • http://www.windowsitpro.com/article/antivirus/defending-against-rootkits.aspx