
Rootkits


Presentation Transcript


  1. Rootkits
     Jonathan Barella, Chad Petersen

  2. Overview
     • What are rootkits
     • How do rootkits work
     • How to detect rootkits
     • How to remove rootkits

  3. What is a Rootkit, and how does it work?
     Jonathan Barella

  4. What are rootkits?
     • A rootkit is a small, sophisticated piece of support software that enables malicious software to run on the compromised computer
     • Commonly associated with spies because of the goals they share
     • Used in almost every modern piece of malware in the wild today

  5. What are rootkits?
     • Broadly defined by Symantec as “any software that acquires and maintains privileged access to the Operating System (OS) while hiding its presence by subverting normal OS behavior”
     • Designed with three main objectives
       • Run
       • Hide
       • Act

  6. How do rootkits work? Subverting Normal OS Behavior
     • Vulnerabilities
       • Operating System
       • Applications
     • Exploits
       • Java
       • HTML/Scripting
     • Social Engineering
       • Spam
       • Downloading
       • Installation

  7. How do rootkits work? Hooking Operating System APIs

  8. How do rootkits work? Hiding in Unused Space on the Compromised System

  9. How do rootkits work? Infect the Master Boot Record (MBR)

  10. How do rootkits work?

  11. How do rootkits work? The ultimate goal is to be hidden from the system's view.

  12. Finding And Removing Rootkits
      Chad Petersen

  13. Detection Methods
      • Behavioral
      • Integrity
      • Signature
      • Difference

  14. Behavioral Detection
      • Pros
        • Can detect unknown rootkits
      • Cons
        • Requires a “normal” history
        • Not easy to use
        • False positives

  15. Integrity Detection
      • Pros
        • Know what files change
        • Know when files change
        • Know what changes files
      • Cons
        • Requires many updates
        • A rootkit can seed itself in an update
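The slide lists what integrity detection can tell you (which files changed, when, and that something changed them). As an added example that is not part of the presentation, the Python below implements the basic mechanism: hash every regular file under a directory into a baseline, then compare a later scan against it. The sample directory, its three files and the "tampering" are all constructed inside `demo()`; the file names `ls`, `ps`, `notes.txt` and `.hidden.so` are placeholders, not real system paths.

```python
"""Integrity-based detection, added example (not the slides' own tool):
hash every file under a directory into a baseline, then compare a later
scan against it and report added, removed and modified files."""
import hashlib
import json
import os
import tempfile


def hash_file(path, block=65536):
    """SHA-256 of one file, read in blocks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, size, mtime_ns} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return snap


def save_baseline(snap, path):
    """In practice keep the baseline off the monitored host: a rootkit that can
    rewrite system files can rewrite a baseline stored beside them just as easily."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report what changed. A file whose hash differs while size and mtime are
    unchanged was rewritten by something that also put the timestamp back,
    which is exactly the case a plain directory listing would miss."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if old["sha256"] != new["sha256"]:
            modified.append({
                "path": rel,
                "timestamp_preserved": old["mtime_ns"] == new["mtime_ns"]
                and old["size"] == new["size"],
            })
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline three files, then simulate a tampered
    binary with its timestamp restored, a dropped file and a deleted file."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    paths = {n: os.path.join(root, n) for n in ("ls", "ps", "notes.txt")}
    for name, p in paths.items():
        with open(p, "w") as f:
            f.write("original " + name + "\n")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "baseline.json")
    save_baseline(snapshot(root), baseline_file)

    st = os.stat(paths["ls"])
    with open(paths["ls"], "w") as f:
        f.write("tampered ls\n")          # same length as "original ls\n"
    os.utime(paths["ls"], ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old mtime back
    with open(os.path.join(root, ".hidden.so"), "w") as f:
        f.write("dropped file (constructed)\n")
    os.remove(paths["notes.txt"])

    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The `timestamp_preserved` flag is the useful bit: a changed hash with an unchanged size and modification time is not a routine update. The slide's second con applies directly to this design: the baseline is only as trustworthy as the state it was taken from, so take it from a known-clean install and refresh it only after updates you have verified.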

  16. Signature Based Detection
      • Pros
        • Reliably finds known kits
        • Easy to use
        • Few false positives
      • Cons
        • Large number of updates
        • Does not detect new kits

  17. Diff Based Detection
      • Pros
        • Good at finding anomalies in any system
      • Cons
        • Does not work well if the scan is run on the infected system
        • Must have the knowledge to decipher flagged programs
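Diff-based detection works by obtaining the same information through two different paths and flagging whatever only one path reports. As an added example that is not the presentation's own tool, the Python below applies that idea to processes on Linux (an assumption; the live part reads `/proc` and is skipped elsewhere): the normal view is a directory listing of `/proc`, the lower-level view asks the kernel about every PID with signal 0. The comparison and the thread filter are pure functions so they can be exercised on constructed data.

```python
"""Difference-based (cross-view) detection, added example, not the slides' own tool:
enumerate processes two ways and flag PIDs that one view reports and the other lacks.
The live part assumes Linux and /proc; the comparison itself is pure."""
import os


def cross_view_diff(high_level, low_level):
    """high_level: what the normal API (here, a /proc listing) reports.
    low_level: what a more direct probe of the kernel reports.
    Items the probe sees but the listing omits are hidden-process candidates; items
    only the listing has are usually a race (the process exited between the two views)."""
    high, low = set(high_level), set(low_level)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def tgid_from_status(status_text):
    """Parse the Tgid: line of a /proc/<pid>/status file; None if it is absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def drop_threads(candidates, read_status=None):
    """Threads answer kill(tid, 0) but are not listed by readdir on /proc, so every
    multi-threaded process would otherwise look like a hidden process. Keep a
    candidate only if its status is unreadable altogether (the classic hiding
    symptom) or it is its own thread-group leader."""
    if read_status is None:
        def read_status(pid):
            try:
                with open("/proc/%d/status" % pid) as f:
                    return f.read()
            except OSError:
                return None
    kept = []
    for pid in candidates:
        text = read_status(pid)
        if text is None or tgid_from_status(text) == pid:
            kept.append(pid)
    return kept


def procfs_pids():
    """The high-level view: numeric directory names under /proc."""
    return [int(n) for n in os.listdir("/proc") if n.isdigit()]


def probe_pids(max_pid):
    """The low-level view: ask the kernel about every PID with signal 0.
    ESRCH means no such process, EPERM means it exists but is not ours,
    success means it exists and is ours."""
    alive = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.append(pid)
    return alive


def live_check(max_pid=None):
    """Run both views on this host (Linux only; returns None elsewhere)."""
    if not os.path.isdir("/proc"):
        return None
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listed = procfs_pids()
    probed = probe_pids(max_pid)
    report = cross_view_diff(listed, probed)
    report["hidden"] = drop_threads(report["hidden"])
    return report


if __name__ == "__main__":
    print(live_check())
```

Anything left in `hidden` after the thread filter deserves a second run a few seconds later: a PID that persists across runs and never appears in the listing is the anomaly the slide refers to, while a PID that shows up once is normally a process that started between the two enumerations. The slide's first con also applies here: both views are produced by the running kernel, so a rootkit that controls the kernel can make them agree, which is why offline comparison from clean boot media is stronger.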

  18. Be Vigilant
      • Lastly, the user can sometimes tell when something is amiss
        • Network traffic spike
        • Large decrease in performance
      • Rootkits can infect user files, kernel files, the boot loader, a hypervisor, and hardware firmware

  19. Steps Once Identified
      • Quarantine
        • Encryption
        • Permissions
      • Decide
        • Repair or delete

  20. Q&A
