
Rootkits

Rootkits. Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz. Introduction How a rootkit works Detection Preventing and Removing Attack damage References. 1. Introduction.





Presentation Transcript


  1. Rootkits Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz

  2. Introduction • How a rootkit works • Detection • Preventing and Removing • Attack damage • References

  3. 1. Introduction A rootkit is a suite of one or more programs that allows a third party to hide files and activities from the administrator of a computer system.

  4. 1.1 Origins The original intent of rootkits (1996) appears to have centered simply on hiding programs that would allow an attacker to “sniff” or spy on traffic going to and from a computer system.

  5. 1.2 Functionality • Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. • Conceal other malware, notably password-stealing key loggers and computer viruses. • Appropriate the compromised machine as a zombie computer for attacks on other computers. • Enforcement of digital rights management (DRM). • Conceal cheating in online games. • Detect attacks, for example, in a honeypot. • Enhance emulation software and security software. • Anti-theft protection. • Bypassing Microsoft Product Activation

  6. 1.3 Types of rootkits • User mode • Kernel mode • Bootkits • Hypervisor level • Hardware/Firmware

  7. 1.3.1 User mode • run in Ring 3 • many installation vectors • made to execute inside any target process, or to overwrite the memory of a target application

  8. 1.3.2 Kernel mode • run in Ring 0 • adding code or replacing portions of the core operating system, including both the kernel and associated device drivers • unrestricted security access

  9. 1.3.3 Bootkits • allows the malicious program to be executed before the operating system boots • cannot be detected by standard means of an operating system because all its components reside outside of the standard file system

  10. 1.3.4 Hypervisor level • uses hardware virtualization • traps a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it • does not have to load before the OS

  11. 1.3.5 Hardware/Firmware • hidden in BIOS, network card etc. • the only way to remove it is to replace the infected hardware • could be hidden outside the computer, for example in a network printer

  12. 2. How a rootkit works • Installation • Physical access to the target system • Privilege Escalation • Cloaking • Obscure its presence from security tools • Modify the behavior of OS core parts • Load code into other processes

  13. 2. Study Case: Stoned Bootkit • Stoned is the name of a boot sector computer virus created in 1987, apparently in New Zealand. It was one of the very first viruses. • A memory resident bootkit up to the Windows kernel • Boot applications executed on startup • Drivers executed beside the Windows kernel

  14. 2. Study Case: Stoned Bootkit • Your PC is now Stoned! (1987) • Your PC is now Stoned! ..again (2010)

  15. 2. Study Case: Stoned Bootkit Windows Boot Process • Windows boot system assumes an already secure environment when starting

  16. 2. Study Case: Stoned Bootkit Hooking and Patching • Interrupt 13h hooked • Ntldr hooked for calling 32-bit code and patching the code integrity verification • Patching the NT kernel • Executing payloads (driver)

  17. 2. Study Case: Stoned Bootkit Installation • Live CD • Infected PDF

  18. 2. Study Case: Stoned Bootkit Demonstration

  19. 3. Detection • Signature-Based • File Integrity Monitoring • Cross-View Analysis • Hooking Detection • Heuristics-Based Detection • Network-Based Detection

  20. 3.1 Signature-Based Detection • analyzing the rootkit to define a fingerprint • integrating the fingerprint into the database • the fingerprint can be used for rootkit detection 3.2 File Integrity Monitoring • calculates cryptographic hashes for critical, unchanging operating system files and compares them to known values that are stored in a database
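The file integrity monitoring step from 3.2, as an added example that is not part of the original slides: a baseline of SHA-256 hashes is stored in a small JSON database and later compared against the live files, reporting anything modified or missing. The file names and contents are constructed stand-ins created in a temporary directory; as slide 24 notes, a rootkit that controls the file system API can feed the scanner false bytes, so in practice the baseline and the check should be run from trusted media.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in fixed-size chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of each critical, unchanging file."""
    return {p: sha256_file(p) for p in paths}


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def check_integrity(baseline):
    """Recompute each hash and report files that changed or disappeared."""
    findings = {"modified": [], "missing": []}
    for path, known in baseline.items():
        if not os.path.exists(path):
            findings["missing"].append(path)
        elif sha256_file(path) != known:
            findings["modified"].append(path)
    return findings


def demo():
    """Constructed scenario: two stand-in 'system files', one patched, one deleted."""
    d = tempfile.mkdtemp()
    patched = os.path.join(d, "libc.so.6")  # constructed, not a real system file
    deleted = os.path.join(d, "ls")
    for p in (patched, deleted):
        with open(p, "wb") as f:
            f.write(b"original contents of " + os.path.basename(p).encode())
    db = os.path.join(d, "baseline.json")
    save_baseline(build_baseline([patched, deleted]), db)
    with open(patched, "ab") as f:          # simulate a binary being tampered with
        f.write(b"\x90\x90 injected")
    os.remove(deleted)                      # simulate a hidden/removed tool
    return check_integrity(load_baseline(db))


if __name__ == "__main__":
    print(demo())
```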

  21. 3.3 Cross-View Analysis • It involves looking at the system from the high level “user”, or API view, and comparing it to the actual low level hardware view. 3.4 Hooking Detection • When the rootkit modifies a hook to point to a malicious service or interrupt routine, the memory location almost invariably is located outside this specific range of the “clean” system, and is easily detected.

  22. 3.5 Heuristics-Based Detection • Heuristics-based detection of malware attempts to classify malicious behavior according to certain pre-determined rules. 3.6 Network-Based Detection • The system periodically sends a snapshot of its network traffic and open ports to a trusted gateway for analysis. • The gateway compares this data with its “external” view of the system’s network activity
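The core logic of 3.3, 3.4 and 3.6 in one place, as an added example that is not from the original slides: a hook check flags dispatch entries whose handler lies outside every trusted code range, and a cross-view diff reports objects that the raw view shows but the API view (or the host's own port snapshot) does not. All addresses, ranges, service names, process names and ports are constructed sample values.

```python
# Constructed "clean" code ranges: the kernel image and one legitimate driver.
TRUSTED_RANGES = [
    (0xFFFFF80000400000, 0xFFFFF80000A00000),   # kernel text (hypothetical)
    (0xFFFFF88000100000, 0xFFFFF88000180000),   # a signed driver (hypothetical)
]

# Constructed dispatch table: service name -> current handler address.
DISPATCH_TABLE = {
    "NtQueryDirectoryFile": 0xFFFFF8800123A000,   # resolves to unknown memory
    "NtCreateFile": 0xFFFFF80000512340,           # inside the kernel image
    "NtQuerySystemInformation": 0xFFFFF88000120000,  # inside the signed driver
}


def find_hooked_entries(table, trusted_ranges):
    """Return service names whose handler address is outside every trusted range."""
    return sorted(name for name, addr in table.items()
                  if not any(lo <= addr < hi for lo, hi in trusted_ranges))


def cross_view_diff(high_level_view, low_level_view):
    """Compare the API ("user") view with the raw view of the same objects.

    Anything present in the raw view but absent from the API view has been
    hidden from the API; anything only the API reports is also worth a look.
    """
    hidden = sorted(set(low_level_view) - set(high_level_view))
    phantom = sorted(set(high_level_view) - set(low_level_view))
    return {"hidden": hidden, "phantom": phantom}


# Constructed process lists: API enumeration vs walking the raw process list.
API_PROCESSES = ["explorer.exe", "svchost.exe"]
RAW_PROCESSES = ["explorer.exe", "svchost.exe", "hidden_svc.exe"]

# Constructed port snapshots: what the host reports vs what the gateway observes.
HOST_PORTS = {22, 443}
GATEWAY_PORTS = {22, 443, 8888}

if __name__ == "__main__":
    print("hooked:", find_hooked_entries(DISPATCH_TABLE, TRUSTED_RANGES))
    print("processes:", cross_view_diff(API_PROCESSES, RAW_PROCESSES))
    print("ports:", cross_view_diff(HOST_PORTS, GATEWAY_PORTS))
```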

  23. 4. Preventing and Removing • Operating system updates • Automatic updates • Personal firewalls • Host-based intrusion prevention systems • Rootkit prevention techniques

  24. 4. Preventing and Removing • A number of security-software vendors offer tools to automatically detect and remove some rootkits • Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit • There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media • In some cases the only possibility is to replace some hardware

  25. 5. Attack damage Home Users • Stealing Identity and private information • Turning Home User's computers into zombies • Loss of time, money and confidence

  26. 5. Attack damage Enterprise and Government • Loss of confidential information, theft of intellectual property • Reputation and customer trust • Additional costs of purchasing, installing, and administering security measures • Increases system complexity

  27. 6. References • Stallings & Brown - Computer Security: Principles and Practice • A comparative analysis of rootkit detection techniques by Thomas Martin Arnold • Ric Vieler - Professional Rootkits • http://en.wikipedia.org/wiki/Rootkit • http://opensecuritytraining.info/Rootkits.html • http://www.stoned-vienna.com
