Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major.


1 Root Kits and Windows Hardening – Team BAM!: Scott Amack, Everett Bloch, Maxine Major

2 Overview
– What is a rootkit?
– Types of rootkits
– Rootkit history
– Rootkit tools & removal
– Rootkit demonstration
– Windows hardening
– Microsoft Security Essentials (MSE)

3 What is a “rootkit”? “… originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.” (Wikipedia)

4 What is a “rootkit”? Current definition: a rootkit is designed to hide the existence of certain processes or programs from normal methods of detection. (Wikipedia)

5 History of Rootkits – Brain Virus (1968)
– First documented computer virus
– Used cloaking techniques to hide itself
– Intercepted attempts to read the boot sector and redirected them to the place on disk where copies of the original boot sector were kept

6 History of Rootkits – C compiler exploit (1983)
– Discovered by Ken Thompson of Bell Labs (one of the creators of Unix)
– Subverted the C compiler by recompiling it with two Trojan Horses

7 History of Rootkits – C compiler exploit (1983)
– First, the compiler detected attempts to compile the “login” command
  – Login would accept the user's correct password and also one that the attacker specified
  – This allowed the attacker to log into any account on the system

8 History of Rootkits – C compiler exploit (1983)
– Second, the compiler detected attempts to recompile itself
  – Inserted the same exploits into the new compiler
  – Inspection of the source would not reveal any malicious code
– These exploits are equivalent to a rootkit

9 History of Rootkits – Earliest known rootkit (1990)
– Written by Lane Davis and Steven Dake
– Targeted the SunOS UNIX operating system

10 History of Rootkits – NTRootkit (1999)
– First malicious rootkit for Windows NT
– Created by Greg Hoglund
– Implemented as a Trojan
– Used OS hooks to conceal its presence
(McAfee)

11 History of Rootkits – HackerDefender (2003)
– First rootkit targeting Mac OS X
– Used OS hooks to conceal its presence
(McAfee)

12 History of Rootkits – Greek wiretapping (2004-2005), AKA “Greek Watergate”
– Targeted mobile phones of important Greek government members and civil servants
  – Rootkit targeted the telephone exchange
  – Patched the memory of the exchange, the audit log, active processes, and active data blocks

13 History of Rootkits – Greek wiretapping (2004-2005), AKA “Greek Watergate”
– Modified the data block checksum verification command
– Backdoor allowed an operator with sysadmin status to access surveillance information and allowed rootkit updates
– Rootkit discovered after an update prevented SMS messages from being delivered
– Identity of the perpetrators is still unknown

14 History of Rootkits – Sony BMG (2005)
– Published CDs with copy protection software, Extended Copy Protection, created by First 4 Internet
– Software included a music player that silently installed a rootkit to hide files whose names started with $sys$
– Discovery of this rootkit led to malware taking advantage of affected systems

15 History of Rootkits – RootkitRevealer (2006)
– Created by Mark Russinovich
– Windows rootkit discovery software
– Identifies Windows Registry and file system API discrepancies, which may indicate the presence of a rootkit

16 History of Rootkits – Stuxnet (2010)
– First to target programmable logic controllers (PLCs)
(Wikipedia)

17 History of Rootkits – Ubisoft DRM (2012)
– Ubisoft's game DRM used the internet connection to ensure any game played was legal
– Created a backdoor allowing continued privileged access to the user's machine
– Ubisoft: “…not a rootkit.” Just a “coding error”
– Hanlon's Razor: “Never attribute to malice that which is adequately explained by stupidity.”
(Geek, lazygamer)

18 Types of Rootkits
– Persistent rootkits
– Memory-based rootkits
– User-mode rootkits
– Kernel-mode rootkits
(Windows Sysinternals)

19 Types of Rootkits – Persistent Rootkits
– Malware activates each time the system boots
– Stores code in a persistent store, such as the Registry or file system
– Configures a method by which the code executes without user intervention

20 Types of Rootkits – Memory-Based Rootkits
– Has no persistent code
– Does not survive a reboot

21 Types of Rootkits – User-mode Rootkits
– Attempts to evade detection:
  – The Windows native API is the interface between user-mode clients and kernel-mode services
  – Sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API
  – This prevents detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration

22 Types of Rootkits – Kernel-mode Rootkits
– Can intercept the native API and directly manipulate kernel-mode data structures
  – Hides the presence of malware processes by removing the process from the kernel's list of active processes
  – The malware process will not display in process management tools like Task Manager or Process Explorer
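Slide 21 describes the cross-view idea behind scanners like RootkitRevealer: take the same listing through two different paths and treat anything present in only one as a discrepancy. The PowerShell below is an added example, not code from the presentation or from Sysinternals; it assumes PowerShell 3 or later and relies on Get-Process enumerating inside the current process while Win32_Process is answered by the WMI provider host, a separate process that an in-process user-mode hook does not reach.

```powershell
# Cross-view process check (added example, not from the presentation).
# View A: in-process enumeration via Get-Process (.NET Process.GetProcesses).
# View B: WMI Win32_Process, served by the WMI provider host, a separate process.
# A user-mode hook injected into this PowerShell process alters view A only,
# so a PID that stays in one view but never appears in the other is suspicious.
function Get-ProcessViewDiscrepancy {
    param([int]$Rounds = 3, [int]$DelayMs = 500)
    $suspects = $null
    for ($i = 0; $i -lt $Rounds; $i++) {
        $viewA = @(Get-Process | ForEach-Object { [int]$_.Id })
        $viewB = @(Get-CimInstance -ClassName Win32_Process |
                   ForEach-Object { [int]$_.ProcessId })
        $round = @()
        foreach ($id in $viewA) {
            if ($viewB -notcontains $id) { $round += "$id|missing-from-WMI" }
        }
        foreach ($id in $viewB) {
            if ($viewA -notcontains $id) { $round += "$id|missing-from-Get-Process" }
        }
        # Keep only entries flagged in every round: a process that started or
        # exited between the two snapshots is seen once and then drops out,
        # which avoids the classic false positive of single-pass comparisons.
        if ($null -eq $suspects) { $suspects = $round }
        else { $suspects = @($suspects | Where-Object { $round -contains $_ }) }
        Start-Sleep -Milliseconds $DelayMs
    }
    foreach ($s in $suspects) {
        $parts = $s -split '\|'
        [pscustomobject]@{ Pid = [int]$parts[0]; Discrepancy = $parts[1] }
    }
}

# An empty result means both views agree. A kernel-mode rootkit that unlinks
# the process from the kernel's own list (slide 22) hides it from both views,
# so this check only covers the user-mode hooking case from slide 21.
Get-ProcessViewDiscrepancy | Format-Table -AutoSize
```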

23 Rootkit Removal
– OS reinstall
  – May require boot sector repair
– Rootkit detection/removal tools
  – Some tools are specific to one type of rootkit
  – We will demo two of these tools today
– Manual removal
  – Complicated
  – It is advised that you do this in conjunction with rootkit detection tools (e.g. Blacklight)

24 Rootkit Tools – The tools we will be using for our demo:
– RootkitRevealer
– Blacklight
– FU Rootkit

25 Rootkit Tools – RootkitRevealer
– Displays Registry and file system API discrepancies
– Works on user-mode and kernel-mode rootkits
– Runs on Windows XP and Windows Server 2003

26 Rootkit Tools – Blacklight
– Detects hidden processes, files, and directories
– Helps remove hidden files and directories
– Runs on Windows

27 Rootkit Tools – FU Rootkit
– Kernel-mode rootkit
– Hides running processes and kernel-mode modules
– Directly modifies certain kernel data structures used by the operating system
– Does not actively try to hide itself

28 Rootkit Demonstration

29 Windows Hardening
– Download a current anti-virus solution and keep it updated
– Install all current Windows patches
– Do not use Windows with an admin-level account
– Always choose “Public network” when setting up networking

30 Windows Hardening
– Turn on Data Execution Prevention (DEP)
  – If DEP sees a program using memory incorrectly, it will shut the program down
– Disable unnecessary network protocols like IPv6 and NetBIOS if not in use
– Practice safe browsing habits: if in doubt, don't click it
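The checklist on slides 29 and 30 can be audited from PowerShell. The script below is an added example, not part of the presentation; it only reports and changes nothing, and it assumes PowerShell 3 or later on Windows 8 or newer (Get-NetConnectionProfile and Get-NetAdapterBinding are not available on the older Windows XP/2003 systems the tools slides mention). The root/SecurityCenter2 namespace exists on client editions only, so that check is tolerated when absent.

```powershell
# Hardening checklist audit (added example, not from the presentation).
function Test-WindowsHardening {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # DEP support policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
    # "Turn on DEP" on the slide means moving beyond the default OptIn.
    $dep = $os.DataExecutionPrevention_SupportPolicy

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Age of the newest installed hotfix as a rough "patches current" signal.
    $lastFix  = Get-HotFix | Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

    # Network profile: the slide says always choose Public.
    $profiles = Get-NetConnectionProfile

    # Protocols the slide says to disable when unused.
    $ipv6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
    $netbios = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
               Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 }

    # Registered anti-virus products (client editions only; tolerate absence).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
              -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DepOptOutOrAlwaysOn = ($dep -in 1, 3)
        RunningAsAdmin      = $isAdmin            # slide 29: should be $false
        DaysSinceLastPatch  = $patchAge
        NonPublicProfiles   = @($profiles | Where-Object NetworkCategory -ne 'Public' |
                                ForEach-Object Name)
        AdaptersWithIPv6    = @($ipv6 | ForEach-Object Name)
        AdaptersWithNetBIOS = @($netbios | ForEach-Object Description)
        AntivirusProducts   = @($av | ForEach-Object displayName)
    }
}

Test-WindowsHardening | Format-List
```

Each property maps to one slide item, so a passing host shows $true for DEP, $false for RunningAsAdmin, a small patch age, empty protocol and profile lists, and at least one AV product.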

31 Microsoft Security Essentials
– Built on the Microsoft Malware Prevention Engine
– Designed for small business or home users
– Does not include a firewall
  – (uses Windows Firewall)
– Does not include centralized management features

32 Microsoft Security Essentials
– Initial public beta: June 23, 2009
  – Final build of version 1.0 released Sept 29, 2009
– Version 2.0 released Dec 16, 2010
  – 2.0 included a Network Inspection System
  – Network intrusion detection for Windows Vista & 7
  – 2.0 included a new engine employing heuristics in malware detection
  – Suspicious files are executed in a virtual machine that looks for suspect activity

33 Microsoft Security Essentials
– Version 4.0 released April 24, 2012
  – Improved memory overhead
  – Improved scanning engine
– September 2012
  – MSE loses AV-Test certification with a poor protection score

34 Microsoft Security Essentials
– October 2012: Windows 8 is released
  – Does not have MSE
  – It is speculated that Microsoft switched their focus to Windows Defender for Windows 8
– For a free solution, MSE is still a very good product

35 Conclusions
– Rootkits evade detection by intercepting native system calls and disguising their activities
– Rootkit detection software can identify potential rootkits (but may not remove them)
– Windows hardening starts with the basics: updates and a security software solution!

36 Summary
– Definition of a rootkit
– Rootkit history
– Types of rootkits
– Rootkit removal
– Rootkit tools & demonstration
– Windows hardening
– Microsoft Security Essentials

37 References
– McAfee: http://web.archive.org/web/20060823090948/http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf
– Wikipedia: http://en.wikipedia.org/wiki/Rootkit
– Wikipedia: http://en.wikipedia.org/wiki/RootkitRevealer
– Windows Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
– http://www.f-secure.com/v-descs/fu.shtml
– http://www.softpedia.com/get/Antivirus/F-Secure-BlackLight-Rootkit-Detection.shtml
– Geek: http://www.geek.com/games/ubisoft-uplay-drm-found-to-include-a-rootkit-1506163/
– lazygamer: http://www.lazygamer.net/general-news/ubisoft-rootkit-just-a-bug/
