Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rootkits What are they? What do they do? Where do they come from?

Published byLillian Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Rootkits What are they? What do they do? Where do they come from?"— Presentation transcript:

1 Rootkits What are they? What do they do? Where do they come from?

2 Introduction Bill Richards Bill Richards Adjunct Professor at Rose Since 2004Adjunct Professor at Rose Since 2004 Defense Information Systems Agency Defense Information Systems Agency Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995 Network Security Officer since 2002Network Security Officer since 2002 Responsible for the security for 9 remote networksResponsible for the security for 9 remote networks 45+ Mainframes (IBM, UNISYS and TANDEM) 45+ Mainframes (IBM, UNISYS and TANDEM) 1400+ Mid-Tier Servers (UNIX and Windows) 1400+ Mid-Tier Servers (UNIX and Windows) 400+ Network devices (Cisco, Juniper, Sidewinder, BigIP, etc) 400+ Network devices (Cisco, Juniper, Sidewinder, BigIP, etc)

3 Rootkits are a serious threat to network and system security and most administrators know little about them Defining characteristic is Stealth Viruses reproduce but rootkits hide! Difficult to detect Difficult to remove Carry a variety of payloads Key loggers Password Sniffers Remote Consoles Back doors And more!!!

4 What is a Rootkit? The term rootkit is old and pre-dates MS Windows The term rootkit is old and pre-dates MS Windows It gets it’s name from the UNIX superuser UserID - - root It gets it’s name from the UNIX superuser UserID - - root aka administrator for windoze users aka administrator for windoze users A rootkit does not typically not cause deliberate damage A rootkit does not typically not cause deliberate damage

5 What is a Rootkit? A collection files designed to hide from normal detection by hiding processes, ports, files, etc. Typically used to hide malicious software from detection while simultaneously collecting information: userid’s Password ip addresses, etc Some rootkits phone home and/or set up a backdoors

6 What is a Rootkit? A rootkit does NOT compromise a host by itself A vulnerability must be exploited to gain access to the host before a rootkit can be deployed The purpose of a rootkit is NOT to gain access to a system, but after being installed, to preserve existing access and support the goals of the bad guy

7 Recent Rootkit History Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm

8 Rootkit History 1998 to 2002 Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm

9 How rootkits work A vulnerable system is detected and targeted A vulnerable system is detected and targeted unpatched, zero-day exploit, poor configuration, etc. The targeted system is exploited host via automated or manual means Root or Administrator access is obtained Payload is installed Rootkit is activated and redirects system calls Prevents the OS from “seeing” rootkit processes and files EVEN AFTER host is patched and original malware is removed

10 How rootkits work docs rootkit windows dir c:\ ReadFile() NTFS command C:\ windows rootkit docs Rootkit DLL rootkit filters the results to hide itself docs windows DLL “tricked” into thinking it can’t execute command, calls rootkit

11 Hacker Defender (Hxdef) A rootkit for Windows NT 4.0, Windows 2000 and Windows XP Avoids antivirus detection Is able to hook into the Logon API to capture passwords The developers accept money for custom versions that avoid all detectors FU Nullifies Windows Event Viewer Hides Device Drivers Recently added “Shadow Walking” (Read Phrack63) Common Windows rootkits

12 Common UNIX rootkits SucKIT SucKIT Loaded through /dev/kmemLoaded through /dev/kmem Provides a password protected remote access connect-back shell initiated by a spoofed packetProvides a password protected remote access connect-back shell initiated by a spoofed packet This method bypasses most of firewall configurations)This method bypasses most of firewall configurations) Hides processes, files and connectionsHides processes, files and connections Adore Adore Hides files, processes, services, etc.Hides files, processes, services, etc. Can execute a process (e.g. /bin/sh) with root privileges.Can execute a process (e.g. /bin/sh) with root privileges. Controlled with a helper program avaControlled with a helper program ava Cannot be removed by the rmmod commandCannot be removed by the rmmod command kis kis A client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machineA client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine It can hide processes, files, connections, redirect execution, and execute commands.It can hide processes, files, connections, redirect execution, and execute commands. It hides itself and can remove security modules already loadedIt hides itself and can remove security modules already loaded

13 Detection & Removal Detection that doesn’t always work: Antivirus (Norton, McAfee, AVG, etc.) Anti-Spyware (AdAware, Giant, Spybot, etc.) Port Scanning Manually Looking Detection that can work: Sudden System Instability/Sluggishness Sudden Spike in Traffic MS RootkitRevealer F-Secure Black Light

14 “list running processes” Rootkit “nothing to see here” Compromised OS “Online” detection (ex: virus scans) relies on the OS’s API to report files and processes. The API has been “hooked,” however, so the rootkit remains concealed. Detection & Removal

15 “list running processes” Rootkit “something found” Compromised OS Detection compares the results of the OS’s API with the results of a clean API (Raw) provided by the tool. Discrepancies are potentially rootkits Black Light Rootkit Revealer Etc. “nothing found” Results != Possible Rootkit Detection & Removal

16 “list running processes” Rootkit “rootkit detected” Compromised OS Doing an “Offline” detection with a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected. Knoppix WindowsPE W.O.L.F. Etc. Detection & Removal

17 Only 100% sure removal: Only 100% sure removal: Format drive and a clean installFormat drive and a clean install Some tools can remove some rootkits Some tools can remove some rootkits But what was hidden may not get cleanedBut what was hidden may not get cleaned You cannot trust a system that’s been rootkit’edYou cannot trust a system that’s been rootkit’ed Passwords on the rootkit’ed system are suspect Passwords on the rootkit’ed system are suspect So change your passwords on the clean hostSo change your passwords on the clean host Detection & Removal

18 Prevention Keep hosts updated Keep hosts updated OSOS ApplicationsApplications Limit host exposure Limit host exposure Un-needed servicesUn-needed services Use Firewalls Use Firewalls Situational Awareness Situational Awareness CERT, Bugtraq, Security Web sites, etc.CERT, Bugtraq, Security Web sites, etc.

19 Some Reference Sites http://www.rootkit.com http://www.rootkit.com http://www.rootkit.com http://www.packetstormsecurity.org http://www.packetstormsecurity.org http://www.packetstormsecurity.org http://www.rootkit.nl http://www.rootkit.nl http://www.rootkit.nl Questions?

20

Download ppt "Rootkits What are they? What do they do? Where do they come from?"

Similar presentations

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.

Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.

What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
By Joshua T. I. Towers. 13.3 $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.

By Joshua T. I. Towers $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.
Windows Security Tech Talk 9/25/07. What is a virus?  A computer program designed to self replicate without permission from the end user  The program.

Windows Security Tech Talk 9/25/07. What is a virus?  A computer program designed to self replicate without permission from the end user  The program.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Windows Malware: Detection And Removal TechBytes Tim Ramsey.

Windows Malware: Detection And Removal TechBytes Tim Ramsey.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.

Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google