Introduction to InfoSec – Recitation 07 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)


Today

- Rootkits
  - Rootkits 101
  - Motivations & basic methods
- Forensics
  - Forensics 101
  - Threat types
  - Gathering information
  - Research methods
  - Planning for a future incident

What is a rootkit?

- The name ‘rootkit’ originally came from UNIX/Linux utilities that were used by hackers after gaining root on a target machine
- The goal of the rootkit is to allow a hacker to roam freely about the system, while still maintaining root
- The rootkit hides the hacker and allows him to evade detection by the system admin

What can/should a rootkit do?

- Hide the hacker’s files (a hacker would often have a “working directory” and/or files hidden at various locations)
- Hide the hacker-owned processes:
  - E.g. any process whose name starts with “w00t” will not be visible
- Hide open ports, hide sniffing
- Let the hacker back in without using an exploit
  - Using the exploit to re-enter can make too much noise
  - No need to clean up after re-entry

Application based rootkits

- The first rootkits seen in the 90s were replacements for the set of system utilities in /bin/
- For example, hackers used a modified version of /bin/ls
- In open-source systems such as Linux this is very easy
  - Download original code, modify, compile, install on target
- In closed-source systems such as Windows / proprietary UNIX
  - Binary patch the relevant files

Application Layer Dilemmas

- If you patch one program, you never know if you covered all your bases, e.g.:
  - Patch ‘ps’ but forget to patch ‘top’
  - Patch ‘ls’ but forget to patch ‘mc’ (midnight commander)
- What happens when the software gets upgraded?

Better solutions

- Patch system libraries to control the API
- Patch system calls
- Patch kernel structures

Rootkit Detection

- Whitelist based
  - Integrity checking of binaries (compare the MD5 of files to a list of ‘known good’ signatures)
  - e.g. Tripwire
- Blacklist based
  - Find signatures in files and memory known to be ‘evil’
  - This is the technique most anti-viruses use
- Difference based
  - Find differences between views that should be identical: API vs. kernel memory, memory vs. on disk
  - Most effective
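An added example of the difference-based approach (not from the recitation slides): a process-hiding rootkit filters the /proc listing that ps and top read, but the kernel still answers a signal-0 probe for the hidden PID. The script below, written for Linux, builds both views and reports PIDs that are alive yet absent from /proc; the function and variable names are my own.

```python
import os

PROC = "/proc"

def listed_pids():
    """View 1: every PID (and thread ID) the kernel exposes via the /proc listing.
    This is what ps/top read, and what a rootkit typically filters."""
    seen = set()
    for name in os.listdir(PROC):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:  # include thread IDs so threads are not mistaken for hidden PIDs
            seen.update(int(t) for t in os.listdir(f"{PROC}/{name}/task"))
        except OSError:
            pass  # the process exited between the two listdir calls
    return seen

def probe_alive(pid):
    """View 2: ask the kernel directly with signal 0. EPERM still means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def probed_pids(max_pid):
    return {pid for pid in range(1, max_pid + 1) if probe_alive(pid)}

def hidden_from_views(listed, probed):
    """Pure cross-view diff: alive for the kernel but absent from /proc."""
    return sorted(probed - listed)

def find_hidden_pids():
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    candidates = hidden_from_views(listed_pids(), probed_pids(max_pid))
    # Re-check once to drop short-lived processes that appeared between the views
    fresh = listed_pids()
    return [p for p in candidates if probe_alive(p) and p not in fresh]

if __name__ == "__main__":
    print("PIDs alive but missing from /proc:", find_hidden_pids())
```

A rootkit that also hooks kill() defeats this particular pair of views, which is why the slide recommends comparing several views (API vs. kernel memory, memory vs. disk) rather than one.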

Sony DRM: Famous Rootkit Case

ve/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx?Redirected=true

Forensics 101

- We have a suspected machine / network installation
- You know little to nothing about the specific threat, and even less about how it got there
- You want to know everything!
  - How they got there
  - Find and fix any damage they’ve done
  - Find out if they took any sensitive information
  - Who they are, what do they want?
  - Finally – figure out how to prevent the next incident

Threat Types

- Non-targeted attack – script-kiddies, botnets, drive-by downloads, toolbars, scam sites, etc.
- Targeted attack, a.k.a. APT (Advanced Persistent Threat)
  - They know who you are
  - They’ll invest lots of resources to get what they want
  - Very hard to defend against
  - But if you do your work well – you’ll know what they did

Basic Data Sources

- Running process list, loaded kernel module list
- Complete memory image – RAM + swap
- Anything that’s changed in the suspected time frame (time since last major system change is a good start)
- Checking file signatures against a whitelist
- Contents of config files – users, lowered hardening, anything an attacker might want to change
- LOG FILES
- File / directory creation, modification and access times
- Network analysis – which machines download/upload more than they should? Which machines are talking to machines that they shouldn’t?
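An added example (not from the recitation) combining two of the data sources above with the whitelist-based detection from the rootkit section: a ‘known good’ manifest of file hashes is compared against the current state, and file modification times are filtered to the suspected time frame. The sample tree, the incident it simulates and all function names are constructed for this illustration.

```python
import hashlib
import os
import tempfile
import time

def snapshot(root):
    """Manifest of every regular file under root: relpath -> (sha256, mtime)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:  # read whole; chunk this for large trees
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (digest, os.stat(path).st_mtime)
    return manifest

def triage(baseline, current, window_start, window_end):
    """Whitelist check against the 'known good' baseline, plus a time-frame filter."""
    report = {"added": [], "modified": [], "removed": [], "touched_in_window": []}
    for rel, (digest, mtime) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][0] != digest:
            report["modified"].append(rel)
        if window_start <= mtime <= window_end:
            report["touched_in_window"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {kind: sorted(files) for kind, files in report.items()}

def demo():
    """Constructed sample: a small 'good' image, then a simulated intrusion."""
    root = tempfile.mkdtemp()
    def put(rel, data, mtime=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)
        if mtime is not None:
            os.utime(path, (mtime, mtime))  # backdate: looks like an old install
    old = 1_000_000_000.0  # year 2001, long before the suspected window
    put("bin/ls", "original ls binary", old)
    put("etc/hardening.conf", "strict=yes", old)
    baseline = snapshot(root)  # the 'known good' image kept before the incident
    # Simulated incident: trojaned /bin/ls, hidden working dir, hardening removed
    window_start = time.time() - 60
    put("bin/ls", "trojaned ls that hides w00t* processes")
    put("tmp/.w00t/backdoor", "constructed placeholder content")
    os.remove(os.path.join(root, "etc/hardening.conf"))
    return triage(baseline, snapshot(root), window_start, time.time())
```

Run demo() to see the report; in practice the baseline manifest must be stored off the suspected machine, since an attacker with root can rewrite one kept locally.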

Gathering Information

- You could work in the client’s production environment
- But then you could make mistakes that will destroy valuable ‘bread crumbs’ and/or reveal information to the adversary
- You want a perfect memory snapshot, and a perfect disk image to take to the lab

Getting a snapshot of the system

- Getting the contents of the memory by asking the computer to hibernate / reading memory via FireWire
- Getting the contents of the disks by pulling the power immediately, and taking the disks to the lab
  - Extra: use advanced disk-recovery techniques to access deleted / overwritten data

Disks or Memory – choose one!

- If the attacker was smart – her tools will hide better in some scenarios
  - She’s put a hook on the hibernate function, to make the memory snapshot “clean”, and maybe even clean her rootkit from the disk
  - She might scrub her files off the disk after loading, only writing them back on a regular shutdown, or not at all…
- You may have a better tool (liquid nitrogen + magic) – but you’ll still have to choose one over the other

Malware Analysis

- First – a quick check against any known signatures
- Then, lots of looking for potential malware
- Once good candidates surface, lots of reverse engineering
- The goal is to spend a little time initially to classify every finding as “interesting”, “maybe”, or “junk”
- Finally, start diving into the “interesting” and “maybe” bins
- You may find hints that will make you go back into the field and collect more information

Expanding the Search

- You’ve identified a threat
- Next step is to build a detector, and spread it as far as you can
- Gather more information from new infections you found
- Continue to learn more about the attacker…
- Repeat

Planning for Forensics Instead of reacting – we can plan the system / network to facilitate forensics, and make it much harder for the attacker So, what should we do?

How to prepare

- Logging should be local AND network based, in multiple locations, and logging servers should be extremely secure
- Logging should be as deep as possible (forever is a good depth)
- Log anything important, especially anything touching the core secrets of the company
- Keep ‘good’ system images for important machines (and again – depth is your friend)
- Keep an accurate and central log for any maintenance event, to help quickly filter these events later on

Monitoring

- Find a SOC (Security Operations Center) solution that suits you, and USE it!
- Build rules to filter out the noise
- Build rules to highlight important events
- Central logging will permit high-order anomaly detection, data clustering and machine-learning based filtering to help you analyze all that data
- If possible – make this system report to the system administrators in real time!
- The key is to actively look for the threats, not just install-and-forget…

Questions?