1 / 12

Rootkits

Rootkits. Jonathan Hobbs. What is a rootkit?. A tool set installed to grant a user root access First modern rootkits emerged in the mid 1990s Before rootkits there were log cleaners. Goal of a Rootkit. Maintain access Execute malware Remain hidden. Types of Rootkits. Binary rootkits

dalisha
Download Presentation

Rootkits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Rootkits Jonathan Hobbs

  2. What is a rootkit? • A tool set installed to grant a user root access • First modern rootkits emerged in the mid 1990s • Before rootkits there were log cleaners

  3. Goal of a Rootkit • Maintain access • Execute malware • Remain hidden

  4. Types of Rootkits • Binary rootkits • Remote & local access • Hide processes, connections, files, and user activity • Kernel- and User-level rootkits • Loadable Kernel Module • Firmware rootkits

  5. Installation • Rootkit installation can be achieved in two ways • Trojan Horse • Root or administrator level access • Local or remote • UNIX rootkit installation process (LKM backdoor example) • Disable shell history • Setup directory structure for rootkit • Freeze system logs • Deploy backdoor

  6. Architecture • Scanner • Scans for vulnerable systems • Installer • Payload

  7. Payloads • Back doors • Packet sniffers • Log and file wipers • Denial of service

  8. Detection Evasion & System Manipulation • Techniques include • Masquerading • Hooking • Direct Kernel Object Manipulation (DKOM)

  9. Hooking and Masquerading • Rootkit payload pretending to be normal programs’ • Windows: using the System Service Dispatch Table (SSDT) https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1588822

  10. DKOM • Windows EPROCESS • Connected by double-linked lists • Rootkit processes hidden by unlinking themselves from the list https://www.symantec.com/avcenter/reference/when.malware.meets.rootkits.pdf

  11. Summary • Rootkits have effectively compromised systems by manipulating the core operating system processes • Different types of rootkits exist which compromise the system at different levels • Rootkits require administrator access to a system for installation and execution

  12. Questions?

More Related