
Rootkits, Backdoors, and Trojans ECE 4112 – Lab 5 Summary – Spring 2006




  1. Rootkits, Backdoors, and Trojans
     ECE 4112 – Lab 5 Summary – Spring 2006
     Group 9: Greg Sheridan, Terry Harvey
     Group 10: Matthew Bowman, Laura Silaghi, Michael Sanders

  2. Agenda
     • Rootkits
       • User space vs. kernel space
       • Detection
       • Prevention
     • Backdoors
       • Different implementations
       • Detection
       • Prevention
     • Trojans
     • Port & web knocking

  3. Rootkits
     “A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.” – Wikipedia

  4. Rootkits: lrk4
     • Linux, user space: replaces system binaries with trojaned copies
       • /bin/login: added the user “rewt” and a ‘global’ backdoor password, “satori”
       • /bin/ls: reads /dev/ptyr for the list of files to hide

  5. Rootkits: lrk4
     • Detection
       • chkrootkit: matched “root”
       • strace: compare the number of system calls the binary makes; the count depends on location, so compare like with like
     • Prevention
       • Tripwire (file-integrity baseline of the system binaries)

  6. Rootkits: Knark
     • Linux, kernel space (loadable kernel module): redirects system calls
     • Adds /proc/knark/
     • Hiding files: hidef / unhidef
     • Redirecting binaries (exec redirection): ered
     • Other Knark functions?

  7. Rootkits: Knark
     • Detection
       • kern_check: detected changed addresses in the system call table (SCT)
       • rkhunter: has a really bad aim
       • chkrootkit
       • What trick could be used to detect Knark, and how could Knark avoid it?
     • Prevention
       • Tripwire
       • Disable loadable kernel module (LKM) support

  8. Rootkits: sucKIT
     • Linux: installed from user space with no kernel module, yet it patches the running kernel
     • Redirects the pointer to the SCT (the kernel then uses the rootkit's copy of the table)
     • Attacks the kernel via what user-accessible file?

  9. Rootkits: sucKIT
     • Detection
       • chkrootkit:
           Searching for Suckit rootkit… Warning: /sbin/init INFECTED
       • chkproc:
           PID 1443(/proc/1443): not in readdir output
           PID 1443: not in ps output
           You have 1 process hidden for readdir command
           You have 1 process hidden for ps command
     • Prevention
       • Any ideas?
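The chkproc output above comes from one simple trick: a rootkit that hides a PID filters it out of readdir() on /proc (which ps and `ls /proc` rely on), but a direct stat() of /proc/<pid> still succeeds. The script below is an added example, not part of the lab, that reproduces the check on Linux: probe every PID up to pid_max, compare with the listed view, and report the difference. Two caveats a practitioner needs: thread IDs also resolve under /proc/<tid> without ever appearing in a listing, so they must be filtered out (a classic chkproc false positive), and a kernel rootkit that also hooks the path lookup can hide from this test too.

```python
"""Hidden-process check in the style of chkproc (added example; not the lab's code).

Compares two views of the process list: the readdir() view of /proc and a
brute-force stat() of /proc/<pid> for every possible PID. Anything that
answers a stat but is missing from the listing is reported, like chkproc's
"not in readdir output" warning.
"""
from __future__ import annotations

import os


def readdir_pids() -> set[int]:
    """The 'normal' view of running processes: numeric entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(pid_max: int) -> set[int]:
    """Brute-force view: stat /proc/<pid> for every PID without listing /proc."""
    return {pid for pid in range(1, pid_max + 1) if os.path.isdir(f"/proc/{pid}")}


def find_hidden(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs that answer to a direct stat but were missing from the listing."""
    return probed - listed


def is_thread_group_leader(pid: int) -> bool:
    """Thread IDs resolve under /proc/<tid> but never appear in readdir, so only
    keep real processes (Tgid == pid). False if the task vanished meanwhile."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def cmdline(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


def scan_proc(pid_max: int | None = None) -> dict[int, str]:
    """Scan the live system; returns {pid: cmdline} for PIDs hidden from readdir.

    Processes that start or exit between snapshots would look 'hidden', so the
    listing is taken before and after the probe and candidates are re-checked.
    """
    if not os.path.isdir("/proc"):
        raise RuntimeError("no procfs mounted; run this on Linux")
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    before = readdir_pids()
    probed = probe_pids(pid_max)
    after = readdir_pids()
    candidates = find_hidden(before | after, probed)
    return {
        pid: cmdline(pid)
        for pid in sorted(candidates)
        if is_thread_group_leader(pid) and pid not in readdir_pids()
    }


if __name__ == "__main__":
    hidden = scan_proc()
    for pid, cmd in hidden.items():
        print(f"PID {pid}(/proc/{pid}): not in readdir output  [{cmd}]")
    print(f"You have {len(hidden)} process(es) hidden for readdir command")
```

Run it as root so every /proc/<pid>/cmdline is readable; run it from trusted media (slide 14) when you can, since a trojaned Python or libc on the suspect host can lie as easily as a trojaned ps.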

  10. Rootkits: Hacker Defender
     • Windows: modifies the memory of all running processes to hook Windows API calls, changing what every process reports
     • Hides files
     • Hides processes
     • Hides services
     • All TCP ports become potential backdoors!

  11. Rootkits: Hacker Defender
     • Detection
       • Any anti-virus software (why is this so?)
       • RootkitRevealer: compares the view through the Windows API with the raw file system and registry hive data on disk
       • IceSword: found the hidden files/folders, processes, and services
     • Prevention
       • Any ideas?

  12. Rootkits: FU
     • Windows, kernel-mode driver: works via Direct Kernel Object Manipulation (DKOM)
     • Hides processes
     • Elevates process privileges
     • Fakes out Windows Event Viewer
     • Hides device drivers

  13. Rootkits: FU
     • Detection
       • RootkitRevealer can't see a thing
     • Prevention
       • Any ideas?

  14. Rootkits: Prevention/Detection Audits
     • The system binaries on the suspect host can't be trusted
     • Run the audit with known-good tools instead:
       • BusyBox
       • Other bootable Linux CDs
         • Knoppix

  15. Agenda
     • Backdoors and Trojans
       • Netcat
       • ICMP backdoor
       • VNC
       • BO2K backdoor
       • Backdoors in C
       • Backdoor detection
       • ACK tunneling
     • Trojans
     • Port/web knocking

  16. Netcat
     • Netcat is a powerful TCP/IP tool. It can be used as a back-end tool controlled by other programs, or as a standalone server/client.
     • Server/client
     • Program control
     • File transfer
     • Relay
     • Tunneling
     • FIFO
     • Covering tracks

  17. ICMP Backdoor
     • Server installed on an infiltrated machine
     • Carries its traffic inside ICMP packets to hide the malicious network traffic
     • Why was the server echoing the commands back to the client?

  18. Virtual Network Computing (VNC)
     • A legitimate remote-desktop tool used by network administrators
     • Gives the remotely logged-in user access to all operations on the desktop
     • Bad if hackers can gain access to a running VNC server

  19. BO2K Backdoor
     • Very well-known Windows backdoor (Back Orifice 2000)
     • Server/client
     • Many predefined functions:
       • System commands
       • Key logging
       • GUI commands
       • TCP/IP commands
       • MS networking
       • Process control
       • Registry
       • Multimedia
       • File and directory
       • File compression

  20. Backdoors in C
     • Simple Linux telnet backdoor, 32 lines of code
     • Intercepts the login and looks for the backdoor password
     • If the backdoor password is not entered, it hands off to the original login

  21. Backdoor Detection
     • Netcat, VNC, BO2K
       • Firewalls, port scanning
       • Virus check
       • Process checking
     • ICMP detection
       • Packet throughput (unusual ICMP volume)
       • Turn off ICMP through gateways
     • Backdoor in C
       • Checking for file integrity

  22. Backdoor Detection (cont.)
     • TCPView
       • Scans for active ports
       • Provides info on the process using each port
       • Path info / command used to start the process
       • Allows you to end running processes
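TCPView's core data (which process owns which listening port) is available on Linux from /proc alone: /proc/net/tcp lists every socket with its inode, and each /proc/<pid>/fd entry is a symlink of the form `socket:[inode]`. The script below is an added example, not the lab's code or TCPView, that joins those two tables. The `SAMPLE_PROC_NET_TCP` text is a constructed excerpt in the kernel's format. Caveat: this reads the kernel's own view, so a kernel rootkit that hides a process or filters /proc/net/tcp lies to this script exactly as it lies to netstat, which is why slide 21 also lists an external port scan.

```python
"""Map listening TCP sockets to owning processes via /proc (added example;
not the lab's code). Equivalent to the TCPView view on Windows, built from
/proc/net/tcp plus /proc/<pid>/fd symlinks.
"""
from __future__ import annotations

import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp: a DNS listener, an SSH listener, one
# established client connection (addresses/inodes invented for the example).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:C350 0A000201:0050 01 00000000:00000000 00:00000000 00000000  1000        0 4242 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(hexaddr: str) -> tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the IPv4 address
    as a native-endian 32-bit word, hence the little-endian unpack on x86."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str, states=("LISTEN",)) -> list[dict]:
    """Parse the /proc/net/tcp table; keep rows in the requested states."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        state = TCP_STATES.get(f[3], f[3])
        if state not in states:
            continue
        local_ip, local_port = _decode_addr(f[1])
        rows.append({"local": (local_ip, local_port), "state": state,
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_owners() -> dict[int, int]:
    """inode -> pid, by reading every /proc/<pid>/fd/* symlink we are allowed to."""
    owners = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = int(pid)
        except OSError:                         # process gone, or not ours (no root)
            continue
    return owners


def listening_sockets() -> list[dict]:
    """TCPView-style listing: local address, pid, and the command that owns it."""
    with open("/proc/net/tcp") as f:
        rows = parse_proc_net_tcp(f.read())
    owners = socket_owners()
    for r in rows:
        r["pid"] = owners.get(r["inode"])
        try:
            with open(f"/proc/{r['pid']}/cmdline", "rb") as f:
                r["cmd"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            r["cmd"] = "?"                      # unknown owner, or not readable without root
    return rows


if __name__ == "__main__":
    for r in listening_sockets():
        print(f"{r['local'][0]}:{r['local'][1]:<6} {r['state']:<8} pid={r['pid']} {r['cmd']}")
```

Run as root to resolve sockets belonging to other users; a listener whose owner cannot be resolved at all is itself worth a look, since the inode should belong to some visible process.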

  23. ACK Tunneling
     • Used to reach a computer behind a firewall
     • Most administrators configure firewalls to block most illegitimate traffic
     • A stateless packet filter that passes “established” traffic by checking only the ACK flag lets any ACK-flagged packet through
     • Many firewalls (simple packet filters in particular) are stateless; stateful firewalls keep track of each connection and reject an ACK that belongs to none
     • The tunnel sets the ACK flag on its packets to gain access
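To make the stateless/stateful distinction concrete, here is an added example (not the lab's code) that builds minimal TCP segments and runs the same bare-ACK "tunnel" segment through two filter models: a stateless rule that treats "ACK set, SYN clear" as an established connection, and a stateful filter that only admits packets matching a connection it saw being opened. Ports, payloads and the service set are invented for the demonstration, and the segments are constructed without checksums.

```python
"""Why a bare ACK passes a stateless filter (added example; not the lab's code).

Models the two policies on constructed 20-byte TCP headers: a stateless
'established' rule keyed on the ACK bit, and a stateful filter keyed on
connections whose opening SYN it actually saw.
"""
from __future__ import annotations

import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HDR = "!HHIIHHHH"   # sport, dport, seq, ack, data-offset/flags, window, checksum, urgent


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"",
              seq: int = 0, ack: int = 0) -> bytes:
    """20-byte header, no options; checksum left zero (constructed test data)."""
    return struct.pack(HDR, sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, _win, _ck, _urg = struct.unpack(HDR, segment[:20])
    hlen = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "payload": segment[hlen:]}


def stateless_allow(segment: bytes, services=frozenset({22, 80})) -> bool:
    """Classic packet-filter policy: new connections only to service ports, and
    anything that looks like the reply half of a connection (ACK set, SYN clear)
    is passed as 'established'. That second clause is the ACK-tunneling hole."""
    p = parse_tcp(segment)
    if p["dport"] in services:
        return True
    return bool(p["flags"] & ACK) and not (p["flags"] & SYN)


class StatefulFilter:
    """Tracks connections by (inside_port, outside_port); only packets matching
    an entry created by a SYN the filter saw are admitted inbound."""

    def __init__(self, services=frozenset({22, 80})):
        self.services = services
        self.table: set[tuple[int, int]] = set()

    def outbound(self, segment: bytes) -> bool:
        p = parse_tcp(segment)
        if p["flags"] & SYN and not (p["flags"] & ACK):      # inside host opens
            self.table.add((p["sport"], p["dport"]))
        return True                                          # outbound trusted here

    def inbound(self, segment: bytes) -> bool:
        p = parse_tcp(segment)
        key = (p["dport"], p["sport"])                       # (inside, outside)
        if p["flags"] & SYN and not (p["flags"] & ACK):
            if p["dport"] in self.services:                  # new inbound connection
                self.table.add(key)
                return True
            return False
        return key in self.table                             # ACK/data must match state


if __name__ == "__main__":
    tunnel = build_tcp(40000, 31337, ACK | PSH, b"id;uname -a")
    print("stateless filter passes bare ACK:", stateless_allow(tunnel))
    print("stateful filter passes bare ACK: ", StatefulFilter().inbound(tunnel))
```

The model is deliberately minimal (ports only, no sequence-number checking, no timeouts); a real stateful firewall also validates sequence/ack windows, which is what stops an attacker from guessing a live connection's port pair.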

  24. Trojans
     “… A malicious program that is disguised as legitimate software. … They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.” – Wikipedia

  25. Trojans (cont.)
     • eLiTeWrap
       • Wraps a legitimate program together with a malicious program that runs in the background
       • Don't execute suspicious programs
       • Look for suspicious processes running
     • Internet Explorer ActiveX
       • Installed a backdoor from a web page
       • Don't allow ActiveX

  26. Port/Web Knocking
     • Port knocking
       • All ports are blocked, yet access is still possible
       • A specified port is opened once the correct knock sequence is performed
       • Knock sequence: a series of connection attempts to specific (closed) ports, in order
     • Web knocking
       • Used where web access is allowed through the firewall
       • Invalid web requests are sent to the server; they are recorded in its error log
       • A script that runs intermittently reads the log and executes the commands
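The knock daemon in the port-knocking case never listens on a socket itself: it watches the firewall's log of rejected connection attempts and, when one source hits the secret ports in order inside a time window, opens the real service for that source (web knocking does the same thing against the web server's error log). The following is an added example, not the lab's code or any knock daemon's, of that state machine run over constructed iptables-style log lines; the addresses, ports, timestamps and knock sequence are all invented. It handles the two failure modes a practitioner hits first: a knock on the wrong port resets the sequence, and a sequence that takes too long is discarded.

```python
"""Port-knock sequence detection over firewall log lines (added example;
not the lab's code). One state machine per source address; the service is
'opened' (here: recorded) when the sequence completes in order and in time.
"""
from __future__ import annotations

import calendar
import re
import time

# iptables LOG format is assumed; the prefix/fields are the kernel's usual ones.
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*PROTO=TCP .*DPT=(\d+)")

# Constructed log: one correct sequence (203.0.113.5), one out-of-order attempt
# (198.51.100.7), one that is too slow (192.0.2.99), plus unrelated lines.
SAMPLE_LOG = [
    "Mar  7 10:00:01 fw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=7000 SYN",
    "Mar  7 10:00:02 fw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=8000 SYN",
    "Mar  7 10:00:03 fw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=8000 SYN",
    "Mar  7 10:00:04 fw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=7000 SYN",
    "Mar  7 10:00:05 fw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=9000 SYN",
    "Mar  7 10:00:06 fw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40006 DPT=9000 SYN",
    "Mar  7 10:00:07 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40007 DPT=7000 SYN",
    "Mar  7 10:00:09 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40008 DPT=8000 SYN",
    "Mar  7 10:00:30 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40009 DPT=9000 SYN",
    "Mar  7 10:00:31 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=53 DPT=9000",
    "Mar  7 10:00:32 fw sshd[123]: Accepted publickey for admin from 203.0.113.5 port 50001",
]


def parse_log_line(line: str, year: int = 2006) -> tuple[float, str, int] | None:
    """-> (epoch seconds, source IP, destination port), or None for other lines.
    Syslog stamps carry no year, so the caller supplies it."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = calendar.timegm(time.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return float(ts), m.group(2), int(m.group(3))


class KnockDetector:
    """Knocks from a source must match `sequence` in order and complete within
    `window` seconds; a wrong port or a timeout resets that source."""

    def __init__(self, sequence: list[int], target_port: int, window: float = 10.0):
        self.sequence, self.target_port, self.window = sequence, target_port, window
        self.progress: dict[str, tuple[int, float]] = {}   # src -> (next index, start)
        self.opened: list[tuple[str, float]] = []

    def knock(self, ts: float, src: str, port: int) -> bool:
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > self.window:         # too slow: start over
            idx, start = 0, ts
        if port != self.sequence[idx]:               # wrong port: reset, but this
            idx, start = 0, ts                       # knock may be a fresh first knock
            if port != self.sequence[0]:
                self.progress.pop(src, None)
                return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.append((src, ts))            # real daemon: add firewall rule
            return True
        self.progress[src] = (idx, start)
        return False


def replay(lines, detector: KnockDetector) -> list[tuple[str, float]]:
    """Feed log lines through the detector; returns (src, ts) per completed knock."""
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            detector.knock(*parsed)
    return detector.opened


if __name__ == "__main__":
    for src, ts in replay(SAMPLE_LOG, KnockDetector([7000, 8000, 9000], target_port=22)):
        print(f"open port 22 for {src} at {time.strftime('%H:%M:%S', time.gmtime(ts))}")
```

A fixed sequence like this is a shared secret sent in the clear: anyone sniffing the path can replay it, so real knock daemons pair the sequence with one-time or cryptographically authenticated knocks and close the port again after a short grace period.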

  27. Questions?
