
LKM Rootkits

LKM Rootkits. Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar. Agenda. What are rootkits? Brief history What are LKM rootkits? Malware classification and rootkit’s standing Rootkit objectives LKM rootkit features Case study – Phalanx Detection mechanisms Conclusion.


Presentation Transcript


  1. LKM Rootkits
     Instructor: Dr. Harold C. Grossman
     Student: Subhra S. Sarkar

  2. Agenda
     - What are rootkits?
     - Brief history
     - What are LKM rootkits?
     - Malware classification and rootkit's standing
     - Rootkit objectives
     - LKM rootkit features
     - Case study: Phalanx
     - Detection mechanisms
     - Conclusion

  3. What are rootkits?
     - Tools to conceal information
     - Hide files and processes
     - Prevent detection
     - Backdoor creation
     - Remote injection/execution of scripts
     - Stealing of confidential information

  4. Brief history
     - Ken Thompson's rootkit
     - Brain virus
     - SunOS rootkit, 1990
     - Sony BMG rootkit
     - Greek wiretapping
     - Carrier IQ rootkit on smartphones and handheld devices

  5. What are LKM rootkits?
     - Insertion of malicious code into the kernel on the fly
     - Enables overriding of kernel system calls
     - Enables manipulation of the /dev/kmem device file, allowing the intruder to control the kernel at runtime and monitor every memory read/write operation
     - Allows CPU register hooking
     - Facilitates kernel object hooking
     - Allows direct kernel object manipulation

  6. Malware classification and rootkit's standing
     As per the malware classification proposed by Joanna Rutkowska at Black Hat 2006, malware can be classified as follows:
     - Type 0 malware
     - Type 1 malware
     - Type 2 malware
     - Type 3 malware

  7. Rootkit objectives
     Based on the analysis of Nick Petroni and J. Hicks from the University of Maryland, College Park, the objectives of each rootkit fall into one or more of the following categories:
     - HID
     - PE
     - REE
     - REC
     - NEU

  8. LKM rootkit features
     - File hiding
     - Process hiding
     - Backdoor creation
     - Defense neutralization
     - Survival beyond system reboot
     - Keystroke logging
     - Network layer obfuscation

  9. Case study: Phalanx
     Phalanx's special features include the following:
     - SSH credential stealing
     - Manipulating memory operations by hijacking /dev/kmem
     - Sophisticated socket, process and file hiding mechanisms
     - TTY sniffer, keystroke logging
     - Does not show up in process listings via ps or ls /proc

  10. Detection mechanisms
     - Use of signature-based rootkit detection software such as rkhunter and chkrootkit
     - Regularly examining systems where SSH keys are used as part of a passwordless authentication mechanism
     - Encouraging users to use keys with passphrases
     - Applying regular security patches to the system
     - LKM filtering
     - HIDS
     - LIDS
     - State-based control-flow integrity test (SBCFI)
     - Detection based on the distribution of system calls (Anderson-Darling)
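The process-hiding feature from the Phalanx slide (absent from ps and from ls /proc) is what the proc-versus-kill comparison in chkrootkit and unhide is built to catch. The following is an added example written for this transcript, not code from the slides or from those tools: it lists /proc, probes every PID up to an assumed default pid_max of 32768 with kill(pid, 0), and reports PIDs that are alive yet unlisted, while filtering out thread IDs (which are alive but never appear in a /proc listing) and processes that start or exit during the scan; the callables are parameters so the logic can be exercised on constructed data.

```python
import os

def visible_pids(proc="/proc"):
    """PIDs that an ordinary directory listing of /proc exposes (what ps sees)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_alive(pid):
    """kill(pid, 0) delivers no signal but reveals whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, just owned by someone else
    return True

def thread_group(pid, proc="/proc"):
    """Tgid from /proc/<pid>/status, or None when the entry is unreadable.
    Threads have TIDs that answer kill(2) yet are never listed in /proc,
    so they must be told apart from genuinely hidden processes."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None

def find_hidden_pids(list_visible=visible_pids, alive=pid_alive,
                     tgid=thread_group, upper=32768):
    """PIDs that are alive but absent from two consecutive /proc listings.
    The second listing discards processes that started or exited during
    the scan. upper=32768 is an assumed classic pid_max default."""
    before = list_visible()
    candidates = [p for p in range(1, upper + 1) if p not in before and alive(p)]
    after = list_visible()
    hidden = []
    for p in candidates:
        if p in after or not alive(p):
            continue  # race with a short-lived process, not hiding
        group = tgid(p)
        if group is not None and group != p and group in after:
            continue  # a thread of a visible process
        hidden.append(p)  # hidden process, or /proc/<pid> itself unreadable
    return hidden

if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids() or "none found")
```

On a live system pass the value of /proc/sys/kernel/pid_max as upper, since modern kernels allow far more than 32768 PIDs.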

  11. Conclusion
     In this presentation, we have provided a general overview of rootkits, LKM rootkits in particular: their objectives, specific features, infection mechanisms and attack methodologies, and various detection mechanisms for both user-space and kernel-space rootkits.

  12. References
     Below is the list of references:
     - http://smartech.gatech.edu/jspui/handle/1853/34844
     - http://www.cs.umd.edu/~mwh/papers/CS-TR-4880.pdf
     - http://bitblaze.cs.berkeley.edu/papers/hookfinder_ndss08.pdf
     - http://dl.acm.org/citation.cfm?id=1368515
     - http://research.microsoft.com/pubs/153181/hookmapraid08.pdf
     - http://www.mobile-download.net/Soft/Soft_2334.htm
     - http://en.wikipedia.org/wiki/Rootkit
     - http://packetstormsecurity.org/search/?q=phalanx

  13. Questions?

  14. Thank You
