Hidden Rootkits in Windows
Presented by: Brian Bourne, CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA
MOM - Clustering - Office – Desktop Deployment - SQL –
Terminal Services - Security Assessments - Lockdown – Wireless
Training by Experts for Experts
MS Infrastructure – Security - Vista and Office Deployment
Visit us online: www.cms.ca
Downloads – Resources – White Papers
For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker
For Mobility Solutions
What is a rootkit?
Kernel mode vs user mode
Popular and New rootkits
History of Rootkits
What can they hide
DEMO – Hacker Defender Anatomy 101
How they hide and go undetected
DEMO - Hacker Defender In Action!
DEMO – Covert Channels
DEMO – FUTo
Detection, Protection and Removal
DEMO – Detection
Hardware Virtualization Rootkits
What is a rootkit?
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. Example:
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
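The paragraph above describes list unlinking (often called DKOM) and why list-walking tools miss the hidden process; the detection slides later in the deck rely on comparing independent views. The following is an added teaching example, not code from the presentation or from CMS Consulting: it models the kernel's circular doubly-linked active-process list in plain Python, performs the unlink, and then runs a cross-view diff against a second, independent source. The `ProcessEntry`, `ProcessList`, `pid_table` and all PIDs and process names are constructed stand-ins (the PID table plays the role a brute-force PID probe would on a real system), not real kernel structures.

```python
"""Cross-view detection of a process hidden by list unlinking.

Added example (not from the original slides). Everything here is a
simulation: ProcessEntry stands in for a kernel process object, ProcessList
for the kernel's active-process list, and pid_table for an independent
view such as a brute-force PID probe. Sample PIDs/names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ProcessEntry:
    """Minimal stand-in for a kernel process object (hypothetical)."""
    pid: int
    name: str
    flink: Optional["ProcessEntry"] = field(default=None, repr=False)
    blink: Optional["ProcessEntry"] = field(default=None, repr=False)


class ProcessList:
    """Circular doubly-linked list with a sentinel head. Walkers start at
    the head and stop when they get back to it, like list-based process
    enumeration does."""

    def __init__(self) -> None:
        self.head = ProcessEntry(pid=-1, name="<list head>")
        self.head.flink = self.head
        self.head.blink = self.head
        # Second, independent view of the same processes (constructed).
        self.pid_table: Dict[int, ProcessEntry] = {}

    def create(self, pid: int, name: str) -> ProcessEntry:
        entry = ProcessEntry(pid, name)
        tail = self.head.blink
        tail.flink = entry
        entry.blink = tail
        entry.flink = self.head
        self.head.blink = entry
        self.pid_table[pid] = entry
        return entry

    def walk(self) -> List[ProcessEntry]:
        out, cur = [], self.head.flink
        while cur is not self.head:
            out.append(cur)
            cur = cur.flink
        return out


def unlink_from_list(entry: ProcessEntry) -> None:
    """The hiding step the slide describes: predecessor and successor are
    pointed at each other, so a list walk skips the entry. The PID table
    is deliberately left untouched, which is what cross-view detection
    exploits."""
    entry.blink.flink = entry.flink
    entry.flink.blink = entry.blink
    entry.flink = entry.blink = entry  # keep the orphaned node self-consistent


def list_view(plist: ProcessList) -> Set[int]:
    """What a Task Manager-style tool sees: PIDs from walking the list."""
    return {e.pid for e in plist.walk()}


def pid_scan_view(plist: ProcessList, max_pid: int = 65536) -> Set[int]:
    """What a brute-force PID probe sees: every PID that still resolves to
    a process object, regardless of list membership. Windows PIDs are
    multiples of 4, hence the step."""
    return {pid for pid in range(0, max_pid, 4) if pid in plist.pid_table}


def cross_view_hidden(plist: ProcessList) -> Set[int]:
    """Cross-view diff: present in the probe view but absent from the list
    view means hidden; this is what a detector should report."""
    return pid_scan_view(plist) - list_view(plist)


def demo() -> Set[int]:
    """Build a small system, hide one process, return what detection finds."""
    plist = ProcessList()
    plist.create(4, "System")
    plist.create(416, "winlogon.exe")
    bad = plist.create(1240, "hidden_sample.exe")  # constructed sample
    plist.create(1856, "explorer.exe")
    unlink_from_list(bad)
    return cross_view_hidden(plist)


if __name__ == "__main__":
    print("hidden PIDs:", sorted(demo()))
```

The point for defenders is structural: any single enumeration path can be lied to, so detectors gather the same fact (which processes exist) from two or more paths the rootkit is unlikely to have altered consistently, and treat any disagreement as a finding. The footnote on the detection slide about FU hiding only processes, not files, is the same idea applied per object type: each view has to be compared separately.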
History of Rootkits
Fifth Generation
AFX Rootkit 2005
Popular Rootkits
Winlogon Hijack
Commercially available products that use rootkit type technologies.
Reference: www.security.org.sg / www.hbgary.com / www.rootkit.com
Hacker Defender – In Action!
Hacker Defender – Covert Channel
How to detect rootkits?
*1 Could not detect FU because it does not hide folders/files. Only processes.
It’s a cat and mouse game
Stop rootkits from entering and executing in your environment.
November 20 – 21, 2007, MTCC, Toronto, ON, Canada
http://www.sector.ca/
TRAINING BY EXPERTS FOR EXPERTS
Visit: CMS Consulting at http://www.cms.ca
Join: Toronto Area Security Klatch at http://www.task.to
Register: Security Education in Toronto at http://www.sector.ca