Introduction to Information Security - Rootkits

PowerPoint Slideshow about 'Introduction to Information Security - Rootkits' - kolya

Presentation Transcript

Introduction to Information Security - Rootkits

Itamargi at

Nirkrako at

  • What are they?
  • Various types of rootkits.
  • Detection
  • Famous case
What is a rootkit ?
  • The name rootkit originally referred to a set of UNIX/Linux utilities used after gaining root, whether via a privilege escalation (PE) or a remote root exploit.
  • The goal of the rootkit is to allow a hacker to roam freely about the system while still maintaining root.
  • The rootkit hides the hacker and lets him evade detection by the system admin.
  • Modus operandi:
    • Hack the system.
    • Install the system.
    • Explore the system.
    • **** the system.
What can/should a rootkit do ?
  • Hide the hacker's files – a hacker usually has a drop-off directory where he creates temporary files (such as zip files) or keeps a PE file:
    • echo 'int main(){setuid(0);setgid(0);system("/bin/sh");}' > a.c ; gcc a.c -o a ; chmod 4755 a
    • Eg: all files in /usr/bin/.w00t/ are completely hidden.
  • Hide the hacker's processes:
    • Eg. any process whose name starts with “w00t” will not be visible.
  • Hide sniffing: hide that an interface is working in promiscuous mode.
  • Hide open ports.
  • Let the hacker back in without using the exploit:
    • Using the exploit to re-enter usually makes too much noise.
    • No need to clean up after re-entry.
Application based rootkits
  • The first rootkits, seen in the 90s, were replacements for the set of system utilities in /bin/.
  • For example, hackers used a modified version of /bin/ls.
  • In open-source systems such as Linux this is very easy:
    • Download the original code, modify, compile, spread.
  • In closed-source systems such as Windows or older UNIX:
    • Binary-patch the relevant files.
Application Layer Dilemmas
  • If you patch one program, you never know if you covered all your bases, e.g.:
    • Patch ‘ps’ but forget to patch ‘top’.
    • Patch ‘ls’ but forget to patch ‘mc’ (Midnight Commander).
  • Software upgrades: if the patched software is upgraded, the patch is lost.
Library Rootkits
  • Patch the system libraries, such as libc, e.g.:
    • readdir
  • Patching can be done offline, on the library file itself, or at run time via code injection techniques.
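To make the readdir-style library patch and its detection concrete, here is an added Python example (not code from the slides). It simulates a library rootkit in-process by wrapping os.listdir so that entries starting with a constructed prefix (".w00t", echoing the slide's example) vanish, and then applies the difference-based check the deck's detection slides describe: it compares the possibly hooked high-level view (os.listdir) with an independent view of the same directory (os.scandir) and reports entries present in one but not the other. Function names and the sample directory are assumptions made for the example.

```python
"""Added example: a simulated user-space readdir hook and the cross-view check
that exposes it. Names (install_listdir_hook, cross_view_diff, demo) are
hypothetical; the hidden prefix mirrors the slide's ".w00t" example."""
import os
import tempfile

HIDDEN_PREFIX = ".w00t"   # constructed value for the demo


def install_listdir_hook():
    """Simulate a library rootkit: replace os.listdir with a wrapper that drops
    every entry whose name starts with HIDDEN_PREFIX. Returns the original
    function so the caller can restore it."""
    original = os.listdir

    def hooked_listdir(path="."):
        return [e for e in original(path) if not e.startswith(HIDDEN_PREFIX)]

    os.listdir = hooked_listdir
    return original


def cross_view_diff(path):
    """Difference-based detection: compare the (possibly hooked) view from
    os.listdir with an independent view from os.scandir. Returns two sorted
    lists: entries only the low-level view sees, and entries only the
    high-level view sees. Both empty means the views agree."""
    high_level = set(os.listdir(path))
    low_level = {entry.name for entry in os.scandir(path)}
    return sorted(low_level - high_level), sorted(high_level - low_level)


def demo():
    """Build a constructed directory, run the check clean, install the hook,
    run the check again, and restore os.listdir. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "README"):
            open(os.path.join(d, name), "w").close()
        os.mkdir(os.path.join(d, HIDDEN_PREFIX))      # the "hidden" drop-off dir
        before = cross_view_diff(d)                    # expected: ([], [])
        original = install_listdir_hook()
        try:
            after = cross_view_diff(d)                 # expected: (['.w00t'], [])
        finally:
            os.listdir = original                      # always undo the hook
        return before, after


if __name__ == "__main__":
    print(demo())
```

A real cross-view check picks two views that share as little code as possible (for example, an exported library call versus a direct system call, or the live system versus an offline mount of the same disk); here two Python entry points stand in for that, which is enough to show why a hook in only one path is visible as a disagreement between views.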
Code Injection/API Hooking
  • The idea is to dynamically patch a program’s behavior.
    • This is also what debuggers need in order to work properly.
  • We load a “shellcode” into the process memory using some technique.
    • Eg. Windows:
      • BOOL WriteProcessMemory( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten );
    • Eg. Linux: ptrace with POKETEXT:
      • PTRACE_POKETEXT, PTRACE_POKEDATA: copies the word data to location addr in the child's memory. As above, the two requests are currently equivalent.
  • The shellcode can load a DLL that does some more work.
  • Subverting functions is done by patching the original code.
    • Linux: the code segment permissions can be changed via mprotect().
    • Windows: VirtualProtect().
    • Windows has Detours – a library used to hook APIs.
Syscall rootkit
  • Rootkit based on a kernel driver. The rootkit driver is loaded into the operating system; once it is loaded it modifies the system call table and subverts the original
Rootkit detection
  • Looking at the rootkit from a different perspective.
  • Signature based:
    • Look for signatures in files and memory known to belong to the rootkit (blacklist based).
    • This is the technique most anti-viruses use.
  • Difference based:
    • Difference between the view from memory and the view on disk.
    • Offline vs. online.
  • Integrity checking of binaries: compare the MD5 of files to a whitelist.
    • Eg.: the Tripwire application for *nix.
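The whitelist-style integrity check that the Tripwire bullet refers to, as an added Python example (not code from the slides or from Tripwire): a baseline of file digests is recorded while the system is trusted, and a later walk of the same tree reports files whose digest changed, files that disappeared, and files that appeared. The demo stages the application-layer rootkit scenario from the earlier slides, a replaced /bin/ls plus a dropped setuid helper, in a constructed temporary tree. It uses SHA-256 rather than the MD5 the slide mentions, since MD5 collisions are practical today; function names and the sample tree are assumptions.

```python
"""Added example: Tripwire-style integrity checking against a baseline.
Names (file_digest, build_baseline, verify, demo) are hypothetical."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's root-relative POSIX path to its digest. In practice the
    result is stored off-host or on read-only media so a rootkit cannot
    rewrite the whitelist alongside the binaries it replaces."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def verify(root, baseline):
    """Re-walk the tree and classify differences against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: trusted baseline, then a trojaned ls, a dropped
    backdoor binary and a deleted tool. Returns the verify() report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, content in (("ls", b"original ls"), ("ps", b"original ps"),
                              ("top", b"original top")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)          # taken while the host is trusted

        # Simulated compromise (constructed, not real binaries)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"trojaned ls")              # replaced utility
        with open(os.path.join(bindir, "a"), "wb") as f:
            f.write(b"dropped helper")           # new file in a system dir
        os.remove(os.path.join(bindir, "top"))   # tool removed

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check only means something if the baseline was taken before compromise and is kept where the compromised host cannot alter it, and if the verifier itself (the Python interpreter and libc here) is trusted; that is exactly the offline-versus-online distinction on the slide, and why a kernel-level rootkit that hooks file reads can defeat an online check that a boot from clean media would not.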

[Trace buster video]

Sony DRM: Famous Rootkit Case