how an attacker can maintain control over their victim’s system without being discovered
What is a Rootkit?
• A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence[1].
The keyword to remember for a rootkit is undetectable. The most common purposes of a rootkit are sustained access and eavesdropping.
Some History
• Early 1990’s – Internet becomes popular
• 1st Generation rootkits- Replaced potential tattletale binaries (e.g. netstat, ls) with trojaned copies that omit the intruder's processes, files and connections
• Easy to detect- Compare the hash of the installed binary with a known-good hash; the reference hashes (and the hashing tool) must come from trusted media, not from the compromised system, since a first-generation kit can trojan those too
• First rootkits were mostly written for Unix based systems (hence rootkit, instead of Administratorkit)
• 1999- NTRootkit, an early Windows rootkit
• Rootkits did not really become part of security admin vernacular until the mid 2000's
• Kicked off an arms race- rootkit developers vs detection/prevention measures
Main things to hide
• Processes
• Files
• Network Connections
• Also: Various system statistics (e.g. CPU percentage)
What’s going on in a userland rootkit?
• Hooking- Redirecting calls to a target function so that the rootkit's code runs instead of (or before) the legitimate code, and can filter what the caller gets back
• Example 1- Overwrite the legitimate function's code in memory (inline patching: e.g. replace its first bytes with a jump to the rootkit's function)
• Example 2- Overwrite the legitimate function's address in the IAT (Import Address Table) so that it points to the rootkit's custom function instead
What’s going on in a kernel rootkit?
Similar concept, but different memory spaces, tables, functions… The hook lives in kernel memory and targets kernel structures (e.g. the system service dispatch table rather than a process's IAT), so every process on the machine sees the filtered results, and user-mode tools cannot see past it.
Detecting the Invisible
• Detecting a Presence
  • Guard the Doors- Think intrusion detection
  • Roaming Guard- Periodic system scans
• Detecting Behavior
  • Sysinternals RootkitRevealer example- Compares the file system and registry as seen through the Windows API with the same data read directly from disk and the raw registry hives; an entry present in the raw view but missing from the API view is being hidden
• Live Detections-
  • RootkitRevealer
  • GMER- Free Windows rootkit scanner.
  • Helios- Behavioral analysis (can be used to detect many forms of malware)
  • Sophos Anti-Rootkit- Free. Also scans for other forms of malware. Can scan a network, not just a single host.
• If a kernel rootkit is suspected-
  • Need to analyze the system under a kernel debugger (kd.exe, from Debugging Tools for Windows), since scanners running as ordinary processes on the compromised kernel cannot be trusted to see it
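The userland hook (Example 2 above) and the two detection ideas on this page (checking a table entry against its expected value, and the RootkitRevealer-style cross-view diff) in one runnable, added example. This is not code from the deck or from any of the tools named on it: the "IAT" is a one-slot table of function pointers in the same process, the process list and the import name `EnumProcesses` are constructed for the demo, and `list_via_api`, `cross_view_hidden` and the other names are hypothetical. What it shows is the mechanism, not a Windows-specific exploit: an application reaches an imported function through a table entry, a hook swaps that entry, and the hook filters the hidden process out of the result.

```c
/* Added example: simulated IAT hook and the checks that catch it.
 * All names and the sample process list are constructed for this demo. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN 32

/* One process as the OS reports it. */
typedef struct { int pid; const char *name; } proc_t;

/* Constructed sample process list standing in for what the kernel returns. */
static const proc_t kSampleProcs[] = {
    {   4, "System"          },
    { 512, "explorer.exe"    },
    {1337, "rk_backdoor.exe" },   /* the rootkit's own process */
    {2048, "notepad.exe"     },
};
#define N_SAMPLE (sizeof kSampleProcs / sizeof kSampleProcs[0])

typedef size_t (*enum_fn)(proc_t *out, size_t cap);

/* The legitimate enumeration routine, i.e. the imported API. */
static size_t enum_processes_real(proc_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SAMPLE && n < cap; i++)
        out[n++] = kSampleProcs[i];
    return n;
}

/* A one-slot import address table. Application code calls through the
 * stored pointer, exactly as a call to an imported function goes through
 * the IAT entry the loader filled in. */
static struct { const char *name; enum_fn target; } g_iat[1] = {
    { "EnumProcesses", enum_processes_real },   /* hypothetical import name */
};

static const char *kHiddenName = "rk_backdoor.exe";

/* Rootkit replacement: run the real routine, then drop the hidden entry. */
static size_t enum_processes_hooked(proc_t *out, size_t cap)
{
    size_t n = enum_processes_real(out, cap), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i].name, kHiddenName) != 0)
            out[kept++] = out[i];
    return kept;
}

/* Example 2 from the deck: overwrite the IAT entry with the hook's address.
 * (On Windows the table page is read-only after loading; a real rootkit
 * first makes it writable with VirtualProtect.) */
static void install_iat_hook(void) { g_iat[0].target = enum_processes_hooked; }
static void remove_iat_hook(void)  { g_iat[0].target = enum_processes_real;   }

/* What a user-mode tool such as a task manager sees: it calls through the IAT. */
static size_t list_via_api(proc_t *out, size_t cap) { return g_iat[0].target(out, cap); }

/* Detection 1: IAT integrity. Compare the live entry with the address the
 * loader would have resolved for that import (here the known real function). */
static int iat_entry_is_hooked(void) { return g_iat[0].target != enum_processes_real; }

/* Detection 2: cross-view diff, the RootkitRevealer idea. Compare the API view
 * with a raw view that does not go through the hooked import; anything present
 * in the raw view but absent from the API view is being hidden.
 * Writes hidden names into `hidden` and returns how many were found. */
static size_t cross_view_hidden(char hidden[][NAME_LEN], size_t cap)
{
    proc_t api[MAX_ENTRIES], raw[MAX_ENTRIES];
    size_t na = list_via_api(api, MAX_ENTRIES);
    size_t nr = enum_processes_real(raw, MAX_ENTRIES);   /* raw view */
    size_t found = 0;
    for (size_t i = 0; i < nr; i++) {
        int seen = 0;
        for (size_t j = 0; j < na; j++)
            if (api[j].pid == raw[i].pid) { seen = 1; break; }
        if (!seen && found < cap)
            snprintf(hidden[found++], NAME_LEN, "%s", raw[i].name);
    }
    return found;
}

int main(void)
{
    proc_t buf[MAX_ENTRIES];
    char hidden[MAX_ENTRIES][NAME_LEN];

    install_iat_hook();
    size_t n = list_via_api(buf, MAX_ENTRIES);
    printf("API view with hook installed: %zu processes\n", n);   /* 3: backdoor gone */
    printf("IAT entry %s hooked: %s\n", g_iat[0].name, iat_entry_is_hooked() ? "yes" : "no");
    size_t h = cross_view_hidden(hidden, MAX_ENTRIES);
    for (size_t i = 0; i < h; i++)
        printf("cross-view: hidden process %s\n", hidden[i]);

    remove_iat_hook();
    printf("API view after restoring the IAT: %zu processes\n",
           list_via_api(buf, MAX_ENTRIES));
    return 0;
}
```

Two caveats follow from the deck's own points. The integrity check works only because the detector knows what the table entry should contain; on a real system that means resolving the import independently (from the module's export table on disk) rather than trusting the in-memory value. And the cross-view diff only catches a hook that sits above the raw view: a kernel rootkit hooking the layer that both views read through fools both, which is why the deck moves to a kernel debugger for that case.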