ROOTKIT -MALWARE Vijay krishnan Avinesh Dupat

Upload: kyle

Post on 25-Feb-2016


DESCRIPTION

ROOTKIT -MALWARE. Vijay krishnan Avinesh Dupat. Rootkit: a collection of tools (programs) that enable administrator-level access to a computer or computer network. The main purpose of a rootkit is to make unauthorized modifications to the software in your PC. (PowerPoint presentation)

TRANSCRIPT

ROOTKIT

ROOTKIT -MALWARE Vijay krishnan Avinesh Dupat

ROOTKIT
Collection of tools (programs) that enable administrator-level access to a computer or computer network.
The main purpose of a rootkit is to make unauthorized modifications to the software in your PC.

What is it used for?
Provide an attacker full access via backdoor techniques.
Conceal other malware.
Appropriate the compromised machine as a zombie computer for attacks on other computers.
Non-hostile rootkits: anti-theft protection, enforcement of DRM, enhancing emulation software and security software.

Rootkit Attack
Attacker identifies an existing vulnerability in a target system.
After gaining access to a vulnerable system, the attacker can install a rootkit manually.
The rootkit can covertly steal user passwords, credit card information or computing resources, or conduct other unauthorized activities without the knowledge of the administrator.

MODUS OPERANDI
Spyware: modifying software programs for the purpose of infecting them with spyware.
Backdoor: a modification built into a software program on your computer that is not part of the program's original design.
Byte patching: the bytes of a program are laid out in a specific order, and a rootkit can modify them in place.
Source code modification: modifying the code of the PC's software right at the source.

Types of Rootkits
User mode: runs on the computer with administrator privileges.
Kernel mode: installed at the same level as the PC's operating system.
Firmware: creates malcode inside the firmware while your computer is shut down.

Defensive Measures
Proactive: preventing the rootkit from being installed; preventing compromise in the first place.
Reactive: detecting the rootkit after it has been installed; removing the rootkit.

Rootkit Prevention
The first step in preventing rootkits is to run in a less privileged user mode.
Use of the sc command in Windows XP. This locks up the Windows Service database.
Use a HIPS (Host-based Intrusion Prevention System) tool like AntiHook.
Use a tool like Sandboxie, which creates a sandbox-like environment within which we can run any program.

Rootkit Prevention
Cover all the infection vectors.
Refrain from engaging in dangerous activities when logged in as administrator.
Don't read email, browse the Web, or work with documents while logged on at servers interactively or through Windows Terminal Services.
Disable unneeded features and services.
Have the latest antivirus software.

Rootkit Detection
Very difficult, because the rootkit's goal is to hide.
Antivirus products have various levels of success with detecting rootkits.
Boot from a known-good operating system and enumerate your system's contents.
Use a packet sniffer, such as WinDump, or a network firewall.

Types of Rootkit Detection

Alternative trusted medium

Behavioral-based

Signature-based

Difference-based

Integrity checking

Memory dumps
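The integrity-checking and difference-based entries above are the two detection types that are easiest to show in code. The example below is added here and is not from the slides or from any tool they name: it hashes a directory tree into a baseline taken from a known-good state, classifies what changed in a later scan (added, removed, modified), and includes the cross-view comparison that difference-based tools perform, where anything present in a low-level enumeration but absent from the API-level listing is being hidden. The directory layout, the "tampering", and the process-list views are all constructed inside the script.

```python
"""Added example (not from the slides): integrity-based and difference-based
rootkit detection on a constructed directory tree and constructed views."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its hash.
    Symlinks are skipped so a link pointing outside the tree is not followed."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline. Keep this copy off the host it describes."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Integrity check: classify every difference between two scans.
    Added files may be dropped rootkit components, modified files patched
    binaries, and removed files deleted logs or disabled security tools."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def cross_view_hidden(raw_view, api_view):
    """Difference-based (cross-view) check: objects visible in a low-level
    enumeration (raw disk, raw registry hive, /proc) but missing from the
    high-level API listing are being hidden from the API."""
    return sorted(set(raw_view) - set(api_view))


def demo():
    """Constructed scenario: take a baseline of a fake host tree, then apply
    the kind of changes a user-mode rootkit leaves behind and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"          # the tree being protected
        baseline_path = Path(tmp) / "baseline.json"  # stored outside the tree
        (root / "bin").mkdir(parents=True)
        (root / "log").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "log" / "auth.log").write_bytes(b"login records")
        save_baseline(build_baseline(root), baseline_path)

        # constructed tampering: ps replaced, a module dropped, a log removed
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (root / "lib_hidden.so").write_bytes(b"dropped module")
        (root / "log" / "auth.log").unlink()
        report = compare(load_baseline(baseline_path), build_baseline(root))

        # constructed cross-view data: PIDs seen in /proc vs. PIDs the API lists
        report["hidden_pids"] = cross_view_hidden(["1", "42", "1337"], ["1", "42"])
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline and the checker itself belong on the alternative trusted medium from the list above: a kernel-mode rootkit can intercept the reads the hashing routine performs on a live system and return the original bytes, so the scan is only trustworthy when run after booting from a known-good operating system, as the detection slide says.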

Rootkit Removal
Rootkit detection tools -> detect rootkits. Eg: Rootkit Revealer
Rootkit removal tools -> eliminate rootkits from the user's system. Eg: IceSword

Removal
Rebuilding the system is the BEST solution!
Clean the infection: disable the rootkit, boot with a clean CD and remove the rootkit's resources.


THANK YOU!