rootkit -malware
DESCRIPTION
ROOTKIT -MALWARE. Vijay krishnan Avinesh Dupat. ROOTKIT. Collection of tools (programs) that enable administrator-level access to a computer or computer network. The main purpose of a Rootkit is to make unauthorized modifications to the software in your PC. - PowerPoint PPT PresentationTRANSCRIPT
ROOTKIT
ROOTKIT -MALWARE Vijay krishnan Avinesh Dupat
ROOTKIT Collection of tools (programs) that enable administrator-level access to a computer or computer network.
The main purpose of a Rootkit is to make unauthorized modifications to the softwarein your PC
What is it used for?Provide an attacker full access via backdoor techniques.Conceal othermalware.Appropriate the compromised machine as azombie computerfor attacks on other computers.Non Hostile Rootkits-Anti-theft protection, Enforcement of DRM, Enhance emulation software and security software
Rootkit AttackAttacker identifies an existing vulnerability in a target system.
After gaining access to a vulnerable system, the attacker can install a rootkit manually.
Can covertly steal userpasswords,credit cardinformation, computing resources, or to conduct other unauthorized activities without the knowledge of administrator
MODUS OPERANDISpyware : Modifying software programs for the purpose of infecting it with spyware.
Backdoor :Modification that is built into a software program in your computer that is not part of the original design of the program
Byte Patching :Bytes are constructed in a specific order which can be modified by a rootkit
Source code modification :modifying the code in the PC's software right at the main source
Types of RootkitsUser mode :run on a computer through administrator privileges
Kernel mode :Installed at the same level as the PCs operating system
Firmware :Create malcode inside the firmware while you computer is shut down
Defensive MeasuresProactivePreventing the rootkit from being installedPreventing compromise in the first place
ReactiveDetecting the Rootkit after it has been installedRemoval of the Rootkit
Rootkit PreventionThe first step in prevention of Rootkit is to run inless privileged user mode.Use of thesccommand in Windows XP. This locks up the Windows Service database.UseHIPS(Host based Intrusion Prevention System) tool like AntiHookUse a tool like Sandboxie which creates a sandbox like environment within which we can run any program
RootKit PreventionCover all the infection vectorsRefrain from engaging in dangerous activities when logged in as administrator.Don'treademail, browse the Web, or work with documents while logged on at servers interactively or through Windows Terminal ServicesDisable unneeded features and serviceHave the latest Anti virus software
Rootkit DetectionVery Difficult because Rootkits goal is to hide Antivirus products that have various levels of success with detecting rootkits.Enumerate your system's contents and boot up using a known-good operating system.Use of a packet sniffer, such asWinDump, or a network firewall
Types of Rootkit DetectionAlternative trusted medium
Behavioral-based
Signature-based
Difference-based
Integrity checking
Memory dumps
RootKit RemovalRootkit Detection tools -> Detect Rootkits Eg : Rootkit Revealer
Rootkit Removal tools -> Eliminates Rootkits from the users system Eg : IceSword
RemovalRebuilding the System is the BEST solution!
Clean the infectionDisable rootkitBoot with clean CD and remove rootkits resources
Referenceshttp://www.spamlaws.com/how-rootkits-work.htmlwww.en.wikipedia.orghttp://swatrant.blogspot.com/2006/02/rootkit-detection-removal-and.htmlhttp://www.dba-oracle.com/forensics/t_forensics_network_attack.htmhttp://technet.microsoft.com/en-us/library/cc512642.aspxhttp://www.windowsitpro.com/article/antivirus/defending-against-rootkits.aspx
THANK YOU!