How an attacker can maintain control over their victim’s system without being discovered.


Transcript of How an attacker can maintain control over their victim’s system without being discovered.


Rootkits

What is a Rootkit?

• A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence[1].

The keyword to remember for a rootkit is undetectable, and the most common purposes for a rootkit are sustained access and eavesdropping.

Some History

• Early 1990’s – Internet becomes popular

• 1st Generation rootkits- Replaced potential tattletale binaries (e.g. netstat, ls)

• Easy to detect- Compare the hashes of the original binary with the current one.

• First rootkits were mostly written for Unix based systems (hence rootkit, instead of Administratorkit)

• 1999- NTRootkit, an early Windows rootkit

• Rootkits did not really become part of security admin vernacular until the mid 2000’s

• Kicked off an arms race- rootkit developers vs detection/prevention measures

Main things to hide

• Processes

• Files

• Network Connections

• Also: Various system statistics (e.g. CPU percentage)

Current mindset on rootkits:

• Uh oh, you have a rootkit?

This mindset solves nothing (Zen quote)

Small POC (proof of concept)

The Hello World of Rootkits

What’s going on?

What’s going on in a userland rootkit?

• Hooking- Overwriting the target function so that it acts in favor of the rootkit

• Example 1- Overwrite the legitimate function in memory

• Example 2- Overwrite the legitimate function’s address in the IAT (Import Address Table) so that it points to the rootkit’s custom function instead

What’s going on in a kernel rootkit?

Similar concept, but different memory spaces, tables, functions…

CODE

Detecting the Invisible

• Detecting a Presence

  • Guard the Doors- Think intrusion detection

  • Roaming Guard- Periodic system scans

• Detecting Behavior

  • Sysinternals RootkitRevealer example

• Live Detections-

  • RootkitRevealer

  • GMER- Free, GNU-based.

  • Helios- Behavioral analysis (can be used to detect many forms of malware)

  • Sophos Anti-Rootkit- Free. Scans for other forms of malware. Can scan a network, not just a single host.

• If a kernel rootkit is suspected-

  • Need to analyze the system under a kernel debugger (kd.exe)
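RootkitRevealer’s cross-view approach, as an added example that is not part of the slides: take a high-level listing of some object (here, processes), take a low-level view of the same thing through a different path, and flag anything that appears only in the low-level view. The slides refer to the Windows API versus raw disk/registry; this example applies the same idea on Linux, where the /proc directory listing (what ps and top use, and what a hooked readdir would filter) is compared against a direct kill(pid, 0) probe of every PID. The function names are this example’s own.

```python
import os


def cross_view_diff(high_level, low_level):
    """Objects visible in the low-level view but missing from the high-level one.

    A rootkit that hooks the call behind the high-level listing rarely
    alters every other path to the same information; the discrepancy is the tell."""
    return sorted(set(low_level) - set(high_level))


def pids_from_listing():
    """High-level view: PIDs as enumerated by reading the /proc directory."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_probe(max_pid):
    """Low-level view: ask the kernel about every PID directly.

    kill(pid, 0) sends no signal. ProcessLookupError (ESRCH) means no such
    process; PermissionError (EPERM) means it exists but is not ours."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def find_hidden_processes(max_pid=None):
    """Report PIDs the kernel knows about that never showed up in the /proc listing.

    The listing is taken both before and after the probe so that processes
    started or exited during the scan are not reported as hidden."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = pids_from_listing()
    probed = pids_from_probe(max_pid)
    after = pids_from_listing()
    return cross_view_diff(before | after, probed)


if __name__ == "__main__":
    hidden = find_hidden_processes()
    print("PIDs hidden from /proc listing:", hidden if hidden else "none")
```

On a clean system the result is an empty list; a PID that answers the probe but is absent from both directory listings is worth following up with the kernel-level tools the slides mention.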

End notes

• Still need to nuke system from orbit

• Questions?