Mathieu Castets October 17th, 2012. What is a rootkit? History Uses Types Detection Removal ...


Page 1: Mathieu Castets October 17th, 2012.  What is a rootkit?  History  Uses  Types  Detection  Removal  References 2/11.

Mathieu Castets

October 17th, 2012

Page 2:

What is a rootkit?

History

Uses

Types

Detection

Removal

References

Page 3:

Attackers need root-level access to install a rootkit

Software that hides itself and allows intruders to maintain privileged access

Lets the intruder remotely run commands or extract information

« root »: the traditional name of the privileged account on UNIX

« kit »: the software components that implement the tool

Page 4:

In 1986, the first virus, called « Brain virus », was discovered; it used cloaking techniques to hide itself

UNIX: in 1990, written by Lane Davis and Steven Dake

Windows NT: in 1999, NTRootkit

Mac OS X: in 2009

Page 5:

In 2005, Sony BMG published CDs with copy protection and DRM

The software silently installed a rootkit

To cloak itself, the rootkit hid from the user any file starting with $sys$

Software engineer Mark Russinovich discovered it on one of his computers

In 2006, Sony BMG released patches to uninstall the rootkit


Page 6:

Provide an attacker with full access

Hide other malware

Appropriate the compromised machine as a zombie computer

Enforcement of digital rights management (DRM)

Hide cheating in online games

Enhance emulation software and security software

Bypassing Windows Product Activation

Page 7:

Two groups:

Kernel mode/integration: patches the system; detection can be complicated; the most dangerous kind

Application level: replaces original executable files; modifies the behavior of applications

Page 8:

Alternative trusted medium: shut down the computer and check its storage by booting the system from an alternative trusted medium, so the rootkit's own code is not running while the disk is inspected

Behavioral-based: analysing system behaviour such as application calls and CPU utilisation

The other detection methods we can use are:

Signature-based

Difference-based

Integrity checking

Memory dumps

Page 9:

Manual removal of a rootkit is often too difficult for a typical computer user

In 2005, Microsoft's monthly Malicious Software Removal Tool became able to detect and remove some classes of rootkits

However, the only reliable way to remove all rootkits is to re-install the operating system
