Page 1
Rootkits
Jonathan Barella, Chad Petersen
Page 2
Overview
• What are rootkits
• How do rootkits work
• How to detect rootkits
• How to remove rootkits
Page 3
What is a Rootkit, and how does it work
Jonathan Barella
Page 4
What are rootkits?
• A rootkit is a small, sophisticated piece of support software that can enable malicious software to run on the compromised computer
• Commonly associated with spies because of the common goals they share
• Used in almost every modern piece of malware in the wild today
Page 5
What are rootkits?
• Broadly defined by Symantec as “any software that acquires and maintains privileged access to the Operating System (OS) while hiding its presence by subverting normal OS behavior”
• Designed with three main objectives
  • Run
  • Hide
  • Act
Page 6
How do rootkits work? Subverting Normal OS Behavior
• Vulnerabilities
  • Operating System
  • Applications
• Exploits
  • Java
  • HTML/Scripting
• Social Engineering
  • Spam
  • Downloading
  • Installation
Page 7
How do rootkits work? Hooking Operating System APIs
Page 8
How do rootkits work? Hiding in Unused Space on the Compromised System
Page 9
How do rootkits work? Infect the Master Boot Record (MBR)
Page 10
How do rootkits work?
Page 11
How do rootkits work?
This is the ultimate goal: to be hidden from the system's view.
Page 12
Finding And Removing Rootkits
Chad Petersen
Page 13
Detection Methods
• Behavioral
• Integrity
• Signature
• Difference
Page 14
Behavioral Detection
• Pros
  • Can detect unknown rootkits
• Cons
  • Requires “normal” history
  • Not easy to use
  • False positives
Page 15
Integrity Detection
• Pros
  • Know what files change
  • When files change
  • What changes files
• Cons
  • Requires many updates
  • Rootkit can seed itself in update
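An added example, not from the slides, of the integrity approach described above: a baseline of file hashes is taken from a known-clean tree, later scans are compared against it, and the report says exactly which files were added, removed or modified. Because the slide notes that a rootkit can seed itself into an update, the manifest is also HMAC-signed with a key that is assumed to be kept off the monitored host, so an altered manifest is rejected rather than trusted. All paths, file contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption for the demo: the signing key lives off the monitored host (read-only media,
# a management station), so an attacker with root on the host cannot re-sign a manifest.
DEMO_KEY = b"constructed-demo-key-keep-off-host"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash and size for every regular file under root (the known-good snapshot)."""
    return {
        p.relative_to(root).as_posix(): {"sha256": hash_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise the manifest and append an HMAC so later tampering is detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the manifest; refuse it otherwise."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline manifest failed integrity check")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, simulate changes, report the difference."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps (constructed)")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        signed = sign_baseline(build_baseline(root), DEMO_KEY)

        # Simulated later activity: one binary replaced, one file added, one file removed.
        (root / "bin" / "ps").write_bytes(b"replaced ps (constructed)")
        (root / "bin" / "netstat").write_bytes(b"new file (constructed)")
        (root / "etc" / "hosts").unlink()
        report = compare(load_baseline(signed, DEMO_KEY), build_baseline(root))

        # A manifest altered without the key must be rejected, not silently trusted.
        forged = bytearray(signed)
        forged[0] ^= 0x01
        try:
            load_baseline(bytes(forged), DEMO_KEY)
            report["tamper_rejected"] = False
        except ValueError:
            report["tamper_rejected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "requires many updates" con from the slide shows up here as the need to re-baseline after every legitimate package update; doing that from a trusted state, and signing the new manifest with the off-host key, is what keeps the rootkit from riding along in the refresh.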
Page 16
Signature Based Detection
• Pros
  • Reliably find known kits
  • Easy to use
  • Few false positives
• Cons
  • Large number of updates
  • Does not detect new kits
Page 17
Diff Based Detection
• Pros
  • Good at finding anomalies in any system
• Cons
  • Does not work well if the scan is run on an infected system
  • Must have knowledge to decipher flagged programs
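An added example, not from the slides, tying together the API-hooking slide and the difference-based detection slide: a rootkit that hooks the normal OS interface hides objects from the high-level view, so a defender compares that view with a raw view obtained by an independent path and treats anything present only in the raw view as hidden. The process IDs and file names are constructed; the "raw" views stand in for a source such as an offline disk image or a trusted-boot scan, since, as the slide notes, a raw view taken on the infected system may itself be subverted.

```python
from typing import Iterable

def cross_view_diff(api_view: Iterable, raw_view: Iterable) -> dict:
    """Compare what the normal (hookable) interface reports with an independent raw view."""
    api, raw = set(api_view), set(raw_view)
    return {
        "hidden": sorted(raw - api),   # exists on the system, absent from the API view
        "phantom": sorted(api - raw),  # reported by the API, not found in the raw view
    }

def stable_hidden(api_snapshots: list, raw_view: Iterable) -> list:
    """Keep only objects missing from every API snapshot.

    Short-lived processes that exit or start between snapshots produce one-off
    differences; this is part of the 'knowledge to decipher flagged programs'
    the slide mentions, and repeated snapshots remove most of that noise.
    """
    hidden = set(raw_view)
    for snap in api_snapshots:
        hidden -= set(snap)
    return sorted(hidden)

# Constructed process-table views. The raw view is assumed to come from an
# independent path (offline image, trusted boot media), not the running API.
API_SNAPSHOT_1 = {101, 102, 103, 104}
API_SNAPSHOT_2 = {101, 102, 104, 105}        # 103 exited, 105 started in between
RAW_PROCESSES = {101, 102, 103, 104, 105, 666}  # 666 never shows up through the API

# Constructed file-system views: a directory listing versus a raw walk of the volume.
API_FILES = {"/tmp/a", "/tmp/b"}
RAW_FILES = {"/tmp/a", "/tmp/b", "/tmp/.hidden"}

def demo() -> dict:
    """Run the comparison on the constructed views and return what would be flagged."""
    single = cross_view_diff(API_SNAPSHOT_2, RAW_PROCESSES)
    return {
        "processes": {
            "single_snapshot_hidden": single["hidden"],   # includes the race artefact 103
            "stable_hidden": stable_hidden([API_SNAPSHOT_1, API_SNAPSHOT_2], RAW_PROCESSES),
        },
        "files": cross_view_diff(API_FILES, RAW_FILES),
    }

if __name__ == "__main__":
    print(demo())
```

A single snapshot flags both 103 and 666, but only 666 survives across snapshots, which is the candidate worth investigating; the file comparison shows the same idea applied to a directory listing.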
Page 18
Be Vigilant
• Lastly, the user can sometimes tell when something is amiss
  • Network traffic spike
  • Large decrease in performance
• Rootkits can infect user files, kernel files, the boot loader, a hypervisor, and hardware firmware
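An added example, not from the slides, for the behavioral detection slide and the network-traffic-spike point above: hourly traffic volumes from a clean period form the “normal” history, a robust profile (median and median absolute deviation) is built from it, and later observations far outside that profile are flagged. The threshold constant, the minimum history length and all traffic figures are constructed for the demo; the too-short-history check illustrates the slide's "requires normal history" con, and the threshold is the knob that trades missed detections against the false positives the slide warns about.

```python
import statistics

MIN_HISTORY = 8        # assumption: fewer clean samples than this is not a usable profile
K_THRESHOLD = 6.0      # assumption: deviations beyond K scaled-MADs are anomalies

def baseline_profile(history: list) -> tuple:
    """Median and scaled MAD of the clean-period history (robust to a few outliers)."""
    if len(history) < MIN_HISTORY:
        raise ValueError("not enough 'normal' history to build a profile")
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    scale = 1.4826 * mad                     # MAD scaled to be comparable with a std. dev.
    scale = max(scale, 0.01 * abs(med))      # avoid a zero scale on perfectly flat history
    return med, scale

def flag_anomalies(observations: list, profile: tuple, k: float = K_THRESHOLD) -> list:
    """Return (index, value) for every observation farther than k scales from the median."""
    med, scale = profile
    return [(i, x) for i, x in enumerate(observations) if abs(x - med) > k * scale]

def demo() -> dict:
    """Constructed MB/hour figures: a clean week-ish of history, then a spike."""
    history = [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 50]
    profile = baseline_profile(history)
    observed = [50, 54, 900, 49]           # 54 is ordinary jitter; 900 is the spike
    flagged = flag_anomalies(observed, profile)
    try:
        baseline_profile(history[:3])      # too little history: refuse, do not guess
        too_short_rejected = False
    except ValueError:
        too_short_rejected = True
    return {"median": profile[0], "flagged": flagged, "too_short_rejected": too_short_rejected}

if __name__ == "__main__":
    print(demo())
```

If the history window already contains the compromise, the profile absorbs the attacker's traffic and the spike stops looking abnormal, which is why the slides pair this method with the other three rather than relying on it alone.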
Page 19
Steps Once Identified
• Quarantine
  • Encryption
  • Permissions
• Decide
  • Repair or delete
Page 20
Q&A