Transcript Rootkits

Students: Jacek Czeszewski and
Marcos Verdini Rosa
Professor: José Manuel Magalhães Cruz
o Introduction
o How a rootkit works
o Detection
o Preventing and Removing
o Attack damage
o References
A rootkit is a suite of one or more programs that allows a third party to hide files and activities from the

The original intent of rootkits (1996) appears to have centered simply on hiding programs that would allow an attacker to "sniff" or spy on traffic going to and from a computer.
Uses of rootkits include:
o Providing an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents.
o Concealing other malware, notably password-stealing key loggers and computer viruses.
o Appropriating the compromised machine as a zombie computer for attacks on other computers.
o Enforcement of digital rights management (DRM).
o Concealing cheating in online games.
o Detecting attacks, for example, in a honeypot.
o Enhancing emulation software and security software.
o Anti-theft protection.
o Bypassing Microsoft Product Activation.
Types of rootkits, by the level at which they run:
o User mode
o Kernel mode
o Bootkits
o Hypervisor level
o Hardware/Firmware
User mode
o Runs in Ring 3
o Many installation vectors
o Made to execute inside any target process, or to overwrite the memory of a target application
Kernel mode
o Runs in Ring 0
o Adds code to, or replaces portions of, the core operating system, including both the kernel and associated device drivers
o Has unrestricted access: code at Ring 0 is not subject to the security checks the OS enforces on user-mode code, so it can alter what every process sees
Bootkits
o Allow the malicious program to be executed before the operating system boots
o Cannot be detected by standard means of an operating system because all their components reside outside of the standard file system
Hypervisor level
o Uses hardware virtualization to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it
o Does not have to load before the OS: the already running OS is moved underneath the hypervisor
Hardware/Firmware
o Hidden in the BIOS, a network card, etc.
o Removal means replacing the infected hardware (or reflashing its firmware from a trusted image); reinstalling the operating system does not touch it
o Could be hidden outside the computer, for example in the network
How a rootkit works
o Physical access to the target system
o Privilege escalation
o Obscures its presence from security tools
o Modifies the behavior of OS core parts
o Loads code into other processes
Stoned is the name of a boot sector computer virus created in 1987, apparently in New Zealand. It was one of the very first viruses.

Stoned Bootkit (2010) reuses the name: a memory-resident bootkit that stays active up to the Windows kernel, with
o Boot applications executed on startup
o Drivers executed beside the Windows kernel

"Your PC is now Stoned!" (1987)
"Your PC is now Stoned! ..again" (2010)
Windows Boot Process
o The Windows boot system assumes an already secure environment when starting, so code that runs before it is trusted implicitly

Hooking and Patching
o Interrupt 13h (BIOS disk services) hooked
o Ntldr hooked to call 32-bit code and to patch the code integrity verification
o Patching the NT kernel
o Executing payloads (drivers)

Infection vectors
o Live CD
o Infected PDF
Detection techniques:
o Signature-Based Detection
o File Integrity Monitoring
o Cross-View Analysis
o Hooking Detection
o Heuristics-Based Detection
o Network-Based Detection
3.1 Signature-Based Detection
o Analyze a known rootkit to define its fingerprint
o Integrate the fingerprint into the scanner's database
o Use the fingerprint to detect that rootkit on other systems
Only rootkits that have already been analyzed can be found this way.
3.2 File Integrity Monitoring
Calculates cryptographic hashes for critical, unchanging operating system files and compares them to known values that are stored in a database. The baseline must be taken from a known-clean system and the database kept where the rootkit cannot alter it.
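The following is an added example of the hash-baseline check described above; it is not code from the slides. The three monitored files are constructed in a temporary directory to stand in for critical system files, and the "rootkit" activity is simulated by rewriting one and deleting another.

```python
# Added example (not from the slides): file integrity monitoring with a
# hash baseline. The monitored files are constructed in a temp directory
# to stand in for critical OS files such as the kernel image and /bin/ls.
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """The 'known values' database: {path: digest}, taken on a clean system."""
    return {p: hash_file(p) for p in paths}


def verify(baseline):
    """Re-hash every monitored file and report what no longer matches.
    Returns {path: 'modified' | 'missing'}; an empty dict means all clean."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif hash_file(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: baseline three files, then simulate a rootkit
    trojaning 'ls' (to hide its own files) and deleting 'ps'."""
    workdir = tempfile.mkdtemp()
    files = {}
    for name, content in (("vmlinuz", b"kernel image"),
                          ("ls", b"list files"),
                          ("ps", b"process status")):
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(content)
        files[name] = path

    baseline = build_baseline(files.values())
    assert verify(baseline) == {}  # clean right after baselining

    with open(files["ls"], "wb") as f:
        f.write(b"list files, except the rootkit's")
    os.remove(files["ps"])

    return {os.path.basename(p): status
            for p, status in verify(baseline).items()}


if __name__ == "__main__":
    print(demo())  # {'ls': 'modified', 'ps': 'missing'}
```

The check only sees what the file-system API returns: a kernel-mode rootkit that hooks file reads can hand the checker the original bytes while the trojaned file is what actually executes. Running the comparison from trusted boot media, or reading the raw disk as some scanners do, closes that gap.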
3.3 Cross-View Analysis
Looks at the system from the high-level "user" or API view (process lists, directory listings, as returned by the operating system's API) and compares it to the actual low-level view (the kernel's own data structures, or the raw disk). Anything present at the low level but missing from the API view has been hidden.
3.4 Hooking Detection
On a clean system every entry of a dispatch table (system call table, interrupt descriptor table) points into a known address range, the kernel image. When the rootkit modifies a hook to point to a malicious service or interrupt routine, the memory location almost invariably is located outside this specific range of the "clean" system, and is easily detected.
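An added example of the range check just described (not from the slides). The kernel text range and the system call table snapshot are constructed; on a real system the table would be read from kernel memory and the clean range taken from the kernel's symbol map.

```python
# Added example (not from the slides): range check for hooked dispatch-table
# entries. All addresses and the table contents are constructed.

# Text segment of the clean kernel image, [start, end).
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF81E00000)

# Constructed snapshot of a system call table on a system where a rootkit
# hooks the two calls it needs to hide its files and protect its process.
SYSCALL_TABLE = {
    "read":       0xFFFFFFFF812A0010,
    "write":      0xFFFFFFFF812A0230,
    "getdents64": 0xFFFFFFFFC0A01120,  # outside the kernel image: hooked
    "open":       0xFFFFFFFF812B1000,
    "kill":       0xFFFFFFFFC0A01350,  # outside the kernel image: hooked
}


def in_range(addr, rng):
    lo, hi = rng
    return lo <= addr < hi


def find_hooked(table, kernel_text, allowed_modules=()):
    """Return {name: address} for every entry that points outside the clean
    kernel text. allowed_modules lists (lo, hi) ranges of drivers that
    legitimately own a handler; leave it empty for the strict check."""
    allowed = [kernel_text, *allowed_modules]
    return {name: addr for name, addr in table.items()
            if not any(in_range(addr, r) for r in allowed)}


def demo():
    return find_hooked(SYSCALL_TABLE, KERNEL_TEXT)


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: handler at {addr:#x} is outside the kernel image")
```

The check catches table hooks only. An inline hook, which overwrites the first bytes of the legitimate handler with a jump, leaves the table entry inside the clean range; finding it means comparing the handler's code in memory against the on-disk kernel image, which is file integrity monitoring applied to memory.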
3.5 Heuristics-Based Detection
Heuristics-based detection attempts to classify behavior as malicious according to certain pre-determined rules (for example, a process that hides from enumeration or a driver that patches kernel code). It can flag rootkits that have no known signature, at the cost of false positives.
3.6 Network-Based Detection
The system periodically sends a snapshot of its network traffic and open ports to a trusted gateway for verification. The gateway compares this data with its "external" view of the system's network activity; a connection or listening port the host does not report is being hidden from it.
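Cross-view analysis (3.3) and network-based detection (3.6) are the same comparison applied to different data, so one added example serves both; it is not code from the slides. The process lists and port sets are constructed to simulate a rootkit hiding one process from the API and one listener from the host's own reporting.

```python
# Added example (not from the slides): cross-view comparison used by both
# 3.3 (process view) and 3.6 (network view). All views are constructed.


def cross_view_diff(high_level, low_level):
    """Compare two views of the same objects.
    hidden: present in the low-level/external view only (what a rootkit hides).
    phantom: present in the high-level view only, usually a race (the object
    went away between the two enumerations), so it is reported separately."""
    hidden = sorted(set(low_level) - set(high_level))
    phantom = sorted(set(high_level) - set(low_level))
    return hidden, phantom


def confirm(enumerate_high, enumerate_low, rounds=2):
    """Only report objects hidden on every one of `rounds` consecutive scans,
    so a process that exits mid-scan is not mistaken for a hidden one."""
    hidden = None
    for _ in range(rounds):
        found, _ = cross_view_diff(enumerate_high(), enumerate_low())
        hidden = set(found) if hidden is None else hidden & set(found)
    return sorted(hidden)


# 3.3: process IDs as returned by the OS API (what a task manager shows)
# versus what you find by walking the kernel's process list directly.
API_PIDS = {4: "System", 512: "svchost.exe", 1337: "explorer.exe"}
KERNEL_PIDS = {4: "System", 512: "svchost.exe", 1337: "explorer.exe",
               666: "rk.exe"}

# 3.6: listening ports the host reports to the gateway versus the ports
# the gateway observed the host actually answering on.
HOST_PORTS = {22, 80, 443}
GATEWAY_PORTS = {22, 80, 443, 31337}


def hidden_processes():
    hidden, _ = cross_view_diff(API_PIDS, KERNEL_PIDS)
    return {pid: KERNEL_PIDS[pid] for pid in hidden}


def hidden_ports():
    hidden, _ = cross_view_diff(HOST_PORTS, GATEWAY_PORTS)
    return hidden


if __name__ == "__main__":
    print("hidden processes:", hidden_processes())  # {666: 'rk.exe'}
    print("hidden ports:", hidden_ports())          # [31337]
```

The low-level enumeration is what the technique depends on: it has to bypass the hooked API, by walking kernel structures, reading the raw disk, or, for the network case, observing from a separate machine the rootkit cannot reach.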
Prevention:
o Operating system updates
o Automatic updates
o Personal firewalls
o Host-based intrusion prevention
o Rootkit prevention techniques
A number of security-software vendors offer tools to automatically detect and remove some rootkits.
Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit, and read the raw disk instead.
Some experts believe that the only reliable way to remove a rootkit is to re-install the operating system from trusted media, since a compromised system cannot be trusted to report its own state.
In some cases (firmware rootkits) the only option is to replace hardware.
Home Users
o Stealing identity and private information
o Turning home users' computers into zombies
o Loss of time, money and confidence

Enterprise and Government
o Loss of confidential information, theft of intellectual property
o Loss of reputation and customer trust
o Additional costs of purchasing, installing, and administering security measures
o Increased system complexity
References
o Stallings & Brown - Computer Security: Principles and Practice
o Thomas Martin Arnold - A comparative analysis of rootkit detection techniques
o Ric Vieler - Professional Rootkits