Vijay Krishnan, Avinesh Dupat: ROOTKIT - MALWARE

Upload: charity-wilkerson

Post on 29-Dec-2015


Page 1: Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators

Vijay Krishnan

Avinesh Dupat

ROOTKIT - MALWARE

Page 2:

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications

The main purpose of a rootkit is to make unauthorized modifications to the software on your PC.

ROOTKIT

Page 3:

Provide an attacker full access via backdoor techniques.

Conceal other malware.

Appropriate the compromised machine as a zombie computer for attacks on other computers.

Non-hostile rootkits: anti-theft protection, enforcement of DRM, enhancing emulation software and security software.

What is it used for?

Page 4:

Attacker identifies an existing vulnerability in a target system.

After gaining access to the vulnerable system, the attacker can install a rootkit manually.

The rootkit can covertly steal user passwords, credit card information or computing resources, or conduct other unauthorized activities without the knowledge of the administrator.

Rootkit Attack

Page 5:

Spyware: Modifying software programs for the purpose of infecting them with spyware.

Backdoor: A modification built into a software program on your computer that is not part of the program's original design.

Byte patching: Bytes are arranged in a specific order, which a rootkit can modify.

Source code modification: Modifying the code of the PC's software right at the source.

MODUS OPERANDI

Page 6:

User mode: Runs on the computer using administrator privileges.

Kernel mode: Installed at the same level as the PC's operating system.

Bootkits: A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems.

Firmware: Malcode placed inside the firmware, which stays in place even while your computer is shut down.

Types of Rootkits

Page 7:

Proactive: Preventing the rootkit from being installed; preventing compromise in the first place.

Reactive: Detecting the rootkit after it has been installed; removal of the rootkit.

Defensive Measures

Page 8:

The first step in preventing rootkits is to run in a less privileged user mode.

Use the sc command in Windows XP, which locks down the Windows Service database.

Use a HIPS (Host-based Intrusion Prevention System) tool like AntiHook.

Use a tool like Sandboxie, which creates a sandbox-like environment within which any program can be run.

Rootkit Prevention

Page 9:

Very difficult, because the rootkit's goal is to hide.

Antivirus products have various levels of success with detecting rootkits.

Enumerate your system's contents after booting up using a known-good operating system.

Use a packet sniffer, such as WinDump, or a network firewall.

Rootkit Detection

Page 10:

Alternative trusted medium

Behavioral-based

Signature-based

Difference-based

Integrity checking

Memory dumps

Types of Rootkit Detection
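The difference-based approach in the list above compares two views of the same system and treats anything present only in the low-level view as suspicious. The script below is an added example, not code from the original slides: it applies that idea to hidden processes on Linux, comparing the PIDs returned by enumerating /proc (what ordinary tools see) with the PIDs found by probing every /proc/<pid> path directly, and filters out thread IDs, which legitimately exist under /proc without being listed.

```python
"""Difference-based (cross-view) detection of hidden processes.

Added example, not part of the original slides. A rootkit that hooks
directory enumeration can hide a process from ``ls /proc`` (the high-level
view) but not from a direct probe of each ``/proc/<pid>`` path (the
low-level view). PIDs present only in the low-level view are suspicious.
The collectors assume a Linux procfs; compare_views() is pure set logic.
"""
import os

PROC = "/proc"


def high_level_view():
    """PIDs a normal tool sees: the entries returned by enumerating /proc."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}


def is_process_leader(pid):
    """Filter the known false positive: /proc/<tid> exists for every thread
    but is never listed, so only count entries whose Tgid equals the pid."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass  # exited between the probe and the read: not a process
    return False


def low_level_view(max_pid=None):
    """Probe /proc/<pid> directly for every possible PID, bypassing readdir."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(f"{PROC}/{pid}") and is_process_leader(pid)}


def compare_views(high, low):
    """Return PIDs in the low-level view that are missing from the high-level one."""
    return sorted(low - high)


def scan(max_pid=None):
    """Take the high view before and after the slow low view, so a process
    that merely started during the scan is not reported as hidden."""
    first = high_level_view()
    candidates = compare_views(first, low_level_view(max_pid))
    return [pid for pid in candidates if pid not in high_level_view()]


if __name__ == "__main__":
    print("hidden PIDs:", scan())
```

A full scan walks every PID up to pid_max and can take tens of seconds in Python; pass a smaller max_pid to scan() when experimenting.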

Page 11:

Rootkit detection tools -> detect rootkits. Eg: RootkitRevealer

Rootkit removal tools -> eliminate rootkits from the user's system. Eg: IceSword

Rootkit Removal

Page 12:

Rootkit Revealer

Page 13:

IceSword

Page 14:

Rebuilding the System is the BEST solution!

Clean the infection: disable the rootkit, boot with a clean CD and remove the rootkit's resources.

Removal

Page 16:

THANK YOU!