Rootkits - Clemson
By Tyler Scott
What is a Rootkit
What Rootkits do
The Types of Rootkits
How to remove Rootkits
A set of tools (software) that enables continued privileged access to a computer
Hides its presence from administrators by circumventing standard operating system functionality or other applications
Modern rootkits do not elevate access themselves: the attacker already has privileges, and the rootkit makes the payload undetectable by adding stealth capabilities
Malicious uses
Provide an attacker with a backdoor
Conceal other malware (key loggers, computer viruses)
Create zombie machines (bots)
Enforce digital rights management (the Sony BMG copy-protection rootkit)
Intended uses (installed on behalf of the user)
Conceal cheating in online games from anti-cheat software
Detect attacks (for example in a honeypot)
Anti-theft protection, e.g. LoJack software (a BIOS-based rootkit)
Bypassing Microsoft Product Activation
User-Mode
Kernel-Mode
Bootkits
Hardware/Firmware
User-Mode: limited access
Infects user-level processes
Hooks or overwrites a running process's memory (imported functions, in-memory code) to alter the way the program acts
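The hooking just described, and the cross-view check that catches it, as an added example that is not part of the original presentation. The "rootkit" swaps the pointer an application uses to reach readdir() for a wrapper that filters out directory entries starting with an assumed marker prefix "rk_"; the detector lists the same directory twice, once through the hookable API and once through the raw Linux getdents64 syscall, and reports any entry the API view lacks. The function pointer stands in for an import-table/GOT slot; nothing in libc is modified, and the scratch directory and file names are constructed sample input. Linux only.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by the raw getdents64 syscall (Linux ABI). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define HIDE_PREFIX "rk_"   /* assumed marker: the toy rootkit hides names starting with this */
#define MAX_ENTRIES 64

/* The "application" reaches readdir through this pointer. It stands in for the
 * import-table/GOT slot a user-mode rootkit overwrites; libc itself is untouched. */
static struct dirent *(*readdir_fn)(DIR *) = readdir;

/* Hooked replacement: call the real readdir, but never return entries marked for hiding. */
static struct dirent *hooked_readdir(DIR *dirp)
{
    struct dirent *ent;
    while ((ent = readdir(dirp)) != NULL)
        if (strncmp(ent->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            return ent;
    return NULL;
}
void install_hook(void) { readdir_fn = hooked_readdir; }
void remove_hook(void)  { readdir_fn = readdir; }

/* High-level view: names a program sees through the (possibly hooked) API. Skips dot entries. */
static int list_via_api(const char *path, char names[][256])
{
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *ent;
    while ((ent = readdir_fn(d)) != NULL && n < MAX_ENTRIES)
        if (ent->d_name[0] != '.')
            snprintf(names[n++], 256, "%s", ent->d_name);
    closedir(d);
    return n;
}

/* Low-level view: the same directory read with the raw syscall, bypassing libc entirely. */
static int list_via_syscall(const char *path, char names[][256])
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[4096];
    int n = 0;
    long nread;
    while ((nread = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long pos = 0; pos < nread; ) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + pos);
            if (e->d_name[0] != '.' && n < MAX_ENTRIES)
                snprintf(names[n++], 256, "%s", e->d_name);
            pos += e->d_reclen;
        }
    close(fd);
    return n;
}

/* Cross-view check: how many entries the syscall view has that the API view lacks. */
int count_hidden_entries(const char *path)
{
    char api[MAX_ENTRIES][256], raw[MAX_ENTRIES][256];
    int na = list_via_api(path, api), nr = list_via_syscall(path, raw);
    if (na < 0 || nr < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nr; i++) {
        int seen = 0;
        for (int j = 0; j < na && !seen; j++)
            seen = (strcmp(raw[i], api[j]) == 0);
        hidden += !seen;
    }
    return hidden;
}

/* Constructed sample input: a scratch directory with two ordinary files and one "rk_" file. */
int make_sample_dir(char *out_path, size_t len)
{
    char tmpl[] = "/tmp/rkdemoXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(out_path, len, "%s", tmpl);
    const char *files[] = { "notes.txt", "report.pdf", HIDE_PREFIX "payload" };
    for (int i = 0; i < 3; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", tmpl, files[i]);
        int fd = open(p, O_CREAT | O_WRONLY, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

int main(void)
{
    char dir[256];
    if (make_sample_dir(dir, sizeof dir) != 0) return 1;
    printf("clean:  %d hidden\n", count_hidden_entries(dir));
    install_hook();
    printf("hooked: %d hidden\n", count_hidden_entries(dir));
    return 0;
}
```

The point of the two views is that a user-mode rootkit can only lie to code that goes through the library it hooked; a tool that asks the kernel directly sees the real listing. A kernel-mode rootkit hooking the syscall itself would fool both views, which is why kernel-level checks need an even lower vantage point (offline disk access, or a hypervisor).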
Kernel-Mode: full access to the machine
Infects kernel-level processes, kernel code, drivers, etc.
Alters the way the operating system, and therefore every process running on it, behaves
Bootkits: infect the Master Boot Record (MBR)
Executed before the operating system boots, starting right after the BIOS selects the boot device
Hard to detect: the files reside outside of the standard file system
Persist through the transition into kernel mode, so the infection is already in place when the kernel takes over
Run in Normal Mode and Safe Mode
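Because a bootkit lives in the first sector rather than in any file, the way to check for one is to read that sector directly and compare it against a trusted copy. The following is an added example, not from the original presentation: a parser for the classic 512-byte MBR layout (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, the 0x55 0xAA boot signature), a fingerprint over the boot-code region, and a byte-level diff against a baseline. The sample sector, the disk signature value and the 3-byte jump written by simulate_bootkit_patch() are all constructed for the demonstration; real bootkits differ in detail, but the property being checked is the same: the partition table still parses and the disk still boots, yet the boot code no longer matches what was installed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE         512
#define MBR_BOOTCODE_LEN 440   /* bytes 0..439: boot code */
#define MBR_DISKSIG_OFF  440   /* 4-byte disk signature */
#define MBR_PART_OFF     446   /* four 16-byte partition entries */
#define MBR_SIG_OFF      510   /* 0x55 0xAA boot signature */

struct mbr_partition {
    uint8_t  bootable;    /* 0x80 = active */
    uint8_t  type;        /* partition type ID (0x07 NTFS, 0x83 Linux, 0 = unused) */
    uint32_t lba_start;
    uint32_t sectors;
};

struct mbr {
    uint32_t disk_signature;
    struct mbr_partition part[4];
    int n_used;           /* entries with a non-zero type */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse one 512-byte sector. Returns 0 on success, -1 if the boot signature is missing. */
int mbr_parse(const uint8_t *sec, struct mbr *out)
{
    if (sec[MBR_SIG_OFF] != 0x55 || sec[MBR_SIG_OFF + 1] != 0xAA) return -1;
    memset(out, 0, sizeof *out);
    out->disk_signature = rd32le(sec + MBR_DISKSIG_OFF);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + MBR_PART_OFF + 16 * i;
        out->part[i].bootable  = e[0];
        out->part[i].type      = e[4];
        out->part[i].lba_start = rd32le(e + 8);
        out->part[i].sectors   = rd32le(e + 12);
        if (e[4] != 0) out->n_used++;
    }
    return 0;
}

/* FNV-1a over the boot-code region: a cheap fingerprint to record at install time and
 * recheck later. Not a cryptographic hash; a real tool would store a SHA-256 instead. */
uint32_t mbr_bootcode_fingerprint(const uint8_t *sec)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < MBR_BOOTCODE_LEN; i++) { h ^= sec[i]; h *= 16777619u; }
    return h;
}

/* Number of boot-code bytes that differ between a trusted baseline and the current sector. */
int mbr_bootcode_diff(const uint8_t *baseline, const uint8_t *current)
{
    int n = 0;
    for (int i = 0; i < MBR_BOOTCODE_LEN; i++) n += (baseline[i] != current[i]);
    return n;
}

/* Constructed sample: filler boot stub, a disk signature, one active NTFS partition at LBA 2048. */
void make_sample_mbr(uint8_t *sec)
{
    memset(sec, 0, MBR_SIZE);
    sec[0] = 0xFA; sec[1] = 0x33; sec[2] = 0xC0;          /* cli; xor ax,ax (typical prologue) */
    memset(sec + 3, 0x90, MBR_BOOTCODE_LEN - 3);          /* nop filler for the rest */
    wr32le(sec + MBR_DISKSIG_OFF, 0xDEADBEEF);            /* assumed disk signature */
    uint8_t *e = sec + MBR_PART_OFF;
    e[0] = 0x80; e[4] = 0x07;
    wr32le(e + 8, 2048); wr32le(e + 12, 1048576);
    sec[MBR_SIG_OFF] = 0x55; sec[MBR_SIG_OFF + 1] = 0xAA;
}

/* Stand-in for what a bootkit does to the sector: redirect the first instruction to its own
 * code while leaving the partition table and boot signature untouched so the disk still boots. */
void simulate_bootkit_patch(uint8_t *sec)
{
    sec[0] = 0xE9; sec[1] = 0x00; sec[2] = 0x01;          /* jmp rel16 forward (assumed target) */
}

int main(void)
{
    uint8_t base[MBR_SIZE], cur[MBR_SIZE];
    struct mbr m;
    make_sample_mbr(base);
    memcpy(cur, base, MBR_SIZE);
    simulate_bootkit_patch(cur);
    if (mbr_parse(cur, &m) == 0)
        printf("partition table intact: %d entries, first at LBA %u\n", m.n_used, m.part[0].lba_start);
    printf("boot code bytes changed: %d (fingerprint %08x -> %08x)\n",
           mbr_bootcode_diff(base, cur), mbr_bootcode_fingerprint(base), mbr_bootcode_fingerprint(cur));
    return 0;
}
```

In practice the baseline is captured right after a clean install (the first 512 bytes of the boot disk, read as root) and the check is re-run from boot media, since a running bootkit can intercept disk reads and hand back the clean sector. On UEFI systems the sector holds only a protective MBR and the equivalent check covers the EFI System Partition and firmware boot entries instead.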
Hardware/Firmware: persistent malware images stored in device firmware
Network card
Hard drive
BIOS
Hard to detect because firmware/hardware is not normally scanned for infection
Examples
2008: tampered credit card readers intercepted card data and transmitted it over mobile phone networks in Europe
2009: a BIOS-level Windows rootkit was shown to survive disk replacement and operating system re-installation
Computrace/LoJack: a BIOS-based rootkit preinstalled in the firmware of some laptops, used to trace the location of stolen laptops
Removal is generally very hard, and which step is needed depends on where the rootkit lives
Flash the BIOS (firmware-level rootkits survive everything below this)
Format the hard drive (rewrites the MBR, removing a bootkit)
Install a clean version of the OS
Specialised removal tools (ComboFix, Kaspersky TDSSKiller) handle known user-mode, kernel-mode and bootkit families
References
http://searchmidmarketsecurity.techtarget.com/definition/rootkit
http://en.wikipedia.org/wiki/Rootkit#Hypervisor_level
http://support.kaspersky.com/viruses/solutions?qid=208280748