Slide 1

Slide 2

Vijay krishnan Avinesh Dupat

Slide 3

Collection of tools (programs) that enable administrator-level access to a computer or computer network. The main purpose of a Rootkit is to make unauthorized modifications to the software in your PC

Slide 4

Provide an attacker full access via backdoor techniques. Conceal other malware. Appropriate the compromised machine as a zombie computer for attacks on other computers. Non Hostile Rootkits-Anti-theft protection, Enforcement of DRM, Enhance emulation software and security software

Slide 5

Attacker identifies an existing vulnerability in a target system. After gaining access to a vulnerable system, the attacker can install a rootkit manually. Can covertly steal user passwords, credit card information, computing resources, or to conduct other unauthorized activities without the knowledge of administrator

Slide 6

Spyware : Modifying software programs for the purpose of infecting it with spyware. Backdoor :Modification that is built into a software program in your computer that is not part of the original design of the program Byte Patching :Bytes are constructed in a specific order which can be modified by a rootkit Source code modification :modifying the code in the PC's software right at the main source

Slide 7

User mode :run on a computer through administrator privileges Kernel mode :Installed at the same level as the PCs operating system Firmware :Create malcode inside the firmware while you computer is shut down

Slide 8

Proactive Preventing the rootkit from being installed Preventing compromise in the first place Reactive Detecting the Rootkit after it has been installed Removal of the Rootkit

Slide 9

The first step in prevention of Rootkit is to run in less privileged user mode. Use of the sc command in Windows XP. This locks up the Windows Service database. Use HIPS (Host based Intrusion Prevention System) tool like AntiHook Use a tool like Sandboxie which creates a sandbox like environment within which we can run any program

Slide 10

Cover all the infection vectors Refrain from engaging in dangerous activities when logged in as administrator. Don't read email, browse the Web, or work with documents while logged on at servers interactively or through Windows Terminal Services Disable unneeded features and service Have the latest Anti virus software

Slide 11

Very Difficult because Rootkits goal is to hide Antivirus products that have various levels of success with detecting rootkits. Enumerate your system's contents and boot up using a known-good operating system. Use of a packet sniffer, such as WinDump, or a network firewall

Slide 12

Alternative trusted medium Behavioral-based Signature-based Difference-based Integrity checking Memory dumps

Slide 13

Rootkit Detection tools -> Detect Rootkits Eg : Rootkit Revealer Rootkit Removal tools -> Eliminates Rootkits from the users system Eg : IceSword

Slide 14

Rebuilding the System is the BEST solution! Clean the infection Disable rootkit Boot with clean CD and remove rootkits resources

Slide 15

http://www.spamlaws.com/how-rootkits- work.html http://www.spamlaws.com/how-rootkits- work.html www.en.wikipedia.org www.en.wikipedia.org http://swatrant.blogspot.com/2006/02/rootkit- detection-removal-and.html http://swatrant.blogspot.com/2006/02/rootkit- detection-removal-and.html http://www.dba- oracle.com/forensics/t_forensics_network_attack. htm http://www.dba- oracle.com/forensics/t_forensics_network_attack. htm http://technet.microsoft.com/en- us/library/cc512642.aspx http://technet.microsoft.com/en- us/library/cc512642.aspx http://www.windowsitpro.com/article/antivirus /defending-against-rootkits.aspx http://www.windowsitpro.com/article/antivirus /defending-against-rootkits.aspx

Slide 16

THANK YOU!