Rootkits
What is a rootkit?
 a collection of software used by an attacker to keep privileged (root/administrator) access to a
compromised machine while hiding its own presence
 commonly used to hide other forms of malware (files, processes, network connections) from the user
and from security tools.
What does it do?
 allows someone, either legitimate or malicious, to maintain command and
control over a computer system without the system's user knowing about it.
 the owner of the rootkit can execute files and change the system configuration on
the target machine.
 can read log files or monitor activity to covertly spy on the user's computer
usage.
 **There are legitimate uses for rootkit techniques too (some copy-protection and anti-cheat software
hooks the operating system in exactly the same way).
How does it work?
 a rootkit is usually just one component of what is called a blended threat.
 Blended threats typically consist of three pieces of code:
1. a dropper
2. a loader
3. the rootkit itself.
 The dropper is the code that gets the rootkit's installation started, typically by tricking the user
into running it.
 Once run, the dropper launches the loader and then deletes itself to cover its tracks.
 the loader is the stage that obtains the privileges the rootkit needs, often by exploiting a
vulnerability such as a buffer overflow, and then loads the rootkit into memory (for a kernel-mode
rootkit, into the kernel itself).
How does a blended threat get onto your computer?
 through social engineering (phishing e-mails, trojanised downloads)
 by exploiting known, unpatched vulnerabilities
 even by brute-forcing weak credentials.
Types of rootkits
 User-mode rootkits
 run in user space (the same privilege level as ordinary applications), usually with administrative
privileges.
 They hide by hooking the APIs that programs use to enumerate processes, files, system drivers,
network ports, and even system services, filtering out anything the rootkit wants to conceal.
 These rootkits remain installed on the infected computer by copying the required files to the computer's
hard drive and launching automatically with every system boot.
 **Because they run at the same level as anti-malware software, these rootkits can usually be detected
by it.
 Kernel-mode rootkit
 runs inside the operating system kernel, at the same privilege level as the OS itself and as any
rootkit detection software.
 Once the kernel is compromised, nothing the OS reports (process lists, file listings, network
connections) can be trusted.
 One kernel-mode rootkit that has had lots of attention is the Da IOS rootkit, a proof of concept for
Cisco IOS routers.
 **A Windows blue screen (kernel crash) can be a side effect of a buggy rootkit running in the kernel.
 User-mode/kernel-mode hybrid rootkit
 combines user-mode characteristics (easy to use and stable) with kernel-mode
characteristics (stealthy): a small kernel component does the hiding while the bulk of the code runs in
user mode.
 The hybrid approach is very successful and is currently the most widely used design.
 Firmware rootkits
 persist in firmware, so they survive the computer being shut down and even the hard drive being wiped.
 Restart the computer, and the firmware reinstalls the rootkit into the operating system.
 The altered firmware could be anything from the BIOS/UEFI and microprocessor microcode to PCI
expansion card firmware.
 If a removal program removes the operating-system part of the rootkit, the next time the computer
starts, the firmware puts it back.
 Virtual (hypervisor) rootkits
 load underneath the original operating system as a thin hypervisor, turning the running OS into a
guest virtual machine in much the same way VMware does.
 because the OS still believes it is running on real hardware, virtual rootkits are almost invisible to it.
 **Blue Pill (a 2006 proof of concept built on AMD's hardware virtualisation extensions) is one example
of this type of rootkit.
How to detect it?
 Signature and memory scans: look in memory or in file-system areas for known rootkit code, or for
hooks the rootkit has planted in system tables (system call table, SSDT, import tables).
 Cross-view comparison: enumerate processes, files or ports in two independent ways (high-level API
versus raw kernel or on-disk structures) and look for entries that appear in one view but not the other.
 Behavioural monitoring: watch for unusual network traffic, CPU usage or system-call patterns.
 Boot from trusted, clean media and examine the disk offline, so the infected OS cannot lie.
 It is still hard to detect rootkits, and the deeper they sit (kernel, hypervisor, firmware), the harder
it gets.
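The cross-view technique above, and the user-mode API hooking it catches, as an added Python example (not code from the original slides). `hide_pids()` only simulates what a user-mode rootkit's readdir()/FindNextFile() hook does to a process listing; it is not a real rootkit. The live views assume a Linux `/proc` and use `kill(pid, 0)`; the PID numbers and `/proc/<pid>/status` text in the comments and tests are constructed.

```python
"""Cross-view detection of a process hidden from the listing API.

Added example (not part of the original slides). Linux only: the live views read
/proc and call kill(pid, 0). hide_pids() merely simulates what a user-mode
rootkit's readdir()/FindNextFile() hook does; it is not a real rootkit.
"""
import os
import re
from typing import Callable, Iterable, Optional, Set

ListDir = Callable[[str], Iterable[str]]


def hide_pids(hidden: Set[int], real_listdir: ListDir = os.listdir) -> ListDir:
    """Simulated user-mode hook: wrap the directory-listing API so the chosen
    PIDs never show up. A real rootkit patches the same API inside every
    process (LD_PRELOAD, IAT or inline hooks) so ps, ls and task managers all
    lie consistently."""
    names = {str(pid) for pid in hidden}

    def hooked(path: str) -> Iterable[str]:
        return [n for n in real_listdir(path) if n not in names]

    return hooked


def pids_via_listing(listdir: ListDir = os.listdir) -> Set[int]:
    """High-level view: the /proc directory listing that ps(1) is built on."""
    return {int(n) for n in listdir("/proc") if n.isdigit()}


def pids_via_kill_probe(max_pid: Optional[int] = None) -> Set[int]:
    """Low-level view: brute-force every PID with kill(pid, 0). ESRCH means no
    such process; EPERM means it exists but belongs to someone else. A hook on
    the listing API cannot affect this path, because nothing is listed."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


_TGID = re.compile(r"^Tgid:\s*(\d+)", re.MULTILINE)


def tgid_from_status(status_text: str) -> Optional[int]:
    """Parse the thread-group id out of /proc/<pid>/status text."""
    m = _TGID.search(status_text)
    return int(m.group(1)) if m else None


def is_non_leader_thread(pid: int) -> bool:
    """Caveat for the probe: kill(tid, 0) also succeeds for thread IDs, and
    /proc legitimately omits non-leader threads from its listing, so those are
    not hidden processes. A PID the kernel confirms but whose /proc entry
    cannot even be opened is suspicious and is therefore still reported."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = tgid_from_status(f.read())
    except OSError:
        return False
    return tgid is not None and tgid != pid


def find_hidden(listed: Set[int], probed: Set[int],
                is_thread: Callable[[int], bool] = is_non_leader_thread) -> Set[int]:
    """PIDs the kernel answers for but the listing API does not show."""
    return {pid for pid in probed if pid not in listed and not is_thread(pid)}


def demo(rounds: int = 2) -> Set[int]:
    """Hide our own PID from the listing view and let the probe view expose it.
    Intersecting several rounds drops PIDs that merely started or exited
    between the two views (the classic race of any cross-view check)."""
    hooked = hide_pids({os.getpid()})
    result: Optional[Set[int]] = None
    for _ in range(rounds):
        hidden = find_hidden(pids_via_listing(hooked), pids_via_kill_probe())
        result = hidden if result is None else result & hidden
    return result or set()


if __name__ == "__main__":
    print("hidden PIDs found by cross-view diff:", sorted(demo()))
```

The same idea generalises to files (compare `os.listdir()` against direct `stat()` of candidate names, or against the raw directory blocks on disk) and to sockets (compare `netstat` output against `/proc/net/tcp`). It only catches rootkits that hook the high-level path; a kernel-mode rootkit that filters `/proc` inside the kernel will make both of these views agree, which is why the slides recommend examining the disk offline from clean media for the deeper classes.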