This document discusses the history and evolution of rootkit technologies and their impact on digital forensics. It begins with defining rootkits as code used by attackers to surreptitiously execute and control systems while remaining undetected. The document then covers: (1) the origins and evolution of rootkits from modifying system binaries in the 1980s to more advanced techniques today, (2) the five classes of rootkits - application, library, kernel, firmware, and virtualized, and (3) how rootkits aim to hide themselves and impede forensic investigation, posing challenges for incident response.
Venus is similar in size and shape to Earth but has extreme surface conditions. It is covered by thick, toxic clouds that trap heat, causing surface temperatures over 900 degrees. While Venus may have had oceans in the past, any water has long since evaporated due to the intense heat. NASA plans to send a space shuttle to land on Venus and collect rock samples in 2013, though past attempts have failed.
Mars is named after the Roman god of war due to its red color. It has the largest volcano and canyon in the solar system. Mars has polar ice caps and evidence suggests water ice exists at the poles and mid-latitudes. Many space probes have explored Mars, with about 1/3 failing. The idea of intelligent life on Mars was popular in the late 19th century. Mars represents masculinity and youth in different cultures and is featured in many modern films and books.
This presentation discusses exoplanets, the question of whether life exists elsewhere in the galaxy, and constellations. It notes that over 500 exoplanets have been discovered since 1995 in our galaxy, though many are too far to see. Scientists hope to one day find Earth-like planets that could support life. Constellations were used in the past to navigate and mark the seasons, and different cultures saw different patterns and had their own stories to explain them. Now there are 88 constellations officially recognized by the International Astronomical Union.
The document discusses the mystery of the Bermuda Triangle and various theories about what causes ships and planes to disappear in this area. It notes several notable incidents like Flight 19 when 5 planes disappeared in 1945. It outlines supernatural theories involving the lost city of Atlantis or sea monsters. It also provides scientific explanations like compass variations, Gulf Stream currents, rogue waves, methane hydrates, human error, and hurricanes. While the causes remain mysterious, the document examines both supernatural and scientific perspectives on the phenomena in the Bermuda Triangle.
From the very beginning, Bermuda triangle is something that has always created a fusion in your brain.
This presentation aims to guide through some of the Common misconceptions and Scientific Facts of this Mystery.
This presentation is not at all aimed to make you believe in something, but it will definitely clear your Conception to a little.
Hope you Enjoy it.
UK Space Conference: James Webb Space Telescope (Gillian Wright)A. Rocketeer
The document discusses the James Webb Space Telescope, which will be the successor to the Hubble Space Telescope. It will have a 6.5 meter primary mirror, be optimized for infrared observations, and passively cooled to around 40K. The telescope will launch in June 2013 and be placed in an L2 orbit, with an expected mission lifetime of 5-10 years. It is a joint project between NASA, ESA, and the Canadian Space Agency.
Software Developers Forum 2010 - The Monkey Steals the BerriesTyler Shields
Malicious mobile applications can steal private user data, make unauthorized phone calls or SMS messages, and install additional malware. They may access location data, camera, contacts, and other sensitive resources without permission. Users are often unaware an app is malicious as attackers design apps to appear legitimate.
Venus is similar in size and shape to Earth but has extreme surface conditions. It is covered by thick, toxic clouds that trap heat, causing surface temperatures over 900 degrees. While Venus may have had oceans in the past, any water has long since evaporated due to the intense heat. NASA plans to send a space shuttle to land on Venus and collect rock samples in 2013, though past attempts have failed.
Mars is named after the Roman god of war due to its red color. It has the largest volcano and canyon in the solar system. Mars has polar ice caps and evidence suggests water ice exists at the poles and mid-latitudes. Many space probes have explored Mars, with about 1/3 failing. The idea of intelligent life on Mars was popular in the late 19th century. Mars represents masculinity and youth in different cultures and is featured in many modern films and books.
This presentation discusses exoplanets, the question of whether life exists elsewhere in the galaxy, and constellations. It notes that over 500 exoplanets have been discovered since 1995 in our galaxy, though many are too far to see. Scientists hope to one day find Earth-like planets that could support life. Constellations were used in the past to navigate and mark the seasons, and different cultures saw different patterns and had their own stories to explain them. Now there are 88 constellations officially recognized by the International Astronomical Union.
The document discusses the mystery of the Bermuda Triangle and various theories about what causes ships and planes to disappear in this area. It notes several notable incidents like Flight 19 when 5 planes disappeared in 1945. It outlines supernatural theories involving the lost city of Atlantis or sea monsters. It also provides scientific explanations like compass variations, Gulf Stream currents, rogue waves, methane hydrates, human error, and hurricanes. While the causes remain mysterious, the document examines both supernatural and scientific perspectives on the phenomena in the Bermuda Triangle.
From the very beginning, Bermuda triangle is something that has always created a fusion in your brain.
This presentation aims to guide through some of the Common misconceptions and Scientific Facts of this Mystery.
This presentation is not at all aimed to make you believe in something, but it will definitely clear your Conception to a little.
Hope you Enjoy it.
UK Space Conference: James Webb Space Telescope (Gillian Wright)A. Rocketeer
The document discusses the James Webb Space Telescope, which will be the successor to the Hubble Space Telescope. It will have a 6.5 meter primary mirror, be optimized for infrared observations, and passively cooled to around 40K. The telescope will launch in June 2013 and be placed in an L2 orbit, with an expected mission lifetime of 5-10 years. It is a joint project between NASA, ESA, and the Canadian Space Agency.
Software Developers Forum 2010 - The Monkey Steals the BerriesTyler Shields
Malicious mobile applications can steal private user data, make unauthorized phone calls or SMS messages, and install additional malware. They may access location data, camera, contacts, and other sensitive resources without permission. Users are often unaware an app is malicious as attackers design apps to appear legitimate.
This white paper includes all the basic things about Rootkit, how they work, their types, detection methods, their uses, the concept of payload, and rootkit removal.
This document discusses the history and evolution of rootkits from the 1980s to present day. It defines rootkits as software designed to take control of a system without authorization and hide its presence. The document outlines different classes of rootkits including application, library, kernel, and firmware level rootkits. It also discusses techniques for detecting rootkits at each level, noting that kernel and firmware level rootkits are the most difficult to detect.
A methodology to detect and characterize kernel level rootkit exploits involv...UltraUploader
This document proposes a methodology to detect and characterize kernel-level rootkit exploits that involve redirection of the system call table. It begins with background on rootkits and their threat. It then presents a mathematical framework to classify rootkit exploits as existing, modifications to existing, or entirely new. The framework analyzes differences between original programs and rootkit versions to derive signatures. Finally, it discusses existing detection methods and their limitations for detecting kernel-level rootkits, proposing new detection methods be developed based on the characterization analysis.
The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.
The document discusses several cyber threats including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems in 2010. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware discovered in 2012 that supported eliminating traces of its files. Gauss stole credentials and collected information from infected machines. All pose serious risks to computer networks and systems critical to society.
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...Avishai Ziv
This white paper introduces LynxSecure, a type-0 hypervisor developed by LynuxWorks that provides real-time detection and protection against low-level rootkits and bootkits. LynxSecure monitors hardware areas like disk sectors and memory in real-time to detect unauthorized changes indicative of a rootkit infection. Upon detection, LynxSecure can alert administrators and restore infected systems to a clean state in real-time without taking them offline. The paper highlights how LynxSecure is able to detect and remediate a TDL-4 rootkit infection in real-time using its virtualization capabilities and ability to store and restore hardware snapshots.
Rootkits are collections of tools used by hackers to gain administrative privileges on compromised machines and help hide other malware. They allow unauthorized access and control over a computer without the user's knowledge by executing files, monitoring activity, and hiding their presence. Rootkits work by using a dropper to install a loader that loads the rootkit code into memory to covertly operate. There are different types of rootkits that hide in various parts of the computer like the user mode, kernel, firmware, or through virtualization but they are all very difficult to detect.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as usermode rootkits.
http://hakin9.org/theultimat/
The project entitled with “Network Security System” is related to hacking attacks in computer systems over internet. In today’s world many of the computer systems and servers are not secure because of increasing the hacking attacks or hackers with growing information, so information security specialist’s requirement has gone high.
This document discusses the creation of a backdoor to gain unauthorized access to a Windows computer. It begins with an abstract that outlines creating an advanced backdoor file that works like normal files but allows an attacker to retain access and make changes. The document then covers how backdoors work by bypassing authentication, different types of backdoors like Trojans and web shells, an overview of the proposed backdoor system using Python sockets and commands, and requirements for the system.
Detecting and Confronting Flash Attacks from IoT BotnetsFarjad Noor
This document discusses detecting and confronting flash attacks from IoT botnets. It begins by providing background on the Internet of Things and how IoT devices are increasingly being compromised to form botnets. It then describes the architecture of the Mirai malware, which uses a scanner to find vulnerable IoT devices and a command-and-control server to direct attacks. The document proposes using a sparse autoencoder neural network to detect IoT botnets by analyzing network traffic patterns. It also details methods to detect cryptojacking activities on infected devices by analyzing network protocols and abnormal resource usage. Finally, it discusses setting up a Mirai botnet on a virtual private server to further study flash attacks and confrontations.
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMIJORCS
Attacks on the nation’s computer infrastructures are becoming an increasingly serious problem. Firewalls provide a certain amount of security, but can be fooled at times by attacks like IP spoofing and the so called authorized users. So an intelligent system that can detect attacks and intrusions is required. The tool GRANT (Global Real-time Analysis of Network Traffic) being a Linux based Intrusion Detection System(LIDs), takes the advantage of the security of a Linux box and secures the other nodes in the perimeter of the network. It is capable of detecting intrusions and probes as and when they occur and capable of responding to “already” successful attacks, thus causing minimal or no damage to the entire network. For better performance, this Linux Intrusion Detection System should be part of a defense in depth strategy such as Firewall and Intrusion Prevention.
This document summarizes a talk given by Dr. Markku-Juhani O. Saarinen on custom penetration testing (pentest) tools he developed called HAGRAT to simulate advanced persistent threats (APTs). Some key points:
- HAGRAT includes a Windows remote access tool (RAT) and Linux command and control server to remotely control Windows systems and conduct intelligence gathering.
- It was developed over 3 months for $30,000 specifically to test organizations' defenses against APTs in a safe, controlled manner.
- HAGRAT remains undetected after 18 months due to limited and controlled usage. It penetrates firewalls using HTTP and looks like normal browser traffic to avoid detection
Stuxnet is a complex malware that targeted industrial control systems in Iran. It used four zero-day exploits and spread through removable drives and local networks to find computers with Siemens Step 7 software to modify PLC code and sabotage industrial systems while avoiding detection. The malware infected over 100,000 hosts worldwide but about 60% were in Iran, its main target. It conducted five attack waves against Iranian organizations from 2009 to 2010.
This document discusses various aspects of cyber warfare and security. It introduces cyber deterrence and its challenges. It then describes components of a reference model for cyber security including surveillance, penetration testing, honey nets, forensics, attribution, monitoring, reconnaissance, scanning, vulnerability analysis and exploitation. For each component, it provides details on the concept and relevant tools. The document aims to provide an overview of the cyber warfare landscape and approaches.
Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” and get to know about the conversation. It is also called wiretapping applied to the computer networks.
There is so much possibility that if a set of enterprise switch ports is open, then one of their employees can sniff the whole traffic of the network. Anyone in the same physical location can plug into the network using Ethernet cable or connect wirelessly to that network and sniff the total traffic.
In other words, Sniffing allows you to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.
1) The document proposes enhancing IDS systems with honeypot placement to detect zero-day attacks. A new network architecture is designed where honeypots attract attackers and log their activities to generate IDS signatures.
2) Experimental setup involves deploying a honeypot server using Honeyd and Arpd to monitor unused IP space and direct attacks. Tcpdump is used to analyze traffic and payloads directed at the honeypot.
3) Analysis of honeypot logs is used to write custom IDS rules matching observed payloads. This allows detection of new attacks before they can harm the internal network.
Keyloggers are a invasive software often used to harvest secret information. One of the main reasons for
this fast growth is the possibility for unprivileged programs running in the user space to secretly steal and record all the
keystrokes typed by the users on a system. The ability to run in unprivileged mode makes possible their implementation
and distribution. but, at the same time, allows one to understand and imitate their behavior in detail.
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...eLiberatica
This is a presentation held at eLiberatica 2007.
http://www.eliberatica.ro/2007/
One of the biggest events of its kind in Eastern Europe, eLiberatica brings community leaders from around the world to discuss about the hottest topics in FLOSS movement, demonstrating the advantages of adopting, using and developing Open Source and Free Software solutions.
The eLiberatica organizational committee together with our speakers and guests, have graciously allowed media representatives and all attendees to photograph, videotape and otherwise record their sessions, on the condition that the photos, videos and recordings are licensed under the Creative Commons Share-Alike 3.0 License.
The New Mobile Landscape - OWASP IrelandTyler Shields
The document discusses threats to mobile devices and potential solutions. It outlines the mobile threat landscape including types of mobile malware, vulnerabilities, and statistics on infected platforms. It then examines players in the mobile ecosystem like MDM vendors, mobile anti-virus, application markets, and developers. Potential fixes are explored at the enterprise, consumer, vendor, and developer levels through capabilities mapping, malware detection, vulnerability analysis, and secure coding practices. The road ahead is seen through continued collaboration between these players and communities.
This document provides an overview and summary of mobile application risks. It begins with defining the mobile threat landscape, including statistics on the prevalence of Android malware. It then discusses the various types of mobile malware threats and behaviors. The document outlines vulnerabilities in mobile applications and ecosystems. It proposes approaches for securing the mobile environment, including static and dynamic behavioral analysis, malware detection, and vulnerability analysis. Finally, it discusses strategic control points for security and some enterprise solutions for mitigating risks of bring your own device policies.
More Related Content
Similar to Survey of Rootkit Technologies and Their Impact on Digital Forensics
This white paper includes all the basic things about Rootkit, how they work, their types, detection methods, their uses, the concept of payload, and rootkit removal.
This document discusses the history and evolution of rootkits from the 1980s to present day. It defines rootkits as software designed to take control of a system without authorization and hide its presence. The document outlines different classes of rootkits including application, library, kernel, and firmware level rootkits. It also discusses techniques for detecting rootkits at each level, noting that kernel and firmware level rootkits are the most difficult to detect.
A methodology to detect and characterize kernel level rootkit exploits involv...UltraUploader
This document proposes a methodology to detect and characterize kernel-level rootkit exploits that involve redirection of the system call table. It begins with background on rootkits and their threat. It then presents a mathematical framework to classify rootkit exploits as existing, modifications to existing, or entirely new. The framework analyzes differences between original programs and rootkit versions to derive signatures. Finally, it discusses existing detection methods and their limitations for detecting kernel-level rootkits, proposing new detection methods be developed based on the characterization analysis.
The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.
The document discusses several cyber threats including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems in 2010. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware discovered in 2012 that supported eliminating traces of its files. Gauss stole credentials and collected information from infected machines. All pose serious risks to computer networks and systems critical to society.
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...Avishai Ziv
This white paper introduces LynxSecure, a type-0 hypervisor developed by LynuxWorks that provides real-time detection and protection against low-level rootkits and bootkits. LynxSecure monitors hardware areas like disk sectors and memory in real-time to detect unauthorized changes indicative of a rootkit infection. Upon detection, LynxSecure can alert administrators and restore infected systems to a clean state in real-time without taking them offline. The paper highlights how LynxSecure is able to detect and remediate a TDL-4 rootkit infection in real-time using its virtualization capabilities and ability to store and restore hardware snapshots.
Rootkits are collections of tools used by hackers to gain administrative privileges on compromised machines and help hide other malware. They allow unauthorized access and control over a computer without the user's knowledge by executing files, monitoring activity, and hiding their presence. Rootkits work by using a dropper to install a loader that loads the rootkit code into memory to covertly operate. There are different types of rootkits that hide in various parts of the computer like the user mode, kernel, firmware, or through virtualization but they are all very difficult to detect.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as usermode rootkits.
http://hakin9.org/theultimat/
The project entitled with “Network Security System” is related to hacking attacks in computer systems over internet. In today’s world many of the computer systems and servers are not secure because of increasing the hacking attacks or hackers with growing information, so information security specialist’s requirement has gone high.
This document discusses the creation of a backdoor to gain unauthorized access to a Windows computer. It begins with an abstract that outlines creating an advanced backdoor file that works like normal files but allows an attacker to retain access and make changes. The document then covers how backdoors work by bypassing authentication, different types of backdoors like Trojans and web shells, an overview of the proposed backdoor system using Python sockets and commands, and requirements for the system.
Detecting and Confronting Flash Attacks from IoT BotnetsFarjad Noor
This document discusses detecting and confronting flash attacks from IoT botnets. It begins by providing background on the Internet of Things and how IoT devices are increasingly being compromised to form botnets. It then describes the architecture of the Mirai malware, which uses a scanner to find vulnerable IoT devices and a command-and-control server to direct attacks. The document proposes using a sparse autoencoder neural network to detect IoT botnets by analyzing network traffic patterns. It also details methods to detect cryptojacking activities on infected devices by analyzing network protocols and abnormal resource usage. Finally, it discusses setting up a Mirai botnet on a virtual private server to further study flash attacks and confrontations.
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMIJORCS
Attacks on the nation’s computer infrastructures are becoming an increasingly serious problem. Firewalls provide a certain amount of security, but can be fooled at times by attacks like IP spoofing and the so called authorized users. So an intelligent system that can detect attacks and intrusions is required. The tool GRANT (Global Real-time Analysis of Network Traffic) being a Linux based Intrusion Detection System(LIDs), takes the advantage of the security of a Linux box and secures the other nodes in the perimeter of the network. It is capable of detecting intrusions and probes as and when they occur and capable of responding to “already” successful attacks, thus causing minimal or no damage to the entire network. For better performance, this Linux Intrusion Detection System should be part of a defense in depth strategy such as Firewall and Intrusion Prevention.
This document summarizes a talk given by Dr. Markku-Juhani O. Saarinen on custom penetration testing (pentest) tools he developed called HAGRAT to simulate advanced persistent threats (APTs). Some key points:
- HAGRAT includes a Windows remote access tool (RAT) and Linux command and control server to remotely control Windows systems and conduct intelligence gathering.
- It was developed over 3 months for $30,000 specifically to test organizations' defenses against APTs in a safe, controlled manner.
- HAGRAT remains undetected after 18 months due to limited and controlled usage. It penetrates firewalls using HTTP and looks like normal browser traffic to avoid detection
Stuxnet is a complex malware that targeted industrial control systems in Iran. It used four zero-day exploits and spread through removable drives and local networks to find computers with Siemens Step 7 software to modify PLC code and sabotage industrial systems while avoiding detection. The malware infected over 100,000 hosts worldwide but about 60% were in Iran, its main target. It conducted five attack waves against Iranian organizations from 2009 to 2010.
This document discusses various aspects of cyber warfare and security. It introduces cyber deterrence and its challenges. It then describes components of a reference model for cyber security including surveillance, penetration testing, honey nets, forensics, attribution, monitoring, reconnaissance, scanning, vulnerability analysis and exploitation. For each component, it provides details on the concept and relevant tools. The document aims to provide an overview of the cyber warfare landscape and approaches.
Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” and get to know about the conversation. It is also called wiretapping applied to the computer networks.
There is so much possibility that if a set of enterprise switch ports is open, then one of their employees can sniff the whole traffic of the network. Anyone in the same physical location can plug into the network using Ethernet cable or connect wirelessly to that network and sniff the total traffic.
In other words, Sniffing allows you to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.
1) The document proposes enhancing IDS systems with honeypot placement to detect zero-day attacks. A new network architecture is designed where honeypots attract attackers and log their activities to generate IDS signatures.
2) Experimental setup involves deploying a honeypot server using Honeyd and Arpd to monitor unused IP space and direct attacks. Tcpdump is used to analyze traffic and payloads directed at the honeypot.
3) Analysis of honeypot logs is used to write custom IDS rules matching observed payloads. This allows detection of new attacks before they can harm the internal network.
Keyloggers are a invasive software often used to harvest secret information. One of the main reasons for
this fast growth is the possibility for unprivileged programs running in the user space to secretly steal and record all the
keystrokes typed by the users on a system. The ability to run in unprivileged mode makes possible their implementation
and distribution. but, at the same time, allows one to understand and imitate their behavior in detail.
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...eLiberatica
This is a presentation held at eLiberatica 2007.
http://www.eliberatica.ro/2007/
One of the biggest events of its kind in Eastern Europe, eLiberatica brings community leaders from around the world to discuss about the hottest topics in FLOSS movement, demonstrating the advantages of adopting, using and developing Open Source and Free Software solutions.
The eLiberatica organizational committee together with our speakers and guests, have graciously allowed media representatives and all attendees to photograph, videotape and otherwise record their sessions, on the condition that the photos, videos and recordings are licensed under the Creative Commons Share-Alike 3.0 License.
Similar to Survey of Rootkit Technologies and Their Impact on Digital Forensics (20)
The New Mobile Landscape - OWASP IrelandTyler Shields
The document discusses threats to mobile devices and potential solutions. It outlines the mobile threat landscape including types of mobile malware, vulnerabilities, and statistics on infected platforms. It then examines players in the mobile ecosystem like MDM vendors, mobile anti-virus, application markets, and developers. Potential fixes are explored at the enterprise, consumer, vendor, and developer levels through capabilities mapping, malware detection, vulnerability analysis, and secure coding practices. The road ahead is seen through continued collaboration between these players and communities.
This document provides an overview and summary of mobile application risks. It begins with defining the mobile threat landscape, including statistics on the prevalence of Android malware. It then discusses the various types of mobile malware threats and behaviors. The document outlines vulnerabilities in mobile applications and ecosystems. It proposes approaches for securing the mobile environment, including static and dynamic behavioral analysis, malware detection, and vulnerability analysis. Finally, it discusses strategic control points for security and some enterprise solutions for mitigating risks of bring your own device policies.
This document summarizes key points about mobile application privacy based on an analysis of over 53,000 applications:
1) Many applications request unnecessary permissions like location tracking and SMS access without proper disclosure to users.
2) Code reuse through third party libraries introduces privacy risks as the libraries' data practices are often unknown.
3) Developers should securely store sensitive data, encrypt data in transit, analyze all reused code for flaws, and avoid hardcoded secrets to better protect user privacy.
This document discusses the rise of mobile, social, and cloud computing as a "new computing paradigm" that requires a new approach to security. It notes that traditional security methods like firewalls and relying on application permissions are no longer effective due to the decentralized and interconnected nature of modern applications and data. The document provides statistics on mobile application permissions and third-party libraries that indicate many apps are overprivileged and reuse code of unknown integrity. It argues that securing data as it flows between devices, networks, and services is now critical and that the only real defense is to secure all code through practices like secure development and verification.
Social Media Basics: Security Loopholes with Twitter & Other Social MediaTyler Shields
The document appears to be a syllabus for a course on social media security basics. It includes sections on definition of terms, risks, common attacks, and what can be done to protect yourself. Some common social media attacks mentioned are malware distribution, command and control of malware, compromise of sensitive data, social media worms like KoobFace that spread through messages/posts, targeted attacks, password/account hacking, and spam. The syllabus suggests users should avoid random links, use strong unique passwords, and not trust unsolicited messages. Vendors and enterprises are encouraged to implement better security practices while more research should be done on social media threats.
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
The document outlines the technical details of mobile spyware targeting Blackberry devices. It describes common spyware programs, how they are installed, their behaviors like logging calls, texts and location, and how they exfiltrate data. It also reviews the technical methods used, like accessing APIs to dump contacts and record audio. Blackberry security mechanisms like code signing and policies are discussed, but many default policies allow broad permissions.
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields
The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.
Source Boston 2010 - The Monkey Steals the Berries Part DeuxTyler Shields
The document discusses mobile spyware, providing background information and case studies of existing spyware programs like FlexiSpy and Mobile Spy. It notes the increasing popularity of smartphones and mobile applications as a driver for more mobile spyware. Key points covered include motivation for attackers, installation methods, effects and behaviors of spyware, and challenges around detection.
Raleigh ISSA 2010 - The Monkey Steals the BerriesTyler Shields
The document discusses mobile spyware, including case studies of FlexiSpy spyware which allows remote monitoring of SMS, calls, emails, and location on smartphones. It also provides statistics on mobile operating system and application market shares. The presenter's background in security research and consulting is provided.
Static Detection of Application BackdoorsTyler Shields
The document discusses detecting application backdoors through static analysis of executable code. It defines application backdoors as versions of legitimate software modified to bypass security under certain conditions. The summary discusses three main types of application backdoors that can be detected through static analysis:
1) Special credentials - Detecting hardcoded or computed credentials not from the authentication store.
2) Unintended network activity - Finding network activity not intended in the software design.
3) Deliberate information leakage - Identifying code that leaks sensitive information.
Static analysis rules can inspect for these patterns and other malicious indicators like embedded shell commands, time bombs, and rootkit-like behavior. Well-known backdoor mechanisms can be ob
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
The document discusses detecting "certified pre-owned" software, or software containing backdoors. It describes how static analysis of software binaries can detect various types of application backdoors, including special credentials, unintended network activity, and deliberate information leakage. The document focuses on detecting indicators that software is trying to hide its behavior, such as rootkit behavior and anti-debugging techniques, through static analysis of the software code. Rules can be developed for static analyzers to inspect software for these types of backdoor behaviors and indicators.
The document discusses various techniques for anti-debugging, which aims to hinder reverse engineering or debugging of software. It describes six major categories of anti-debugging techniques: API-based, exception-based, direct process/thread detection, modified code detection, hardware/register-based detection, and timing-based detection. The document provides code examples for API-based techniques including IsDebuggerPresent(), CheckRemoteDebuggerPresent(), OutputDebugString(), and FindWindow() calls. The goal is to educate developers on implementing anti-debugging in their software.
Praetorian Veracode Webinar - Mobile PrivacyTyler Shields
The document discusses mobile application security risks and recommendations. It summarizes the OWASP Mobile Top 10 security risks, describes how static analysis can reveal vulnerabilities without executing code, and analyzes results from analyzing over 53,000 Android applications. Key findings include the high percentage of applications requesting permissions for location, contacts, and SMS/calling functions. Many applications shared third-party libraries for advertising and analytics. The document recommends users carefully review an app's permissions and author before installing and to use security monitoring applications.
Owasp Ireland - The State of Software SecurityTyler Shields
This document summarizes the key findings from an analysis of application security data by Veracode. Some of the main findings include:
1) Most software applications were found to be insecure, with over 50% receiving high or critical risk ratings.
2) Third-party software applications and components make up a significant percentage of enterprise infrastructure and applications, but were found to have the lowest security quality.
3) Open source projects had faster remediation times and fewer vulnerabilities than commercial or outsourced software.
The document discusses these and other findings around languages used, differences between industries, and the need for multiple testing techniques to adequately assess application security.
The document discusses risk and defines it as the possibility of loss or injury. It then discusses crowd sourcing security testing and outlines some of the current inadequate solutions such as expensive security consultants, tools that don't scale, and developers who prioritize functionality over security. The document then summarizes the results of analyzing over 53,000 Android applications, finding most request GPS and contact permissions and lists the top third party libraries used. It concludes by proposing a whitelisting approach to security testing using static analysis and an unbiased third party.
Dirty Little Secret - Mobile Applications Invading Your PrivacyTyler Shields
The document discusses privacy risks associated with mobile applications. It notes that applications can access personal data and device sensors through vulnerabilities or malicious code at the application, OS, hardware and network layers. It also discusses how the complexity of developing mobile applications across multiple teams and outsourcing parts of the development process makes it difficult to ensure application security. Finally, it provides an example case study of how static analysis was used to investigate privacy issues with the Pandora Radio mobile application.
IT Hot Topics - Mobile Security Threats at Every LayerTyler Shields
The document defines the term "risk" as the possibility of loss or injury. It then discusses various challenges with relying on internal teams, crowd sourcing, software vendors, developers, and processes alone to adequately manage security risks. The document proposes conducting static analysis of applications to create a whitelist of approved software that could then be enforced through mobile device policy as a potential solution to improve on current inadequate approaches.
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksTyler Shields
The document discusses the growing threat of smartphone attacks through mobile spyware, analyzing case studies of existing spyware programs like FlexiSpy and Mobile Spy that can track locations, read messages and calls, and more without the user's knowledge. It also outlines the security mechanisms of BlackBerry devices and how spyware can be installed, along with its potential effects and technical details, and ways to detect spyware and areas for future work.
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareTyler Shields
This document discusses smartphone backdoors and mobile device spyware. It begins by defining mobile spyware and how it is often inserted by those with access to source code or distribution binaries. It then covers the motivations of attackers in using mobile spyware such as retrieving private data from targets and maintaining access. The majority of the document analyzes the growing use of smartphones and mobile platforms as targets for spyware, using statistics on unit sales and application availability across platforms. It concludes by examining several case studies of existing mobile spyware programs and incidents.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
A Comprehensive Guide to DeFi Development Services in 2024Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Survey of Rootkit Technologies and Their Impact on Digital Forensics
1. Survey of Rootkit Technologies and
Their Impact on Digital Forensics
Tyler Shields
txs@donkeyonawaffle.org
tshields@alum.rit.edu
ABSTRACT existence of the code itself, and to allow surreptitious execution
A rootkit is code that is used by an attacker to keep the legitimate and control of a target system. Also known as stealth malware,
users and administrators of a system unaware of the code, and this definition of rootkit technologies can be extended to include
thus the attackers, presence on the compromised system. This some more “legitimate” examples of stealth technologies;
paper will discuss the history of rootkits specifically focusing on however we are going to keep the paper focused on the hiding of
the evolution of the rootkit from the basic modification of system code used to maintain long term compromise of a target system.
binaries to the cutting edge research being conducted today. A The term “digital forensics” in our context indicates the process of
discussion of each type of rootkit will be followed by an overview responding to a potential incident on a digital system. The digital
of rootkit detection techniques and how to know when a rootkit forensics process could include analysis of potentially any type of
has been deployed. Finally we will analyze the impact that digital system including Smartphone, PDA, desktop computer,
rootkits have on the digital forensics process. From live state laptop computer, mainframe system, etc. For clarity the specific
evidence acquisition to using the rootkit data as a source of usage of this term will be limited to desktop and server based
evidence itself, the impact on the digital forensic realm is systems that are common in home and corporate environments
important to understanding the potential pitfalls when conducting today.
an incident response or presenting evidence in a court of law.
The primary goal of a subversive system, such as a rootkit, is to
1.Introduction hide the existence of the rootkit itself along with its related
The term rootkit originally referred to a tool or suite of tools used functions. Additionally, it is common for a rootkit to attempt to
to maintain administrative level access on a compromised system. impede the evidence collection processes within the realm of
Something as simple as a modified configuration file or telnetd digital forensics. Given the primary goal of maintaining an
binary could be used to allow an attacker unfettered access to a elevated privilege level on the compromised host, in conjunction
target for an indeterminate amount of time. As computing systems with a secondary goal of disturbing the incident responder’s
and networks have evolved, so have the techniques that rootkit facilities for evidentiary data gathering, rootkit technologies and
authors employ. What began as basic user-land source code the detection of these subversive systems should be at the
available modified UNIX binaries has morphed over time to forefront of learning and research for all incident responders and
include user-mode modified system binaries, kernel mode control handlers.
systems, firmware layer backdoors, and even rootkit systems that
utilize virtual machine monitors to hide below the operating 2.History and Evolution of Rootkits
system. Over time the term rootkit has come to mean code that Rootkits, in the form of stealth functionality within malware, have
hides itself in an attempt to execute surreptitiously. What began as been in existence since at least the mid 1980s. The first notable
code, or a “kit” of code, which allowed an attacker the ability to piece of “stealth” code was the Brain virus. This virus affected the
maintain access to a target system at the root level (rootkit), has boot sector of storage media formatted with the DOS File
been modified over time to be a “set of programs and code that Allocation Table (FAT) system. What makes this virus interesting
allows a permanent or consistent, undetectable presence on a with regards to rootkit or stealth technologies was that this virus
computer.” [24] was the first one in existence to include code created to hide the
The impact that a rootkit can have on the digital forensics process virus from detection. [18] The anti-virus company F-Secure
is immense. By definition rootkits and the digital forensic describes the Brain virus stealth techniques in the following
detection of a subverted system is a cat-and-mouse game. As manner:
methods of rootkit detection and observation are improved, even “The Brain virus tries to hide from detection by hooking into INT
newer methods of subversion are created in response. When 13. When an attempt is made to read an infected boot sector,
responding to the compromise of a target system there is no Brain will just show you the original boot sector instead. This
guarantee that you will have newer and more up to date means that if you look at the boot sector using DEBUG or any
observation and detection methods than the author of the rootkit similar program, everything will look normal, if the virus is active
that has potentially been deployed. An incident responder must in memory. This means the virus is the first "stealth" virus as
take all precautions available to minimize the chance that their well.”[18]
investigation could be compromised or flawed.
Shortly after the release of the Brain virus, stealth malware
1.1Definition research progressed to the UNIX platform. Modified system
Rootkit technology, as defined in this paper, includes any binaries, along with “log cleaning” software, began to be
application code that is implemented in an effort to hide the discovered on compromised SUN Microsystems based machines
2. and released in “kits” for attackers to utilize. These modified an even playing field and can, at a minimum, architect themselves
binaries typically were installed with the goals of allowing root to avoid detection.
level remote access, root level local privilege escalation, hiding
This game continued through the early 2000s. [18] Rootkit
potential evidence and going undetected by system administrators.
research was recently reinvigorated when breakthroughs were
If successful, these binaries would allow the attacker to maintain
made in the area of virtualized computing systems. With the
root level access on a target host for an indeterminate amount of
advent of virtual machine emulators, rootkit researchers realized
time. Access was typically maintained by installing backdoors in
the possibility of injecting their stealth system at a software layer
common applications such as telnetd, ftpd, or generally allowing a
even lower than the kernel. If the attacker could get their rootkit
listener attached to a root level shell to execute on an arbitrary
system loaded prior to the operating system itself, or inserted at a
high TCP port. Log cleaning utilities were installed and executed
layer between the operating system and the hardware, and then
to hide the digital evidence left behind by the attacker during the
run the operating system within a virtual machine on top of the
compromise and to delay detection. Some rootkit researchers even
rootkit, detection would be significantly more difficult. Any
went so far as to modify the underlying libraries at the user-land
detection engine that was installed in the operating system, even
level thus affecting the system at a much lower level. Instead of
at the kernel level, could be subverted by intercepting the calls
having to modify individual binaries, they modified the libraries
from the kernel to the hardware itself.
that these binaries called, thus effecting all system binaries in an
indirect manner. Cutting edge research that is being conducted today involves the
creation and detection of virtualized rootkit technologies.
Further advances brought along the addition of packet capture and
Theoretical discussions have suggested that firmware level
“sniffing” code. These programs captured data traffic as it
rootkits could potentially exist at a layer yet below that of the
traversed the network on and around the compromised system. By
virtualized rootkit. If it were possible to modify the underlying
capturing this traffic, an attacker could extend her reach far
hardware to react and respond differently than normal, it should
beyond the original compromised system by gathering and storing
also be possible to utilize these modifications for subversion of all
authentication credentials to other systems, networks, and host
system layers that lie above the hardware layer itself.
devices.
In the mid 1990s the rootkit research community had realized that
3.Classes of Rootkits
user-land rootkits, as previously engineered to date, were getting
Rootkit and subversive malware come in five distinct
easier to detect. Host based security solutions such as the
classifications; application, library, kernel, firmware, and
application “Tripwire” [24] were implemented to deter
virtualized designs. When looking at the typical computer system
modification of sensitive system binaries and libraries generally
architecture we see a direct correlation between computing
making application level rootkit technology less effective and
architecture layers and the types of rootkit technologies in
easier to detect.
existence and being researched today.
In the 1997-1999 era, major advances in the research of rootkits “Adapted from “Forensic Discovery” by Farmer and Venema” [25]
occurred. Researchers began to realize that modification of the
operating system at a much lower layer, the kernel, could yield EXECUTABLE PROGRAM (APPLICATION LEVEL)
similar results to the binary modification approach and be far less SYSTEM LIBRARIES (LIBRARY LEVEL)
detectable via current techniques. By placing the rootkit at the
kernel level, the attacker would be guaranteed to be running at the OPERATING SYSTEM KERNEL (KERNEL LEVEL)
same level, or lower, than any kernel or user-land based detection
OPTIONAL VIRTUAL MACHINE MONITOR
software that was implemented to detect them.
(VIRTUALIZED ROOTKITS)
In the UNIX realm, kernel based rootkits meant using Loadable
Kernel Modules (LKM) to implement modifications in the core of HARDWARE (FIRMWARE LEVEL)
the operating system. Instead of rewriting and recompiling code
for each binary an attacker wished to control, it was now possible
to rewrite the underlying kernel objects that are called by the high In operating system discussions, the top of the stack is known as
level code, thus affecting all code that uses these functions. This user-land. This is where the programs execute, each in its own
model was extended into the Microsoft Windows space as well virtual memory space. A program that is not statically compiled
with the advent of the kernel modification attacks including will typically link with one or more libraries at run-time to
system hooking, device driver implementations of kernel mode dynamically load functions and allow for code reuse. [25]
rootkits, and direct kernel object modification (DKOM). The very
The system libraries as utilized by applications at run-time. They
core of the operating system could no longer be trusted.
allow binaries to request functions from the libraries such as
Modifications at the kernel level turned the tables on the detection printing to standard out, opening network sockets, etc. Together
of rootkits. Detection software had to reanalyze its current design the top two layers, application level and library level are
and migrate to the lower abstraction level if it were to stay considered user-space. [25]
competitive. It was now a true cat-and-mouse game between
Directly below user space is the kernel. The kernel facilitates
rootkit authors and the authors of rootkits detection systems. By
communication between the user-land processes and the
implementing rootkits at the same operating system layer as the
underlying hardware. Requests are made from libraries, and
more advanced rootkit detection systems, the attackers are now on
potentially application code itself, to the kernel to provide access
to files, directories, network resources, segregated process, etc.
3. The kernel checks the authentication level of the requesting patching. Once a process is found that utilizes the library to be
process or library with regard to the requested service and allows subverted, the rootkit intercepts the request for the library API
or denies the resources requested as appropriate. [25] instead executing its own code. Generally the rootkit code will
call the original API and modify or filter the responses from the
In a typical system, the kernel would communicate directly with
library to hide the existence of the rootkit and attackers files. [21]
the hardware, however, it is possible to inject another layer
between the two that acts as an intermediary. This layer, known as 3.3Kernel Level
the virtual machine monitor, or hypervisor, is a virtualization Kernel level rootkits are implemented by replacing or writing new
platform that can allow multiple operating systems to run on a code directly into the running system kernel. This goal is typically
single piece of hardware. [26] achieved by writing device driver code for windows or by creating
Finally, at the bottom of the stack lies the hardware itself. This and implementing a Loadable Kernel Module (LKM) on a UNIX
layer is the physical firmware controlled components that modify system.
the digital representation of data in memory and disc. [25] As a user land request for kernel resources is invoked, there is a
specific path of system calls that must occur. Hooking of any
3.1Application Level number of places along this path will result in the execution of the
Application level rootkits are also referred to as user-mode
subverted system code in the place of the original requested
rootkits. Typically these rootkits consist of recompiled binaries
functionality. At a high level, the request for kernel resources
that replace the normal system binaries and operate in a malicious
passes through a gate. This gate can be hooked to point to our
manner. In the Windows space, they can also take the form of the
malicious code via modification of system interrupt mappings or
modification of application loaded dll assigned memory. For the
modifications to function mappings for model specific registers.
purposes of this paper, any hooks to intercept events prior to them
reaching the intended application, binary patches, or injected code Kernel modification in UNIX systems is accomplished by the use
at the user land level is considered an application level rootkit. of an LKM. An LKM is a kernel subsystem that can be loaded and
unloaded dynamically into the running kernel after the system
Historically, application level rootkits have come in the form of
boot process is complete. [27] Windows achieves similar
Trojan binaries. These binaries were typically created from
functionality by loading device drivers into the kernel. [21] Both
modified operating system source code and recompiled to meet
methods allow a user with administrative rights over the system to
the needs of the intruder. If no source code were available, Trojan
create and execute hooks directly into the running kernel.
binaries were created from either patched legitimate system
binaries or created from scratch by a savvy attacker to emulate the A Windows specific example of kernel hooking is the common
functionality of a system binary while conducting nefarious method of modification of the system service descriptor table
activities. These binaries would have to be compiled specifically (SSDT). The SSDT is a table in kernel memory that holds the
for the type of system being subverted and as such were grouped function pointers that contain the addresses for system calls. By
together into “kits” that targeted individual operating system types generating a device driver that modifies the functions pointed to
and versions. Once the compromise of a target system occurred, by the SSDT, a rootkit can point system calls to code of its
the rootkit would be deployed and system binaries overwritten choosing. [21]
with the modified subverted binaries from the kit. [21]
A second Windows specific location of kernel hooking is
3.2Library Level modification of the Interrupt Descriptor Table (IDT). In
Library rootkits are installed onto a target system and patch, hook, Windows, the IDT is used to handle interrupts. The IDT tells the
or replace calls to system libraries. While these types of rootkits kernel how to handle interrupts that can be generated from any
technically reside in user space as well, we have broken them into number of sources including the keyboard, mouse, or when a
their own category for explanatory purposes. Implementing a system call is requested from user space. When a system call is
rootkit in this fashion allows the attacking process to stay hidden generated, the 0x2e interrupt is triggered. This triggers the SSDT
by returning modified data for requests that would reveal its to take control and execute the appropriate system call. By
existence. The primary difference between library level rootkits modifying the IDT a rootkit can effectively execute their
and other user-land rootkits is that the library based rootkits affect subversion code in place of the SSDT code thus blocking or
a large number of binaries on the system without direct modifying the execution of the particular system call. [23]
modification of more than just a few libraries. By moving one step In many instances kernel and user-land hooks may be the only
closer to the underlying operating system it’s possible to hide methods available for a rootkit to execute. Kernel hooking is an
from multiple different programs while minimizing the level of effective way to execute kernel level operating system subversion
system modifications and potential clues for an investigator. techniques; however hooks are typically trivial to detect (See
This type of rootkit system is typically deployed by modifying section on rootkit detection). There is at least one other, more
publicly available operating system source code to create stealthy and direct, method possible to subvert the kernel known
modified system libraries that execute the required functionality as run-time kernel modification or direct kernel object
of the rootkit owner. Upon deploying the rootkit to the modification (DKOM). All operating systems store accounting
compromised host, the original system libraries of the information in memory. DKOM is modification of the kernel
compromised machine are replaced with the modified versions. It bookkeeping and reporting systems as the kernel is running.
is also possible to create a library modification rootkit that Modification of live kernel data is a very fragile process. One
constantly monitors the system for new processes that require mistake will inevitably result in an unstable system and most
specific libraries. This technique is known as run-time library likely the operating system will enter an unrecoverable state.
4. DKOM is limited in that this technique can only modify data that second way in which other types of rootkits are limited is with
is accounted for in the running kernel. Data such as lists of regards to size versus functionality. The more functional the
running processes, operational device drivers, active network rootkit, the larger the size, and the easier it is to detect its
ports, and thread details are all kept in the running kernel and can existence. Virtualized rootkits are not limited in similar manners.
be modified by the DKOM model. [23] [3]
3.4Firmware Level With the exception of firmware rootkits, virtualized rootkits are
If an attacker is looking to utilize a simple, and highly the lowest level of software rootkit in existence to date.
undetectable, sequence of steps, a firmware level rootkit can be Virtualized rootkits insert themselves into the system below that
extremely effective. Firmware level rootkits are implemented at of the general operating system. Installation of the rootkit may
the hardware level, and lay near the bottom of the system stack. modify the normal system boot sequence or may migrate the
By modifying code directly on the hardware, an attacker can existing operating system into the rootkit hypervisor without
implement a program of her choosing, while remaining extremely requiring a reboot. To migrate an operating system into a virtual
difficult to detect. Targets of firmware level rootkits include machine without requiring a reboot requires special hardware (see
peripheral hardware, disk controllers, USB keys, processors, and “Hardware Assisted Virtual Machine Rootkits” below). When the
firmware memory. At this point in time, firmware level rootkits compromised system is rebooted, instead of loading the operating
are mostly theoretical and have only recently been demonstrated system, the affected system loads the virtualized rootkit which in
in a fully functional proof of concept. Very limited public turn loads the operating system on top of it. Because the attacker
research has been done in this area. uses virtual machine technology, the users of the operating system
never know that they are running in a virtual machine. The point
The general concept of firmware rootkits is the idea that firmware of insertion into the system stack allows the virtualized rootkit the
can be modified from the operating system directly. In particular, ability to trap, drop, create, and otherwise modify all requests to
BIOS, ACPI, expansion ROMS, and network card PXE systems and from the hardware layer.
can typically be modified by administratively run code. What
makes firmware rootkits interesting is that in many instances, 3.5.1Software Based Virtualized Rootkits
these firmware devices are executed at boot time, well before the A virtualized rootkit uses a virtual machine monitor (VMM) to
actual execution of the operating system. This leaves a window of manage the resources of the underlying hardware and provides an
opportunity for a subversive piece of firmware to hook interrupts emulated interface of the hardware layer to one or more virtual
that may be called by the operating system at a later time. For machines (VM). The VMM acts as an intermediary between the
example, it is possible to hook the int10 interrupt, the video installed VM, which in this case is the original operating system
interrupt, and have the firmware modify program execution based on the target host, and the underlying hardware layer. By inserting
on the execution of this interrupt. [28] the virtual machine beneath the entirety of the original operating
system and emulating the hardware via software representation, it
The network card PXE firmware is another interesting target. This
is possible for the software based virtualized rootkit to trap any
firmware gets executed prior to the operating system start up to
and all requests to the hardware and present back a falsified and
determine if the host should download and/or boot over a network
filtered result. The VMM exports the hardware level abstractions
connection. Modification of this firmware leaves attack vectors
to the guest operating system via software based emulated
open including the ability to install, run, and potentially update a
hardware. The end result is a rootkit implemented in software at a
rootkit that is located within this or other pieces of firmware. [28]
layer that is virtually undetectable to any software installed in the
Once a rootkit has been installed in a piece of firmware it is very original operating system, even at the most privileged kernel level.
difficult to remove. Reinstallation of the operating system, To install a software based virtualized rootkit, a reboot of the
formatting the hard disk, and even physically removing and guest operating system is required such that the guest system and
installing a new storage mechanism will not result in the removal target of the rootkit can be executed from within the VMM.
of the subversive code. The effected piece of firmware must be
returned to its safe state to ensure the removal of the firmware 3.5.2Hardware Assisted Virtual Machine Rootkits
rootkit. Hardware assisted virtual machine rootkits are similar to software
virtualized rootkits in that they run at one abstraction layer lower
3.5Virtualized Rootkits than the entire operating system, thus becoming virtually
Some of the more recent research in the arena of rootkits has undetectable to the higher layer operating system components.
surrounded virtualized rootkits [3] [6] [7] [9]. The other types of However, unlike the typical software based virtualized rootkit, the
rootkits, application level, library level, and even kernel mode, are hardware assisted virtualized rootkit loads itself under an already
limited in a few select ways. It has not been possible for other running operating system and turns the running operating system
types of rootkits, with the exception of firmware rootkits, to gain a into its guest VM. This process is referred to as “forking” or
clear advantage over rootkit detection software because they “migrating” the OS to a guest state. This is possible based on the
operate at the same or higher layers within the operating system hardware itself supporting virtualized hosts thus allowing the new
than their defensive counterparts. If both an attacker and a virtual machine to shim itself between the now guest operating
defender operate at exactly the same level, a stalemate occurs in system and the underlying hardware. The hypervisor is loaded
which the attacker can modify its methods, but will be easily into the guest operating system via traditional kernel loading
detected by defensive software that adds similar methods to its methods, in the windows case this would be a segment of driver
detection routines. The end result is a cat and mouse game of code. A section of memory is then allocated for the hypervisor
offensive modifications and defensive counter modifications. The and it is loaded into the system. The original operating system is
5. then transferred to a guest of the newly installed hypervisor. Upon presence based rootkit detection system can choose to guard the
successful loading of the hypervisor, the loader code is removed doors or scan the room.
from the original guest system thus leaving no trace of the original
The first and most straightforward method of generically detecting
installation of the hypervisor at the lower layer. The installation of
rootkit systems is utilizing a differential approach. The concept is
the hypervisor relies upon the AMD-V [29] and/or Intel VT-x
simple in explanation but may be potentially difficult in
[30] hardware virtualization technology to be able to run. Until
practicality. A premise of all rootkit technologies is that they lie.
the deployment of these specialized chips are ubiquitous, these
They fool the system, and thus its users, into believing a set of
hardware dependencies make the installation of hardware assisted
data that are not truthful. In the physical world, one way of
virtualized rootkits slightly less practical.
detecting lies is to review the situation from multiple witnesses
Once a virtualized rootkit has been installed underneath the and differing angles. Any subtle difference may indicate that
existence of the original operating system, the VMM can take someone is not telling the truth. This analogy is very similar to the
many liberties with the requests to hardware. For example, the “diff-based” approach to detecting rootkit implementations. A
rootkit can log all network packets of the original operating number of questions are asked of the operating system while
system by simply modifying the software version of the network running live on the potentially compromised host system. The
interface that is presented to the subverted system. As far as the system is then rebooted directly to a secure read only operating
compromised system is concerned, the API to the network system, typically located on a compact disc, and the same
interface has not changed and it will not notice if the underlying questions are asked of the underlying system. If there are deltas in
subversion system is logging, monitoring, modifying, or dropping the returned data, someone has lied. This technique is particularly
packets that it sends or receives on the interface. [3] useful when looking for file and data directory hiding. It doesn’t
matter if the stealth system is deployed in user-land, kernel mode,
A second example of the effectiveness of a virtualized rootkit is
or in a virtual machine, the results will differ when compared to
the capture and decryption of supposedly encrypted
the same questions asked from a known good secure base [2].
communications. By trapping requests to encrypted socket system
write calls, a virtualized rootkit can intercept and log all traffic An additional method of detection a lies being told from the
before it is sent out the network interface in an encrypted fashion. operating system is to bypass as many layers as possible and
[3] directly examine the underlying hardware. This can be done while
the operating system is still live and does not require a reboot to
The majority of current research on rootkits is being conducted in
be successful. One location that many rootkits fail to execute well
the arena of virtualized subversive malware. New advances in
on is the details involved with the file system. Using statically
both attacks and defenses are continually being released.
compiled tools such as ils and fls from the Coroner’s Toolkit [31]
and Sleuth Kit [32 one can directly access the disk without
4.Detection Techniques requiring any kernel mode or user land calls to occur, thus
Detecting the installation of a rootkit is a very difficult prospect. If bypassing the higher layers. With this technique we can look at
all of the requests for data points can be subverted, how do we the data from a different angle and determine if any
know that the evidence of an installation can be trusted? Generally inconsistencies exist between what the operating system is telling
speaking there are two high level methods to detection of rootkits, us and what direct evidential analysis provides.[25]
detection of presence and detection of behavior. [23]
Along the same line of bypassing operating system layers and
Additionally, there are techniques that can be used to detect
directly analyzing the hardware is to directly review kernel
specific types of rootkit installations that may not be effective on
memory without actually conducting the appropriate system calls
other types of subversive malware.
to gain access to the data. By directly reviewing memory we can
4.1General Detection of Rootkits see if there are deltas in the responses returned by system calls
There are a number of general rootkit detection techniques that when compared with the data gathered from the memory itself. If
are not dependant upon a certain type of rootkit for detection. discrepancies exist, then again we have discovered the existence
These general detection routines take drastically different of a rootkit.
approaches, but all achieve the primary objective of detecting and A final option for the generic detection of stealth systems and
alerting on the existence of stealth based code. rootkits is the utilization of assembly code to directly invoke the
Detecting the presence of a rootkit can be as simple as the transition into the kernel. This method avoids the most common
installation of system monitoring tools, as interesting as difference user and kernel mode Win32 API code and thus the location
based analysis, or as advanced as inline memory scanning for where kernel level rootkit systems will reside. By bypassing this
rootkit evidence. Detection of rootkits as they are being installed API it is possible to have an unfettered look at the underlying
into the system is a method with less false negatives due to the systems without the filtration of return results by an un-trusted
fact that once a system has been infested with a subversive rootkit, intermediary. One issue with this method is that it is not effective
it is difficult, if not impossible to fully trust any request made on against virtualized rootkits that lie below the kernel system. There
the compromised system. An alternative is to scan memory is no known way from user-land or kernel mode starting points to
looking for patterns of evidence that a rootkit may have already bypass a virtualized rootkit that lies between the hardware and the
been installed. While this may seem simpler in some respects, a operating system itself.
rootkit that is already installed can be designed to impede the
memory walks of these types of detection systems. [23] A
4.2Detection of Application Rootkits
Detection of application rootkits can typically be accomplished by
using trusted binaries to analyze the compromised system for
6. anomalies. Trusted binaries are compiled offline in a trusted particular operating system and patch level being reviewed.
environment with statically linked libraries and used in place of However, in this case, the review will be conducted against
the compromised system binaries. In this manner it is possible to system level libraries and comparisons will be done against
analyze the system with confidence that application layer rootkits known good hashes for those same system libraries.
can not obfuscate the return of evidentiary data.
Of high importance when conducting this type of rootkit detection
The difficulty in using this model is the secure transfer of the is that the compilation of the testing tools is done in a secure
binaries into a location where they can be executed on the target environment and utilizes statically linked libraries. By compiling
system. One typical path is to mount the binaries on the target the libraries directly into the binary in a static fashion, we can be
system via the CDROM drive. The question then becomes; what if sure that the safe binaries are not reaching out to compromised
the mount system has been subverted and thus the effectiveness of system libraries on the target host to make required library calls.
the tools undermined? The answer to this is that live state analysis This is of extreme importance when reviewing a system for library
can never be fool-proof. One must be able to analyze the situation level rootkits installations.
from multiple angles to create a situation where there is enough
Again a prevention strategy can be highly effective in detecting a
confidence to conclude that the system is likely secure. If this can
rootkit deployment as it occurs. By installing and actively
not be achieved by live state analysis alone, then the investigator
monitoring a HIDS system, modifications to libraries can be
must move to include other forensics mechanisms.
detected as they happen allowing the system administrator and
In addition to using trusted binaries in live state recovery one incident responder timely notification of the incident.
must know where to look to determine “anomalous” activities. Additionally, some HIDS systems have capabilities built in to not
One such method is to gather cryptographic hashes of potentially only alert the administrator of potentially malicious activities, but
compromised system binaries that can be compared to known they can also block and ask permission of system administrators
good binaries of the same operating system and patch level to prior to allowing execution. While this technique is a not a
determine if they have been modified. Using a trusted program to panacea it can be useful against user level application and library
conduct the hashing of the system files and then systematically targeting rootkits. [22]
comparing them to known good values is relatively easy and will
discover a number of user-land rootkits installations. 4.4Detection of Kernel Rootkits
Detection of kernel based rootkits is significantly more difficult
While looking for anomalous activities on the target system, a than the detection of application and library level stealth systems.
second common location for evidence is within system and user This is primarily due to the fact that we have limited ways of
level configuration files. If an attacker has compromised a target executing trusted binaries against the compromised system. In
host and modified system or user configuration files, these user-land rootkits we are able to isolate our testing and analysis
activities can be detected with a diligent search. System files that tools from the rootkit by ensuring that the binaries we use are
control the configuration of network services, along with history secure and do not rely on the target system in any way. However,
files and event log files, are common places for rootkit based once the kernel itself has been compromised, it is extremely
modification and/or evidentiary artifacts. These techniques are difficult to ensure that our testing tools do not require the
older and thus not commonly discovered in the more advanced underlying kernel to execute our commands.
rootkit systems being created and researched today.
It is said that “an ounce of prevention is worth a pound of 4.4.1Detecting Kernel Hooks
response”. In the case of incident handling and detection of One of the more prominent methods of kernel rootkit related
rootkits, specifically application level rootkits, this is a very true modifications is SSDT hooking. SSDT hooking, as described
statement. Properly preparing for a potential rootkit compromise previously, is redirection of system calls to rootkit defined code.
will allow a quicker and more thorough response to occur. One The SSDT table holds the specific locations to be executed for
method of prevention that can be used is to install a host based each system call. One can attempt to detect modifications to the
intrusion detection engine (HIDS). Many different HIDS solutions SSDT table by checking that the addresses pointed to by the
exist in the market today ranging from signature based solutions SSDT table fall within an expected and acceptable address range.
to heuristic systems and finally more advanced anomaly detection Defining an address range is typically not that difficult as all
engines that compare normal usage patterns to activities to SSDT values should be within the address range of the kernel
determine and alert on any deltas. By installing system monitoring process. By ensuring that the SSDT points to the appropriate
solutions, installation of an application level rootkit becomes ranges it is possible to check with a high probability that the
significantly more complex. [22] SSDT table has not been modified. This same method can be used
to look for kernel hooking in other kernel tables such as the
4.3Detection of Library Level Rootkits Interrupt Descriptor Table (IDT), Import Address Table (IAT),
The techniques used in detection of library level rootkits are very and the Drivers’ I/O Request Packet (IRP) handler.
similar to those used in the detection of regular application level Some rootkits attempt to take this type of discovery method into
rootkit deployments. The primary difference being that system account by attacking higher up the call chain and redirecting the
libraries are the point of infestation instead of the individual system call to a completely fabricated table. While this method of
binaries belonging to the operating system. evasion is another layer of complexity, it is still possible to
Once again the primary method for detecting library level rootkits determine its existence. This time the detection routine must look
is the execution of trusted binaries to determine hash values that at the address that points to the SSDT as a whole and ensure that
can then be compared to known good hash values for the it is located at the correct location in the kernel. If we are being
7. subverted to a different table and redirected for sub function it can Once the target operating system is successfully being executed
be discovered using this method. [22] [23] inside of a virtual machine it is possible to execute a separate
monitoring and analysis function outside of the target operating
4.4.2Detecting Direct Kernel Object Modification system. This engine can directly analyze the kernel and memory
(DKOM) segments that are running in the potentially compromised
Detection of direct kernel object modification based rootkits is an operating system. At this point detection of modified kernel
extremely difficult proposition. Once a piece of rootkit malware components, process blocks, system call tables, etc. can be
has entered the kernel it has a distinct advantage when compared trivially detected without the fear of a kernel level rootkit
with any kernel mode detection routine that attempts to find it at a manipulating investigatory requests [8].
later point in time. Any detection routine that runs at the kernel Two basic techniques of virtual machine based kernel mode
level or higher could potentially be subverted by the rootkit. rootkit detection are cross view detection and kernel integrity
Detection of DKOM rootkits is no exception. If our detection monitoring. Once the virtual machine is in place and monitoring
routines are operating at the same level as the rootkit system we of the guest operating system is occurring cross view detection is
can only hope to analyze the system in a fashion that the rootkit the ability for the virtual machine to inspect responses from the
does not contain anti detection routines for. If there exists an guest operating system as they traverse the VM boundary. It is at
installed kernel level rootkit a detection engine can only hope to that point that the complete unfiltered answer will be seen while
utilize a section of the kernel that has not been subverted to be the guest operating system may present a different answer to the
able to detect the infestation. [14] end user. This again compares inside and outside the
There are two common detection methods for DKOM style compromised system to detect the kernel in a “lie”. [8]
rootkits; thread analysis and direct heuristic memory searching for Kernel integrity checking is the creation of a hash of specific
blocks of data that resemble process management objects. sections of kernel memory during a known good state that is then
Thread analysis detection is enumeration of every thread running used as a comparison baseline periodically to ensure that these
on the operating system and then using that information to back sections of the kernel have not been tampered with. Because the
track to process objects. Thread objects must contain references to tests are conducted at a level of abstraction below the kernel, in a
the process that owns them and as such it is possible to use these virtual machine monitor, there can be assurances that the
references to enumerate a list of all processes on the system. If the information obtained is accurate. [8]
process list that was enumerated by thread backtracking results in Virtual machine monitor usage in kernel mode rootkit detection
a different process list than standard process list walking we have has the potential to be a highly effective mechanism for the
encountered a situation where there is a high chance that the detection of both kernel land and user land subversive malware.
kernel has been directly modified. [8] This method can be
subverted by a rootkit system that hides or modifies threads as 4.4.4Prevention Via Binary Analysis
well as process listings directly in the kernel. Current research has devised a technique that uses binary analysis
The second, and somewhat less direct approach, is creating a at run-time to determine if a particular module could contain
heuristics based system that scans the general kernel memory potentially malicious modifications of the kernel. Due to the
space looking for objects and object signatures that appear similar difficulties in determining, post installation, if a kernel based
to those of a kernel process object. If the system finds an object rootkit has been deployed it is good practice to attempt to analyze
that appears to be a kernel process object it can then determine it modules prior to their execution and insertion into the running
the location in memory is currently linked to the active kernel kernel. [1]
process linked list. If it is not then there is a chance that these The primary basis for binary analysis prevention of rootkit
processes block is an unlinked process that may indicate that a installation is that rootkit related loadable kernel modules and
rootkit has attempted to hide this data from discovery. [8] device drives differ significantly from non-malicious modules.
The first step in determining the difference between safe and
4.4.3Virtual Machine Monitor Usage in Kernel Mode unsafe modules is to profile the behavior of the unsafe rootkits.
Rootkit Detection Subversive malware such as rootkits generally attempt to write to
As seen with the above description of the detection methods for kernel locations that are not normally accessed by safe modules.
DKOM and kernel hooking rootkits, once a rootkit has been Modules that overwrite system call tables, file system functions,
deployed at the kernel it is extremely difficult to ensure that or the list of active processes tend to be malicious in nature.
detection can be achieved. When looking at user space rootkits it
was clear that the most effective detection mechanism was to To be more exact, prevention of kernel mode rootkit installation
install the detection routines at a system layer lower than user via binary analysis looks for two specific malicious behaviors:
space. The same principle applies to kernel mode rootkits. Based “1. The module contains a data transfer instruction that performs a
on research [8] it appears as if the most effective way of detecting write operation to an illegal memory area, or
kernel mode rootkits is to install the detection engine at a layer
below the kernel, in this case a virtual machine monitor. 2. the module contains an instruction sequence that i) uses a
Installation of a VMM that traps, monitors, reviews, and analyzes forbidden kernel symbol reference to calculate an address in the
all calls to the underlying hardware and presents a standard, kernel’s address space and ii) performs a write operation using
software emulated, hardware interface to the original operating this address.” [1]
system should be able to achieve the highest successful detection
rate.
8. By creating white lists of locations in kernel memory that it is safe potentially malicious virtualization layer. The difficult part,
for a module to write to, it is possible to create a system that however, is installing a detection system that actually resides at
detects when unsafe writes to kernel space are about to occur. [1] that lower layer. One mechanism to gain control of a system at a
layer below the installed VMM would be to utilize secure
The primary benefit of using behavioral approaches for detection
hardware. The Intel’s LaGrande system [33], AMD’s platform for
of malicious kernel modules is that, in a similar model to
trustworthy computing [34], and Copilot [35] can all be used to
behavioral based virus detection, it is possible to detect malicious
develop a system that resides below the rootkit’s VMM. It is also
behavior without having to have analyzed and previously created
possible to gain control of a lower level than the virtualized
a signature that matches that activity. [1]
rootkit by booting from a safe medium such as CDROM or USB
key and running the detection system from that safe location. One
4.5Detection of Firmware Rootkits final possible method of gaining access to a layer lower than the
Detection of firmware level rootkits is as theoretical and cutting
virtualized rootkit is to utilize a secure boot system that imbeds its
edge as the creation and execution of firmware rootkits. The most
own virtual machine monitor into the stack by using a safe boot
obvious way to detect firmware rootkits is to disassemble the
routine. Once the safe VMM has been run the boot sequence can
ROMs on a system specifically looking for the following answers:
then boot the original host operating system, thus layering the
• Is it a known good ROM image? results of that boot sequence on top of the safe VM. [3]
• Which interrupts does it hook? 4.6.2From a Layer Above
• Does it contain 32-bit code? While it is most effective to detect virtualized rootkits from a
layer below the malicious software it is also possible to discover
• Are there any suspicious strings or addresses? indications that a virtualized rootkit may be deployed while sitting
at a vantage point above the rootkit installation. The primary
• What does it actually do? [28]
method of rootkit detection is determining locations where the
Static analysis of each individual ROM on a system is the most underlying virtual machine has caused the guest operating system
effective, and yet the most time consuming, method of detecting to either behave differently than normal or in a fashion that is not
firmware level rootkits. standard.
Like other types of rootkit technologies, a little bit of prevention One method of virtualized rootkit detection while located in the
could go a long way towards preventing the installation of a kernel or user space level is by monitoring and comparing timing
firmware rootkit. Some hardware that contains a writeable ROM based functions. The virtualized rootkit adds a layer of overhead
will have a write protect jumper, however this is currently found in processing time that can be detected when compared against an
to be the rare exception. Additionally, requiring signed firmware external time source. The added time to process requests as it
updates for installation would prevent the deployment of a travels through the installed virtual machine monitor will result in
firmware rootkit; but once again this technology is typically not delays that can be timed and tested. This is not a foolproof method
deployed with today’s hardware. of detection as timing methods can be hindered by CPUs that use
temperature based or other power optimization techniques. [7]
As firmware rootkits continue to be researched additional counter
measures must be developed. The concept of a Trusted Platform Another detection method from above the virtualized rootkit is to
Module should be designed and implemented on systems that intentionally execute “buggy” behavior directly in the processor.
must maintain a high level of security assurance. “This TPM Errata exists for the majority of modern day x86 processors that
performs crypto functions (RSA, SHA-1, RNG), can create, details specific “bugs” or errors that may occur in certain
protect and manage keys, contains a unique Endorsement Key (an circumstances. By executing and detecting the existence of these
RSA key), and holds platform measurement hashes. The Secure bugs one may be able to determine if the hardware that is
Startup process builds on top of the TPM to measure each system underneath the operating system is physical hardware or software
boot event and store the hashes in Platform Configuration emulated virtual hardware. [36]
Registers. It then compares these hashes against PCRs on
Additional options for detection become available when dual core
subsequent boot ups to ensure that firmware has not been
systems are utilized. A detection engine could create a thread
modified. [28]
utilizing one core that is a simple loop counter. This loop counter
is set to start and stop in a synchronized fashion with a thread
4.6Detection of Virtualized Rootkits executed on the main core that will be intercepted by the virtual
Defenses against virtualized rootkits come in two flavors, those machine. This allows the system to effectively time the execution
defenses that reside at a layer lower than the virtual machine of the command as it travels through the virtualized rootkit.
rootkit, and those that run at a layer higher than the malware Results will vary greatly between a system with and without a
installation. Depending upon the layer that the detection engine is virtualized rootkit installed. [7]
running at will determine the techniques and ultimately the
effectiveness of the defense strategy. [3] Detection from above is a very difficult prospect lending again to
the idea that prevention of initial rootkit installation is a better
4.6.1From a Layer Below option. Preemptive loading of a hypervisor that intercepts and
The most effective way of detecting a virtualized rootkit is to denies all future attempts at loading a malicious virtualized rootkit
install the detection engine at a layer that exists below the rootkit is a potential option for prevention. The preventative hypervisor
itself. By installing the detection components below the rootkit itself could be created with a minimalist design as it would not
hardware and data access does not have to travel through the have to hide its own presence as a malicious hypervisor would. It
9. would simply need to intercept the commands utilized in Software based memory acquisition is generally less reliable than
hypervisor installation and deny and alert on their execution. [7] other methods of direct memory capture. This is largely because a
rootkit or other subversive piece of malware can easily modify the
Finally, if the virtualized rootkit in question is utilizing hardware
memory being acquired as it is being captured. This will result in
extensions to create a hardware assisted virtualized rootkit, there
data that may have been tampered with and that should not be
exists the option for the hardware manufacturer to physically add
fully relied upon as a sole source of evidence. [5]
security to the underlying processor itself. “In the July 2007
revision of the AMD64 Programmer’s Manual, AMD documents Other options exist that are more likely to return an accurate
a “revision 2” of the SVM architecture, which has the ability to depiction of the running memory. The most common example is
lock the SVM Enable flag, and optionally, to provide a 64-bit key hardware based memory acquisition. Hardware based memory
to unlock it again. If a key is not set before the lock is activated, acquisition requires a physical piece of hardware that is inserted
the SVM Enable flag cannot be changed without a processor into the target system. This device utilizes direct memory access
reset.” [7] By modifying the security model of the underlying to read the physical memory on the host machine. There is no
hardware its possible to limit the effectiveness of hardware software that is required to run on the host and the hardware is
assisted virtualized rootkits. operating system dependant. [5]
Acquiring a memory capture via hardware is highly accurate. It
5.Forensic Implications does not talk to the CPU in any fashion, instead directly
When responding to an incident there is always the question of communicating with the memory. If the operating system in
whether to turn off the machine or to conduct a live state analysis question is compromised with a rootkit, hardware based memory
first. Depending on the choice you make there is a tradeoff that can bypass the malicious modifications and capture an untainted
occurs. If you choose to turn off the machine and conduct a memory snapshot. [5]
forensic examination of the devices without utilizing live state
forensics the results will be steadfast, however you lose access to While hardware based memory acquisition may seem like the
data that is stored in memory and that you otherwise would have perfect solution to live state memory acquisition, recent research
been able to gain evidence from. However if you choose to has been conducted demonstrating that it is possible to subvert
conduct live state analysis you must be aware that the results that hardware based memory acquisition systems on the market today.
are gained from this method are less certain that the standard This attack is based on redirecting the DMA request from the
offline forensic analysis. The primary difference between live and normal hardware location to a location controlled by the attacker.
dead state analysis is the certainty of the results. [12] Rootkit This new location is modified to contain data that can be used to
technologies are specifically designed to undermine the results subvert what is presented to the acquisition device. [5]
gathered from live state forensic techniques. Many times it is a
secondary goal of subversive malware to create a detriment to 5.1.2Live Disc Data Acquisition
obtaining an accurate view of the state of a running system. Similar to live state memory acquisition, live disc data acquisition
can be hindered significantly by subversive rootkits. Without
5.1Live State Evidence Acquisition having a method of bypassing malicious traps created by malware
Live state analysis is the act of gathering data that represents a it is extremely difficult to rely upon live state acquisition of disc
snapshot of the live system that could not possibly be gathered at data. The positive for forensics and incident response is that no
a later date. When compared to dead state analysis, live state additional data will be lost by conducting dead state analysis of
forensics allows an investigator to gather evidentiary data quickly disk drives when compared to the data that can be acquired from
in order to determine the extent of compromise without having to live state analysis. One should always utilize traditional disc based
execute the time consuming, and often tedious, forensic disk forensics as confirmation that any live state disc based evidence
duplication and analysis process. [13] collection is accurate.
Live state analysis is typically used for situations in which turning 5.2Rootkit Data as Source of Evidence
off the target system is a significant detriment to the business Many times the goal of an investigation is to look for evidence
operation that the host is utilized for. It is also common place to that can help to prove or disprove that a particular action or
utilize basic live state forensic techniques as an early responder to activity has occurred. To that extent, detection of a rootkit on a
a potential incident. Many times incident reports turn out to be target host can act as evidence simply by its presence on the
false positives, and the quickness of live state forensics lends system. One must treat the components of the rootkit as any other
itself well to determine the validity of an incident report. In other piece of evidence and take care not to disturb or otherwise taint
cases, live state analysis is used because the investigator does not the data such that it can no longer be used in a court of law.
want the suspect to know that the analysis is occurring. [12]
5.1.1Memory Acquisition 6.Current and Future Research
One of the first steps of live state evidence acquisition is to The majority of current research that is being conducted is
capture of copy of the operational memory on the target system. focused on the following areas: the creation and detection of
This can be accomplished by using either software based or virtualized rootkits, the creation and detection of hardware
hardware base acquisition mechanisms. Software based assisted virtual rootkits, and moving firmware rootkits from the
mechanisms typically involve using tools such as dd [37], Encase realm of theoretical into the practical arena. However, to truly
[38], or ProDiscover [39] in order to take a bit by bit capture of combat the threat that is subversive malware we must think about
the operational memory state. implementing fixes at the lowest computing layer possible, the
10. hardware. Truly trusted systems must utilize software as well as Warsaw Poland
hardware that can be trusted to not be subverted. http://www.invisiblethings.org/papers/ITUnderground2004_
Win_rtks_detection.ppt
7.Conclusion [9] Ford, R., Allen, W., 2007. How Not to be Seen. Security &
This paper has surveyed both the common and cutting edge Privacy Magazine, IEEE.
methods that a subversive processes may use to hide themselves http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=408559
while operating surreptitiously within a target host operating 7
system. We’ve also analyzed the impact of these subversive pieces [10] Ring, S., Cole, E., 2004. Taking a Lesson from Stealthy
of software on the digital forensics process. With the advent of Rootkits. Security & Privacy Magazine, IEEE.
highly effective subversive systems, live state forensics should be http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourceP
considered only one piece of the forensics arsenal and should ath=/dl/mags/sp/&toc=comp/mags/sp/2004/04/j4toc.xml&D
never be relied upon as the sole source of evidentiary data. There OI=10.1109/MSP.2004.57
are many locations within an operating system that a malicious
intruder can implant themselves in order to taint gathered [11] Wang, Y,. Beck, D., 2005. Fast User-Mode Rootkit Scanner
evidence. Continued research surrounding the creation and for the Enterprise. Lisa Conference 2005,
detection of all types of rootkits technologies, as well as their http://www.usenix.org/events/lisa05/tech/full_papers/wang/w
impact on digital forensics, should be conducted in an effort to ang.pdf
ease the burden of live state forensics. [12] Carrier, B.D. 2006. Risks of live digital forensic analysis.
Commun. ACM 49, 2 (Feb. 2006), 56-61. DOI=
8.REFERENCES http://doi.acm.org/10.1145/1113034.1113069
[1] Kruegel, C., Robertson, W., Vigna, G., 2004. Detecting [13] Adelstein, F. 2006. Live forensics: diagnosing your system
Kernel-Level Rootkits Through Binary Analysis. 20th without killing it first. Commun. ACM 49, 2 (Feb. 2006), 63-
Annual Computer Security Applications Conference 66. DOI= http://doi.acm.org/10.1145/1113034.1113070
(ACSAC'04) [14] Quynh, N. A. and Takefuji, Y. 2007. Towards a tamper-
http://csdl.computer.org/dl/proceedings/acsac/2004/2252/00/ resistant kernel rootkit detector. In Proceedings of the 2007
22520091.pdf ACM Symposium on Applied Computing (Seoul, Korea,
[2] Wang, Y., Beck, D., Vo, B., Roussev, R., and Verbowski, C., March 11 - 15, 2007). SAC '07. ACM Press, New York, NY,
2005. Detecting Stealth Software with Strider GhostBuster. 276-283. DOI=
2005 International Conference on Dependable Systems and http://doi.acm.org/10.1145/1244002.1244070
Networks (DSN'05) [15] Preda, M. D., Christodorescu, M., Jha, S., and Debray, S.
http://csdl.computer.org/dl/proceedings/dsn/2005/2282/00/2 2007. A semantics-based approach to malware detection. In
2820368.pdf Proceedings of the 34th Annual ACM SIGPLAN-SIGACT
[3] King, S.T., Chen, P.M., Wang, Y., Verbowski, C., Wang, Symposium on Principles of Programming Languages (Nice,
H.J., Lorch, J.R., 2006. SubVirt: Implementing malware with France, January 17 - 19, 2007). POPL '07. ACM Press, New
virtual machines. 2006 IEEE Symposium on Security and York, NY, 377-388. DOI=
Privacy (S&P'06) http://doi.acm.org/10.1145/1190216.1190270
http://csdl.computer.org/dl/proceedings/sp/2006/2574/00/25 [16] David Geer, "Hackers Get to the Root of the Problem,"
740314.pdf Computer, vol. 39, no. 5, pp. 17-19, May, 2006 DOI=
[4] Rutkowska, J., 2006. Subverting Vista Kernel for Fun and http://doi.ieeecomputersociety.org/10.1109/MC.2006.163
Profit. SyScan ’06 Singapore & Blackhat Briefings 2006 Las [17] Chuvakin, A., “An Overview of UNIX Rootkits”.
Vegas. www.rootsecure.net/content/downloads/pdf/unix_rootkits_ov
http://www.invisiblethings.org/papers/joanna%20rutkowska erview.pdf
%20-%20subverting%20vista%20kernel.ppt
[18] Overton, M., “Rootkits: Risks, Issues and Prevention.” Virus
[5] Rutkowska, J., 2007. Beyond The CPU: Bulletin 2006 Conference,
Defeating Hardware Based RAM Acquisition https://www.virusbtn.com/pdf/conference_slides/2006/Marti
(part I: AMD case). Blackhat Briefings 2007 Washington nOvertonVB2006.pdf
DC. http://invisiblethings.org/papers/cheating-hardware-
memory-acquisition-updated.ppt [19] Ferrie, P., “Attacks on Virtual Machine Emulators”,
Symantec Advanced Threat Research,
[6] Dai Zovi, D.A., 2006. Hardware Virtualization Rootkits. http://www.symantec.com/avcenter/reference/Virtual_Machi
Blackhat Briefings 2006 Las Vegas ne_Threats.pdf
http://www.blackhat.com/presentations/bh-usa-06/BH-US-
06-Zovi.pdf [20] McAfee Whitepaper, “Rootkits Part 1 of 3: The Growing
Threat”,
[7] Myers, M., Youndt, S., 2007. An Introduction to Hardware- http://www.mcafee.com/us/local_content/white_papers/threat
Assisted Virtual Machine (HVM) Rootkits. _center/wp_akapoor_rootkits1_en.pdf
http://www.crucialsecurity.com/documents/hvmrootkits.pdf
[21] Symantec Security Response, “Windows Rootkit Overview”,
[8] Rutkowska, J., 2004. Rootkits Detection on http://www.symantec.com/avcenter/reference/windows.rootki
Windows Systems. ITUnderground Conference 2004, t.overview.pdf
11. [22] Levine, J., Grizzard, J., and Owen, H. 2004. A Methodology [30] Intel VT Technology Web Site
to Detect and Characterize Kernel Level Rootkit Exploits http://www.intel.com/technology/platform-
Involving Redirection of the System Call Table. In technology/virtualization/index.htm
Proceedings of the Second IEEE international information [31] The Coroner’s Toolkit
Assurance Workshop (Iwia'04) (April 08 - 09, 2004). IWIA. http://www.porcupine.org/forensics/tct.html
IEEE Computer Society, Washington, DC, 107.
[32] Sleuth Kit http://www.sleuthkit.org/
[23] Hoglund, G., Butler, J. “Rootkits: Subverting the Windows
Kernel”, 2006 Pearson Education, Inc. [33] Intel Corp. LaGrande Technology Architectural Overview,
2003
[24] Tripwire Web Site http://www.tripwire.com
[34] AMD platform for trustworthy computing. In Win-HEC,
[25] Farmer, D., Venema, W., “Forensic Discovery'', Free version September 2003
of book is available online at:
http://fish2.com/forensics/pipe/ [35] J. Nick L. Petroni, T. Fraser, J. Molina, and W. A. Arbaugh.
Copilot–a Coprocessor-based Kernel Runtime Integrity
[26] Wikiepedia definition of the terms “virtual machine monitor” Monitor. In Proceedings of the 2004 USENIX Security
and “hypervisor”. Symposium, August 2004
http://en.wikipedia.org/wiki/Virtual_machine_monitor
[36] T. Garfinkel and K. Adams, Compatibility is Not
[27] Kong, J. “Designing BSD Rootkits – An Introduction to Transparency: VMM Detection Myths and Realities.
Kernel Hacking”, 2007 No Starch Press http://www.cs.cmu.edu/~jfrankli/hotos07/vmm_detection_ho
http://www.oreilly.com/catalog/1593271425/ tos07.pdf
[28] Heasman, J. “Firmware Rootkits and the Threat to the [37] dd UNIX man page.
Enterprise”, Blackhat DC, 2007 http://www.research.att.com/~gsf/man/man1/dd.html
http://www.ngssoftware.com/research/papers/BH-DC-07-
Heasman.pdf [38] Encase Forensic Toolkit http://www.guidancesoftware.com/
[29] AMD-V Product Web Site http://www.amd.com/us- [39] ProDiscover Forensic Toolkit http://www.techpathways.com/
en/Processors/ProductInformation/0,,30_118_8796_14287,0
0.html