Sony’s Rootkit [most, but not all, of this is derived directly from Mark Russinovich’s blog]
After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit. I doubted that the files had any version information, but ran my Sigcheck utility on them anyway. To my surprise, the majority did have identifying product, file and company strings. I had already recognized Dbghelp.dll and Unicows.dll as Microsoft Windows DLLs by their names. The other files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”:
Sony tests technology to limit CD burning
http://news.cnet.co.uk/digitalmusic/0,39029666,39189658,00.htm
June 1, 2005

As part of its mounting US rollout of content-enhanced and copy-protected CDs, Sony BMG Music Entertainment is testing technology solutions that bar consumers from making additional copies of burned CD-R discs.

Since March, the company has released at least 10 commercial titles -- more than 1 million discs in total -- featuring technology from UK antipiracy specialist First4Internet that allows consumers to make limited copies of protected discs, but blocks users from making copies of the copies.

The concept is known as 'sterile burning'. And in the eyes of Sony BMG executives, the initiative is central to the industry's efforts to curb casual CD burning.

"The casual piracy, the schoolyard piracy, is a huge issue for us," says Thomas Hesse, president of global digital business for Sony BMG. "Two-thirds of all piracy comes from ripping and burning CDs, which is why making the CD a secure format is of the utmost importance."

Names of specific titles carrying the technology were not disclosed. The effort is not specific to First4Internet. Other Sony BMG partners are expected to begin commercial trials of sterile burning within the next month.

To date, most copy protection and other digital rights management (DRM)-based solutions that allow for burning have not included secure burning. Early copy-protected discs as well as all DRM-protected files sold through online retailers like iTunes, Napster and others offer burning of tracks into unprotected WAV files. Those burned CDs can then be ripped back onto a personal computer minus a DRM wrapper and converted into MP3 files.

Under the new solution, tracks ripped and burned from a copy-protected disc are copied to a blank CD in Microsoft's Windows Media Audio format. The DRM embedded on the discs bars the burned CD from being copied.

"The secure burning solution is the sensible way forward," said First4Internet CEO Mathew Gilliat-Smith. "Most consumers accept that making a copy for personal use is really what they want it for. The industry is keen to make sure that is not abused by making copies for other people that would otherwise go buy a CD."

As with other copy-protected discs, albums featuring XCP (extended copy protection) will allow for three copies to be made. However, Sony BMG has said it is not locked into the number of copies. The label is looking to offer consumers a fair-use replication of rights enjoyed on existing CDs.

A key concern with copy-protection efforts remains compatibility. It is a sticking point at Sony BMG and other labels as they look to increase the number of copy-protected CDs they push into the market. Among the biggest headaches is that secure burning means that iPod users do not have any means of transferring tracks to their device, because Apple Computer has yet to licence its FairPlay DRM for use on copy-protected discs.

As for more basic CD player compatibility issues, Gilliat-Smith says the discs are compliant with Sony Philips CD specifications and should therefore play in all conventional CD players.

The moves with First4Internet are part of a larger copy-protection push by Sony BMG that also includes SunnComm and its MediaMax technology. To date, SunnComm has been the music giant's primary partner on commercial releases -- including Velvet Revolver's Contraband and Anthony Hamilton's solo album. In all, more than 5.5 million content-enhanced and protected discs have been shipped featuring SunnComm technology.

First4Internet's XCP has been used previously on prerelease CDs only. Sony BMG is the first to commercially deploy XCP. First4Internet's other clients -- who include Universal Music Group, Warner Music Group and EMI -- are using XCP for prerelease material.

Sony BMG expects that by the end of the year a substantial number of its US releases will employ either MediaMax or XCP. All copy-protected solutions will include such extras as photo galleries, enhanced liner notes and links to other features.
They seemed to need a lot of help …
Is this the author in an earlier life?
I think I have the right man. By the way, I checked the Estyn report on this school; it's a jolly good Welsh-speaking comprehensive in the Rhondda with a “very good” Computer Science Department.
The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:
Process Explorer showed the player as being from Macromedia, but I noticed an increase in CPU usage by $sys$DRMServer.exe, one of the previously cloaked images, when I pressed the play button. A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows:
IMPORTANT-READ CAREFULLY: This compact disc (“CD”) product contains standard so-called “Red Book”-compliant audio files that can be played on any standard CD player, including those contained in many personal home computer systems. As an added feature, this compact disc (“CD”) product also enables you to convert these audio files into digital music files and/or may also contain other already existing digital content (such files and content, collectively, the “DIGITAL CONTENT”), any of which may be stored on the hard drive of a personal home computer system owned by you (“YOUR COMPUTER”) and accessed via YOUR COMPUTER or certain approved, compatible portable devices owned by you (each, an “APPROVED PORTABLE DEVICE”).

Before you can play the audio files on YOUR COMPUTER or create and/or transfer the DIGITAL CONTENT to YOUR COMPUTER, you will need to review and agree to be bound by an end user license agreement or “EULA”, the terms and conditions of which are set forth below. Once you have read these terms and conditions, you will be asked whether or not you agree to be bound by them. Click “AGREE” if you agree to be bound. Click “DISAGREE” if you do not agree to be bound. Please keep in mind, however, that if you do not agree to be bound by these terms and conditions, you will not be able to utilize the audio files or the DIGITAL CONTENT on YOUR COMPUTER. As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Once the SOFTWARE has been installed on YOUR COMPUTER, a menu will then appear on the screen of YOUR COMPUTER, giving you the option of playing the audio files on YOUR COMPUTER, creating a copy of the DIGITAL CONTENT directly onto the hard drive of YOUR COMPUTER, or making a limited number of back-up copies of the CD onto other, recordable CDs. If you choose to create a copy of the DIGITAL CONTENT, the menu will then prompt you to select a file format for the DIGITAL CONTENT. Once you have selected a file format, a copy of the DIGITAL CONTENT will automatically be created in that file format and transferred onto the hard drive of YOUR COMPUTER, where you will be able to access it using an APPROVED MEDIA PLAYER (see below) or, at your election, transfer it from YOUR COMPUTER onto an APPROVED PORTABLE DEVICE. In order to access the DIGITAL CONTENT on YOUR COMPUTER, you will need to have a copy of an approved media player software program that is capable of playing the DIGITAL CONTENT in the file format you selected (each such approved media player, an “APPROVED MEDIA PLAYER”) on YOUR COMPUTER. You may already have a copy of an APPROVED MEDIA PLAYER on YOUR COMPUTER. If you do, you will be able to play the DIGITAL CONTENT on YOUR COMPUTER without doing anything further. This CD may also contain an APPROVED MEDIA PLAYER for the file format you selected. If it does, the menu that appears on the screen of YOUR COMPUTER will prompt you on how to transfer a copy of that APPROVED MEDIA PLAYER onto YOUR COMPUTER. To the extent you utilize an APPROVED MEDIA PLAYER contained on this CD, your use of such APPROVED MEDIA PLAYER may be subject, in each instance, to separate terms and conditions provided by the owner of the APPROVED MEDIA PLAYER concerned.

If you do not already have a copy of an APPROVED MEDIA PLAYER on YOUR COMPUTER, and if this CD does not contain a compatible APPROVED MEDIA PLAYER, then you will then need to secure a compatible APPROVED MEDIA PLAYER elsewhere (e.g., on an Internet website, where you can download one).

END-USER LICENSE AGREEMENT

This End-User License Agreement (“EULA”) is a legal agreement between you and SONY BMG MUSIC ENTERTAINMENT (“SONY BMG”), a general partnership established under Delaware law. By clicking on the “AGREE” button below, you will indicate your acceptance of these terms and conditions, at which point this EULA will become a legally binding agreement between you and SONY BMG.

Article 1. GRANT OF LICENSE

1. Subject to your agreement to the terms and conditions set forth in this EULA, SONY BMG grants to you a personal, non-exclusive and non-transferable license, with no right to grant sublicenses, to:
(a) install one (1) copy of SOFTWARE onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
(b) install one (1) copy of any APPROVED MEDIA PLAYER(S) contained on this CD onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
(c) use the SOFTWARE and any APPROVED MEDIA PLAYER(S) contained on this CD to access the DIGITAL CONTENT on YOUR COMPUTER or on an APPROVED PORTABLE DEVICE;
in each instance, solely for your own personal and private use and not for any other purpose (including, without limitation, any act of electronic or physical distribution, making available, performance or broadcast, or any act for profit or other commercial purpose) and in accordance with the terms and conditions set forth in this EULA.

2. The DIGITAL CONTENT and the SOFTWARE contained on this CD are sometimes referred to herein, collectively, as the “LICENSED MATERIALS”.

Article 2. PRODUCT FEATURES

1. This CD contains technology that is designed to prevent users from making certain, unauthorized uses of the DIGITAL CONTENT, including, without limitation, the following:
(1) making and storing more than one (1) copy of the DIGITAL CONTENT in each available file format on the hard drive of YOUR COMPUTER;
(2) accessing the DIGITAL CONTENT on YOUR COMPUTER (once you have installed a copy of it on the hard drive of YOUR COMPUTER) using a media player that is not an APPROVED MEDIA PLAYER;
(3) transferring copies of the DIGITAL CONTENT that reside on the hard drive of YOUR COMPUTER on to portable devices that are not APPROVED PORTABLE DEVICES;
(4) burning more than three (3) copies of the DIGITAL CONTENT stored on YOUR COMPUTER (ATRAC OpenMG file format only) onto AtracCDs;
(5) burning more than three (3) copies of the DIGITAL CONTENT onto recordable compact discs in the so-called “Red Book”-compliant audio file format; and
(6) burning more than three (3) backup copies of this CD (using the burning application provided on the CD) onto recordable CDs and burning or otherwise making additional copies from the resulting backup copies.

2. PLEASE NOTE: Your use of the DIGITAL CONTENT and the other LICENSED MATERIALS may be subject to additional restrictions, under applicable copyright and other laws, that are not enforced or prescribed by any technology contained on this CD. The absence of any such technology designed to enforce these additional restrictions should in no way be viewed or interpreted as a waiver, on the part of SONY BMG or any other person or entity owning any rights in any of the LICENSED MATERIALS, of their respective rights to enforce any such additional restrictions regarding your use of the LICENSED MATERIALS.
Your use of the DIGITAL CONTENT and the other LICENSED MATERIALS shall, at all times, remain subject to any and all applicable laws governing the use of such materials, including, without limitation, any restrictions on your use prescribed therein. 3.  All of your rights to enjoy the DIGITAL CONTENT, as described herein, shall be subject to your continued ownership of all rights in and to the physical CD on which such DIGITAL CONTENT is embodied; should you transfer your ownership rights in the physical CD on which such DIGITAL CONTENT is embodied (in whole or in part) to any other person (whether by sale, gift or otherwise), your rights in both the physical CD and such DIGITAL CONTENT shall terminate. …
I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec -s -i -d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back.
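The filter-driver registration described above is worth checking without booting the suspect machine, for instance against a `reg export` of its SYSTEM hive taken from a forensic image. The following is an added example, not code from this deck or from Russinovich's blog: it parses Regedit's export format, decodes the REG_MULTI_SZ (`hex(7)`) `UpperFilters` and `LowerFilters` values, and reports any filter driver outside a baseline allowlist. The sample `.reg` text is constructed for the example; the two device-class GUIDs (taken to be the stock IDE ATA/ATAPI and CDROM classes) and the `redbook` baseline entry are assumptions to verify against a known-clean machine of the same Windows build.

```python
"""Offline check for unexpected device-class filter drivers.

Added example, not from the original deck or Mark Russinovich's blog.
Parses text in the format written by `reg export` / Regedit, decodes the
REG_MULTI_SZ (hex(7)) UpperFilters and LowerFilters values, and reports any
filter driver that is not on a baseline allowlist. XCP registered Cor.sys as
an upper filter on the IDE channel device; a check like this finds it from an
exported hive without running the infected system.
"""
import re

# Constructed sample in Regedit export format. The class GUIDs are assumed to
# be the stock IDE ATA/ATAPI ("hdc") and CDROM classes. "Cor" is the XCP
# filter; "redbook" is the normal Windows CD digital-audio filter.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"Class"="hdc"
"UpperFilters"=hex(7):43,00,6f,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"Class"="CDROM"
"UpperFilters"=hex(7):72,00,65,00,64,00,62,00,6f,00,6f,00,6b,00,00,00,\
  00,00
"""

# Baseline of filter drivers you expect on these classes (assumption for the
# example; build the real list from a known-clean machine of the same build).
KNOWN_FILTERS = {"redbook"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}}; hex values that Regedit
    wrapped with a trailing backslash are joined back together first."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
        else:
            m = VALUE_RE.match(line)
            if m and current is not None:
                keys[current][m.group(1)] = m.group(2)
        i += 1
    return keys


def decode_multi_sz(raw):
    """Decode an exported hex(7) REG_MULTI_SZ into its list of strings.
    The bytes are UTF-16LE; each string is NUL-terminated and the list ends
    with one extra NUL."""
    if not raw.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ export: %r" % raw[:16])
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def find_unexpected_filters(reg_text, known=KNOWN_FILTERS):
    """Return (class_guid, value_name, driver) for every filter driver under
    a Control\\Class key that is not in the allowlist (case-insensitive)."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if "\\Control\\Class\\{" not in key:
            continue
        guid = key.rsplit("\\", 1)[1]
        for value_name in ("UpperFilters", "LowerFilters"):
            if value_name in values:
                for drv in decode_multi_sz(values[value_name]):
                    if drv.lower() not in known:
                        findings.append((guid, value_name, drv))
    return findings


if __name__ == "__main__":
    for guid, value_name, drv in find_unexpected_filters(SAMPLE_REG):
        print(f"{guid} {value_name}: unexpected filter driver {drv!r}")
```

On the constructed sample this reports the `Cor` upper filter on the IDE class and stays silent on the CDROM class. Filter drivers are a persistence point worth baselining in general: a driver listed here is loaded into the device stack early in boot, before any user-mode tool gets a look at it.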
Just call your hack $sys$foo and nobody can find it …
Writing to Sony …
And the inevitable threat …
The uninstaller just makes things worse
to the rescue …
Another letter from Sony

 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Rootkit

  • 1. Sony’s Rootkit [most, but not all, of this is derived directly from Mark Russinovich’s blog]
  • 2.
  • 3.  
  • 4.
  • 5.  
  • 6.
  • 7.
  • 8.
  • 9.
  • 10. After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit. I doubted that the files had any version information, but ran my Sigcheck utility on them anyway. To my surprise, the majority did have identifying product, file and company strings. I had already recognized Dbghelp.dll and Unicows.dll as Microsoft Windows DLLs by their names. The other files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”:
  • 11.
  • 12.
  • 13.
  • 14.
  • 15. Is this the author in an earlier life?
  • 16. I think I have the right man. By the way, I checked the Estyn report on this school; it’s a jolly good Welsh-speaking comprehensive in the Rhondda with a “very good” Computer Science Department.
  • 17.
  • 18. The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:
  • 19. Process Explorer showed the player as being from Macromedia, but I noticed an increase in CPU usage by $sys$DRMServer.exe, one of the previously cloaked images, when I pressed the play button. A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snap-in (services.msc) into thinking that it’s a core part of Windows:
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
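A defender-side check for the two tells slides 10 and 19 describe (file and service names carrying the `$sys$` cloaking prefix, and a service display name that imitates a core Windows component while its binary is not Microsoft-signed), as an added example in Python that is not part of the slide deck or of Mark Russinovich’s blog. The service records, their image paths, service names and signer strings are constructed inline; on a live host they would be collected from the Service Control Manager and a signature check.

```python
"""Audit Windows service records for the two tells described in the slides.

Added example, not code from the slides or from Russinovich's blog.  The
records below are CONSTRUCTED to look like an SCM enumeration; the image
paths, service names and signer strings are placeholders, not values taken
from a real host.
"""
import re

# Constructed sample: a genuine Windows service, the DRM service with a
# misleading display name, and an unrelated genuine service.
SAMPLE_SERVICES = [
    {"name": "PlugPlay", "display": "Plug and Play",
     "image": r"C:\Windows\System32\svchost.exe -k DcomLaunch",
     "signer": "Microsoft Windows"},
    {"name": "$sys$DRMServer", "display": "Plug and Play Device Manager",
     "image": r"C:\Windows\System32\PLACEHOLDER_DIR\$sys$DRMServer.exe",
     "signer": "First 4 Internet"},
    {"name": "Spooler", "display": "Print Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe",
     "signer": "Microsoft Windows"},
]

# The prefix the rootkit's driver hid from directory listings and the Registry.
CLOAK_PREFIX = "$sys$"

# Display-name fragments a casual reader associates with core Windows.
WINDOWS_LOOKALIKE = re.compile(r"plug and play|windows|system|microsoft", re.I)

# Signer string accepted as "really Microsoft" (assumption for this sample).
TRUSTED_SIGNER = "Microsoft Windows"


def audit_service(svc):
    """Return the list of findings for one service record (empty if clean)."""
    findings = []
    if CLOAK_PREFIX in svc["name"] or CLOAK_PREFIX in svc["image"]:
        findings.append("cloak-prefix")
    if WINDOWS_LOOKALIKE.search(svc["display"]) and svc["signer"] != TRUSTED_SIGNER:
        findings.append("lookalike-display-name")
    return findings


def audit(services):
    """Map service name -> findings, keeping only services with findings."""
    report = {}
    for svc in services:
        findings = audit_service(svc)
        if findings:
            report[svc["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(findings)}")
```

Only the constructed `$sys$DRMServer` record is reported; the genuine "Plug and Play" service passes because its display name is backed by a Microsoft signer.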