Post on 13-Jan-2016
Mathieu Castets
October 17th, 2012
What is a rootkit?
History
Uses
Types
Detection
Removal
References
Attackers need root-level access to install a rootkit
Software that hides itself and allows intruders to maintain privileged access
Remotely run commands or extract information
« root »: the traditional name of the privileged account on UNIX
« kit »: the software components that implement the tool
In 1986, the first virus, called « Brain virus », was discovered; it used cloaking techniques to hide itself
UNIX: 1990, written by Lane Davis and Steven Dake
Windows NT: 1999, NTRootkit
Mac OS X: 2009
In 2005, Sony BMG published CDs with copy protection and DRM
The software silently installed a rootkit
To cloak itself, the rootkit hid from the user any file whose name started with $sys$
Software engineer Mark Russinovich discovered it on one of his computers
In 2006, Sony BMG released patches to uninstall the rootkit
Provide an attacker with full access
Hide other malware
Appropriate the compromised machine as a zombie computer
Enforce digital rights management (DRM)
Hide cheating in online games
Enhance emulation software and security software
Bypass Windows Product Activation
Two groups:
Kernel mode/integration: patches the system; detection can be complicated; the most dangerous
Application level: replaces original executable files; modifies the behavior of applications
Alternative trusted medium: shut down the computer and check its storage by booting the system from an alternative trusted medium
Behavioral-based: analyzing system behavior such as application calls and CPU utilisation
The other detection methods we can use are:
Signature-based
Difference-based
Integrity checking
Memory dumps
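The following is an added example, not part of the original presentation, showing two of the detection methods listed above in working code: integrity checking (hash every file against a previously recorded baseline and report anything added, removed or modified, which catches the application-level rootkit that replaces an executable) and difference-based detection (compare a trusted listing of a directory against the listing the possibly-hooked system API returns, which is how a cloaked $sys$ file becomes visible). The directory contents, the "trojaned" binary and the $sys$example.sys name are all constructed for the demonstration; the function names are my own and nothing here comes from the slides' sources.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its SHA-256 digest.

    In practice the baseline is taken from a known-good system and stored off-box,
    since a rootkit that can patch binaries can also patch a baseline kept locally.
    """
    baseline: dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_baselines(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Integrity check: report files added, removed or modified since the baseline was taken."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def cross_view_diff(trusted_view: list[str], api_view: list[str]) -> list[str]:
    """Difference-based check: names present in the trusted view (e.g. raw disk read or an
    alternative boot medium) but absent from the view the running system's API reports.
    Any such name is being hidden from the user."""
    return sorted(set(trusted_view) - set(api_view))


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Run both checks on constructed data and return (integrity report, hidden names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc.conf").write_bytes(b"key=value\n")
        baseline = build_baseline(root)

        # Simulate an application-level rootkit: the ls binary is replaced and a new file dropped.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary (constructed)")
        (root / "bin" / "hidden").write_bytes(b"new file (constructed)")
        report = compare_baselines(baseline, build_baseline(root))

    # Constructed listings: the trusted view sees a $sys$ file that the hooked API view omits.
    trusted = ["$sys$example.sys", "driver.sys", "notes.txt"]
    api = ["driver.sys", "notes.txt"]
    hidden = cross_view_diff(trusted, api)
    return report, hidden


if __name__ == "__main__":
    integrity_report, hidden_names = demo()
    print("integrity:", integrity_report)
    print("hidden from API view:", hidden_names)
```

Both checks only work if the reference side is trustworthy: the baseline must be recorded before compromise and stored where the machine cannot alter it, and the "trusted view" must come from outside the running kernel (the alternative boot medium the slide describes), otherwise a kernel-mode rootkit simply lies to both sides of the comparison.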
Manual removal of a rootkit is often too difficult for a typical computer user
Since 2005, Microsoft's monthly Malicious Software Removal Tool has been able to detect and remove some classes of rootkits
However, the best way to remove all rootkits is to re-install the operating system
About.com: http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm
Rootkitonline.com: http://www.rootkitonline.com/types-of-rootkits.html
Informit.com: http://www.informit.com/articles/article.aspx?p=23463