Mathieu Castets October 17th, 2012. What is a rootkit? History Uses Types Detection Removal ...

Post on 13-Jan-2016


Mathieu Castets

October 17th, 2012

What is a rootkit?

History

Uses

Types

Detection

Removal

References

Attackers need root-level access to install a rootkit

Software that hides itself and allows intruders to maintain privileged access

Remotely run commands or extract information

« root » traditional name of the privileged account on UNIX

« kit » software components that implement the tool

In 1986, the first virus, called « Brain virus », was discovered; it used cloaking techniques to hide itself

UNIX: in 1990, written by Lane Davis and Steven Dake

Windows NT: in 1999, NTRootkit

Mac OS X: in 2009

In 2005, Sony BMG published CDs with copy protection and DRM

The software silently installed a rootkit

To cloak itself, the rootkit hid from the user any file starting with $sys$

Software engineer Mark Russinovich discovered it on one of his computers

In 2006, Sony BMG released patches to uninstall the rootkit

Provide an attacker with full access

Hide other malware

Appropriate the compromised machine as a zombie computer

Enforcement of digital rights management (DRM)

Hide cheating in online games

Enhance emulation software and security software

Bypassing Windows Product Activation

Two groups:

Kernel mode/integration: patches the system itself; detection can be complicated; the most dangerous type

Application level: replaces original executable files or modifies the behavior of applications

Alternative trusted medium: shut down the computer and check its storage by booting the system from an alternative trusted medium

Behavioral-based: analyzing system behavior such as application calls and CPU utilisation

The other detection methods we can use are:

Signature-based

Difference-based

Integrity checking

Memory dumps
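Two of the detection methods above, difference-based checking and integrity checking, carried out on constructed sample data as an added example (not code from the original slides): the trusted and live directory listings, the file names and the baseline hashes are all made up for illustration.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample listings of the same directory: one taken after booting
# from a trusted medium, one reported by the running (possibly compromised)
# system. File names are made up; the $sys$ prefix mirrors the cloaking rule
# of the Sony BMG rootkit described on the history slide.
TRUSTED_VIEW: List[str] = [
    "$sys$driver.sys",
    "$sys$config.dat",
    "ntoskrnl.exe",
    "kernel32.dll",
]
LIVE_VIEW: List[str] = ["ntoskrnl.exe", "kernel32.dll"]


def hidden_entries(trusted: Iterable[str], live: Iterable[str]) -> Set[str]:
    """Difference-based detection: entries present in the trusted view but
    missing from the live view are being cloaked from the running OS."""
    return set(trusted) - set(live)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed integrity baseline recorded while the system was known-good,
# and the current file contents (ps has been replaced, as an application-level
# rootkit that swaps executables would do).
BASELINE: Dict[str, str] = {
    "/bin/ls": sha256(b"original ls binary"),
    "/bin/ps": sha256(b"original ps binary"),
}
CURRENT_FILES: Dict[str, bytes] = {
    "/bin/ls": b"original ls binary",
    "/bin/ps": b"trojaned ps binary",
}


def integrity_violations(baseline: Dict[str, str],
                         current: Dict[str, bytes]) -> List[str]:
    """Integrity checking: paths whose current hash differs from the baseline.
    A path missing from the current set also counts as a violation."""
    return sorted(path for path, digest in baseline.items()
                  if path not in current or sha256(current[path]) != digest)


if __name__ == "__main__":
    print("hidden:", sorted(hidden_entries(TRUSTED_VIEW, LIVE_VIEW)))
    print("modified:", integrity_violations(BASELINE, CURRENT_FILES))
```

Both checks only work if the trusted view and the baseline were captured outside the control of the running system, which is why the slides pair them with booting from an alternative trusted medium.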

Manual removal of a rootkit is often too difficult for a typical computer user

As of 2005, Microsoft's monthly Malicious Software Removal Tool is able to detect and remove some classes of rootkits

However, the best way to remove all rootkits is to re-install the operating system

About.com: http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm

Rootkitonline.com: http://www.rootkitonline.com/types-of-rootkits.html

Informit.com: http://www.informit.com/articles/article.aspx?p=23463