Home > Reviews, Technology > Detection and Prevention of Rootkits

Detection and Prevention of Rootkits

I’m very happy to be a part of seminar on “Detection and Prevention of Rootkits by CICSO official”. Here are some of the excerpts I want to share with you.

The seminar has started at 10:00AM at the “Main Seminar Hall” of National Institute Technology Karnataka, Surathkal. The whole seminar hall was full with enthusiastic security professors and students.

What is a Rootkit?

A Root kit is a set of programs or code that allows a permanent and consistent, undetectable presence on a computer.

The definition of the Rootkit aptly tells that it is a set of programs or program that cannot be detectable by any “Anti Virus” even the user  or administrator of the system that the system has been compromised.

One possible way of inserting malicious program is using the vulnerabilities. Vulnerabilities in the code due to flaws of  a programmer such as buffer overflow. Buffer overflow occurs when the programmer allocates the buffer but doesn’t delete the buffer, attacker uses this and adds his malicious code inside the buffer and makes that run by the compiler. Compiler doesn’t make any distinction between the data or code, whenever it sees a code it executes it In this way the attacker compromises the system.

RootKits are coolection of tools that allow an attacker to

-Keep backdoor access into a system

-Collect information on other system on the network via sniffing

-Mask the fact that the system is compromised

-Replace official sytems programs with modified alternatives

Rootkits are typically Trojan combined with a backdoor

There are two types of Rootkits

1) User mode Rootkits: (Application Rootkits) These replace the user mode applications such as “ls” command in Linux with the changed program so user or administrator never knows that the behavior of the system.

One example of the application rootkit is that it changes the command “ps” inorder not to list the trojan.

2) Kernel mode Rootkits: This type of Rootkits change the Kernel mode applications or programs such as changing device driver program code so as to hide themselves. These type of Rootkits are more sophisticated than that of Application Rootkits.

These are installed via loadable modules, but can also install via /dev/kmem

Nefarious program that runs in the user mode is hidden by the Kernel Rootkits

Virtual Machine Rootkit:

It makes the system as virtual machine. The root kit acts as a “Base” Operating System the actual operating sytem works as a “Guest” Operating System. Till now there is no way for the operating system to know whether it is running as a host operating sytem or Guest operating system.

This is the most concerning security aspect but there are special products through which we can detect the Virtual Machine Rootkits too.

One example of this kind is the “Subvirt”

Before going to the Prevention mechanism Let us see the different trends of these Rootkits

1) First Generation: In the year 1989 the first Rootkit came into existence called “Phrack”

2) Second Generation: Kernel Rootkits

3) Third Generation: Patched OS Kernel

4) Fourth Generation: Virtual Machine Rootkits

Detection and Prevention:

Application rootkits may not replace all the commands so find the difference between “ls-R” and “find” if any contradictory results are observed

Try to find the difference between the keyboard response time and consumed CPU cycles.

Find for the Keyboard sniffing and network sniffing activities

Look for the filters

As you know the mechanism of the Rootkit you can come up with some ideas how to prevent it

Here are some of the existing methods to prevent these

Don’t let the attacker to get the root access

Filter all calls to CreateService() method calls

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: