LKM Rootkits
Instructor: Dr. Harold C. Grossman
Student: Subhra S. Sarkar
Agenda
- What are rootkits?
- Brief history
- What are LKM rootkits?
- Malware classification and rootkit's standing
- Rootkit objectives
- LKM rootkit features
- Case study: Phalanx
- Detection mechanisms
- Conclusion
What are rootkits?
- Tools to conceal information
- Hide files and processes
- Prevent detection
- Backdoor creation
- Remote injection/execution of scripts
- Stealing of confidential information
Brief history
- Ken Thompson's rootkit
- Brain virus
- SunOS rootkit, 1990
- Sony BMG rootkit
- Greek wiretapping
- CarrierIQ rootkit on smartphone and handheld devices
What are LKM rootkits?
- Insertion of malicious code into the kernel on the fly
- Enables overriding of kernel system calls
- Enables manipulation of the /dev/kmem device file, allowing an intruder to virtually control the kernel at runtime and monitor every read/write memory operation
- Allows for CPU register hooking
- Facilitates kernel object hooking
- Allows direct kernel object manipulation
Malware classification and rootkit's standing
As per the malware classification proposed by Joanna Rutkowska at Black Hat 2006, malware can be classified as follows:
- Type 0 malware
- Type 1 malware
- Type 2 malware
- Type 3 malware
Rootkit objectives
Based on the analysis by Nick Petroni and Michael Hicks of the University of Maryland, College Park, the objectives of each rootkit fall into one or more of the following categories (abbreviated as in their paper):
- HID
- PE
- REE
- REC
- NEU
LKM rootkit features
- File hiding
- Process hiding
- Backdoor creation
- Defense neutralization
- Survival beyond system reboot
- Keystroke logging
- Network layer obfuscation
Case study: Phalanx
Phalanx's special features include the following:
- SSH credential stealing
- Manipulating memory operations by hijacking /dev/kmem
- Sophisticated socket, process and file hiding mechanisms
- TTY sniffer, keystroke logging
- Does not show up in process listings via ps or ls /proc
Detection mechanisms
- Use of signature-based rootkit detection software such as rkhunter, chkrootkit, etc.
- Regularly examining systems where SSH keys are used as part of a passwordless authentication mechanism
- Encouraging users to use keys with passphrases
- Applying regular security patches to the system
- LKM filtering
- HIDS
- LIDS
- State-based control-flow integrity test (SBCFI)
- Detection based on the distribution of system calls (Anderson-Darling)
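As an added example that is not part of the presentation, here is a cross-view check in the spirit of the detection mechanisms above: a Phalanx-style rootkit that filters the /proc listing so that ps and ls /proc miss its process can still be spotted by probing PIDs with kill(pid, 0), which never goes through the hooked directory listing. It assumes Linux with a readable /proc; all function names are my own.

```python
import os


def listed_pids(proc_root="/proc"):
    """PIDs visible through readdir of /proc: the view ps and ls /proc use,
    and the one a rootkit's hooked getdents filters."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid):
    """PIDs that exist according to kill(pid, 0), a path that does not touch /proc."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but owned by another user
        found.add(pid)
    return found


def is_thread(pid, proc_root="/proc"):
    """kill() also answers for thread IDs, which readdir never lists, so drop
    entries whose Tgid differs from the probed ID. Unreadable status -> keep it."""
    try:
        with open(f"{proc_root}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def hidden_pids(listed, probed, thread_check=lambda pid: False):
    """Process IDs the kernel confirms but the /proc listing omits."""
    return sorted(pid for pid in probed - listed if not thread_check(pid))


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound for the probe; fall back to the historical default."""
    try:
        with open(path) as f:
            return int(f.read())
    except OSError:
        return 32768


if __name__ == "__main__":
    suspects = hidden_pids(listed_pids(), probed_pids(read_pid_max()), is_thread)
    print("hidden PIDs:", suspects or "none")
```

A rootkit that also hooks the kill system call defeats this particular cross-view, which is why the slides list several independent mechanisms rather than one.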
Conclusion
In this presentation, we have provided a general overview of rootkits, LKM rootkits in particular: their objectives, specific features, infection mechanisms and attack methodologies, and various detection mechanisms for both user-space and kernel-space rootkits.
References
- http://smartech.gatech.edu/jspui/handle/1853/34844
- http://www.cs.umd.edu/~mwh/papers/CS-TR-4880.pdf
- http://bitblaze.cs.berkeley.edu/papers/hookfinder_ndss08.pdf
- http://dl.acm.org/citation.cfm?id=1368515
- http://research.microsoft.com/pubs/153181/hookmapraid08.pdf
- http://www.mobile-download.net/Soft/Soft_2334.htm
- http://en.wikipedia.org/wiki/Rootkit
- http://packetstormsecurity.org/search/?q=phalanx
Questions?
Thank You