Points to be covered
- Introduction
- History
- Uses
- Classification
- Installation and Cloaking
- Detection
- Removal
Slide 4
INTRODUCTION
A rootkit is a set of software tools used by a third party, after gaining access to a computer system, to conceal the alteration of files or the processes that third party is running, without the user's knowledge.
Slide 5
INTRODUCTION (continued)
The term rootkit is a concatenation of "root", the superuser account in Unix operating systems, and "kit", which refers to the software components that implement the tool.
Slide 6
HISTORY
- 1986: the very first documented computer virus to target the PC platform.
- 1990: the earliest known rootkit, written for SunOS 4.1.1.
- 1999: a rootkit for the Windows NT operating system appeared.
Slide 7
USES
- Provide an attacker with full access via a back door.
- Conceal other malware.
- Conceal cheating in online games from software.
- Appropriate the compromised machine as a zombie computer for attacks on other computers.
Slide 8
USES (continued)
- Detect attacks.
- Enhance emulation software and security software.
- Anti-theft protection.
- Enforcement of DRM.
CLASSIFICATION (continued)
- User-mode: user-mode rootkits run in Ring 3, as ordinary user processes rather than low-level system processes.
- Kernel-mode: kernel-mode rootkits run with the highest operating system privileges (Ring 0), by adding code to, or replacing portions of, the core operating system, including both the kernel and its associated device drivers.
Slide 11
CLASSIFICATION (continued)
[Figure: Computer security rings]
Slide 12
CLASSIFICATION (continued)
- Boot loader level (bootkit): a bootkit is used predominantly to attack full disk encryption systems.
- Hypervisor level: this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the original operating system.
Slide 13
CLASSIFICATION (continued)
- Hardware/firmware: a firmware rootkit uses device or platform firmware to create a persistent malware image in hardware.
Slide 14
INSTALLATION AND CLOAKING
- Rootkits employ a variety of techniques to gain control of a system.
- The most common is to leverage security vulnerabilities.
- Another approach is to act as a Trojan horse.
- The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI) compensation method for distributors.
Slide 15
DETECTION
- Alternative trusted medium
- Behavioural-based
- Signature-based
- Difference-based
- Integrity checking
- Memory dumps
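The integrity-checking approach from the list above, as an added example that is not part of the original slides: a baseline of file hashes is taken while the system is still trusted, and a later snapshot is compared against it. The scenario in demo() is constructed (a fake bin directory in a temporary folder); a real deployment keeps the baseline off-host or on read-only media, and because a kernel-mode rootkit can falsify what the checker reads, the check is most trustworthy when run from an alternative trusted medium.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (sha256, mode, size) for every regular file under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():  # symlinks skipped; their targets get hashed on their own path
            st = p.lstat()
            snap[p.relative_to(root).as_posix()] = (hash_file(p), st.st_mode, st.st_size)
    return snap

def compare(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a fake bin directory, then simulate rootkit-style changes."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        for tool in ("ls", "ps", "netstat"):
            (bin_dir / tool).write_bytes(b"#!/bin/sh\nexec /usr/bin/" + tool.encode() + b' "$@"\n')
        baseline = snapshot(tmp)  # in practice stored off-host or on read-only media
        # A user-mode rootkit typically replaces listing tools so that its own activity is filtered out.
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\" | grep -v hidden\n")
        (bin_dir / "netstat").unlink()                      # a tool removed outright
        (Path(tmp) / "lib.so").write_bytes(b"constructed placeholder for a dropped component")
        return compare(baseline, snapshot(tmp))

if __name__ == "__main__":
    print(demo())  # {'added': ['lib.so'], 'removed': ['bin/netstat'], 'modified': ['bin/ps']}
```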
Slide 16
REMOVAL
- Some experts believe that the only reliable way to remove a rootkit is to re-install the operating system from trusted media.
- Microsoft's monthly Malicious Software Removal Tool is able to detect and remove some rootkits.
Slide 17
Thank you
Reference: http://en.wikipedia.org/wiki/Rootkit