Rootkits Jonathan Barella Chad Petersen

Upload: bethany-heather-porter

Post on 20-Jan-2018


DESCRIPTION

What is a Rootkit, and how does it work Jonathan Barella

TRANSCRIPT

Page 1: Rootkits Jonathan Barella Chad Petersen. Overview What are rootkits How do rootkits work How to detect…

Rootkits

Jonathan Barella, Chad Petersen

Page 2: Overview

• What are rootkits
• How do rootkits work
• How to detect rootkits
• How to remove rootkits

Page 3: What is a Rootkit, and how does it work?

Jonathan Barella

Page 4: What are rootkits?

• A rootkit is a small, sophisticated piece of support software that can enable malicious software to run on the compromised computer
• Commonly associated with spies because of the common goals they share
• Used in almost every modern piece of malware in the wild today

Page 5: What are rootkits?

• Broadly defined by Symantec as “any software that acquires and maintains privileged access to the Operating System (OS) while hiding its presence by subverting normal OS behavior”
• Designed with three main objectives:
  • Run
  • Hide
  • Act

Page 6: How do rootkits work? Subverting normal OS behavior

• Vulnerabilities
  • Operating system
  • Applications
• Exploits
  • Java
  • HTML/scripting
• Social engineering
  • Spam
  • Downloading
  • Installation

Page 7: How do rootkits work? Hooking operating system APIs

Page 8: How do rootkits work? Hiding in unused space on the compromised system

Page 9: How do rootkits work? Infect the Master Boot Record (MBR)

Page 10: How do rootkits work?

Page 11: How do rootkits work?

This is the ultimate goal: to be hidden from the system's view.

Page 12: Finding and Removing Rootkits

Chad Petersen

Page 13: Detection Methods

• Behavioral
• Integrity
• Signature
• Difference

Page 14: Behavioral Detection

• Pros
  • Can detect unknown rootkits
• Cons
  • Requires a “normal” history
  • Not easy to use
  • False positives

Page 15: Integrity Detection

• Pros
  • Know what files change
  • When files change
  • What changes files
• Cons
  • Requires many updates
  • Rootkit can seed itself in an update

Page 16: Signature Based Detection

• Pros
  • Reliably finds known kits
  • Easy to use
  • Few false positives
• Cons
  • Large number of updates
  • Does not detect new kits

Page 17: Diff Based Detection

• Pros
  • Good at finding anomalies in any system
• Cons
  • Does not work well if the scan is run on the infected system
  • Must have the knowledge to decipher flagged programs
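Integrity detection (page 15) and diff based detection (page 17) in practice, as an added Python example that is not part of the original slides: every regular file under a directory is hashed into a baseline snapshot taken while the host is believed clean, and a later snapshot is diffed against it to report exactly which files were added, removed or modified. The directory tree and the tampering it catches are constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (sha256, size) for every regular file under root, keyed by
    POSIX-style relative path so snapshots of different roots compare."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            # Hash the content, not just size/mtime: timestamps can be
            # restored after a binary is patched, the digest cannot.
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            state[p.relative_to(root).as_posix()] = (digest, p.stat().st_size)
    return state


def diff_snapshots(baseline, current):
    """Compare a trusted baseline with a later snapshot of the same tree.
    Returns sorted lists of added, removed and content-modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k][0] != current[k][0]),
    }


def demo():
    """Constructed scenario (no real system files): baseline a clean tree,
    then simulate a patched binary, a dropped file and a deleted log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "var").mkdir()
        (root / "var" / "syslog").write_bytes(b"boot ok\n")
        baseline = snapshot(root)  # must be taken while the host is known-clean
        (root / "bin" / "ls").write_bytes(b"patched ls binary")   # modified
        (root / "bin" / "hidden.ko").write_bytes(b"dropped file")  # added
        (root / "var" / "syslog").unlink()                          # removed
        return diff_snapshots(baseline, snapshot(root))
```

The scanner reads files through the operating system, so a kernel rootkit that hooks the file APIs (page 7) can feed it clean data; this is the page 17 caveat, and the reason such baselines are best compared from trusted boot media.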

Page 18: Be Vigilant

• Lastly, the user can sometimes tell when something is amiss
  • Network traffic spike
  • Large decrease in performance
• Rootkits can infect user files, kernel files, the boot loader, a hypervisor, and hardware firmware

Page 19: Steps Once Identified

• Quarantine
  • Encryption
  • Permissions
• Decide
  • Repair or delete

Page 20: Q&A