Rootkits
July 2009
Slide 1
What is a rootkit?
A rootkit is a program that, once installed, tries to hide itself (and usually other processes, files or network connections) from detection. It does not itself grant administrative privileges: it has to be installed by someone who already has the rights to modify the system (on a Unix host, typically root). In other words, a rootkit conceals an existing compromise; it does not create one.
What is a Rootkit?
The purpose or function of the rootkit will vary depending on what it was written to do. Some rootkits install keyloggers, some provide back-doors for access, but in general they preserve access to the system for unauthorized users.
Rootkits vs Viruses
A rootkit will not normally try to spread to other systems once it is installed, unlike a virus, but it will try to maintain its control of the system. A rootkit may be installed by other malware, usually a trojan.
Rootkits need to be installed by an administrative-level user. This can be accomplished by physical access to the system, or by the system admin unwittingly installing applications or device drivers that contain a trojan.
For example, the rootkit will most likely modify the output of a process list so that it doesn't show itself. Likewise, a file listing will not show the rootkit's files. The hiding works by lying to the tools that ask (by replacing ps and ls, or by hooking the system calls they use), which is why the detectors below compare more than one view of the same data rather than trusting a single listing.
Detector - chkrootkit
chkrootkit
http://www.chkrootkit.org/
chkrootkit is a tool that checks for signs of a rootkit. It checks for changes in binaries, NIC promiscuous mode, lastlog deletion, log tampering, rootkit config files, and hidden processes. chkrootkit has been tested on:
Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x; FreeBSD 2.2.x, 3.x, 4.x and 5.x; OpenBSD 2.x, 3.x and 4.x; NetBSD 1.6.x; Solaris 2.5.1, 2.6, 8.0 and 9.0; HP-UX 11; Tru64; BSDI and Mac OS X
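Two of the checks listed above, the hidden-process test and the promiscuous-NIC test, written out as an added example (this is not chkrootkit's own code, and it also illustrates the "more than one view" idea from the process-list slide). The collectors assume a Linux /proc and /sys layout and IFF_PROMISC == 0x100; the decision functions take plain data so they can be exercised on constructed input.

```python
"""Cross-view check for hidden processes plus a promiscuous-mode check.

Added example, not chkrootkit's code.  Assumptions: Linux /proc and
/sys/class/net layout, IFF_PROMISC == 0x100.
"""
import os

IFF_PROMISC = 0x100  # Linux net_device flag, exposed in /sys/class/net/<if>/flags


def find_hidden_pids(listed, probed):
    """PIDs the kernel answers for but the directory listing omitted.

    'listed' is what readdir() on /proc returned (the view ps and top use);
    'probed' is every PID for which kill(pid, 0) did not report ESRCH.
    A rootkit that only filters readdir() leaves the difference non-empty.
    """
    return sorted(set(probed) - set(listed))


def list_proc_pids(proc="/proc"):
    """Visible view: numeric entries readdir() reports under /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def _thread_group_of(pid, proc="/proc"):
    """Tgid from /proc/<pid>/status via a direct path lookup (not readdir).
    Returns None if the entry cannot be read, e.g. because it is hidden."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def probe_pids(max_pid=None, proc="/proc"):
    """Ground-truth view: ask the kernel about every PID with kill(pid, 0).

    EPERM (PermissionError) means the process exists but is not ours; ESRCH
    (ProcessLookupError) means nothing is there.  On Linux kill() also answers
    for thread IDs, which never appear in /proc, so threads are dropped to
    avoid false positives (their group leader is checked on its own); a
    thread whose status file cannot be read is kept, as that is suspicious.
    """
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 65536
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        tgid = _thread_group_of(pid, proc)
        if tgid is not None and tgid != pid:
            continue
        alive.add(pid)
    return alive


def is_promiscuous(flags_hex):
    """Decode the hex flags string read from /sys/class/net/<if>/flags."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Interfaces currently in promiscuous mode (a sniffer is the usual cause)."""
    found = []
    for iface in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as fh:
                if is_promiscuous(fh.read().strip()):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or flags not readable
    return found


if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids(list_proc_pids(), probe_pids()) or "none")
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
```

The two views are taken at different moments, so a process that starts or exits between them shows up as a one-off difference; real tools take several samples and only report a PID that is consistently missing. A kernel rootkit that hooks both getdents and kill consistently will defeat this check entirely, which is why the removal slide insists on booting clean media for a trustworthy view.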
Detector - rkhunter
Rootkit Hunter
http://www.rootkit.nl/projects/rootkit_hunter.html
Rootkit Hunter (rkhunter) is a rootkit scanning tool. It checks for changes in binaries, rootkit files, hidden files, and wrong binary permissions, among other things. It is supported on most Linux and BSD distributions, and on Solaris/SunOS. It is not supported on NetBSD.
Detector - OSSEC
OSSEC
http://www.ossec.net/main/
OSSEC is an Open Source Host-based Intrusion Detection System (HIDS). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, Mac OS, Solaris, HP-UX, AIX and Windows.
Other Tools
These tools are meant to be run before infection, to record a trusted baseline of the file system, and periodically thereafter to check for system changes:
AIDE (Advanced Intrusion Detection Environment)
http://www.cs.tut.fi/~rammer/aide.html
AIDE is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.
AFICK (Another File Integrity Checker)
http://afick.sourceforge.net/
AFICK is a security tool very close to the well-known Tripwire. It allows you to monitor changes on your file systems, and so can detect intrusions.
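What a file integrity checker of this kind actually does, as an added example (not AIDE's or AFICK's code): record a baseline of every file under a root while the system is trusted, store it somewhere the host cannot rewrite, and later diff the live tree against it. The function names and the tampered sample tree in demo() are this example's own constructions.

```python
"""Minimal AIDE/Tripwire-style file integrity checker (added example)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path):
    """Attributes worth watching: content hash, permissions, owner, size.
    Uses lstat so a symlink is recorded by its target rather than followed;
    a link re-pointed at a trojan then shows up as a change."""
    st = os.lstat(path)
    rec = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        rec["sha256"] = sha256_of(path)
    return rec


def build_baseline(root):
    """Map of path-relative-to-root -> record for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare_trees(baseline, current):
    """Report paths that appeared, vanished, or whose record differs."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it the way a
    rootkit install would, and return the comparison report."""
    root = tempfile.mkdtemp(prefix="fic-tree-")
    db_dir = tempfile.mkdtemp(prefix="fic-db-")  # stands in for read-only media
    try:
        seed = {"bin/ls": b"original ls", "bin/sh": b"#!/bin/sh\n",
                "var/log/lastlog": b"\x00" * 32}
        for rel, data in seed.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        store = os.path.join(db_dir, "baseline.json")
        save_baseline(build_baseline(root), store)

        # Tampering: ls swapped for a same-size trojan (a size check alone
        # would miss it), sh given the setuid bit as a backdoor, a hidden
        # library dropped in, and lastlog deleted to erase login history.
        with open(os.path.join(root, "bin/ls"), "wb") as fh:
            fh.write(b"trojaned ls")
        os.chmod(os.path.join(root, "bin/sh"), 0o4755)
        os.makedirs(os.path.join(root, "usr/lib"))
        with open(os.path.join(root, "usr/lib/.hidden.so"), "wb") as fh:
            fh.write(b"\x7fELF")
        os.remove(os.path.join(root, "var/log/lastlog"))

        return compare_trees(load_baseline(store), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(db_dir, ignore_errors=True)
```

The baseline and the checker binary itself must live on media the attacker cannot modify, or the first thing a rootkit install does is re-baseline. Timestamps are left out of the record on purpose here since touch resets them trivially; the content hash is what catches the swapped ls. A kernel-level rootkit can still feed the checker the original bytes while executing trojaned ones, which is the case the removal slide's "boot from a clean copy of the OS" covers.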
Removal
What do you do if a checker finds a rootkit or you suspect you have one?
Easy way: Reformat and reinstall the OS.
Hard way: Boot with a clean, read-only copy of an OS (via live CD, etc.) and remove the infected files manually.
Either way, do not run the cleanup from the compromised OS itself: its ps, ls and kernel may be exactly the things lying to you.
http://en.wikipedia.org/wiki/Rootkit
Conclusion
A binary's download source/repository should be verified as legitimate and the files checked with an anti-virus/rootkit scanner before installation. Physical security of a system is also vital. Although rootkits may not be extremely prevalent, using a rootkit checker along with a file integrity checker should be considered good practice.
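One concrete form of "check the files before installation": verifying what was downloaded against the publisher's checksum list. This is an added example, not any project's release tooling; the `<hex>  <name>` line format is the one sha256sum produces, and the file names in demo() are constructed for the example.

```python
"""Verify downloaded files against a published SHA256SUMS list (added example)."""
import hashlib
import hmac
import os
import shutil
import tempfile


def parse_checksums(text):
    """Parse sha256sum output: '<hex>  <name>' or '<hex> *<name>' (binary mode).
    Blank lines and '#' comments are skipped.  A name with a directory
    component is rejected: the list may come from the same server as the
    binary, and '../' in it must not steer the check outside the download dir."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError("malformed checksum line: %r" % raw)
        if os.path.basename(name) != name:
            raise ValueError("path component in checksum entry: %r" % name)
        sums[name] = digest.lower()
    return sums


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(sums, directory):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    result = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        actual = sha256_of(path)
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return result


def demo():
    """Constructed download directory: one intact file, one whose bytes were
    altered in transit, and one listed file that never arrived."""
    root = tempfile.mkdtemp(prefix="dl-")
    try:
        good = b"#!/bin/sh\necho hello\n"
        with open(os.path.join(root, "tool-1.0.sh"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(root, "tool-1.0.tar.gz"), "wb") as fh:
            fh.write(b"not the bytes the publisher shipped")
        listing = "\n".join([
            "# SHA256SUMS (constructed for this example)",
            hashlib.sha256(good).hexdigest() + "  tool-1.0.sh",
            "0" * 64 + " *tool-1.0.tar.gz",
            "1" * 64 + "  tool-1.0.sig",
        ])
        return verify_downloads(parse_checksums(listing), root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

A checksum list fetched from the same place as the binary only protects against corruption: whoever replaced the binary can replace the list. For tampering you need the sums from an independent channel, or a signature over them that you verify first; the scanner pass the slide recommends is a separate, additional check on the content itself.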
Questions?
Thank You