The Rootkit Primer - Below Gotham Labs

Recommendations

Info

Technique Countermeasures There are ways to detect if modifications have been instituted Mod Tactic Detection Countermeasures Hooking Manually parse memory, re-build tables Object Patching Cross-view detection, RAM Acquisition Code Patching Code is static → digital signature tests Filter Drivers Careful documentation, tools like DeviceTree.exe Hypervisor Time Analysis, TLB Profiling, etc. Injected Code Standard Auditing Tools, RAM Acquisition Bootkit Offline checksum of boot code NOTE: Naturally, there are counter-countermeasures © Below Gotham Labs, 2009 26
Do We Need to Hide? Traditional rootkits tend to actively conceal things: TCP/IP Port File Registry Key Concealment is based on a trick Once trick is known, it loses its effectiveness Is there a better way, one that doesn’t rely on a trick? © Below Gotham Labs, 2009 Process Driver Service 27
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11 and 12: Kernel-Mode Modification User-Mode
Page 13 and 14: Call Tables Call Table ~ array of f
Page 15 and 16: Kernel Objects The Windows OS is
Page 17 and 18: BOOL flag; if(flag) { //do somethin
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23 and 24: COM Objects Component Object Model
Page 25: Technique Countermeasures As in Gon
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33 and 34: Anti-Forensics Traditional rootkits
Page 35 and 36: Surviving Reboot To persist or not
Page 37 and 38: The Four Evil Masters Media Analysi
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

Create successful ePaper yourself

Delete template?

Save as template?