The Rootkit Primer - Below Gotham Labs

Recommendations

Info

Worst-Case Scenario In a high security computing environment You may run up against someone like this Richard Bejtlich Director of Incident Response, General Electric Former military intelligence officer (AFCERT, AFIWC, AIA) For monitored targets, anti-forensics are a necessity Counterintelligence people often start by assuming compromise Auditors may perform forensic analysis preemptively These people have the time, motivation, and skill to track you down © Below Gotham Labs, 2009 34
Surviving Reboot To persist or not to persist, that is the question… © Below Gotham Labs, 2009 35
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11 and 12: Kernel-Mode Modification User-Mode
Page 13 and 14: Call Tables Call Table ~ array of f
Page 15 and 16: Kernel Objects The Windows OS is
Page 17 and 18: BOOL flag; if(flag) { //do somethin
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23 and 24: COM Objects Component Object Model
Page 25 and 26: Technique Countermeasures As in Gon
Page 27 and 28: Do We Need to Hide? Traditional roo
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33: Anti-Forensics Traditional rootkits
Page 37 and 38: The Four Evil Masters Media Analysi
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?