The Rootkit Primer - Below Gotham Labs

Recommendations

Info

Persisting on Storage In this case, you’ll need to contend with media analysis Stage of Analysis Sample Countermeasures Forensic Duplication Reserved Disk Regions (e.g. HPA, DCO) Recover Deleted Files File Wiping, Scrubbing Metadata, Encryption Collect File Metadata Altering Metadata (e.g. Timestomp) Remove Known Files Preimage Attack, Flooding, Hiding File Signature Analysis Embed text in an .EXE, encode .EXE files Static Binary Analysis Encryption, Compression, Camouflage Dynamic Binary Analysis Obfuscation, Code Morphing, Landmines Defense in Depth: Utilize multiple tactics (buy time) © Below Gotham Labs, 2009 36
The Four Evil Masters Media Analysis countermeasures fall into four categories Data Destruction (file wiping, scrubbing file system metadata) Data Hiding In-Band (file system structures, e.g. FISTing) Out-of-Band (slack space) Application Layer (hiding data in the registry) Data Transformation (encryption, direct alteration, code morphing) Data Fabrication (VERSIONINFO, introduce a known bad file) © Below Gotham Labs, 2009 37
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11 and 12: Kernel-Mode Modification User-Mode
Page 13 and 14: Call Tables Call Table ~ array of f
Page 15 and 16: Kernel Objects The Windows OS is
Page 17 and 18: BOOL flag; if(flag) { //do somethin
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23 and 24: COM Objects Component Object Model
Page 25 and 26: Technique Countermeasures As in Gon
Page 27 and 28: Do We Need to Hide? Traditional roo
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33 and 34: Anti-Forensics Traditional rootkits
Page 35: Surviving Reboot To persist or not
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

Create successful ePaper yourself

Delete template?

Save as template?