Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

More documents

Recommendations

Info

Self-Preservation: Step 2Prevent a rootkit <strong>from</strong> making itself permanentDisable any attempt to createHKLM\SYSTEM\CurrentControlSet\*\Type withtype 0 or 1 (change to 4 for disabled)Disable any attempt to modify an existing anHKLM\SYSTEM\CurrentControlSet\*\TypeLimitations:The rootkit may physically patch hal.dll,ntoskrnl.exe, etc.Be wary of accessing the registry keys throughsymbolic links
Self-Preservation: Step 3Ensure no driver except FAT/NTFS loads before usInstall ourselves at the beginning of the “BootBus Extender”Prevent any changes toHKLM\SYTSEM\CurrentControlSet\GroupOrderList
Page 2: AgendaBasics about RootkitsCurrent
Page 5 and 6: Rootkit DetectionAt the beginning o
Page 7 and 8: Rootkit Detection Anti-VirusVery ef
Page 9 and 10: Rootkit Detection Host IPSTwo layer
Page 11 and 12: Rootkit DetectionExecution Path Ana
Page 13 and 14: Rootkit Detection DifferentialQuery
Page 15 and 16: Rootkit Technologies IntroductionUs
Page 17 and 18: Rootkit TechnologiesGetting into Ke
Page 19 and 20: Rootkit TechnologiesGetting into Ke
Page 21 and 22: Better Method…IntroductionCan be
Page 23 and 24: Better Method…Windows Executive O
Page 25 and 26: Better Method…ExampleDuring syste
Page 27 and 28: Better Method…In the callback, we
Page 29 and 30: Better Method…How ToIf we want to
Page 31 and 32: Detecting Driver LoadingCreating se
Page 33 and 34: Detecting Dispatch HooksEnumerate D
Page 35 and 36: Removing a Rootkit…Still experime
Page 37: Self-Preservation: Step 1Prevent a
Page 41 and 42: SummaryPresented a method of observ
Page 43 and 44: STKIT- Shok Toolkit JRemember this

Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

Create successful ePaper yourself

Delete template?

Save as template?