Rootkits: A State of the Art
Rootkits have always been a part of computer compromises. The first thing an attacker does right after gaining sufficient access to a box is to make himself at home, as discreetly as possible, so that he can come back later without having to rely on vulnerabilities that may or may not still be present and without having to replay all the steps of the attack.
Author: Chico Del Rio (chicodelrio@gmail.com)
Source: http://hakin9.org Hakin9 6/2007
What you will learn…
- Basic rootkit methods
- Protection against rootkits
What you should know…
- C programming language
- ASM framework
- Kernel operation
Wikipedia gives us the following definition: A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits [...] have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. A less formal one could be: see me, catch me!, because the effective goal of a rootkit is to hide itself from the sysadmin and his tools.

After some hesitant starts [1], major breakthroughs have been made in rootkit development, both on Windows and Linux platforms. Some cases, like the Debian server hack [2], made several rootkits known to the free and open-source community, along with the numerous threats associated with them. The term rootkit became public knowledge in October 2005, when Mark Russinovich found out that some Sony-BMG audio CDs installed a rootkit to help enforce digital rights management: all files whose names began with $sys$ were hidden from userland.

Most of the time a sysadmin relies on log parsing and tools like who, last, ps, etc. to ensure the server's integrity, so the first rootkits replaced these tools. Now, to circumvent filesystem checksums, rootkits target kernelland (suckit, adore, etc.), so we will first see how to gain access to this privileged space, then the techniques used to hide the rootkit from the admin, and finally show some ways for an admin to detect and disable such attacks. This article aims to survey the state of the art in rootkits and rootkit-forensics methods. Most of the examples run on Linux, since most servers run it, but they can easily be applied to Windows and *BSD.