Section 6.53 Rootkits Flashcards
Objectives 2.4 Given a Scenario, analyse indicators of malicious activity
Rootkit
Designed to gain administrative level control over a given computer system without being detected
Administrator account
The account with the highest level of permissions is called the Administrator account
■ Allows the person to install programs, delete programs, open ports, shut ports, and do whatever they want to do on that system
■ In a UNIX, Linux, or MacOS computer, this type of administrator account is actually called the root account
Rings of permission
A computer system has several different rings of permissions throughout the system
■ Ring 3 (Outermost Ring): Where user level permissions are used - standard user
■ Ring 0 (Innermost or Highest Permission Levels): Kernel mode
Ring 0 (Innermost or Highest Permission Levels): Kernel Mode
Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things
If you log in as the administrator or root user on a system, you have root permission and you will be operating at Ring 1 of the operating system
■ Remember, the closer the malicious code is to the kernel, the more permissions it will have and the more damage it can cause on your system
Rootkit Installation and Rings
When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 so that it can hide from other functions of the operating system to avoid detection
Rootkit techniques
DLL Injection
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library
Rootkit techniques
Dynamic Link Library (DLL)
Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularisation in software
Rootkit techniques
Shim
Piece of software code that is placed between two components, intercepts the calls between those components, and can be used to redirect them
Detecting Rootkits
Rootkits are extremely powerful and very difficult to detect, because the operating system is essentially blinded to them
The best way to detect them is to boot from an external device, such as a live boot Linux distribution, and then scan the internal hard drive with a good anti-malware scanning solution so that the rootkit cannot hide from the scan