Please enable JavaScript.

Coggle requires JavaScript to display documents.

Rootkits (Outline (Classification (User-level rootkits (Alter binary…

- - - - Series of techniques and tools used by an attacker to remain undetected in the infected system
      - Require root privileges
        
        Vulnerability exploitation
        
        Social engineering
      - Formerly, stand-alone malware
  - - - They are “legitimate” for the OS
      - Alter binary execution files or system libraries
        
        Use legitimate content
        
        Modify static data
      - Easy to detect
      - Normally, in form of trojans
        
        DLL Injection
        
        “ClickMeForFun.exe requires administrator
        privileges”
      - Sophisticated approach: hooking
      - The idea is to hijack the control flow.
        
        “Hook” the normal behavior of a process to
        redirect it to the malicious code
        
        Man-in-the-middle approach
      - Useful for example to hide processes, files
        or logs
    - - Targets code and data within the OS
        kernel, e.g. LKM
      - False appearance of “everything working
        fine”
      - The attacker aims to disturb the image of
        the system provided by the OS
      - Do not modify user applications, but the
        kernel functions they use
    - - What they use or modify
      - Where they operate
    - - Use of legitimate content (e.g. replacing binaries)
      - Modification of static data (e.g. hooking)
      - Modification of dynamic content
- - - - JMP, PUSH RET or CALL instruction
  - - - Pointers to functions imported from DLLs
      - Whenever a program requires an external
        (imported) function, it queries the IAT
  - - - Rather old and easy to detect
  - - - Replace the pointer in the IDT with a pointer to
        a malicious interrupt handler
      - Each time the interrupt occurs, the malicious
        handler is loaded
- - - - Logs
      - Rootkit files
      - Processes
      - Network connections