Windows Security and Rootkits - PowerPoint PPT Presentation
1
Windows Security and Rootkits
  • Mike Willard
  • Mike.willard@colostate.edu
  • January 2007

2
Introduction
  • Presentation content
  • Rootkit technologies overview
  • Demonstrations: HackerDefender, pwdump, password
    hash cracking
  • CSU Windows network security recommendations
    overview

3
Rootkits
4
Rootkits
  • What is a rootkit?
  • Wikipedia.org: "A rootkit is a set of software
    tools intended to conceal running processes,
    files or system data from the operating system."
  • The term comes from UNIX intruders, who compiled
    modified versions of common system utilities
    (ps, ls, etc.) so that their own processes and
    files would not show up in the output.
  • It refers to a technique rather than to any
    specific program.

5
How do Rootkits work?
  • Hardware is the lowest level and controls all
    access to physical resources.
  • The Intel x86 architecture implements a privilege
    ring concept: four rings (0-3). The lowest number
    is the innermost ring and has the most control.
  • Windows uses only ring 0 (kernel mode) and ring 3
    (user mode). Code in ring 0 can read and write any
    memory, including the structures that ring 3 code
    relies on to see what the system is doing.

6
How do Rootkits work?
  • Running code in ring 0
  • Patch or replace the kernel image on disk.
  • Modify the kernel in memory by loading code into
    it: kernel loadable modules (device drivers, etc.).
  • Virtual machine based rootkits (VMBR): move the
    running OS into a virtual machine and run the
    rootkit underneath it, outside the OS's view.

7
How do Rootkits work?
  • Manipulating the kernel
  • Can hide processes, files, network activity, etc.
    Once hidden, the rootkit can intercept keystrokes
    and read data belonging to any process.
  • Done by hooking dispatch tables: the Interrupt
    Descriptor Table in protected kernel memory
    (needs ring 0), or the Import Address Table of a
    loaded executable. The IAT lives in that process's
    own user-mode address space, so IAT hooking needs
    no kernel access but also only hides from the
    process whose table was patched.

8
How do Rootkits work?
  • Surviving reboot
  • Run keys in the registry.
  • Some .INI files (win.ini).
  • Replace or infect an existing EXE or DLL file.
  • Register as a driver (loaded into ring 0 at boot).
  • Register as an add-on to an existing application
    (e.g. a browser search bar).
  • Modify the boot loader so the kernel is patched
    before it starts running.
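The following script is an added example written for this transcript, not part of the original slides or of any tool the deck demonstrates. It enumerates the autostart locations slide 8 lists (Run keys, win.ini, browser add-ons registered as Browser Helper Objects, and kernel drivers) so each entry can be reviewed by hand. The registry paths are the standard Windows ones; the column names and the decision to flag drivers whose image is not validly signed are the editor's choices.

```powershell
# Added example (not from the original slides): enumerate the autostart
# locations listed on slide 8 so each entry can be reviewed by hand.
# Run from an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $p.Value }
        }
    }
}

function Get-WinIniEntries {
    # The [windows] section of win.ini supports "load=" and "run=" lines that
    # start programs at logon on older Windows versions.
    $ini = Join-Path $env:windir 'win.ini'
    if (-not (Test-Path $ini)) { return }
    Select-String -Path $ini -Pattern '^\s*(load|run)\s*=\s*\S' | ForEach-Object {
        [pscustomobject]@{ Source = $ini; Name = ($_.Line -split '=')[0].Trim(); Target = $_.Line }
    }
}

function Get-BrowserAddOnEntries {
    # Internet Explorer Browser Helper Objects are registered by CLSID; resolve
    # each CLSID to the DLL the browser will load.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bho)) { return }
    foreach ($k in Get-ChildItem -Path $bho) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '<unresolved>' }
        [pscustomobject]@{ Source = 'BHO'; Name = $k.PSChildName; Target = $dll }
    }
}

function Get-DriverEntries {
    # Kernel drivers run in ring 0. Report each with its Authenticode status;
    # an unsigned or missing image behind a running driver deserves a look.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $status = if ($d.PathName -and (Test-Path -LiteralPath $d.PathName)) {
            (Get-AuthenticodeSignature -FilePath $d.PathName).Status
        } else { 'NoFile' }
        [pscustomobject]@{ Source = 'Driver'; Name = $d.Name; Target = $d.PathName
                           State = $d.State; Signature = $status }
    }
}

& { Get-RunKeyEntries; Get-WinIniEntries; Get-BrowserAddOnEntries } | Format-Table -AutoSize
Get-DriverEntries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: every query above goes through the registry and file system APIs that a ring 0 rootkit hooks, so an installed kernel rootkit can hide its own Run value or driver entry from this very script. The output is reliable on a clean system (for example, as a baseline taken right after installation) or when the disk and hives are read from another system; on a suspect live host it is one view to be compared against others.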

9
Detecting Rootkits
  • Watch for inconsistencies: list the same objects
    (processes, files, registry keys) through two
    different paths and compare. Whatever one view
    shows and the other hides is what the rootkit is
    hiding (cross-view detection).
  • Remote or offline file scan: scan the disk from
    another system or from clean boot media, where the
    rootkit's hooks are not running.
  • RootkitRevealer (Sysinternals) applies the
    cross-view idea to the file system and registry.
  • Integrity checkers (e.g. Tripwire) record file
    hashes from a known-good state and report changes.
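The script below is an added example for the integrity-checker point, written for this transcript rather than taken from the slides or from Tripwire. New-FileBaseline records a SHA-256 hash for every file under a path; Compare-FileBaseline recomputes the hashes and reports added, removed and changed files. The function names, the CSV format and the baseline path in the usage lines are the editor's assumptions.

```powershell
# Added example (not from the original slides): a minimal Tripwire-style
# integrity check. Take the baseline on a known-good system, keep the CSV
# somewhere the monitored host cannot rewrite it, and compare later.

function New-FileBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,          # directory to protect
        [Parameter(Mandatory)] [string] $BaselineFile   # where to write the hash list
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash; Length = $_.Length } }
        } | Export-Csv -Path $BaselineFile -NoTypeInformation
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselineFile
    )
    # Old state: path -> hash, from the baseline CSV.
    $old = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $old[$_.Path] = $_.Hash }

    # Current state: rehash everything and classify each file.
    $seen = @{}
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $seen[$_.FullName] = $true
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if (-not $old.ContainsKey($_.FullName)) {
            [pscustomobject]@{ Change = 'Added';   Path = $_.FullName }
        } elseif ($old[$_.FullName] -ne $h) {
            [pscustomobject]@{ Change = 'Changed'; Path = $_.FullName }
        }
    }
    # Anything in the baseline that no longer appears has been removed (or hidden).
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed'; Path = $p } }
    }
}

# Usage (baseline path is an assumption):
# New-FileBaseline -Path "$env:windir\System32\drivers" -BaselineFile 'C:\baseline\drivers.csv'
# Compare-FileBaseline -Path "$env:windir\System32\drivers" -BaselineFile 'C:\baseline\drivers.csv' |
#     Format-Table -AutoSize
```

This catches the "replace or infect an existing EXE or DLL" persistence method from slide 8, because a patched driver or DLL no longer matches its recorded hash. It does not catch a file the rootkit hides, since Get-ChildItem and Get-FileHash use the same file system API the rootkit hooks; a hidden file shows up as Removed at best. That is exactly where the offline scan from slide 9 comes in: run Compare-FileBaseline against the same volume mounted from a clean system, and a file that is present offline but absent online is the hidden one.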

10
Future of Rootkits/Hacking
  • Operating systems are becoming more and more
    hardened, so attackers move toward:
  • Embedded systems.
  • Application exploits.
  • Hardware: BIOS and device memory (e.g. video cards).

11
Demonstrations
12
CSU Windows Security Recommendations
13
  • Windows Security Tasks
  • Auditing
  • Physical Security
  • Setup and Patching
  • Account Management
  • Restrict Anonymous Access and NTLM Authentication
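The following script is an added example for the last task on slide 13, written for this transcript and not taken from the CSU guidelines. It reads the LSA registry values that control anonymous access and NTLM behaviour and flags any that are weaker than a target. The target values are the editor's assumptions for a domain-joined host and should be checked against the CSU guidelines before being enforced; the function name and output columns are also the editor's.

```powershell
# Added example (not from the original slides): audit the LSA values behind
# "restrict anonymous access and NTLM authentication". Run elevated.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each check: value name, a test on the current value, the target for the
# report, and the effect of the setting. Targets are assumptions (see text).
$checks = @(
    @{ Name = 'RestrictAnonymous';         Ok = { param($v) $v -ge 1 }; Want = '>= 1'
       Why = 'anonymous sessions cannot enumerate shares' }
    @{ Name = 'RestrictAnonymousSAM';      Ok = { param($v) $v -eq 1 }; Want = '1'
       Why = 'anonymous sessions cannot enumerate SAM accounts' }
    @{ Name = 'EveryoneIncludesAnonymous'; Ok = { param($v) $v -eq 0 }; Want = '0'
       Why = 'anonymous logons are not members of Everyone' }
    @{ Name = 'NoLMHash';                  Ok = { param($v) $v -eq 1 }; Want = '1'
       Why = 'LM hash (the one pwdump output cracks fastest) is not stored' }
    @{ Name = 'LmCompatibilityLevel';      Ok = { param($v) $v -ge 3 }; Want = '>= 3 (5 preferred)'
       Why = '3+ sends only NTLMv2; 5 also refuses LM and NTLM from clients' }
)

function Test-LsaHardening {
    $props = Get-ItemProperty -Path $lsa
    foreach ($c in $checks) {
        # A missing value means the OS default applies, which differs between
        # Windows versions, so it is reported as WEAK until set explicitly.
        $value = $props.($c.Name)
        $pass  = if ($null -eq $value) { $false } else { & $c.Ok $value }
        [pscustomobject]@{
            Setting = $c.Name
            Current = if ($null -eq $value) { '<not set>' } else { $value }
            Wanted  = $c.Want
            Status  = if ($pass) { 'OK' } else { 'WEAK' }
            Effect  = $c.Why
        }
    }
}

Test-LsaHardening | Format-Table -AutoSize
```

Two practical notes. NoLMHash only affects hashes written after it is set, so existing accounts keep their LM hash until the next password change; a pwdump of a "hardened" box can still contain LM hashes for that reason. And LmCompatibilityLevel is the registry form of the "Network security: LAN Manager authentication level" Group Policy setting, so on a domain member the policy, not a local edit, is what should set it.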

14
Resources
  • Rootkits: Subverting the Windows Kernel, by Greg Hoglund and James Butler
  • Rootkit web site
  • http://www.rootkit.com
  • Top Security Tools Compilation
  • http://sectools.org
  • Sysinternals (now part of Microsoft) Utilities
  • http://www.sysinternals.com
  • CSU Windows Security Guidelines (requires eID)
  • http://windows.colostate.edu/index.aspx?page=for_it_admins
  • Windows Server 2003 Security Guide
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en