Malware: Rootkits

00:00

Hey, everyone, welcome back to the course. So in this video, we're going to talk about root kits. We'll talk about what route kits actually are. We'll also talk about

00:09

the different types of root. Kits will talk about different examples of root kits will also talk about different ways. You can detect root kits, and then finally, we'll talk about ways you can defend against root kits.

00:20

So what is a root kit? Well, basically, a root kit is a program that hides itself on the victim's machine. It also hides

00:29

the militia's activities. So basically the victim, in theory, least will never know what's going on in their system. As the attacker, you'll be able to get whatever information you want or install whatever you want. Thio and have no issues with discovery.

00:43

So again, these air just hidden software programs that hide themselves as well as hiding the actions that they're actually taking.

00:51

So one of the main goals with the root kid is to get a back door into the system so we could maintain that persist persistent access

00:58

so the root kit might contain things like packet sniffers could be log wiping tools could be bots could be, uh, Adidas programs, variety of things that might contain. But generally speaking, it's gonna at least be a back door and have some kind of way to communicate back to the attacker.

01:15

An attacker might install these different ways. They might install it like through a some kind of game, download or update they might do with, like, a zero day attack. They might wrap it in some other type of software,

01:26

and they could also have you be a victim of social engineering, right? They could say, Hey, here's this great. Pdf on how toe start and grow your business for free, Just click the link to download it. You download that and you don't realize it's actually installed a root kit on your device.

01:42

So we've got several types of root kits. We've got hyper visor level hardware firmware root kits. We've got colonel level boot, loaded level application level and library level. We're talking about each one of these just a little bit,

01:55

so our hyper visor level root kit basically acts like a hyper visor, and it modifies the boot sequence of the target's computer. And what that does is it loads, loads the host operating system as a virtual machine. So basically it's modifying that boot sequence.

02:08

And one example of this is the blue pill root kit

02:14

that we have our hardware firmware root kits. So this may hide in hardware devices. Or it might also hide in firmware, where the code hasn't been, uh, regularly inspected. For Integrity Way have the kernel level root kits that add the motions code or to the colonel. Or they replace the original operating system kernel and the device driver codes.

02:35

We have a boot loader level root kits, which replaces that original boot loader with one that's controlled by that remote attacker.

02:43

And by the way, you're gonna want to know these different names. If you decide to go take the C E. H exam from Easy Council. We've also got our application level root kit. This one replaces the normal application binaries with things like Trojan code. So basically it's gonna modify the behavior of existing applications by injecting that malicious code.

03:04

And we also have library level root kits that replaced the original system. Call with fake ones, toe hide the information about the attacker. So what are some examples of root kits that have been out there. We've got the Avatar root kit, and this one runs in the background, basically gives you a remote attacker the access to the infected device.

03:21

And one thing to note here on this one is it only works on X 86 systems because it's restricted by a code setting policy that basically says Only use kernel mode modules. We've got neck Years, which has back door functionality as well. This one monitors and filters network activity. It's also

03:38

been seen out there to send things like Spam and also install

03:42

malicious security software or fake security software. We have Azazel, which is written in C, and we also have zero access, which is another kernel mode, a root kit, And this one gives you the ability to connect to a peer to peer botnet as well as download any additional malicious files.

03:58

So how do you actually detect root kits? Well, we've got integrity based detection would basically compares a snapshot of the file system, the boot records or

04:04

the memory with a known trusted baseline.

04:09

We have, of course, signature based detection, which is kind of the older way of doing things, but it compares the characteristics of certain system processes and execute herbal files with basically a fingerprint database, so to speak, of known root kit fingerprints.

04:23

We have the heuristic based or the behavioral based detection so essentially looking for anomalies. So we get that baseline of what's normal on, then this will determine. Okay, well, what doesn't look right? Then we know what normal is, what doesn't look right, and that's probably a root kit.

04:40

We've got runtime execution path profiling. Basically, this compares the runtime execution pass of system processes and the execute herbal files before and after a root kit infection.

04:48

And then we have crossed view based detection, this one in numerous key elements in the system. So things like your system files, processes, registry keys, and then it compares into an algorithm used to generate a similar data set that doesn't that isn't relying on common AP ice. And so basically, if there's a description between those comparisons,

05:09

then it can indicate that there's a root kit.

05:11

So how can you mitigate or defend against root kits? Well, one way is to reinstall software from a trusted source. After you back up your critical data, then you can basically start with a fresh image and say, Okay, there's no root kits on here. At least there shouldn't be, and we should be good to go.

05:27

You could perform Colonel Memory Dump analysis to determine if there is a root kit so you can determine the presence of root kits.

05:31

You can harden your host devices, so making sure you're firmware and software is up to date perform training for employees. So that way, they're not going out and clicking on malicious links and emails or phishing emails and downloading these root kits using network and host based firewalls, making sure you have those backups in place. So if you are infected that way, you have a clean back up to restore from

05:50

and going back to hardening the host devices. Keeping that software up to date, make sure you're patching.

05:56

You're not just your endpoints but also your servers. A swell is the firmware on your routers, switches, firewalls, etcetera, using a digital fingerprint. So essentially, when you get a software update from the vendor making sure it's legitimate and that it matches that hash and using least privilege, so making sure that even if there is a root kit on that

06:15

and use your device

06:15

that there's not the ability for the attacker to escalate their privileges and start infecting the rest of the network. They're isolated to that one device and, of course, using a good anti virus or anti malware solution that keeping it up to date

06:29

to help give to prevent against known attacks. So just a quick quiz question here for you. Which Root Kit type modifies the boot sequence

06:36

of the host to load operating system as a virtual machine. Is that firmware, hyper visor or boot loader?

06:43

All right, so the answer was honestly, in the question there, right, this is pretty easy. One thing answer is hyper visor. So if you recall it, it spins up the operating system as a virtual machine.