Security in Computing (3rd Edition)

Slide 1: Rootkits
CS 161/194-1
Anthony D. Joseph
December 2, 2005

December 2, 2005 CS161 Fall 2005 Joseph/Tygar/Vazirani/Wagner

Slide 2: Administrivia
Final exam:
– 1 LeConte Hall
– Tuesday 12/13 12:30-3:30
– Comprehensive
– Open books, notes, …
– No electronic devices
No office hours for me next Mon/Tue
– Substitute hours: Th 12-1, Fr 10-11
Project 2 is on web page
Slide 3: Outline
How to tell you’ve been 0wned?
What is a rootkit?
History of rootkits
User-mode rootkits
Kernel module/hooking rootkits

Slide 4: You’ve Been 0wned!
How can you tell when your machine has been compromised or taken over?
• “Odd” processes
• “Odd” windows
• “Extra” files
• Changed registry/configuration files
• “Extra” network connections, open ports
• …
Slide 5: What Is a Rootkit?
Software or techniques that attempt to hide a cracker’s software from detection
– The cracker’s software can be anything
Simple methods
– Delete entries from login records and shell history
• Then the “last” command won’t show the intruder
Cloaking methods (aka Ghostware)
– Hide executables, libraries, config files, processes, …
– Hide from ls, dir, ps, taskmgr, …

Slide 6: Rootkit Functions
1. Maintain access
2. Attack local or other systems
3. Destroy evidence
Which OS’es are vulnerable?
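Slides 4 and 5 raise the question of how to notice a process that a rootkit hides from ps. The following cross-view check is an added defender's example, not part of the lecture: it compares the process IDs visible as directories in /proc with the IDs reported by ps, assuming a Linux host and a ps that accepts "-e -o pid=". The sample /proc listing and ps output are constructed for illustration.

```python
"""Cross-view check for hidden processes (added defender's example).

A user-mode rootkit that replaces the ps binary can drop entries from its
output, but a direct readdir of /proc still shows a /proc/<pid> directory
for every live process. Any PID in /proc that ps does not report is a
candidate hidden process. A kernel-module rootkit hooking the directory
listing syscalls can hide the /proc entry too, so this only catches the
user-mode case.
"""
import os
import subprocess


def pids_from_proc(entries):
    """Numeric directory names in a /proc listing are process IDs."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output):
    """Parse the output of `ps -e -o pid=` (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs visible in /proc but missing from ps, sorted for reporting."""
    return sorted(proc_pids - ps_pids)


def live_check():
    """Run the comparison on the current host (Linux only)."""
    proc = pids_from_proc(os.listdir("/proc"))
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True).stdout
    ps = pids_from_ps(out)
    # A process that exits between the two snapshots shows up as a false
    # positive; confirm each suspect is still alive before reporting it.
    return [p for p in hidden_pids(proc, ps) if os.path.isdir(f"/proc/{p}")]


# Constructed sample views: /proc lists PID 4242, which the (hypothetical,
# trojaned) ps omits; non-numeric /proc entries are ignored.
SAMPLE_PROC = ["1", "2", "4242", "517", "cpuinfo", "meminfo", "self"]
SAMPLE_PS = "  1\n  2\n517\n"

if __name__ == "__main__":
    sample = hidden_pids(pids_from_proc(SAMPLE_PROC), pids_from_ps(SAMPLE_PS))
    print("hidden in sample views:", sample)  # [4242]
    if os.path.isdir("/proc"):
        print("hidden on this host:", live_check())
```

The same idea extends to slide 4's "extra files" and "extra network connections": compare a trusted low-level view (raw directory reads, /proc/net) against the output of the usual tools.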