Security in Computing (3rd Edition)

Slide 1: Rootkits
CS 161/194-1, Anthony D. Joseph, December 2, 2005
CS161 Fall 2005, Joseph/Tygar/Vazirani/Wagner

Slide 2: Administrivia
• Final exam:
  – 1 LeConte Hall
  – Tuesday 12/13, 12:30-3:30
  – Comprehensive
  – Open books, notes, …
  – No electronic devices
• No office hours for me next Mon/Tue
  – Substitute hours: Th 12-1, Fr 10-11
• Project 2 is on the web page

Slide 3: Outline
• How to tell you’ve been 0wned?
• What is a rootkit?
• History of rootkits
• User-mode rootkits
• Kernel module/hooking rootkits

Slide 4: You’ve Been 0wned!
• How can you tell when your machine has been compromised or taken over?
• “Odd” processes
• “Odd” windows
• “Extra” files
• Changed registry/configuration files
• “Extra” network connections, open ports
• …

Slide 5: What Is a Rootkit?
• Software or techniques that attempt to hide a cracker’s software from detection
  – The cracker’s software can be anything
• Simple methods
  – Delete entries from login records, shell history
    • Then the last command won’t show the intruder
• Cloaking methods (aka Ghostware)
  – Hide executables, libraries, config files, processes, …
    • Hide from ls, dir, ps, taskmgr, …

Slide 6: Rootkit Functions
1. Maintain access
2. Attack local or other systems
3. Destroy evidence
Which OSes are vulnerable?

Slide 7: Rootkit Function: Maintain Access
• Backdoor: telnet, rsh, ssh, irc, custom
  – UDP/TCP/ICMP protocol running on a “high” port
  – Could require activation by a “magic” TCP/IP packet, be a stealthy network sniffer, or use a covert channel, …
• Outbound connection
  – Works behind firewalls, no open inbound port to detect
  – Can be tunneled over outbound port 80

Slide 8: Rootkit Function: Attack Local or Other Systems
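The slides list “odd” processes and binaries such as ls and ps cloaked by a user-mode rootkit as warning signs. The following is an added defender-side example, not part of the lecture: a cross-view check that compares the kernel’s own process list in /proc with what the ps binary reports, and a hash baseline of trusted binaries to compare against later. It assumes Linux with /proc and a procps-style ps; the binary paths in the main block are assumptions, not values from the slides.

```python
"""Cross-view rootkit checks for Linux (added example, not from the slides).

Two warning signs on the slides are processes hidden from ps and trusted
binaries (ls, ps, ...) replaced by cloaked copies. Both are caught by
comparing two views of the same fact: the kernel's raw view (/proc) against
what the ps binary reports, and a known-good hash baseline against the
binaries as they are now.
"""
import hashlib
import os
import subprocess

def pids_from_proc():
    """Raw view: every numeric directory under /proc is a live PID."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_ps():
    """Tool view: PIDs reported by ps, which a user-mode rootkit may replace."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(proc_view, ps_view):
    """PIDs the kernel knows about but ps does not: hidden-process candidates."""
    return sorted(proc_view - ps_view)

def confirm_live(pids):
    """A PID that exited between snapshots is a false positive; keep only
    PIDs that still exist in /proc on a second look."""
    return [p for p in pids if os.path.isdir(f"/proc/{p}")]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Hash trusted binaries while the host is known-good; store off-host."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}

def changed_files(base, current):
    """Baseline entries whose hash now differs or whose file is gone."""
    return sorted(p for p, d in base.items() if current.get(p) != d)

if __name__ == "__main__":
    print("hidden PIDs:", confirm_live(hidden_pids(pids_from_proc(), pids_from_ps())))
    print("baseline:", baseline(["/bin/ls", "/bin/ps"]))  # assumed paths
```

Run the baseline step once on a known-good host and keep the output off the machine; a kernel-level rootkit that hooks the system calls behind both views will not be caught by this user-space comparison.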

This note was uploaded on 01/29/2008 for the course CS 194 taught by Professor Joseph during the Fall '05 term at University of California, Berkeley.
