SBN

Rootkits 101

Introduction

Rootkits are a species of malicious software with incredible damage potential. Due to their sophistication and complexity, they also present a considerable challenge to cybersecurity professionals.

On compromised systems, rootkit detection and removal is difficult at best and outright impossible at its worst. This makes the early analysis of discovered rootkit software a high priority for security experts. 

Cybersecurity Live - Boston

The standard protocol for the evaluation of any rootkit involves reverse-engineering the malicious software in question. This will enable security professionals to uncover the following main aspects of a rootkit:

  • The targeted filesystems and individual files
  • The common registry keys used 
  • The kind of data it is stealing, if any
  • The potential of secondary attacks post-infection
  • The threat of remote access to target systems
  • The type of encryption used for backdoor access

Reverse engineering will give access to precise information regarding these characteristics of a rootkit, often within a matter of hours. 

This article will explore the key concepts associated with rootkits and reverse engineering, including types of rootkits and common techniques used by rootkits, like hooking and exploitation of interrupts. 

The basic types of rootkits 

Rootkit malware typically falls into two broad categories — user mode and kernel mode. Depending on the level of privileged ring access in an infected system and the attack vectors used, rootkits can also be further classified into at least five different subtypes. But for the most part, they all fall into either user mode, kernel mode or any hybrid variant involving aspects of the base categories. 

Rootkits originated in the early days of UNIX-based systems. They can be broadly defined as a collection of malicious software and tools used to exploit security vulnerabilities in any UNIX operating system. 

But in modern parlance, since Windows systems dominate the cyber ecosystem, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Preetam Kaushik. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/LhNMKlfi8PM/

API Poll

Step 1 of 5

Do you have an API security project in 2022?