Currently, the best-known rootkits are those used in mass-distribution malware. But rootkits are also used in targeted attacks, so rootkit technologies can be divided into two large groups. The main difference between the rootkits used in targeted attacks and their mass-scale counterparts is that the former should, on top of preventing the detection of system compromise on a daily basis (that is, staying invisible to users and antivirus software), be able to obstruct detection of the rootkit to the maximum possible extent when it is specifically searched for by highly qualified forensics professionals.

In the presentation, the following questions are discussed in detail:

- Main approaches to malware detection in the investigation of a compromised system.
- Practical aspects of rootkit development for targeted attacks.
- Demonstration of conceptual rootkits which use interesting techniques to conceal and execute code in ring0.
- Ways to detect the concepts covered in the presentation.

P.S. The information which will be presented is not yet another good-for-nothing study of new ways to intercept some useless crap in the OS kernel. The speaker's goal is to demonstrate examples and results of a complex approach to the development of hard-to-detect malware.