1
00:00:02,030 --> 00:00:08,780
The last exercise in the module and the last class of malware are rootkits. The discussion will cover

2
00:00:08,780 --> 00:00:11,780
the definition of rootkits and methods for detecting them.

3
00:00:13,730 --> 00:00:17,010
A rootkit is not necessarily a malicious or harmful program.

4
00:00:19,660 --> 00:00:23,440
It is used to hide the existence of some process from users and administrators.

5
00:00:27,090 --> 00:00:33,440
What can be hidden using modern rootkits? This category can include other programs or their payloads

6
00:00:33,440 --> 00:00:34,530
in the system.

7
00:00:37,170 --> 00:00:43,590
Also, internal system mechanisms can be hidden, as well as services, files, directories, user accounts and

8
00:00:43,590 --> 00:00:49,150
active network connections. A rootkit can hide anything, really.

9
00:00:49,290 --> 00:00:52,960
This doesn't make it malicious per se.

10
00:00:53,040 --> 00:00:57,980
Unfortunately, it is often used to conceal the existence of programs that can harm your system.

11
00:01:01,180 --> 00:01:07,860
Historically speaking, the first virus, Brain, made use of stealth techniques as well.

12
00:01:07,910 --> 00:01:10,980
It wasn't, strictly speaking, a rootkit.

13
00:01:11,060 --> 00:01:18,170
It didn't attempt to hide other objects, but it did take cover in a system. Rootkits have a relatively

14
00:01:18,170 --> 00:01:23,660
long history. The first rootkit was written for Unix in the 60s.

15
00:01:25,450 --> 00:01:28,450
The solution employed for the program was very simple.

16
00:01:28,630 --> 00:01:33,700
It came to replace Unix system tools for displaying files, directories and processes with utilities

17
00:01:33,700 --> 00:01:36,650
that did not display some files or selected processes.

18
00:01:40,050 --> 00:01:42,410
Rootkits have come a long way since that time.

19
00:01:45,280 --> 00:01:51,110
Rootkits can be divided into three subgroups based on the working principle.
20
00:01:51,140 --> 00:01:56,390
The first group of rootkits are designed to hook the user interface but not the kernel. They execute in

21
00:01:56,390 --> 00:01:57,500
user mode.

22
00:01:59,970 --> 00:02:04,510
The second class of rootkits alter kernel processes.

23
00:02:04,660 --> 00:02:09,010
The third group modify data structures under the kernel's API.

24
00:02:09,010 --> 00:02:10,890
These rootkits run at the lowest level.

25
00:02:16,880 --> 00:02:20,170
Let's now discuss each type.

26
00:02:20,230 --> 00:02:25,410
Let's start with user mode rootkits that hook the user API.

27
00:02:25,450 --> 00:02:30,300
Imagine that a user launches Windows Task Manager.

28
00:02:30,390 --> 00:02:35,740
The program is used to display active processes. To perform this function,

29
00:02:35,750 --> 00:02:42,730
the application calls a Windows API function implemented in the NTDLL library.

30
00:02:42,820 --> 00:02:48,550
If a rootkit is placed in this library, Task Manager would receive only selected information instead

31
00:02:48,550 --> 00:02:51,650
of information on all active processes.

32
00:02:51,820 --> 00:02:59,390
Explorer, Winlogon and anti-malware scanners see the information that a rootkit is trying to hide already filtered,

33
00:02:59,390 --> 00:03:02,800
in user mode.

34
00:03:02,910 --> 00:03:07,820
What are the strengths of user mode rootkits?

35
00:03:07,840 --> 00:03:11,610
Above all, they can be run and executed without administrator permission.

36
00:03:12,660 --> 00:03:18,010
A weakness for an attacker is that rootkits that hook the user API are easy to detect.

37
00:03:19,890 --> 00:03:22,360
We'll show possible detection methods in a minute.

38
00:03:24,360 --> 00:03:29,950
The popular Hacker Defender is an example of a user mode rootkit.

39
00:03:30,020 --> 00:03:32,660
The free demo version of the rootkit is still available at

40
00:03:32,660 --> 00:03:38,330
www.rootkit.com.
41
00:03:38,370 --> 00:03:43,270
It used to be developed extensively, and personalized versions were sold for more than $100 per

42
00:03:43,270 --> 00:03:51,320
item. An official free version of the rootkit was easily detected by antivirus and rootkit detectors;

43
00:03:52,680 --> 00:03:57,380
a tailored version was practically undetectable.

44
00:03:57,430 --> 00:04:01,570
You could also buy a rootkit subscription from the vendor that guaranteed that the rootkit would not

45
00:04:01,570 --> 00:04:10,400
be detected for six months.

46
00:04:10,410 --> 00:04:16,390
The second type of rootkits are kernel mode rootkits that hook the kernel API.

47
00:04:16,580 --> 00:04:22,370
Let's go back to the example given before: a user or administrator wants to display a list of active

48
00:04:22,370 --> 00:04:25,110
processes.

49
00:04:25,140 --> 00:04:32,210
This time the list is not filtered user side but in a system function call. A rootkit operates kernel

50
00:04:32,210 --> 00:04:35,450
side and filters the calls by modifying the kernel API.

51
00:04:38,360 --> 00:04:42,540
Kernel mode rootkits are much more difficult to detect, which makes them more effective.

52
00:04:45,910 --> 00:04:52,920
A drawback for attackers is that they require administrator permissions to run. Writing a kernel mode rootkit

53
00:04:52,980 --> 00:04:57,560
takes a lot more skill than other types of rootkits.

54
00:04:57,640 --> 00:05:03,130
It can be an example of malware that has been blocked, at least for now, through the use of defense mechanisms

55
00:05:03,130 --> 00:05:08,590
such as the requirement to sign kernel mode driver modules or technologies that prevent patching

56
00:05:08,590 --> 00:05:09,160
the kernel.

57
00:05:12,480 --> 00:05:15,340
The NT Rootkit is a popular rootkit of this type.

58
00:05:16,730 --> 00:05:31,000
It was created by the webmaster of www.rootkit.com.
59
00:05:31,180 --> 00:05:35,680
A third type of rootkits, which execute at an extremely low level and are quite complex,

60
00:05:35,680 --> 00:05:41,960
are rootkits that directly modify kernel data structures instead of the kernel interface.

61
00:05:41,990 --> 00:05:45,740
This makes the rootkit code invisible even from the kernel, but it still runs.

62
00:05:49,370 --> 00:05:52,970
A system has to assign CPU time to the rootkit from time to time,

63
00:05:52,980 --> 00:05:58,340
or the rootkit wouldn't have a chance to perform its function.

64
00:05:58,380 --> 00:06:06,040
The cloaking is not performed by filtering the API but by hiding directly in the kernel. An example of a

65
00:06:06,040 --> 00:06:09,340
rootkit of this type is the aptly named FU rootkit.