home >> rootkits and enterprise

Rootkits & Enterprise

Irrespective of the size of the enterprise, securing oneself against rootkits play a vital role for every organization. Though, the impact of rootkits on large enterprise would be much higher than the medium or small business organizations, it is not directly proportional to the size alone. There are various other factors that come into effect when one has to analyze risk based on rootkits. Risk analysis for rootkits on enterprise depends on:

    Rootkit details:
  • Where is the rootkit installed?
  • What type of rootkit is it?
  • Can it be fully cleaned or isolated
  • Is recovery possible at all
  • Will it act as a worm and spread around the network

  • System Details:
  • What type of system is this?
  • Is it a priority host [server or resource for enterprise] or a single user host?
  • How can we protect the data and prevent espionage at system level

  • Network Details:
  • Are network policies put in place?
  • Is it easy to isolate the compromised host?
  • Is there a detection technique for covert channels?

Well, there are many other factors that decide the risk an enterprise goes through when they are compromised with rootkits. Though there are many anti-rootkit software, one must understand that each of these use different kinds of detection and prevention techniques and no single software currently exists that performs all those tasks. Also, one has to take into fact that this is an ongoing war between the good and the bad. Hence, when the bad updates his techniques and methodologies used, the good has to update their tools based on analysis of the rootkits. Which means that the tools that were released in 2005 or even 2007 are out of date as compared to the tools that are releasing currently, but this also doesn't mean that the tools releasing today have better detection techniques as compared to the old tools that were used before since it really depends on the techniques used, efficiency of the tool, accuracy in detection [FP/FN vs. TP] and other factors.

The science of Rootkit analysis has been playing a vital role in the enterprise. Many small and medium business enterprises haven't been really researching or funding themselves for securing their data from rootkits or even from intrusion. This could be due to lack of:

  • Awareness
  • Funding
  • Due diligence
  • Time

Everything falls under one of the 4 listed above, though some large business organizations on the other hand has been assuming that they are secure, though they really aren't. In general, it is good for one to try to be secure. If not possible, one should accept that they are insecure and make efforts for securing themselves in the near future. But the ones who really think that they are secure and are really aren't, will the ones who get affected for the most part as they do not know even that they are compromised.

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat5940
dwtf5027
KsiD4471
SHC3529

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets