What is a rootkit? A rootkit is a specific type of software that's designed to gain administrative-level control over a given computer system without being detected. Now, this is really important, because when we talk about root or administrative-level permissions, these are the highest-level permissions that someone can have on a given computer system. If you're using a Windows machine, for example, this is called the Administrator account. This allows somebody to install programs, delete programs, open ports and shut ports. Basically, they can do whatever it is they want on that computer. On a UNIX, Linux, or Mac OS X computer, this would be called root access. Either way, gaining Administrator or root access is great for an attacker, but it is horrible for you and your security.

Now, let's talk for a moment about how this works. If you look at a computer program, it has several different rings of permissions throughout the system. The outermost ring, Ring 3, is where the user sits if you're a standard user. As you use different programs, they have a way to get down, all the way down to Ring 0, which is what we call kernel mode. This allows a system to control access to things like device drivers, the sound card, the monitor, and other things like that. Now, if you're able to get Administrator permissions, or root permissions, you may be sitting at Ring 1, and this would be a lot closer to the kernel, where you could do more damage. Again, the closer you are to the kernel, the more permissions you have and the more damage, or dangers, that you can cause. With rootkits, they try to get themselves installed down into Ring 0 or Ring 1, and this allows them to hide from other functions of the operating system and avoid detection. In fact, rootkits are able to perform malicious operations on a target computer at any date they want, without the knowledge of the administrators or the users, and even sometimes without the knowledge of the operating system itself, if they are done right.

Again, rootkits can really get dug into your system really deeply, and when they're in there, it's really hard to detect them. Rootkits use a technique called DLL injection that allows them to maintain persistent control. With a DLL injection, what ends up happening is malicious code is inserted into a running process on a Windows machine by taking advantage of the DLLs, or Dynamic Link Libraries, that are loaded at runtime. This means that the Windows system doesn't even understand the fact that it has a rootkit installed. This also can occur by doing driver manipulation. This is an attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level. Both DLL injection and driver manipulation occur by the use of a shim. A shim is simply a piece of software code that is placed between two components and that intercepts the calls and redirects them. So, the rootkit will allow an interception to happen between the Windows operating system and the Dynamic Link Library, and then redirect that call with the malicious code embedded into it.

Now, again, both of these are just concepts that you should be familiar with: seeing the word and remembering that either a DLL injection or a driver manipulation has to do with rootkits. If you remember that for the exam, you're going to do fine. Rootkits are extremely powerful, and again, they're very difficult to detect because the operating system is essentially blinded to them. To detect them, the best way is to boot from an external device and then scan the internal hard drive to ensure that you detect those rootkits.