Kernel Mode Rootkits Primer and Removal Techniques

 
 

This is Part 3 of the rootkits primer created by Corey from WatchGuard. Begin by watching Part 1 if you have not done so already. In this video Corey talks about kernel mode rootkits. He begins the discussion with the basics of user mode and kernel mode, and talks about Ring 0 to Ring 3. Ring 0 has the highest privilege and is generally where the kernel code of the system runs. Ring 3 has the least privilege, and this is where all the userland programs operate. The operating system ensures that a lower privilege process cannot read or write the memory of a higher privilege process. As an example, a userland program such as a word processor cannot read or write Windows kernel memory. This mechanism ensures that the system remains uncorrupted even if userland programs malfunction. Most anti-virus and firewall products work in kernel mode so that they can continuously monitor userland programs for malicious activity. Thus all userland rootkits can easily be detected by kernel mode AV tools. But what if the rootkit itself was in kernel mode? Enter the world of kernel mode rootkits! A kernel mode rootkit runs in Ring 0 and thus has the highest privilege. Such a rootkit is very tough to detect, as it can easily subvert AV mechanisms, and it is even tougher to remove from an infected system.

In this video Corey explains how kernel mode rootkits work at a very high level and talks about rootkit detection software such as Rootkit Revealer, BlackLight and IceSword. Note that we also covered the Helios Lite Rootkit Remover from Miel E-Security a couple of videos back. Enjoy!



 

 

Author
Vivek-Ramachandran

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at the world renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 News, BBC Online, Network World and other news agencies. In 2006, Vivek was announced as one of the winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement award at Cisco Systems for his work on the 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security-Freak.Net and SecurityTube.Net, and is the co-founder of Axonize. Vivek holds a Bachelor's degree in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati. You can contact him at vivek[at]securitytube.net

 
©2007 Freak Labs