This involves the unauthorized entry into a target system gained by hackers. These hackers are malicious individuals, or groups, which could cause serious damage to the system.
Gaining administrative privilege
This is when the attacker bypasses the normal levels of security and goes on to gain administrative access to the system. The attacker takes advantage of the security flaws or programming problems in the system. The administrative privileges consist of sensitive information and a privileged attack could devise a number of means such as deleting and installing malicious files.
There are two types of privilege escalation, such as vertical and horizontal privilege. The vertical privilege escalations mean the attacker can gain a higher access that is already in place, and the horizontal privilege escalation, which allows the attacker to gain access to a system using another user’s identity.
Attackers trying to gain administrative privilege are able to change the passwords of other non-administrative accounts once they hack into the system. These passwords can be changed with the active@password changer; it can change local administrator and user passwords.
To defend against a privilege escalation attempt.
It is possible to limit the interactive login privileges
Encode sensitive data
Limit the amount of code running on a specific privilege
Cut down programming and bug errors, by undergoing a privilege separation technique.
Continuously run the operation through tests to check for programming errors.
Malicious individuals implement an attack in the virtual machine, by installing the damaging application in it. This is called owning the system and can be used to steal private information, crack passwords, gain access to network resources, theft, creating backdoors to tamper with information.
Tools for executing application
RemoteExec - installs applications, implements programs, informs files and folders on windows systems throughout the network. This allows the attacker delete files and folders, change administrative passwords and configure the registry.
PDQ Deploy - this allows administrators install applications without the knowledge of the network infrastructure
DameWare Remote support - allows users organize notebooks, servers, and laptop in an off-premise location.
Rootkits interrupt the server’s activities by hiding its presence and the activities it carries out. In addition, it takes over the normal activities of the server, placing its own activities there. When attackers try to send rootkits, they search for weaknesses in the server, hide the rootkits in some kind of software like a game, use social engineering methods to get this malicious software into the corporate or even execute zero-day attacks such as buffer overflow, privilege escalation, windows kernel exploration and other methods.
Rootkits are usually executed in systems to -
Gain access to through the backdoor, and intercept the system.
To hide its malicious intent, as well as the attacker's activities.
To gain unauthorized access to the system, gain access to sensitive information from the servers.
To save malicious programs, which could act as a server reserve for updating bots.
Types of Rootkits
There are six types of rootkits -
Hypervisor level rootkit: it configures the boot sequence, and requires the host computer system to load the operating system as a virtual machine.
Hardware/firmware rootkit: it takes advantages of hardware and firmware that are not usually monitored or checked for veracity.
Bootloader level rootkit: exchanges the original bootloader, with the one created by a remote attacker.
Kernel level rootkit: exchanges the original OS kernel with a malicious code.
Application level rootkit changes the usual behavior of applications by infusing a malicious code into the system, or sends a fake Trojan to that system, in order to exchange with the normal application binaries.
Library level rootkit: exchanges the normal system calls with fake calls, for the purpose of hiding the attacker's location
Rootkit avatar: the avatar rootkit uses an infection method twice; first the dropper and next to the rootkit driver. The attacker executes its activities from a remote location, the rootkit runs in the background of the infected system. The infection method is limited in the way it works, for instance, and it does so by creating a code signing policy for kernel-mode modules.
Necurs: this is designed to allow the malicious software backward access when installed. This allows the attacker have control over the infiltrated computer at a remote location. This attack allows for control over a system that has been infected, in such a way that rogue security software is sent to the system. That attack allows for extra options, like downloading extra malware into the system, hide its constituents, and halt security claims from working.
Azazel: this is a software written in c language, that has many functions, one of which is that it hides process and logins, has a software for creating backdoors and allowing for local and remote entry, it hides files and directories.
Zeroaccess: this is a kernel-mode rootkit which uses elite techniques to mask its presence. It allows for other malware to be installed in the already infected system, operates on a 32 and 64-bit operating system. The major role of the zero access is the peer-to-peer bonnet to allow for downloading more files. When the rootkit is executed on a 32-bit system, the functionalities surrounding its execution includes masking the malicious software form attention on the infected systems, allow for authorization, so encoded files can be decoded and extracted and executing a defense.
How to discover Rootkits
Rootkits can be discovered using various methods -
Trust-based detection: this associates boot records, file systems, and memory with a trusted guideline through a snapshot system.
Behavior-based detection: this uses the behavior of the system, to discover the presence of rootkits in the system. This is done by checking if there are any changes in system operations.
Signature-based detection: this method uses a system of database fingerprints, to check the characteristics of executable files and system processes.
Runtime execution path profiling: these systems compare the system before and after the rootkit infection, using runtime execution paths of all system files and executable processes in the system.
Published with the express permission of the author.