DOCSLIB.ORG

(12) Unlted States Patent (10) Patent No.: US 8,086,835 B2 Argus Et A]

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
(12) Unlted States Patent (10) Patent No.: US 8,086,835 B2 Argus Et A] US008086835B2 (12) Unlted States Patent (10) Patent No.: US 8,086,835 B2 Argus et a]. (45) Date of Patent: Dec. 27, 2011 (54) ROOTKIT DETECTION 2005/0081198 A1 * 4/2005 (3110 et a1. .................... .. 717/174 2005/0229250 A1 10/2005 Ring et a1. 75 Inventors: Christo her J. Ar us, Crown oint, IN Zoos/0162915 Al * 7/2008 Pris: et .al' """"""""""" " 713/2 ( ) (Us); clliase N- Doguglass portlivaynes 2008/0282350 A1 * 11/2008 Khllnanl et a1. .............. .. 726/24 IN (US); Dan J. Di Spaltro, Bend, OR FOREIGN PATENT DOCUMENTS (US); Michael D. Fuller, Seattle, WA Ep 656587 A1 7/1995 (Us) OTHER PUBLICATIONS (73) Assignee: International Business Machines Sean’s Blog, Making a bootable USB drive with BartPE or Corporation, Armonk, NY UBCD4Win, Mar‘ 31, 2006, pp‘ 1_3‘* _ _ _ _ _ PCuser, RootKitty BartPE plugin?, Dec. 4, 2006, p. 1.* ( * ) Not1ce: Subject to any d1scla1mer, the term of th1s patent is extended or adjusted under 35 * Cited by eXaminef U.S.C. 154(b) by 1111 days. Primary Examiner * Thomas Lee (21) Appl. No.: 11/757,729 Assistant Examiner * Michael J BroWn (74) Attorney, Agent, orFirm * Steven M. Greenberg, Esq.; (22) Filed: Jun- 41 2007 Carey, Rodriguez, Greenberg & O’Keefe (65) Prior Publication Data (57) ABSTRACT US 2008/0301426 A1 Dec. 4, 2008 Embodiments of the present invention address de?ciencies of the art in respect to rootkit detection and provide a method, (51) Int- Cl- system and computer program product for external rootkit G06F 9/24 (2006-01) detection and remediation. In one embodiment of the inven G06F 15/177 (2006-01) tion, an external rootkit detection tool can be provided. The (52) US. Cl. .............. .. 713/2; 713/1; 713/100; 717/174; tool can include external static memory With an input/output 726/22 (I/O) port interface to an external I/O port on a target com (58) Field of Classi?cation Search ................ .. 713/1, 2, puting platform. The tool further can include a boot image 713/100; 717/174; 726/22 disposed in the external static memory, and rootkit detection See application ?le for complete search history. and remediation logic disposed in the external static memory and referenced by the boot image. In one aspect of the (56) References Cited embodiment, the external static memory can include a uni versal serial bus (U SB) key and, correspondingly, the I/ O port U.S. PATENT DOCUMENTS can include an external USB port. 5,511,184 A 4/1996 Lin 6,240,530 B1* 5/2001 Togawa ......................... .. 714/38 10 Claims, 1 Drawing Sheet 130 Operating System Dynamic Memory 140 120 170 Boot Image 180 Rootkit Detection and Remediation US. Patent Dec. 27, 2011 US 8,086,835 B2 130 Dynamic @ Memory *7 140 f 120 170 Boot Image 180 Rootkit Detection and Remediation 210 Boot into Key 220A 220B 220C 220D 220E MD5 Hash . File Permissions String Search I I Compare Default Flles for Binaries (LKM & KLD) Hidden H93 240 250 230 Remove _ Initiate O/S YES NO Boot + FIG. 2 US 8,086,835 B2 1 2 ROOTKIT DETECTION operation of hook analysis only provides a circumvention challenge for the malicious hacker. BACKGROUND OF THE INVENTION BRIEF SUMMARY OF THE INVENTION 1. Field of the Invention The present invention relates to the ?eld of network secu Embodiments of the present invention address de?ciencies rity and more particularly to rootkit detection and remedia of the art in respect to rootkit detection and provide a novel tion. and non-obvious method, system and computer program 2. Description of the Related Art product for external rootkit detection and remediation. In one Computing security has increasingly become the focus of embodiment of the invention, an external rootkit detection information technologists Who participate in locally and glo tool can be provided. The tool can include external static bally accessible computer netWorks. In particular, With the memory With an input/ output (I/ O) port interface to an exter availability and affordability of netWork computing, even nal I/O port on a target computing platform. The tool further Within the small enterprise, many computers and small com can include a boot image disposed in the external static memory, and rootkit detection and remediation logic dis puter netWorks provide access to a substantial number of end posed in the external static memory and referenced by the users continuously. NotWithstanding, the ef?ciencies gained, boot image. In one aspect of the embodiment, the external netWork computing is not Without its price. Speci?cally, those static memory can include a universal serial bus (U SB) key computers and computer netWorks Which heretofore had and, correspondingly, the I/O port can include an external remained disconnected from the security risks of the Internet 20 USB port. noW have become the primary target of malicious Internet In another embodiment of the invention, an external rootkit hackers, crackers and script kiddies, collectively referred to detection method can be provided. The method can include as “malicious hackers”. performing bootstrap of a target computing platform through Malicious hackers utiliZe a vast selection of tools to Wreak a boot image in an external static memory, and detecting a havoc in the computing World. Whereas some tools permit the 25 rootkit component in the target computing platform from malicious hacker to launch an attack directly into a computing rootkit detection logic disposed in the external static memory. environment, oftentimes malicious hackers prefer to utiliZe In this regard, In one aspect of the embodiment, detecting a an intermediary from Which to launch an attack. The choice of rootkit component in the target computing platform from intermediary largely relates to the desirability of malicious rootkit detection logic disposed in the external static memory hackers to evade detection. To that end, malicious hackers 30 can include detecting a rootkit component in an operating often seek to transform a host computing platform into a system component of the target computing platform from “Zombie” platform commanded remotely by the malicious rootkit detection logic disposed in the external static memory. hacker to launch an attack on trusting collegial netWorks. In another aspect of the embodiment, the method further can In furtherance of the goals of the malicious hacker, a “root include mounting the external static memory read-only, kit” is a collection of programmatic tools that enable admin 35 receiving an encrypted form of an update for the external istrator-level access to a computer or computer netWork. static memory, verifying the update and applying a decrypted Typically, a malicious hacker utiliZes the rootkit ?rst by form of the veri?ed update to the external static memory. installing the rootkit onto a host after obtaining user-level Additional aspects of the invention Will be set forth in part access, either by exploiting a knoWn vulnerability or cracking in the description Which folloWs, and in part Will be obvious a passWord. Once the rootkit has been installed, the rootkit 40 from the description, or may be learned by practice of the alloWs the malicious hacker to mask intrusion and to gain root invention. The aspects of the invention Will be realiZed and or privileged access to the host and, possibly, other devices on attained by means of the elements and combinations particu a common netWork. larly pointed out in the appended claims. It is to be understood A rootkit generally includes spyWare and other programs that both the foregoing general description and the folloWing that monitor tra?ic and keystrokes. The rootkit commonly 45 detailed description are exemplary and explanatory only and also includes program code enabled to create a “backdoor” are not restrictive of the invention, as claimed. into a target for use by the malicious hacker. The rootkit yet further often includes program code enabled to alter log ?les, BRIEF DESCRIPTION OF THE SEVERAL attack other devices on a common netWork and to alter exist VIEWS OF THE DRAWINGS ing system tools to escape detection. Though robust in logic, 50 rootkits have become increasingly more dif?cult to detect all The accompanying draWings, Which are incorporated in the While having become more common. In this regard, root and constitute part of this speci?cation, illustrate embodi kits can avoid detraction by inserting themselves in to the ments of the invention and together With the description, underlying belly of the operating system making it nearly serve to explain the principles of the invention. The embodi impossible to detect While the operating system executes. 55 ments illustrated herein are presently preferred, it being Contemporary rootkit detection softWare relies upon an understood, hoWever, that the invention is not limited to the analysis of different portions of the infected operating system precise arrangements and instrumentalities shoWn, Wherein: during execution to identify established hooks into kernel FIG. 1 is a schematic illustration of a computing system system services of the operating system. To the extent, that con?gured for external rootkit detection and remediation; system services have been intercepted and modi?ed can indi 60 and, cate the possibility that the safety of the system is at risk and FIG. 2 is a How chart illustrating a process for external that spyWare, viruses or malWare are active. Still, most skilled rootkit detection and remediation. artisans recogniZe that in many system tools such as moni toring and antivirus softWare, kernel hooks are the only avail DETAILED DESCRIPTION OF THE INVENTION able technique to achieve a desirable result and thus the pres 65 ence of kernel hooks alone is not suf?cient to identify the Embodiments of the present invention provide a method, presence malWare. Additionally, knoWing the published system and computer program product for external rootkit US 8,086,835 B2 3 4 detection and remediation.
Load more

Recommended publications
  • Win Xp Pe Iso Download
    Win Xp Pe Iso Download 1 / 4 Win Xp Pe Iso Download 2 / 4 3 / 4 Download Files. Download PEbuilder 3.1.10 File: Download PEbuilder 3.1.10 File. BartPE Iso WINXP Emulated Version 155MB: .... To start working with WinPE, download and install both the Windows ... To learn how to create a bootable WinPE CD, DVD, ISO, or VHD, see .... A tutorial on installing BartPE onto a bootable USB drive. ... but instead of going straight into the BartPE OS, it loaded the BartPE ISO file into the ... Secondly, download Microsoft's Windows Server 2003 SP1 installation file (this can ... This utility has the ability to properly format a USB disk & install a Windows XP boot sector.. Jump to Boot WinPE/BartPE from an ISO file - Download firadisk.gz from the Beta ... For example, for the Avast BartPE ISO you can use a .... Download BartPE builder from http://www.nu2.nu/pebuilder/ ... When it's done building, image file "c:\pebuilder\pebuilder.iso" should be created properly.. Use Windows 7/XP ISO File or DVD to Create Bootable Install USB Drive ... it also allows you transfer Windows PE( Windows XP / Windows 7 / Vista / 2003 / 2008 ) to usb pen drive in a few clicks. ... Download it from softpedia.. Here we show you 5 Windows PE based boot discs to help technicians and ... disc is fully automated including the downloading of the Windows ISO image file.. 1.1 USB Drive; 1.2 BIOS/UEFI configuration; 1.3 ISO image ... If not, download BartPE; The original CD of Windows XP Professional, not a Windows XP Home ...
    [Show full text]
  • Bartpe and KNOPPIX
    Portable Operating Systems for the Personal Computer: BartPE and KNOPPIX Eric P. Delozier, Electronic Services Librarian Penn State Harrisburg Library Middletown, PA Abstract • This poster demonstrates how two operating environments that boot and run from a CD-ROM drive are used as platforms for managing technology and delivering instruction. Built from Windows XP or 2003 installation media, BartPE provides a GUI-based environment that is useful for managing employee and public-access computers. KNOPPIX provides a convenient and portable delivery method for educating librarians and end-users on Linux and open source software. Although based on disparate platforms, both provide a vast array of applications that can support a library’s dual-mission of delivering effective information technology services and literacy programs. Distinctions BartPE KNOPPIX Licensing Mostly NonProprietary Proprietary (Open-source) Platform Windows XP or Linux 2003 CD Capacity Under 550 MB 700 MB or Requirements higher Cost Partially Free Free 1 Similarities BartPE KNOPPIX Networking Yes Yes Supported Devices Requires installation Recognizes most of some drivers for devices automatically maximum support. with little intervention. GUI Nu2Menu KDE, IceWM, Fluxbox, TWM VNC/RDP Support TightVNC (VNC), KRDesktop (Supports Remote Desktop VNC and RDP) Client (RDP) BartPE Requirements • Building (PE Builder): • Executing: – Windows XP (SP1 or – Valid Windows higher) or 2003 License Installation Media – 128 MB RAM – Recordable CD or – Compatible SVGA DVD Drive Graphics Adapter – ISO Burning Software – Intel-compatible CPU (Nero, Easy CD (i586 or later) Creator, etc.) – Bootable CD/DVD Drive BartPE Components • PE Builder – Builds BartPE from Windows Installation Media. • Drivers – Minimal included. Others can be easily installed.
    [Show full text]
  • NTFS from Wikipedia, the Free Encyclopedia Jump To: Navigation, Search NTFS Developer Microsoft Introduced July 1993 (Windows
    NTFS From Wikipedia, the free encyclopedia Jump to: navigation, search NTFS Developer Microsoft Introduced July 1993 (Windows NT 3.1) Partition identifier 0x07 (MBR) EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (GPT) Structures Directory contents B+ tree[1] File allocation Bitmap/Extents Bad blocks $badclus Limits Max file size 264 bytes (16 EiB) minus 1 KiB [2] Max number of files 4,294,967,295 (232-1)[2] Max filename length 255 UTF-16 code units[3] Max volume size 264 ? 1 clusters [2] Allowed characters in filenames In Posix namespace, any UTF-16 code unit (case sensitive) except U+0000 (NUL) and / (slash). In Win32 namespace, any UTF-16 code unit (case insensitive) except U+0000 (NUL) / (slash) \ (backslash) : (colon) * (asterisk) ? (Question mark) " (quote) < (less than) > (greater than) and | (pipe) [3] Features Dates recorded Creation, modification, POSIX change, access Date range 1 January 1601 ʹ 28 May 60056 (File times are 64-bit numbers counting 100- nanosecond intervals (ten million per second) since 1601, which is 58,000+ years) Date resolution 100ns Forks Yes (see Alternate data streams below) Attributes Read-only, hidden, system, archive, not content indexed, off-line, temporary File system permissions ACLs Transparent compression Per-file, LZ77 (Windows NT 3.51 onward) Transparent encryption Per-file, DESX (Windows 2000 onward), Triple DES (Windows XP onward), AES (Windows XP Service Pack 1, Windows Server 2003 onward) Single Instance Storage Yes Supported operating systems Windows NT family (Windows NT 3.1 to Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008) NTFS is the standard file system of Windows NT, including its later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista.[4] NTFS supersedes the FAT file system as the preferred file system for Microsoft͛s ͞Windows͟-branded operating systems.
    [Show full text]
  • BMA User & Reference Manual V7.5 Build 1730 EN
    BootManage® Administrator User & Reference Manual 1 Contents OPERATING SYSTEMS AND OPERATION MODES ................................................................................... 5 OVERVIEW ........................................................................................................................................................... 6 Operating system installation (with automatic hardware detection) .............................................................. 6 Imaging for installation ................................................................................................................................... 6 Diskless operation ........................................................................................................................................... 7 Performing one time activities on a Managed PC .......................................................................................... 7 Diskless Linux network boot ........................................................................................................................... 8 Remove an operating system ........................................................................................................................... 9 Hard Disk Partitioning.................................................................................................................................... 9 CLIENT INSTALLATION ................................................................................................................................ 11 Client
    [Show full text]
  • A Windows XP Diagnostic Guide Step 1
    home.comcast.net 20/11/2010 12:26 Diagnose XP Diagnose XP - Step 1 - Malware A Windows XP Removal Diagnostic Guide Malware Infection which includes Viruses, Worms, Trojans, Spyware, Adware and Rootkits can cause or mimic just about any system problem. These in- clude: Application Errors, Lock-ups (freezing), The following Free guide will help you Blue Screen Stop Errors (BSOD) and Random troubleshoot the most common causes of sys- Reboots. tem problems. Diagnosing System problems can be very complicated and time consuming. There Malware Removal Guide - Malware is short are no simple solutions. Windows XP systems should for «Malicious Software». It is a general never Lock-up (freeze), display Blue Screen Stop term that refers to any software or program Errors or Randomly Reboot. These are all warning code designed to infiltrate or damage a computer signs something is wrong or misconfigured with system without the owner’s informed consent. This your system. Unless you are a highly trained, expe- includes Viruses, Worms, Trojans, Spyware, Adware rienced PC Technician do not skip any of the fol- and Rootkits. This 3 step guide will show you how lowing steps. to remove these infections and protect yourself from future infections for free using free software. Notes - Overclocking can cause almost any system problem. It is strongly recommended to only run FACT: 89% of consumer PCs are infected with your system at the correct frequencies. Troubles- spyware hooting any problem on an Overclocked system is feedback a complete waste of time. Set the system back to its ^ TOP default frequencies before you begin troubleshoo- ting.
    [Show full text]
  • IBM Barts PE Presenatation
    BarBartt’’ss PPEE JoJossee MeMeddeieiroross MCP+I,MCP+I, MMCSCSE,E, NT4NT4 MCTMCT Course Number Presentation_ID © 1999, Cisco Systems, Inc. 1 WWhhatat iiss BBart’art’ss PEPE?? •Bart's PE Builder is a free tool that helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks. • Bart’s PE gives you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on. •This will replace any Dos bootdisk in no time! Course Number Presentation_ID © 12990090, Cisco Systems, Inc. 2 WWhyhy DDidid II SSwitwitchch toto BBartsarts PPE?E? • DOS Boot Disks Use Lanmanger v2.1 • SMB / CIFS Authentication Issue using Microsoft Active Directory 2003 in Native Mode. • Dos and earlier version of Windows does not support NTLMv2 or SMB signing as well as earlier versions of SAMBA and MAC OS X. Presentation_ID © 1999, Cisco Systems, Inc. 3 BBart’art’ss PEPE UUsesess 3232 BBitit DDririversvers • BartBart''ss PPEE BBuilduilderer usesuses 3232 BBitit NNeetwtworkork CoControllerntroller andand SStoragtoragee CCoontrntroollerller driversdrivers • ThThisis allowallowss yyoouu ttoo accessaccess ddiskisk rraaidid arrayarrayss andand wwitithh NetwoNetworkrk conconttrorollerller ssupuppoportrt alloallowwss yyoouu ttoo imimagagee anan enenttireire serverserver overover etherneethernett ttoo aa NetwoNetworkrk shareshare oonn aa DDASAS,, NNASAS oror SSAANN ArrayArray • BartBart’s’s PPEE hhasas bbuiltuilt inin UUSSBB 2.02.0 susupppportort whwhichich allowallowss yyouou ttoo accessaccess anan exexternalternal UUSSBB 2.02.0 hardhard drive.
    [Show full text]
  • Ultimatep2v: Quickstart
    UltimateP2V using Qui Hong’s FixVM-SCSI and NU2’s BartPE Document Version 1.4 & by Chris Huss and Mike Laverick Primary Contact: [email protected] Author Contacts: [email protected] [email protected] Page 1 of 21 Tested VMware Versions: ESX 2.x Technical Developer: Qui Hong Authors: Chris Huss Mike Laverick Audience : Very simple instructions suitable for even a “novice” user to create an Ultimate- P2V CD based on a “Classic BartPE” disk Objective: A step-by-step guide to creating a custom BartPE boot CD/ISO – used to clone a physical machine and reconfigure the virtual machine. In short – Free P2V Disclaimers & Acknowledgements: Firstly, Qui Hong must take the lion share of the credit for this development/solution. It’s he who has done all the whiz bang stuff! Secondly, it is Chris who was responsible for providing the step-by-step instructions to configuring Qui’s BartPE plug-in. He opened my eyes to the possibilities of using Qui’s plug-in. I must admit that I didn’t quite grasp the purpose of Qui’s plug-in until he and I swapped a forum post on the issue. Software Required: Windows Server 2003 CD-ROM (Recommended) Windows XP Professional with Service Pack 2 Symantec Ghost 8 Note: Not all versions of Symantec Ghost may be supported or work with BartPE. You might wish to investigate other cloning/copying techniques and plug-ins if this is your situation. Known Issues: • Diskpart in Windows XP does not work correctly. Reboot after the clone process if your BartPE disk is based on Windows XP Page 2 of 21 Ultimate-P2V using Qui Hong's FixVM-SCSI Community Support Statement • Both myself, Chris and Qui are very busy people – and much of our extra- curricular work is done in our free-time.
    [Show full text]
  • Recovery Boot Disk Bartpe
    TrustPort, a.s. TrustPort Antivirus 2012 BartPE Plugin User Manual © TrustPort, a.s. http://www.trustport.com Revision : March 2012 CONTENTS 1.What is the TrustPort Antivirus BartPE Plugin? ..................................................................................2 2.Basic description how to create boot CD with TrustPort Antivirus Plugin ..........................................4 3.In depth description how to create a boot CD with TrustPort Antivirus BartPE Plugin. ....................5 i.Installation of TrustPort Antivirus on a clean non infected computer..........................................5 ii.Installation of the PE Builder........................................................................................................5 iii.Creation of the TrustPort Antivirus Plugin for the PE Builder. .................................................8 iv.Copy of the installation set Windows XP...................................................................................10 v.Creating the boot disk BartPE with the help of the application PE Builder...............................11 4.Using BartPE boot disk with the TrustPort Antivirus Plugin. ............................................................ 15 5.Possible problems .............................................................................................................................. 20 6.Contacts.............................................................................................................................................. 21 1. What is the TrustPort
    [Show full text]
  • GREG G. LARSON 4950 SIESTA OAK LOOP • WINTER PARK, FL 32792 • 407-718-8233 • [email protected]
    GREG G. LARSON 4950 SIESTA OAK LOOP • WINTER PARK, FL 32792 • 407-718-8233 • [email protected] OBJECTIVE Software development leadership position utilizing analytical, creative problem-solving, teamwork, interpersonal communication, design and architecture, and advanced programming skills. PROGRAMMING LANGUAGES and FRAMEWORKS PROFICIENT IN: Java (including Java 1.8, JSP/JSTL, JDBC, AspectJ), Spring Framework (including Spring Boot, Spring Integration, Spring Batch, Spring MVC, Spring Security, Spring Roo, Spring MVC Test Framework), Hibernate ORM, JavaScript, jQuery, JSON, CSS3, C/C++/C#.NET, XML, HTML4, SQL (including triggers and stored procedures), Perl FAMILIAR WITH: AngularJS, J2EE, HTML5, Struts, Unix Shell Scripting, XSLT, ASP.NET, VisualBasic SOFTWARE OPERATING SYSTEMS: Mac OS X, Windows (including 2003 Server), VMware ESX, Linux, UNIX NETWORK ADMINISTRATION: Opsware, Citrix Metaframe XP and PS 4.0, Terminal Services, Samba, Veritas NetBackup, Dell OpenManage, HP ISEE, Ghost, BartPE, PowerQuest PartitionMagic, OpenSSH, OpenSSL, puttySSH DATABASE: Oracle 11g, Microsoft SQL Server, SQLite, MySQL, PostgreSQL, IBM DB2 PROGRAMMING TOOLS: IntelliJ IDEA, Eclipse / STS, JUnit, Mockito, Git, Perforce, Subversion, FishEye, Maven3, JIRA, Crucible, Code Collaborator, Clover, Ant, Emacs, vi, PMD, Findbugs, Docker WEB DEVELOPMENT: Tomcat, Apache Server, Spring MVC, Red Hat OpenShift, JBoss, Microsoft Internet Information Services (IIS), IBM WebSphere, Firebug, Chrome Developer Tools WEB DESIGN AND MULTIMEDIA: Adobe Dreamweaver, Flash, Photoshop,
    [Show full text]
  • A Comparative Analysis of Rootkit Detection Techniques
    A COMPARATIVE ANALYSIS OF ROOTKIT DETECTION TECHNIQUES by THOMAS MARTIN ARNOLD, B.S. THESIS Presented to the Faculty of The University of Houston Clear Lake In Partial Fulfillment of the requirements for the Degree MASTER OF SCIENCE THE UNIVERSITY OF HOUSTON-CLEAR LAKE May, 2011 A COMPARATIVE ANALYSIS OF ROOTKIT DETECTION TECHNIQUES by THOMAS MARTIN ARNOLD APPROVED BY ____________________________________ T. Andrew Yang, Ph.D., Chair ____________________________________ Sharon Hall, Ph.D., Committee Member ____________________________________ Sadegh Davari, Ph.D., Committee Member ____________________________________ Dennis M. Casserly, Ph.D., Associate Dean ____________________________________ Zbigniew J. Czajkiewicz, Ph.D., Dean DEDICATION I would like to dedicate this thesis to my family and friends for their constant love, support, and patience throughout the process of completing my graduate degree. ACKNOWLEDGEMENTS I would like to thank Larissa, Jonah, and Wesley for their love and patience as I worked many nights and weekends to complete my Computer Science graduate degree while working full-time. I also want to thank Dr. T. Andrew Yang for being agreeing to be my thesis committee chair and for providing constant guidance and advice throughout the process of developing the thesis, performing the research, and presenting the results. I would also like to greatly thank Dr. Sadegh Davari and Dr. Sharon Perkins-Hall for serving on my thesis committee and for providing feedback during the past year. They are all fantastic professors and have directly provided me with a solid Computer Science education here at The University of Houston – Clear Lake. ABSTRACT A COMPARATIVE ANALYSIS OF ROOTKIT DETECTION TECHNIQUES Thomas Arnold, M.S. The University of Houston, Clear Lake, 2011 Thesis Chair: Dr.
    [Show full text]
  • Live Win Xp Cd
    Live win xp cd click here to download If you are regular here, few weeks ago I had written an article "how to create live XP/Vista CD/DVD/USB". Few readers had asked me to write a. Ophcrack is a Windows Password cracker based on Rainbow Tables. » ophcrack XP LiveCD: cracks LM hashes (Windows XP and earlier); » ophcrack . The Ultimate Boot CD 4 Windows uses your Windows installation discs (only Windows XP and Windows Server are officially supported) to. The creators of the previously mentioned, versatile CD/DVD burning tool program to create a live-booting Windows XP (or /) disc. You can download a Live CD ISO which you only have to burn on a CD/DVD, or you can build your own with a program called Windows PE Made this XP Live CD ages ago with Winbuilder, its pack with loads of great apps , you can also add portable apps to the ppApps folder and. How to create Windows XP Live CD, complete with preinstalled programs To create a Windows XP Live CD we will require 1. Bart PEbuilder 2. Guide to creating Windows bootable live CD using BartPE or Ultimate Boot CD This article assumes that you have a licensed copy of Windows XP (or ). You can do this from a virtual machine, which would probably be easier to use as the Startup Disk Creator than to do it in a Windows machine. BartPE Bootable Live Windows CD/DVD. Free Bart Lagerweij Windows /XP Version a Full Specs. Editors' Rating. Editors' Rating. 0. Detailed instructions on how to make your computer boot from a CD, DVD, or BD disc.
    [Show full text]
  • 10+ Things You Should Know About Rootkits September 17, 2008
    Version 1.0 10+ things you should know about rootkits September 17, 2008 By Michael Kassner Rootkits are complex and ever changing, which makes it difficult to understand exactly what you're dealing with. Even so, I’d like to take a stab at explaining them, so that you'll have a fighting chance if you're confronted with one. 1 What is a rootkit? Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a UNIX/Linux term that’s the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit -- all of which is done without end-user consent or knowledge. 2 Why use a rootkit? Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer’s configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they consider rootkits to be solely malware, but in of themselves they aren’t malicious at all. One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG’s attempt to prevent copyright violations. Sony BMG didn't tell anyone that it placed DRM software on home computers when certain CDs were played. On a scary note, the rootkit hiding technique Sony used was so good not one antivirus or anti-spyware application detected it.
    [Show full text]