Prof K. S Wagh, Shivani Bhakare, Siddesh Garsund, Shravani Jadhav, Shashank Patwardhan
waghks@gmail.com, shivanibhakare99@gmail.com, chintyam.t@gmail.com, shravanijadhav8@gmail.com,
shashankpatwardhan7@gmail.com
Computer Dept, AISSMS IOIT,
Pune, India
ABSTRACT
Statistics show that although malware detection tools do detect and prevent malware, they do not guarantee 100% detection and/or prevention of malware. This is especially the case when it comes to rootkits that can manipulate the operating system such that it can distribute other malware, hide existing malware, steal information, hide itself, disable anti-malware software etc., all without the knowledge of the user. This paper will demonstrate that by implementing hybrid rootkits or any other type of malware, a researcher will be able to better understand the techniques and vulnerabilities used by an attacker. Such information could then be useful while implementing anti-malware techniques.

General Terms
Metasploitable Framework.

Keywords
Hybrid rootkit, malware, stealth, security, Trojans, Amazon Web Services.

1. INTRODUCTION
A Rootkit [1] is a suite or collection of one or more programs that allows a third party to hide files and activities from the administrator of a computer system. An intruder takes advantage of one or more known vulnerabilities on a particular computing platform to deliver and install the rootkit. Once the rootkit is in place, the intruder can use the infected system while remaining undetected.

A battle has begun between attackers and defenders of computer systems. An attacker who manages to compromise a system seeks to carry out malicious activities on the system that remain invisible to defenders. At the same time, defenders search for successful attackers by looking for signs of system compromise or malicious activities. [5]

In this paper, we assume the perspective of an attacker who is trying to run malicious software and avoid its detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits.

2. ALGORITHM

2.1 Reverse Connection
(1) Develop a rootkit which consists of:
i. An IP address
ii. A sequence of executable code
(2) Patch this rootkit to a legitimate file and upload it on the website.
(3) Create a webpage with a GUI that looks like a legitimate file provider or file download page.
(4) After selecting download, the page should be redirected to our actual webpage which has the rootkit uploaded.
(5) The redirected website will be clickjacking enabled. In all scenarios, the file will be downloaded to the victim's machine.

2.2 On victim's machine
i. Victim executes the file. The legitimate file runs, while the patched file runs with it in the background in stealth mode.
ii. This patched file consists of the IP address of the attacker's machine and an executable code sequence.
iii. The executable sequence defines a routine that will send a request for connection to the attacker's machine / IP address. This technique is called Reverse Connection.
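The behaviour described in 2.1 and 2.2 leaves a characteristic trace on the endpoint: a file that arrived through a browser download is executed, a second process runs alongside it in the background, and that process initiates an outbound connection to an address outside the organisation. The following detection logic, added here as an example and not part of the paper or its implementation, correlates process-creation and network-connection events to surface exactly that chain. The event field names, the download-directory list, the internal address ranges and all sample telemetry are constructed assumptions for illustration, not the output of any particular sensor.

```python
"""Detect a downloaded file that quietly opens an outbound ('reverse') connection.

Added example. The event shapes below are constructed for illustration and are
an assumption, loosely modelled on process-creation and network-connection
telemetry; they are not the output of any particular sensor.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Locations where a file fetched from a web page typically lands (assumption:
# Windows-style paths; extend for the platforms you monitor).
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

# Address space treated as internal; anything else counts as an external callback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class ProcessStart:
    ts: int      # epoch seconds
    pid: int
    ppid: int
    image: str   # full path of the executable


@dataclass(frozen=True)
class NetConnect:
    ts: int
    pid: int     # process that initiated the connection
    dst_ip: str
    dst_port: int


def from_download_dir(image: str) -> bool:
    """True if the executable lives in a directory that receives web downloads."""
    low = image.lower()
    return any(d in low for d in DOWNLOAD_DIRS)


def is_internal(ip: str) -> bool:
    """True if the destination falls inside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ancestry(pid: int, procs: Dict[int, ProcessStart]) -> List[ProcessStart]:
    """Process followed by its parents, nearest first; stops at unknown pids or loops."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain


def detect_reverse_connections(starts: Sequence[ProcessStart],
                               connects: Sequence[NetConnect]) -> List[dict]:
    """Flag external connections made by a downloaded executable or any descendant.

    The outermost downloaded ancestor is reported as the 'root': that is the file
    the user knowingly ran, while the connecting process is the one doing the work.
    """
    procs = {p.pid: p for p in starts}
    alerts = []
    for c in sorted(connects, key=lambda c: c.ts):
        if is_internal(c.dst_ip):
            continue
        chain = ancestry(c.pid, procs)
        downloaded = [p for p in chain if from_download_dir(p.image)]
        if not downloaded:
            continue
        root = downloaded[-1]
        alerts.append({
            "ts": c.ts,
            "pid": c.pid,
            "image": chain[0].image,
            "root_pid": root.pid,
            "root_image": root.image,
            "dst": f"{c.dst_ip}:{c.dst_port}",
            "chain": [p.pid for p in chain],
        })
    return alerts


# Constructed sample telemetry (not real data): a browser saves an installer,
# the installer spawns a helper in Temp, and the helper connects out.
SAMPLE_STARTS = [
    ProcessStart(ts=1000, pid=100, ppid=1,   image=r"C:\Program Files\Browser\browser.exe"),
    ProcessStart(ts=1010, pid=300, ppid=1,   image=r"C:\Windows\System32\svchost.exe"),
    ProcessStart(ts=1060, pid=200, ppid=100, image=r"C:\Users\alice\Downloads\viewer_setup.exe"),
    ProcessStart(ts=1062, pid=201, ppid=200, image=r"C:\Users\alice\AppData\Local\Temp\helper.exe"),
]
SAMPLE_CONNECTS = [
    NetConnect(ts=1005, pid=100, dst_ip="203.0.113.10", dst_port=443),   # browser: not a download
    NetConnect(ts=1020, pid=300, dst_ip="203.0.113.20", dst_port=443),   # system service: not a download
    NetConnect(ts=1065, pid=200, dst_ip="10.0.0.5",     dst_port=445),   # installer reaches an internal share
    NetConnect(ts=1066, pid=201, dst_ip="203.0.113.7",  dst_port=4444),  # background helper calls out: flagged
]

if __name__ == "__main__":
    for a in detect_reverse_connections(SAMPLE_STARTS, SAMPLE_CONNECTS):
        print(f"[{a['ts']}] pid {a['pid']} ({a['image']}) -> {a['dst']}; "
              f"started from download {a['root_image']} (pid {a['root_pid']}), chain {a['chain']}")
```

Walking the full parent chain is what distinguishes this rule from a plain "unknown binary talks to the internet" alert: the process that phones home is not the one the user double-clicked, so a rule keyed only on the connecting process would report an anonymous helper with no link to the downloaded file. Legitimate installers do fetch updates, so in practice the alert is enriched with the destination's reputation and the file's signature rather than acted on alone.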
4. DESIGN ARCHITECTURE

5. APPLICATIONS
• This rootkit can be used in creating anti-malware.

6. IMPLEMENTATION
REFERENCES
[1] Virus Analysis on IDT Hooks of Rootkits Trojan: Yong Wang, Dawu Gu, Wei Li, Jing Li, Mi Wen. 978-0-7695-3686-6/09, 2009 IEEE. DOI 10.1109.
[2] Implementing Rootkits to Address OS Vulnerabilities: Manuel Corregedor and Sebastiaan Von Solms. 978-1-4577-1483-2/11, 2011 IEEE.
[7] Proposal of Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features: Yohei Akao, Toshihiro Yamauchi.
[8] Detecting Kernel-Level Rootkits Using Data Structure Invariants: Arati Baliga, Vinod Ganapathy, and Liviu Iftode.