WEBVTT

00:01.090 --> 00:07.660
A rootkit is a collection of malicious computer software designed to enable access to a computer that

00:07.660 --> 00:09.580
is not otherwise allowed.

00:09.760 --> 00:17.200
A rootkit contains malware that can steal data and take over a system for malicious purposes all while

00:17.200 --> 00:19.030
remaining undetected.

00:19.060 --> 00:26.110
Typically, a hacker installs the rootkit after having obtained privileged access to the system.

00:26.320 --> 00:34.090
Obtaining this access is a result of a direct attack on the system, such as exploiting a known vulnerability

00:34.090 --> 00:41.050
or getting a valid password obtained by cracking or social engineering tactics like phishing.

00:41.080 --> 00:49.720
Once the rootkit is installed, it becomes possible to hide the intrusion as well as to maintain privileged

00:49.720 --> 00:50.560
access.

00:50.980 --> 00:58.600
A rootkit can hide a keylogger, capturing your keystrokes and sending your confidential information

00:58.600 --> 01:01.090
to its master who controls it.

01:01.120 --> 01:09.070
It can also allow hackers to use your computer for illicit activities, such as launching a denial of

01:09.070 --> 01:13.450
service attack against other computers or sending out spam.

01:13.900 --> 01:22.150
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended

01:22.150 --> 01:23.230
to find it.

01:23.680 --> 01:31.780
Rootkits could remain in place for a very long time because their role is to hide any trail of their

01:31.780 --> 01:32.710
existence.

01:32.830 --> 01:40.120
So finding rootkits is a challenge, especially if one loads kernel modules and compromises

01:40.120 --> 01:43.930
the kernel by modifying kernel system calls.

01:43.960 --> 01:51.340
Kernel rootkits can hide files, directories, processes or network connections without modifying

01:51.340 --> 01:52.820
any system binaries.

01:52.840 --> 01:55.990
I want you to remember something very important.

01:56.020 --> 02:04.060
If the system was compromised by a rootkit and you find out about it by any means, you must reinstall

02:04.060 --> 02:05.380
the entire system.

02:05.410 --> 02:09.450
Never, but never trust a compromised machine.

02:09.460 --> 02:10.240
Period.

02:10.690 --> 02:17.920
Now that you know how dangerous a rootkit can be, let's go ahead and see how you can scan for rootkits

02:17.920 --> 02:20.080
and malware on a Linux system.

02:21.160 --> 02:26.500
We'll take a look at two security tools, rkhunter and chkrootkit.

02:26.530 --> 02:30.370
It's recommended to run these tools from a rescue disk.

02:30.400 --> 02:37.930
Typically a live one. Optionally, they can use an alternate directory from which to run all of their

02:37.930 --> 02:38.800
own commands.

02:38.830 --> 02:45.610
This allows the rootkit scanners to trust the commands upon which they depend a bit more.

02:46.180 --> 02:53.800
Rootkit Hunter, or rkhunter, is a security monitoring tool for Linux, which scans for rootkits and

02:53.800 --> 02:56.170
other possible vulnerabilities.

02:56.200 --> 03:04.060
It does so by searching for the default directories of rootkits, misconfigured permissions, hidden files,

03:04.060 --> 03:12.040
kernel modules containing suspicious strings and comparing hashes of important files with known good

03:12.040 --> 03:12.670
ones.

03:12.700 --> 03:19.150
It is written in Bash, so it's portable and can be run on any Linux-based system.

03:19.360 --> 03:24.580
Let's install rkhunter from the official Ubuntu repositories.

03:26.600 --> 03:29.750
apt install rkhunter.

03:36.560 --> 03:37.580
Installing it.

03:43.100 --> 03:50.690
After installing rkhunter and prior to running it for the first time, update the file properties

03:50.690 --> 03:51.680
database.

03:52.310 --> 03:59.840
One of the checks rkhunter performs is to compare the current file properties of various commands

03:59.870 --> 04:03.320
against those it has previously stored.

04:04.480 --> 04:07.840
I'm running rkhunter

04:07.960 --> 04:09.670
--propupd.

04:11.410 --> 04:19.330
This command causes rkhunter to update its data file of stored values with the current values.

04:20.410 --> 04:23.440
Let's run a full system check: rkhunter

04:24.370 --> 04:26.200
--check.

04:31.230 --> 04:35.220
This command performs various checks on the local system.

04:36.810 --> 04:44.130
The result of each test will be displayed at the terminal, and if anything suspicious is found, then

04:44.130 --> 04:45.900
a warning will be displayed.

04:48.650 --> 04:55.400
A log file of the tests and the results will be automatically created in /var/log.

04:56.690 --> 05:00.470
Let's take a look at the log file in another terminal.

05:04.440 --> 05:10.230
I'm splitting the terminal in two and I'm connecting to the VPS again.

05:11.870 --> 05:13.940
This is a new connection to the same server.

05:13.940 --> 05:19.730
So tail -f /var/log/rkhunter.log.

05:23.070 --> 05:25.710
And we see there's a lot of information.

05:26.010 --> 05:28.170
All the tests it performs.

05:28.740 --> 05:30.600
I am pressing enter to continue.

05:39.330 --> 05:41.400
I'm waiting for it to finish.

05:57.390 --> 05:58.380
And it's done.

05:59.590 --> 06:04.990
There is only one warning, which says that SSH root access is allowed.

06:09.140 --> 06:15.590
If you want to print at the console only the warnings, run it with the --report-warnings-only

06:15.590 --> 06:16.850
option like this.

06:28.820 --> 06:35.150
Note that it still updates the log file along with all the checks it makes.

06:38.140 --> 06:39.250
Out of the box,

06:39.280 --> 06:45.790
rkhunter will throw up some false warnings during the file properties checks.

06:46.540 --> 06:52.330
This is because a few of the core utilities have been replaced by different scripts.

06:54.350 --> 07:00.260
For example, on this Ubuntu VM, rkhunter reports this warning.

07:01.310 --> 07:07.880
I know this is a false positive since I've just installed the system from a trustworthy source.

07:09.130 --> 07:16.330
These warnings can be muted by whitelisting them in the rkhunter config file.

07:18.850 --> 07:19.660
Here.

07:19.810 --> 07:23.620
I'm writing SCRIPTWHITELIST

07:29.310 --> 07:33.270
and the path to the binary that generated the warning.

07:44.800 --> 07:51.880
Let's take a look at another tool called chkrootkit that locally checks for rootkits.

07:51.970 --> 07:56.740
I'm installing it: apt install chkrootkit.

08:03.570 --> 08:08.700
And to start a scan, simply run as root: chkrootkit.

08:10.170 --> 08:14.520
It's performing lots of tests, displaying the results on the screen.

08:14.670 --> 08:20.370
Note that a warning doesn't necessarily mean that the system was compromised.

08:20.490 --> 08:25.260
It's just a red flag that needs to be further investigated.

08:25.440 --> 08:32.490
The first thing you should do is search on Google for chkrootkit and the warning it has displayed.

08:33.320 --> 08:41.030
We can also run it in quiet mode by using the -q option, and it will print out only the warnings

08:41.030 --> 08:42.290
if there are any.

08:45.460 --> 08:51.280
And it's recommended to frequently run a cron job that scans for rootkits.

08:51.550 --> 08:55.060
That's all about rootkits and rootkit scanners.

08:55.090 --> 08:55.900
Thank you.
