
1 Different Techniques in Rootkit. Aldous de los Santos, TrendLabs. Confidential © 2005 Trend Micro, Inc. We Ensure Digital Operational Continuity Against Unpredictable Threats.

2 Agenda
 Rootkit Concepts
 Rootkit Detection
 Rootkit Analysis

3 Rootkit Concepts

4 INTRODUCTION

5 Evolution of Rootkit Technology
 “ROOT” - most powerful account in Unix-based operating systems
 “KITS” - collection of applications and utilities

6 Rootkit Definition
 ROOTKIT: It is a program (or collection of programs) installed after gaining root system privileges.

7 Purpose of Rootkit
 To gain more privilege on the system.
 To be invisible or undetectable.

8 Forms of Rootkit
 KERNEL-LEVEL
 SYSTEM ACCESS
 APPLICATION-LEVEL

9 KERNEL HOOKING

10 System Service Call Cycle
USER MODE:
    User Application: call to CreateFile API
    Kernel32.DLL: call stub NtCreateFile API
    NTDLL.DLL: EAX = 0x00000020; call INT 2Eh
KERNEL MODE:
    NTOSKRNL.EXE: service executes, then switch back to USER MODE
Return path: return NtCreateFile result; return CreateFile result

11 NTDLL Interface
 Kernel32.DLL imports solely from the library NTDLL.DLL
 NTDLL.DLL is an interface to the Int 2Eh function of Windows NT
 Int 2Eh signals a need to switch from user mode to kernel mode
 Int 2Eh is internally known as KiSystemService().
 The Int 2Eh handler looks up a table in NTOSKRNL called KeServiceDescriptorTable()

12 NTOSKRNL Exports
The structure of KeServiceDescriptorTable:

    typedef struct ServiceDescriptorTable {
        PVOID        ServiceTableBase;     /* array of system service entry points */
        PVOID        ServiceCounterTable;  /* call counters; 0 (unused) on free builds */
        unsigned int NumberOfServices;
        PVOID        ParamTableBase;       /* bytes of arguments each service takes */
    } ServiceDescriptorTable;

13 Getting Into The Root
Application: Call to CreateFile() API
Kernel32.DLL: Call to NtCreateFile() -- Native API
NTDLL.DLL: Invokes KiSystemService()
NTOSKRNL.EXE: Call through the KeServiceDescriptorTable

14 KeServiceDescriptorTable

    Index   ServiceTableBase    ParamTableBase
    …       …                   …
    0x20    @NtCreateFile       0x2C bytes
    …       …                   …
    0x29    @NtCreateProcess    0x20 bytes
    …       …                   …
    0x6A    @NtOpenProcess      0x10 bytes
    …       …                   …

15 Hooking System Service
 Choose a system service exported by NTOSKRNL.EXE
 Obtain the address of this function
 Verify if the function starts with a MOV EAX, 0xXXXXXXXX construct.
 Retrieve the index value associated with the function.

16 Hooking System Service: Example of NTDLL Exported Functions

17 Hooking System Service
 Import the undocumented structure KeServiceDescriptorTable.
 Locate the function index
 Overwrite the corresponding ServiceTableBase value with the new system service handler.

18 DRIVER LOADING

19 Service Registration
 For Windows 9x/ME – RegisterServiceProcess()
 For Windows NT Systems:
   Service Registration with the Service Control Manager (SCM)
    OpenSCManager()
    CreateService()
    StartService()
    CloseServiceHandle()
   Control Handler Registration
    RegisterServiceCtrlHandlerEx()

20 Driver Installation
 Driver installation goes the same way as with any other service.
 The only difference is:
   The service type parameter of CreateService() is set to SERVICE_KERNEL_DRIVER
   This makes the driver be installed in the kernel

21 Using SystemLoadAndCallImage
 Driver loading using SystemLoadAndCallImage
 Call to the NtSetSystemInformation() function
 NtSetSystemInformation() prototype:

    NtSetSystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN PVOID SystemInformation,
        IN ULONG SystemInformationLength
    );

22 Using SystemLoadAndCallImage
 SystemInformationClass constant value: SystemLoadAndCallImage
 SystemInformation.ModuleName points to the full pathname of the driver
 SystemInformationLength is the length of the parameter

23 API HOOKING

24 IAT Modification: PE File Before IAT Patching
Headers
Code Section: CALL [CreateFileA]
Import Section: CreateFileA: 0x12345678 (the address of CreateFileA() in Kernel32.dll)
Kernel32.dll: CreateFileA(): …

25 IAT Modification: PE File After IAT Patching
Headers
Code Section: CALL [CreateFileA]
Import Section: CreateFileA: Addr of Hook
Hook: JMP 0x12345678 (on to the real CreateFileA() in Kernel32.dll)
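The check a detector runs over the two pointer tables the slides describe (the SSDT's ServiceTableBase on slides 14-17 and a PE file's IAT on slides 24-25), as an added example that is not part of the presentation: every entry must point into the image that legitimately owns the code. The address ranges, service count and hook addresses are constructed, and the stub parser assumes the MOV EAX, imm32 shape the slides mention.

```c
#include <stdint.h>
#include <stddef.h>

/* The undocumented KeServiceDescriptorTable layout quoted on slide 12, with
 * field types made explicit (32-bit NT of the Windows 2000/XP era). */
typedef struct ServiceDescriptorTable {
    uint32_t      *ServiceTableBase;     /* entry point of each system service */
    unsigned int  *ServiceCounterTable;  /* call counters; NULL on free builds */
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;       /* argument bytes each service takes */
} ServiceDescriptorTable;

/* Parse a stub that starts "MOV EAX, imm32" (B8 xx xx xx xx) and return its
 * system service index, or -1 when the bytes do not have that shape. */
long service_index_from_stub(const unsigned char *stub, size_t len)
{
    if (len < 5 || stub[0] != 0xB8) return -1;
    return (long)((uint32_t)stub[1] | ((uint32_t)stub[2] << 8)
                | ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24));
}

/* Shared integrity check: every pointer in a dispatch table (SSDT entries, or
 * the IAT slots a PE file holds for one DLL) must lie inside the image that
 * legitimately provides the code, [lo, hi). Returns how many do not;
 * *first_bad receives the lowest offending index. */
unsigned int count_out_of_range(const uint32_t *table, unsigned int n,
                                uint32_t lo, uint32_t hi, unsigned int *first_bad)
{
    unsigned int i, bad = 0;
    for (i = 0; i < n; i++) {
        if (table[i] < lo || table[i] >= hi) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed address layout for both demos (not a real Windows memory map). */
#define NTOSKRNL_LO   0x80400000u
#define NTOSKRNL_HI   0x805B8000u
#define KERNEL32_LO   0x77E80000u
#define KERNEL32_HI   0x77F35000u
#define ROGUE_DRIVER  0xF8E01234u   /* rootkit driver code, outside NTOSKRNL */
#define ROGUE_HOOK    0x00401C00u   /* "Addr of Hook" inside the Trojan's own image */
#define NUM_SERVICES  0x6B

/* SSDT scenario: 0x6B services pointing into NTOSKRNL; when 'hooked' is set,
 * the entry for index 0x20 (NtCreateFile on slide 14) is overwritten the way
 * slides 15-17 describe. Returns the number of foreign entries found. */
unsigned int demo_ssdt_check(int hooked, unsigned int *hooked_index)
{
    static uint32_t table[NUM_SERVICES];
    static unsigned char params[NUM_SERVICES];
    /* NTDLL-style stub: MOV EAX, 20h ; LEA EDX, [ESP+4] */
    static const unsigned char stub[] = { 0xB8,0x20,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04 };
    ServiceDescriptorTable sdt = { table, NULL, NUM_SERVICES, params };
    unsigned int i;
    for (i = 0; i < NUM_SERVICES; i++) {
        table[i] = NTOSKRNL_LO + 0x1000u * (i + 1);   /* in-range entry points */
        params[i] = 0x10;
    }
    params[0x20] = 0x2C; params[0x29] = 0x20; params[0x6A] = 0x10;  /* slide 14 values */
    if (hooked)   /* ServiceTableBase[index] replaced with the foreign handler */
        sdt.ServiceTableBase[service_index_from_stub(stub, sizeof stub)] = ROGUE_DRIVER;
    return count_out_of_range(sdt.ServiceTableBase, sdt.NumberOfServices,
                              NTOSKRNL_LO, NTOSKRNL_HI, hooked_index);
}

/* IAT scenario: three Kernel32.dll import slots of a PE file; when 'patched'
 * is set, slot 0 (CreateFileA; the slide's 0x12345678 is a placeholder) is
 * redirected to the hook as slide 25 shows. */
unsigned int demo_iat_check(int patched, unsigned int *patched_slot)
{
    uint32_t iat[3] = { KERNEL32_LO + 0x1000u, KERNEL32_LO + 0x2000u, KERNEL32_LO + 0x3000u };
    if (patched) iat[0] = ROGUE_HOOK;
    return count_out_of_range(iat, 3, KERNEL32_LO, KERNEL32_HI, patched_slot);
}
```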

26 Dynamic Code Patching
 DYNAMIC CODE PATCHING: It is the direct code modification of the API functions.

27 Dynamic Code Patching: Original FindNextFile() API Function

    FindNextFileA:
    195D6:  55                  PUSH EBP
    195D7:  8BEC                MOV  EBP, ESP
    195D9:  81EC60020000        SUB  ESP, 260
    Continue_Here:
    195DF:  53                  PUSH EBX
    195E0:  8D85A0FDFFFF        LEA  EAX, [EBP-260]
    195E6:  XX                  <…original code continues…>

28 Dynamic Code Patching: Patched FindNextFile() API Function

    FindNextFileA:
    195D6:  E9XXXXXXXX          JMP Hook
    195DB:  90                  NOP
    195DC:  90                  NOP
    195DD:  90                  NOP
    195DE:  90                  NOP
    Continue_Here:
    195DF:  53                  PUSH EBX
    195E0:  8D85A0FDFFFF        LEA  EAX, [EBP-260]
    195E6:  XX                  <…original code continues…>

    Hook:
        call Saved_Original     ; the 9 overwritten bytes, saved before patching
        ret

29 Detecting Rootkits

30 Rootkit Revealer
 It is an advanced rootkit detection utility
 It runs on Windows NT 4 and higher
 It checks for Registry and file system API discrepancies
 These discrepancies may indicate the presence of a rootkit

31 Rootkit Revealer
Here’s the list of discrepancies found in the system that might indicate the presence of a rootkit. This button is either Abort (when scanning) or Scan (when not scanning).

32 Rootkit Detector
 It is a diagnostic tool that provides information about hidden processes and services hooked by an NT rootkit
 It also attempts to kill those hidden tasks
 It also rescans the service database to detect hidden services and hidden registry keys

33 Rootkit Detector

34 Analyzing Rootkits

35 SURFACE ANALYSIS

36 Driver Capability

37 Driver Loading

38 FINDING THE HOOK

39 DLL Injection
Malware Process: Call to CreateRemoteThread()
Victim Process: Call to LoadLibrary()
Malicious DLL
Using CreateRemoteThread(), a call to the LoadLibrary() API can cause a malicious DLL to be loaded into the remote process’ address space.

40 Direct Memory Writing: Patching Another Process
Attacking Process: HEADERS, Code Section: VirtualAllocEx(), VirtualProtectEx(), WriteProcessMemory(), CreateRemoteThread()
Victim Process: HEADERS, Code Section, Heap: Install_Hooks();

41 API INVESTIGATION

42 APISEE TOOL
 This is a tool used to dump 1000 bytes of code of the loaded API.
 This tool was created by Trend Micro.

43 APISEE TOOL

44 APISEE TOOL
This is the sample output of APISEE, whereby the APIs in KERNEL32.DLL were dumped at 1000 bytes of code each.

45 2002 December: BKDR_HACKDEF.51

46 What’s so special about BKDR_HACKDEF.51 ???
1. The Backdoor Trojan is called Hacker Defender v0.51, Homepage: www.rootkit.host.sk
2. The Trojan runs only on WinNT, Win2K and WinXP.
3. It hooks APIs inside Kernel32.DLL and ADVAPI32.DLL
4. Once hooked, the Trojan cannot be seen on disk, in the registry or in Task Manager

47 The BIG Problem
We can’t hit what we cannot see!
 we cannot see the infected process, file or registry entry

48 Trojan Components
1. HXDEF051.EXE – Main program which hooks the APIs. Also acts as the Backdoor Server
2. HXDEF051.INI – Specifies what system objects to hide (files/folders/registry etc)
3. BDCLI051.EXE – Backdoor Client
4. RDRBS051.EXE – Port Redirector, used for added Backdoor functionality
5. READMEEN.TXT – Readme in English
6. READMECZ.TXT – Readme in Czech

49 Demo Run on Windows 2000: Create dummy files
1. Create a folder C:\TESTDIR
2. Create two files CALC1.EXE and CALC2.EXE in the C:\ and C:\TESTDIR directories. (CALC1.EXE and CALC2.EXE are copies of the calculator program)
3. Create a registry key: HKLM\Software\TestKey
4. Run C:\CALC1.EXE and C:\CALC2.EXE
5. Make sure that Windows Explorer shows All Hidden Files And Folders

50 Demo Run on Windows 2000: Modify HXDEF051.INI

Original HXDEF051.INI:

    [Hidden Table]
    ~ ß@¬.exe
    hxdef*
    rcmd.exe
    [Root Processes]
    ~ ß@¬.exe
    hxdef*
    rcmd.exe
    [Hidden Services]
    HackerDefender*
    [Hidden RegKeys]
    HackerDefender051
    LEGACY_HACKERDEFENDER051
    [Startup Run]
    [Password]
    hxdef-rulez

Modified HXDEF051.INI for the demo:

    [Hidden Table]
    CALC1.EXE
    CALC2.EXE
    TESTDIR
    [Root Processes]
    CALC1.EXE
    [Hidden Services]
    CALC2.EXE
    [Hidden RegKeys]
    TESTKEY
    [Startup Run]
    [Password]
    hxdef-rulez

51 Comparison before and after running the Trojan: [before screenshot] Becomes [after screenshot]

52 Even Installwatch is fooled! Note that the files C:\CALC1.EXE and CALC2.EXE are STILL ALIVE AND RUNNING !!!

53 Other Trojan properties: Even if the folder C:\TESTDIR is hidden, you can still browse it using the command interpreter:

54 Tracing the Trojan
To be able to come up with a solution for attacks using the same exploit, we first have to know how the Trojan has accomplished this new stealth technique.

55 Tracing Methodology
This Trojan was created using Delphi and is only 51,200 bytes. It would be sheer madness to trace DELPHI-made programs from START to FINISH, since they are loaded with initialization code and calls to native DELPHI commands. Therefore, we must have a systematic and efficient way of tracing this Trojan!

56 Our GAMEPLAN
#1 - Using IDAPro, identify which CALLs point to native DELPHI commands, system APIs, or merely local CALLs to code in different parts of the Trojan body.
#2 - Still in IDAPro, identify a “choke point”. This is an instruction which we know is a crucial piece of code used by the Trojan. We can use this instruction as a starting point from which we analyze the Trojan either in a debugger* or in IDAPro itself.
*Usage of OLLYDEBUG is much more preferable than SOFTICE when analyzing applications coded in a high-level language.

57 Our GAMEPLAN
#3 – Still in IDAPro, once we know the “Choke Point”, try to go through each subsequent CALL and rename each of them properly! This technique will enable you to cover the full extent of the critical virus code.
#4 – If the parameters passed to the API calls are not understandable in IDAPro, or if the motive of the API calls is unclear, that is the ONLY time when actual tracing SHOULD BE DONE!

58 Cleaning Up !
#5 – Once all CALLs are renamed and properly resolved starting from the “Choke Point”, simply go back to the “Choke Point”, then document the step-by-step instructions made by the Trojan! Then we’re done!
Tip: Always formulate a plan on how you are going to analyze a particular Trojan. Don’t just load it in a debugger and pump away… Remember that if you can press F8 once per second, you can cover only 46,800 instructions in a 13-hour shift. Big-time Trojans sometimes reach millions of lines of code.

59 A journey of a thousand miles begins with but a single step …
Let’s do Step #1: Open the Trojan in IDAPro. Immediately upon opening the file, we get an error message! Talk about rotten luck! But don’t worry, there are ways to solve this problem …

60 Manually Adding FLIRT to Delphi-made programs
Since this is a DELPHI-made program, simply add all FLIRT modules present for DELPHI. I added all 7 FLIRT modules with DELPHI in their name, and we see that IDAPro has resolved hundreds of CALLs made to native DELPHI code.

61 What does @System@@LStrToPChar$qqr do ?
Unfortunately, some DELPHI procedure names are not so intuitive, like: @System@@LStrToPChar$qqrv. If this is really a crucial piece of code, we need to trace the Trojan up to here so we would know its actual function!

62 Step 2 Already ?
Let’s now do Step #2: Identifying a Choke Point. We need to identify an instruction executed prior to hooking the APIs…

63 Locating the Choke Point
Remember that the Trojan reads the INI file so it knows what files, registry keys and processes to hide. So one possible choke point would be the processing of this INI file. We browsed the IDAPro code and found this instruction: We could make this our Choke Point and start analysis from here!

64 Step 3: Name CALLS properly
Now comes the most tedious part! You have to go to each subroutine and label each of them properly according to their behavior! The labels need not be exact. Just make sure that you will know what it is used for when you encounter it later!
Tip: When naming local subroutines, precede them with an escape character like the “$” sign. That way you would know that it is a local subroutine.

65 A Slight Change Of Plans
Change is inevitable, even for a straightforward presentation such as this :-p The reason being, the Trojan has too many levels of local CALLs and it is quite impossible to name them all properly! Plus I don’t think these CALLs are made in sequence… They could be called again in some other parts of the Trojan… If, when using IDAPro, you cannot even understand the flow of logic, what more when you place the program in a debugger ??? You will just be wasting your time…

66 Conclusion
At this point in time, it is still NOT FEASIBLE to trace DELPHI applications*
* Conclusion drawn from the researcher’s experience analyzing this Trojan. Also drawn from several pieces of anecdotal evidence (i.e. experience with other similar malware).

67 Workaround
OK, so we can’t trace the Trojan directly, so we have to try some workaround solutions.

68 Restatement of the problem
How do we know what system changes are made by the Trojan (i.e. what APIs are hooked), and what is the behavior of these modifications, WITHOUT tracing the Trojan?
- This is a very relevant question, since we would soon be seeing API hooking Trojans. Much like in DOS, where viruses hook interrupt vectors and trap calls to DOS services.

69 Simplest Solution
Problem: How do we know what system changes are made by the Trojan (i.e. what APIs are hooked), and what is the behavior of these modifications, WITHOUT tracing the Trojan?
My recommended solution: Dump the first 1000 bytes from the start of each API’s entry point before and after running the Trojan. Then simply compare the logs and determine the modifications. If you want, you can even trace the modified areas in a debugger.

70 Duhh…How do I dump data from the start of each API to disk ?
Use any debugger which can access the System Area in memory. Then manually determine the RVA of each API, then cut and paste to a file.
 -or- use APISEE™
 A specialized tool built specially for this task!
 APISEE uses direct memory access to the DLL address space rather than using the ReadProcessMemory API, which could itself already be infected.

71 APISEE Usage

72 APISEE in action
1. Run APISEE for the following DLLs:
    KERNEL32.DLL
    USER32.DLL
    GDI32.DLL
    ADVAPI32.DLL
    WSOCK32.DLL
    WS2_32.DLL
2. Run the Trojan
3. Run APISEE again for the named DLLs.
4. Use the following command to compare the data before and after:

    FC \*.* \*.* /b > LOGFILE

73 KERNEL32 API Modifications
Notice that the patched-up bytes always start with an E9 opcode (the JMP to the hook, as in the patched FindNextFileA listing on slide 28).
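An added example, not APISEE or the presentation’s code, of the before/after comparison on slides 69-73 and of the E9 detour from the FindNextFileA listing on slides 27-28: it diffs two dumps of an API entry per API (what FC /b does per file) and decodes where an E9 JMP lands. The FindNextFileA bytes and address are the slide’s; the hook address and the CreateFileA and ReadFile dumps are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define DUMP_LEN 16   /* APISEE dumps 1000 bytes per API; 16 show the technique */

/* Before/after dump of one exported API, as produced per DLL by APISEE. */
typedef struct {
    const char   *name;
    uint32_t      entry;             /* virtual address of the API entry point */
    unsigned char before[DUMP_LEN];
    unsigned char after[DUMP_LEN];
} ApiDump;

/* Offset of the first byte that differs between the two dumps, or -1 when they
 * are identical: the per-API equivalent of the "FC /b" step on slide 72. */
int first_difference(const ApiDump *d)
{
    size_t i;
    for (i = 0; i < DUMP_LEN; i++)
        if (d->before[i] != d->after[i]) return (int)i;
    return -1;
}

/* If the code at 'entry' begins with E9 rel32 (near JMP), decode where it
 * lands: target = entry + 5 + rel32, rel32 a signed little-endian value.
 * Returns 1 and sets *target when the JMP is present, 0 otherwise. */
int decode_entry_jmp(uint32_t entry, const unsigned char *code, size_t len,
                     uint32_t *target)
{
    uint32_t rel;
    if (len < 5 || code[0] != 0xE9) return 0;
    rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8)
        | ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = entry + 5u + rel;   /* unsigned wrap-around equals signed addition */
    return 1;
}

/* 0 = unchanged, 1 = modified but no JMP at the entry (some other patch),
 * 2 = entry detoured with E9; *target then holds the detour destination. */
int classify_api(const ApiDump *d, uint32_t *target)
{
    if (first_difference(d) < 0) return 0;
    return decode_entry_jmp(d->entry, d->after, DUMP_LEN, target) ? 2 : 1;
}

/* Constructed fixtures. FindNextFileA's bytes and its 195D6 address come from
 * the listing on slides 27-28; the hook address 0x00401000 and the CreateFileA
 * and ReadFile dumps are made up for the demo. */
static const ApiDump SAMPLES[] = {
    { "FindNextFileA", 0x000195D6u,
      /* push ebp; mov ebp,esp; sub esp,260h; push ebx; lea eax,[ebp-260h] */
      { 0x55,0x8B,0xEC,0x81,0xEC,0x60,0x02,0x00,0x00,0x53,0x8D,0x85,0xA0,0xFD,0xFF,0xFF },
      /* jmp 0x00401000: rel32 = 0x401000 - (0x195D6 + 5) = 0x3E7A25; then 4 x nop */
      { 0xE9,0x25,0x7A,0x3E,0x00,0x90,0x90,0x90,0x90,0x53,0x8D,0x85,0xA0,0xFD,0xFF,0xFF } },
    { "CreateFileA", 0x00012340u,   /* untouched: both dumps identical */
      { 0x55,0x8B,0xEC,0x83,0xEC,0x20,0x53,0x56,0x57,0x8B,0x7D,0x08,0x33,0xDB,0x3B,0xFB },
      { 0x55,0x8B,0xEC,0x83,0xEC,0x20,0x53,0x56,0x57,0x8B,0x7D,0x08,0x33,0xDB,0x3B,0xFB } },
    { "ReadFile", 0x00014A00u,      /* first byte replaced by CC (INT 3): modified, no JMP */
      { 0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56,0x57,0x8B,0x75,0x08,0x33,0xC0,0x3B,0xF0 },
      { 0xCC,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56,0x57,0x8B,0x75,0x08,0x33,0xC0,0x3B,0xF0 } },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Number of sampled APIs whose entry has been detoured with a JMP. */
unsigned int count_detoured(void)
{
    unsigned int i, n = 0;
    uint32_t t;
    for (i = 0; i < NSAMPLES; i++)
        if (classify_api(&SAMPLES[i], &t) == 2) n++;
    return n;
}
```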

74 ADVAPI32 API Modifications

75 WS2_32 API Modifications

76 All other DLLs don’t have modifications

77 ALL APIs Hooked by the Trojan:
 ADVAPI32.DLL: ControlService, EnumServiceGroup, EnumServicesStatus, I_ScGetCurrentGroupState, I_ScSetServiceBits, OpenSCManager, OpenService, RegConnectRegistry, RegDeleteKey, RegDeleteValue, RegEnumKey, SetServiceBits, StartService
 KERNEL32.DLL: CreateProcessW, FindClose, FindCloseChangeNotification, FindFirstChangeNotification, FindFirstFile, FindFirstFileEx, FindNextChangeNotification, FindNextFile, GetFileType, GetOverlappedResult, GetQueuedCompletionStatus, PostQueuedCompletionStatus, ReadDirectoryChanges, ReadFile, RegisterWaitForInputIdle
 WS2_32.DLL: recv, recvfrom, WSARecv

78 IMPACT of this Trojan on future malware analysis
 InstallWatch, SocketSpy, FileMon, RegMon, and other “MON” tools are no longer sufficient for “surface” analysis.
 A Trojan merely has to hook APIs, then store itself somewhere in memory. No file, registry or process changes will be detected.
 The fact that this Trojan runs on ALL NT systems means that new Windows versions are not safe from this exploit.
 In fact, if this Backdoor had not come with a text file which states its behavior, we could have tagged it as NOT A VIRUS !
 The solution: Use APISEE ! If there’s any API modification done, APISEE is sure to find it !

79 Back To Work
Ok, so now that we know what APIs are changed by the Trojan, we can trace its modifications in memory. Simply load any file which calls any of the “HOT” APIs immediately, then trace through it. Here is the source code of the program we are about to trace:

80 Finally We’re Tracing…

81 The API HOOK is at last revealed
