Presented by: Brian Bourne, CMS Consulting Inc.
The contents of this presentation are the property of CMS Consulting Inc. No portion, in whole or in part can be used without the express written consent of CMS. You may for permission to re-post or re-use any of this content.
Microsoft Infrastructure and Security Experts Active Directory - Windows Server - Exchange - SMS - ISA MOM - Clustering - Office – Desktop Deployment - SQL – Terminal Services - Security Assessments - Lockdown – Wireless Training by Experts for Experts MS Infrastructure – Security - Vista and Office Deployment Visit us online: Downloads – Resources – White Papers For Security Solutions For Advanced Infrastructure For Network Solutions For Information Worker For Mobility Solutions
1. ~~~~~~~~~ 2. ~~~ ~~ ~~ 3. ~~~~ What is a rootkit? Kernal mode vs user mode Popular and New rootkits History of Rootkits What can they hide DEMO – Hacker Defender Anatomy 101 How they hide and go undetected DEMO - Hacker Defender In Action! DEMO – Covert Channels DEMO – FUTo Detection, Protection and Removal DEMO – Detection Hardware Virtualization Rootkits Vista Trends
A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows Reference: What is a rootkit?
Persistent Rootkits A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention. Memory-Based Rootkits Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
User-mode Rootkits There are many methods by which rootkits attempt to evade detection. Example: a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
Kernel-mode Rootkits Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer. Reference:
Primitive Binary file replacement (password logging / UNIX) Hiding traces/tracks (log cleaners) Primitive Binary file replacement (password logging / UNIX) Hiding traces/tracks (log cleaners) More advanced hiding - “stealthy” (Hxdef,HE4Hook) Hooking techniques More advanced hiding - “stealthy” (Hxdef,HE4Hook) Hooking techniques Direct dynamic manipulation of kernel structures (FU) Difficult for detection software to identify Direct dynamic manipulation of kernel structures (FU) Difficult for detection software to identify Advanced Memory hooking/hiding (Shadow Walker) Used in collusion with 3rd Generation rootkit Extremely “stealthy” Advanced Memory hooking/hiding (Shadow Walker) Used in collusion with 3rd Generation rootkit Extremely “stealthy” First Generation Second Generation Third Generation Fourth Generation Hardware Virtualization Boot Root Kits Hardware Virtualization Boot Root Kits Fifth Generation
AFX Rootkit 2005 FU Hacker Defender HE4Hook NT Root NTFSHider NTIllusion Vanquish Winlogon Hijack
FUTo KIrcBot SubVirt Shadow Walker BluePill (PoC) BootRoot and VBootKit
Sony DRM Mr. & Mrs. Smith DVD (Alpha-Disc DRM) Norton System Works Hide Folders XP Tracking and Monitoring software Commercially available products that use rootkit type technologies.
Covert Channels Custom GINA’s Files and Directories Processes Registry Keys Services TCP/UPD ports Memory pages (New) VM’s (New)
Kernel Native API hooking User Native API hooking Dynamic Forking of Win32 EXE Direct Kernel Object Manipulation (DKOM) Interrupt Descriptor Table Hooking Memory Hooking (Shadow Walker) Reference: / /
Kernel Native API hooking SDT This technique is typically implemented by modifying the ServiceTable entries in the Service Descriptor Table (SDT). Directly unlinking the process's EPROCESS entry from ActiveProcessLink. User Native API hooking Import Address Table (IAT) / Export Address Table (EAT) Each process and module(DLL) have their own Import Address Table (IAT) that contains the entry-point addresses of the APIs that are used. These addreseses will be used whenever the process makes a call to the repective APIs. Therefore, by replacing the entry-point address of an API (in the IAT) with that of a replacement function, it is possible to redirect any calls to the API to the replacement function. Every DLL has an Export Address Table (EAT) that contains the entry- point addresses of the APIs that are implemented within the DLL. Hence, by replacing the entry-point of an API within the EAT with the relative address of the replacement function, we can cause GetProcAddress to return the address of the replacement function instead.
Dynamic Forking of Win32 EXE Under Windows, a process can be created in suspend mode using the CreateProcess API with the CREATE_SUSPENDED parameter. The EXE image will be loaded into memory by Windows but execution will not begin until the ResumeThread API is used. Before calling ResumeThread, it is possible to read and write this process's memory space using APIs like ReadProcessMemory and WriteProcessMemory. This makes it possible to overwrite the image of the original EXE with the image of another EXE, thus enabling the execution of the second EXE within the memory space of the first EXE. Direct Kernel Object Manipulation (DKOM) in memory A device driver or loadable kernel module has access to kernel memory A sophisticated rootkit can modify the objects directly in memory in a relatively reliable fashion to hide.
Interrupt Descriptor Table (IDT) Interrupts are used to signal to the kernel that it has work to perform. By hooking one interrupt, a clever rootkit can filter all exported kernel functions. Memory Hooking (Shadow Walker) Hooking pages of memory to hide code Reference: / /
Hacker Defender - Anatomy 101 Hxdef100.exe Hxdef100.ini Hxdefdrv.sys (Embedded in hxdef100.exe) Rdrbs100.exe Rdrbs100.ini Bdcli100.exe Reference:
Hacker Defender – In Action! Security Compromise - Exploit Avoiding Antivirus Detection Hiding Folders/Files Hiding Services Hiding TCP Ports Hacker Defender – Covert Channel Backdoor shell access via SMTP
FUTo Security Compromise - Exploit Avoiding Antivirus Detection Changing Security Token Hiding Process
How to detect rootkits? Darkspy1.0.5 F-Secure BlackLight Beta GMER IceSword1.20 KProcCheck0.2-beta2 Malicious Software Removal ToolV1.29 5/12/2007 Process Magic by WinEggDropV1.0 RootKit Shark3.11 RootkitRevealer1.7 Strider (Microsoft)beta System Virginity Verifier2.3 Windows Defender UnHackMe4.5
Detecting rootkits F-Secure Blacklight GMER Rootkit Revealer IceSword
*1 Could not detect FU because it does not hide folders/files. Only processes. NameVersionAFX Rootkit 2005FU Hacker Defender VanquishNotes Blacklight Yes Flister0.1YesNo *1Yes Need to type in the exact dir path Keensense2.0Yes NoInstalls system driver and requires a reboot. Unstable. Process Guard3.150Yes Install requires a reboot. All Global Protection optiosn manually turned on. Needs to “learn” a baseline of the system. GMER Yes Choice of reboot for advanced features IceSword1.18Yes Choice of reboot for advanced features Rootkit Revealer1.55YesNoYes StriderbetaYesNo *1Yes Hidden directory/file compare of comprimised state and clean state from a WinPE boot CD using windiff.
All “stock” rootkits discovered with various detection tools Custom recompiled rootkits by pass antivirus detection Commercially available customized rootkits that hide files, services, processes, registry keys would not be detected in the compromised OS
Dino Dai Zovi presented an essentially undetectable hypervisor rootkit using: Intel VT processor Mac OS-X “Vitriol” to be demo’d at BlueHat Joanna Rutkowska presented an essentially undetectable hypervisor rootkit using: AMD Pacifica processor Microsoft Vista Beta 2 SUMMARY: THIS IS NOT AN AMD OR INTEL NOR VISTA OR MAC ISSUE!
Preventing detection was a design goal: – “There is no software-visible bit whose setting indicates whether a logical processor is in VMX non-root operation. This fact may allow a VMM to prevent guest software from determining that it is running in a virtual machine” -- Intel VT-x specification The design goals of AMD and Intel were to provide full virtualization. This means FULL virtualization. There is no hardware bit or register that indicates that the processor is running in VMX non-root mode Read Dino and Joanna’s presentations for details regarding new CPU instructions and how hypervisors work.
Well Joanna did have some extra complexity to deal with because of Vista requiring all kernel drivers to be signed. Essentially, she figured out a way to cause it to page out null.sys, then modified the pagefile.sys directly using raw disk access to get Vista to run her rootkit. The process: Allocate lots of memory to cause unused drivers code to be paged Replace the paged out code (inside pagefile) with some shellcode Ask kernel to call the driver code which was just replaced “Fixed” in Vista RC2 – by disabling raw disk access from user mode (including administrator)
Some ideas for BluePill detection were presented by both Dino and Joanna. Essentially they are: Attempt to use VMX to create a VM Bluepill a box with Bluepill – although this exception could be handled and the second Bluepill to run would end up being virtualized also) Attempt to detect VM exit latency Dino demo’d using CPUID, but a number of instructions cause a VM Exit and you could measure latency. Although the timer could be altered by the Bluepill and hence would require an external time source. How could is your stop watch? Joanna came up with an undisclosed method to blue screen a BluePill’ed box, but that’s not really great detection.
Arbitrary code can be injected into Vista x64 kernel despite code signing requirement, and in really any other operating system. This could be abused to create “Blue Pill” based malware on processors supporting virtualization BP installs itself on the fly and does not introduce any modifications to BIOS nor hard disk BP can be used in many different ways to create the actual malware BP should be undetectable in any practical way (when fully implemented) Blocking BP based attacks on software level will also prevent ISVs from providing their own VMMs and security products based on SVM technology Changes in hardware (processor) could allow for easy BP detection
Defence in Depth practices! Application Layer firewalls Add rootkit detection and removal software to your toolkit Baseline your systems in another kernel (WinPE) using the Microsoft Strider technique for comparing modified/added binaries on a regular basis
Rootkit removal tools (eg. “Unhackme” by Greatis Software, F-Secure Blacklight, GMER, IceSword) Clean from another kernel (eg. BackTrack, WinPE, etc) Use technology that reverts back to a previous state if your environment allows for it: Undo disks in Microsoft Virtual PC/Server Microsoft Shared Computer Toolkit v1.1 Faronics Deep Freeze Symantec Norton GoBack Winternals Recovery Manager Once a machine has been compromised, the only true cleaning method is to low-level format and reload!
It’s a cat and mouse game As rootkit detection methods/signatures are updated; so are the techniques/methods of the rootkits evading detection; just like viruses but much more sophisticated Encrypting the memory pages where the rootkit is running to avoid detection Polymorphism Spyware and Viruses utilizing functions of rootkits to hide their presence and payload; This has already happened and will continue to escalate to an extremely “stealthy” version
Memory Hiding (e.g. Shadow Walker) Using other system writeable memory locations. (e.g. VideoCardKit, MTDWin, ACPI, BIOS) Boot sector rootkits (e.g. BootRootKit, VBootKit) Virtual Machine rootkits Database rootkits (presented in concept by Alexander Kornbrust at BH2005) Hardware based rootkit detection Intel Rootkit detection (Code name: LaGrande) TPM (Trusted Platform Module) Co-Pilot (PCI card)
Windows Defender Microsoft plans to move device drivers out of the kernel and in to the user level (starting with Vista) Address Space Layout Randomization (ASLR) Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista Microsoft Patch Guard on x64 Based Systems Reference:
Stop rootkits from entering and executing in your environment. Prevention Non-critical systems can be cleaned and/or reloaded. Critical systems require professional assistance, particularly if forensic evidence is desired. Non-critical systems can be cleaned and/or reloaded. Critical systems require professional assistance, particularly if forensic evidence is desired. Response Participate in the Toronto Area Security Klatch Participate in the Toronto Area Security Klatch Learn More
November 20 – 21, 2007, MTCC, Toronto, ON, Canada
INSPIRE Infrastructure Workshop 4 days of classroom training - demo intensive AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server Business Desktop Deployment – Deploying Vista/Office 3 days of classroom training - hands on labs (computers provide) Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office Securing Internet Information Services Securing ActiveDirectory Securing Exchange day classroom training per topic TRAINING BY EXPERTS FOR EXPERTS
@ Brian Bourne, President – Robert Buren, VP Business Development – CMS Consulting Inc. – CMS Training – Toronto Area Security Klatch –
Thank You! Visit: CMS Consulting at Join: Toronto Area Security Klatch at Register: Security Education in Toronto at CMS Consulting Inc.