Hidden Processes: The Implication for Intrusion Detection

Slides:

Advertisements

Similar presentations

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Advertisements

VICE – Catch the hookers! (Plus new rootkit techniques)

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Operating System Security : David Phillips A Study of Windows Rootkits.

Chap 2 System Structures.

5-Network Defenses Dr. John P. Abraham Professor UTPA.

2006 Black Security1 Rootkits: the basics Tim Shelton [BL4CK] Black Security

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

How an attacker can maintain control over their victim’s system without being discovered.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Day 11 Processes. Operating Systems Control Tables.

Windows Security and Rootkits Mike Willard January 2007.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Slide 6-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 6.

CS252: Systems Programming Ninghui Li Final Exam Review.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Rootkits. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.

Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators.

CIS 450 – Network Security Chapter 15 – Preserving Access.

Rootkits in Windows XP  What they are and how they work.

COS 598: Advanced Operating System. Operating System Review What are the two purposes of an OS? What are the two modes of execution? Why do we have two.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.

Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 

Black Hat Briefings Las Vegas July 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas.

LINUX ROOTKITS Chirk Chu Chief Security Officer University of Alaska Statewide System Information Technology Services.

CE Operating Systems Lecture 11 Windows – Object manager and process management.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Systems II San Pham CS /20/03. Topics Operating Systems Resource Management – Process Management – CPU Scheduling – Deadlock Protection/Security.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Black Hat Briefings Amsterdam October 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas.

Chapter 2 Processes and Threads Introduction 2.2 Processes A Process is the execution of a Program More specifically… – A process is a program.

1 Chapter 4 Processes R. C. Chang. 2 Linux Processes n Each process is represented by a task_struct data structure (task and process are terms that Linux.

Crouching Admin, Hidden Hacker Techniques for Hiding and Detecting Traces Paula Januszkiewicz Penetration Tester, MVP: Enterprise Security, MCT iDesign.

We will focus on operating system concepts What does it do? How is it implemented? Apply to Windows, Linux, Unix, Solaris, Mac OS X. Will discuss differences.

4300 Lines Added 1800 Lines Removed 1500 Lines Modified PER DAY DURING SUSE Lab.

Full and Para Virtualization

2 Processor(s)Main MemoryDevices Process, Thread & Resource Manager Memory Manager Device Manager File Manager.

Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)

VMM Based Rootkit Detection on Android

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

Introduction Contain two or more CPU share common memory and peripherals. Provide greater system throughput. Multiple processor executing simultaneous.

Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Embedded Real-Time Systems Processing interrupts Lecturer Department University.

Detecting Windows Server Compromises Joanna Rutkowska HIVERCON 2003, Dublin, Ireland, November 6 th, 2003.

Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.

Advanced Operating Systems CS6025 Spring 2016 Processes and Threads (Chapter 2)

Computer System Structures

OPERATING SYSTEMS CS3502 Fall 2017

Operating Systems: A Modern Perspective, Chapter 6

Process Realization In OS

Threads & multithreading

Hidden Processes: The Implication for Intrusion Detection

Chapter 4: Threads.

Rootkits Jonathan Hobbs.

Hiding Malware Rootkits

CHAPTER 4:THreads Bashair Al-harthi OPERATING SYSTEM

Implementing Processes, Threads, and Resources

Outline Process Management Process manager Hardware process

Crisis and Aftermath Morris worm.

Implementing Processes, Threads, and Resources

Threads CSE 2431: Introduction to Operating Systems

CS Introduction to Operating Systems

Presentation transcript:

Hidden Processes: The Implication for Intrusion Detection James Butler Dr. Jeff Undercoffer Dr. John Pinkston

Rootkits First appeared in 1993 as a collection of compromised system binaries: ls, ps, netstat, login, du, Facilitated access and masked activity Why – because they could Consider the case of Kevin Mitnick: served five years in prison, 8 months of that in solitary confinement tested then-nascent laws that had been enacted for dealing with computer crime Most famous for the “Mitnick Attack”

The Mitnick Attack

Anomaly Based IDSs Detect: Aberrant processes and services Files that are created/deleted/modified Network connections Uses and trusts the underlying operating system If the underlying operating system is compromised, the IDS fails.

Basic Types Kernel Application Library Device Driver (Microsoft) LKM (Linux) Application Library

Attack Scenario Attacker gains elevated access to computer system Attacker installs a Rootkit Rootkit’s functions Hide processes Hide files Hide network connections Install a backdoor for future access to the system Rootkits act as a part of the operating system so they have access to kernel memory.

State of Current Rootkits Advanced rootkits filter data Hook the System Call Table of the operating system (the functions exported by the kernel) Hook the Interrupt Descriptor Table (IDT) Interrupts are used to signal to the kernel that it has work to perform. By hooking one interrupt, a clever rootkit can filter all exported kernel functions.

Next Generation Rootkit Techniques Direct kernel object modification in memory A device driver or loadable kernel module has access to kernel memory A sophisticated rootkit can modify the objects directly in memory in a relatively reliable fashion.

Hiding Processes - Windows Locate the Processor Control Block (KPRCB) Located at 0xffdff120 fs register in kernel mode points to 0xffdff000 Within the KPRCB is a pointer to the Current Thread block (ETHREAD) Located at fs:[124] or 0xffdff124 An ETHREAD contains a KTHREAD structure

Hiding Processes - Windows The KTHREAD structure contains a pointer to the EPROCESS block of the current process The EPROCESS block contains a LIST structure, which has a forward and backward pointer to active processes This creates the doubly linked list of active processes in Windows

Hiding Processes - Windows To hide a process Locate the EPROCESS block of the process to hide Change the process behind it to point to the process after the process you are hiding Change the process after it to point to the process before the one you are trying to hide

Hiding Processes - Windows Hiding Processes - Before (Windows) Hiding Processes - After (Windows)

Hiding Processes - Windows Why does the process continue to run? Scheduling in the Windows kernel is thread based and not process based. Although scheduling code to run is based upon threads, when the kernel reports what is running on the system, it reports based upon EPROCESS blocks which can be modified with no adverse affect. This is what current tools (IDS’s) rely upon to discover what is running on the system.

Hiding Processes – LINUX The LINUX kernel contains an array of task_struct’s. A task_struct is similar to an EPROCESS block in Windows task_struct contains pointers to the prev_task and next_task task_struct also contains pointers to the prev_run and next_run for the running processes

Hiding Processes – LINUX To hide a process, remove the process from the list of prev_task and next_task Leave next_run and prev_run alone

Hiding Processes - Linux Hiding Processes - Before (Linux) Hiding Processes - After (Linux)

Hiding Processes - LINUX Process will freeze? It is no longer able to be scheduled The LINUX scheduler walks the list of task_struct’s to calculate the goodness value of the process to decide rather to schedule it or not. In order to make this work, you must also hot-patch the LINUX scheduler to schedule the hidden process. Inject binary into the scheduler

Detecting Hidden Processes in Windows Methodology: Examine each thread to ensure its corresponding process descriptor (EPROCESS) is appropriately linked. This requires patching the kernel in memory. Hunt and Brubacher introduced Detours for intercepting Win32 binary functions.

Detours Overwrite beginning of target function with an unconditional jump to a Detour function Detour function calls a Trampoline function The Trampoline function contains the overwritten bytes of the original Target function and calls the Target function The Target function returns to the Detour function The Detour function returns to the source caller

Detours

Patching the Windows kernel SwapContext does context switching in Windows Overwrite the first seven bytes of SwapContext with a jump to our Detour function EDI points to the KTHREAD of the thread to be scheduled to run Our Detour function follows the KTHREAD to the EPROCESS block and determines if it is still appropriately linked in the list of active processes.

Detecting Hidden Processes in LINUX Injectso is a library similar to Detours Intended as a means of attack Uses ELF - Executable and Linkable Format Already Has stubs into code

Conclusion Detecting processes that have hidden from the OS by means of unhooking themselves from system accounting processes is computational expensive! Prevention is worth a pound of cure!