Presented by: Brian Bourne, CMS Consulting Inc.
Hidden Rootkits in Windows
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless
Training by Experts for Experts
MS Infrastructure - Security - Vista and Office Deployment
Visit us online: www.cms.ca
Downloads - Resources - White Papers
For Security Solutions - For Advanced Infrastructure - For Network Solutions - For Information Worker - For Mobility Solutions
CMS Consulting Inc.
Agenda
What is a rootkit?
Kernel mode vs user mode
Popular and new rootkits
History of rootkits
What can they hide
DEMO - Hacker Defender Anatomy 101
How they hide and go undetected
DEMO - Hacker Defender in Action!
DEMO - Covert Channels
DEMO - FUTo
Detection, protection and removal
DEMO - Detection
Hardware virtualization rootkits
Vista
Trends
What is a rootkit?
Overview
A rootkit is a set of tools used by an intruder after cracking a computer system. These tools help the attacker maintain access to the system and use it for malicious purposes.
Rootkits exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows.
Reference: http://en.wikipedia.org/wiki/Rootkit
Types of rootkits 1 of 3
Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store that code in a persistent store, such as the Registry or the file system, and configure a method by which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
Types of rootkits 2 of 3
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. Example:
• A user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories.
• When an application performs a directory listing that would otherwise return results containing entries that identify the files associated with the rootkit, the rootkit intercepts and modifies the output to remove those entries.
Types of rootkits 3 of 3
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful, since not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
Reference: http://www.sysinternals.com
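The FindFirstFile/FindNextFile interception described above, reduced to a portable simulation in C. This is an added example for this page, not code from the presentation or from any of the rootkits it names: the in-memory directory, the import slot find_next (standing in for an IAT entry), the hidden prefix hxdef and the file names are all constructed for illustration. The cross-view check at the end (API view against the raw on-disk view) is the same idea the RootkitRevealer- and Strider-style comparisons in the Detection and Protection sections rely on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN 32

/* Constructed directory contents, as the file system actually stores them. */
static const char *disk_dir[] = { "boot.ini", "hxdef100.exe", "hxdef100.ini",
                                  "notes.txt", "rdrbs100.exe", "win.ini" };
static const int disk_dir_count = (int)(sizeof disk_dir / sizeof disk_dir[0]);

typedef int (*find_next_fn)(int cursor, char *name_out);

/* Genuine enumeration routine (stands in for FindNextFile): copies the entry
 * at cursor and returns the next cursor, or -1 when the directory is exhausted. */
static int real_find_next(int cursor, char *name_out) {
    if (cursor < 0 || cursor >= disk_dir_count) return -1;
    snprintf(name_out, NAME_LEN, "%s", disk_dir[cursor]);
    return cursor + 1;
}

/* Import slot the application calls through (stands in for an IAT entry). */
static find_next_fn find_next = real_find_next;

/* Assumed hidden prefix: the rootkit drops every entry that starts with it. */
static const char hidden_prefix[] = "hxdef";

/* Rootkit's replacement: calls the real routine and skips matching entries,
 * so callers see a directory with the rootkit's files missing. */
static int hooked_find_next(int cursor, char *name_out) {
    for (;;) {
        cursor = real_find_next(cursor, name_out);
        if (cursor < 0) return -1;
        if (strncmp(name_out, hidden_prefix, sizeof hidden_prefix - 1) != 0)
            return cursor;
    }
}

void install_hook(void) { find_next = hooked_find_next; }
void remove_hook(void)  { find_next = real_find_next; }

/* The application's view (Explorer, "dir"): everything reachable via the API. */
int list_via_api(char names[][NAME_LEN]) {
    int n = 0, cursor = 0;
    while (n < MAX_ENTRIES && (cursor = find_next(cursor, names[n])) >= 0) n++;
    return n;
}

/* Cross-view check: compare the API view with the raw on-disk view and report
 * what the API left out. A real detector obtains the raw view by parsing the
 * volume itself rather than by reading this array. */
int find_hidden_entries(char hidden[][NAME_LEN]) {
    char api_view[MAX_ENTRIES][NAME_LEN];
    int api_count = list_via_api(api_view), hidden_count = 0;
    for (int i = 0; i < disk_dir_count; i++) {
        bool seen = false;
        for (int j = 0; j < api_count && !seen; j++)
            seen = strcmp(disk_dir[i], api_view[j]) == 0;
        if (!seen) snprintf(hidden[hidden_count++], NAME_LEN, "%s", disk_dir[i]);
    }
    return hidden_count;
}

int main(void) {
    char hidden[MAX_ENTRIES][NAME_LEN];
    install_hook();                      /* simulate the compromised host */
    int n = find_hidden_entries(hidden);
    printf("%d entries hidden from the API:\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", hidden[i]);
    remove_hook();
    return 0;
}
```

Running it prints the two hxdef entries the hooked enumeration drops. The point to take away: the hook only changes what callers of that API see, so any detector that reads the volume without going through the API will disagree with Explorer, and that disagreement is the signal.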
Windows Architecture
Reference: http://www.microsoft.com
[Diagram: Windows NT architecture, user mode above the system service dispatcher, kernel mode below]
Ring 3 / User Mode:
System processes: LSASS, Service Control Manager, Session Manager, Winlogon
Services: Services.exe, Spoolsv.exe, Svchost.exe, Winmgmt.exe
Applications: Explorer, Task Manager, user applications
Subsystems: OS/2, POSIX, Windows, Windows DLLs
NTDLL.DLL
Ring 0 / Kernel Mode:
System Service Dispatcher (kernel-mode callable interfaces)
Executive components: Config Manager (registry), File System Cache, I/O Manager, Local Procedure Call, Object Manager, Plug & Play, Processes & Threads, Security Reference Monitor, Virtual Memory
System threads; Windows USER and GDI; graphics drivers
Device and file system drivers; Kernel; Hardware Abstraction Layer
History of Rootkits
First generation: primitive. Binary file replacement (password logging / UNIX); hiding traces and tracks (log cleaners).
Second generation: more advanced, "stealthy" hiding (Hxdef, HE4Hook); hooking techniques.
Third generation: direct dynamic manipulation of kernel structures (FU); difficult for detection software to identify.
Fourth generation: advanced memory hooking/hiding (Shadow Walker); used in combination with a third-generation rootkit; extremely "stealthy".
Fifth generation: hardware virtualization and boot rootkits.
Popular Rootkits
AFX Rootkit 2005, FU, Hacker Defender, HE4Hook, NT Root, NTFSHider, NTIllusion, Vanquish, Winlogon Hijack
New Rootkits
FUTo, KIrcBot, SubVirt, Shadow Walker, BluePill (PoC), BootRoot and VBootKit
Commercial Stealth
Sony DRM, Mr. & Mrs. Smith DVD (Alpha-Disc DRM), Norton SystemWorks, Hide Folders XP, tracking and monitoring software
Commercially available products that use rootkit-type technologies.
What can they hide
Covert channels
Custom GINAs
Files and directories
Processes
Registry keys
Services
TCP/UDP ports
Memory pages (new)
VMs (new)
How they hide and go undetected
Kernel native API hooking
User-mode native API hooking
Dynamic forking of Win32 EXEs
Direct Kernel Object Manipulation (DKOM)
Interrupt Descriptor Table hooking
Memory hooking (Shadow Walker)
Reference: www.security.org.sg / www.hbgary.com / www.rootkit.com
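The DKOM technique listed above, and described earlier under kernel-mode rootkits (remove the process from the kernel's active process list), as an added example in portable C. It is not FU's code: the proc_t structure, the PsActiveProcessHead and PspCidTable stand-ins, the process names and the eight-entry ID space are assumptions made for the simulation. It also shows the cross-check that exposes the trick: a walk of the list and a brute-force walk of the process ID table disagree.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PID 8            /* toy ID space; the real table is far larger */

typedef struct proc {
    int pid;
    char name[16];
    struct proc *flink, *blink;      /* ActiveProcessLinks stand-in */
} proc_t;

static proc_t pool[MAX_PID];
static proc_t active_head;           /* PsActiveProcessHead stand-in */
static proc_t *cid_table[MAX_PID];   /* PspCidTable stand-in, indexed by PID */
static int pool_used;

void reset_kernel(void) {
    memset(pool, 0, sizeof pool);
    memset(cid_table, 0, sizeof cid_table);
    active_head.flink = active_head.blink = &active_head;
    pool_used = 0;
}

/* Create a process: link it at the tail of the active list, register its ID. */
proc_t *create_process(int pid, const char *name) {
    if (pid < 0 || pid >= MAX_PID || cid_table[pid] || pool_used >= MAX_PID)
        return NULL;
    proc_t *p = &pool[pool_used++];
    p->pid = pid;
    snprintf(p->name, sizeof p->name, "%s", name);
    p->blink = active_head.blink;
    p->flink = &active_head;
    active_head.blink->flink = p;
    active_head.blink = p;
    cid_table[pid] = p;
    return p;
}

/* The DKOM step: splice p out of the list. Its neighbours no longer point at
 * it, but its own links are pointed at itself so the unlink the kernel does at
 * process exit does not write through stale pointers. The process keeps
 * running: scheduling works from thread structures, not from this list. */
void dkom_hide_process(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;
}

/* Task Manager's view: walk the active list. */
int enumerate_by_list(int pids_out[]) {
    int n = 0;
    for (proc_t *p = active_head.flink; p != &active_head; p = p->flink)
        pids_out[n++] = p->pid;
    return n;
}

/* PID brute-force view: try every ID against the table. */
int enumerate_by_cid(int pids_out[]) {
    int n = 0;
    for (int pid = 0; pid < MAX_PID; pid++)
        if (cid_table[pid]) pids_out[n++] = pid;
    return n;
}

/* Cross-view: IDs the table knows about that the list walk never reached. */
int find_hidden_pids(int hidden_out[]) {
    int list_pids[MAX_PID], n_list = enumerate_by_list(list_pids), n_hidden = 0;
    for (int pid = 0; pid < MAX_PID; pid++) {
        if (!cid_table[pid]) continue;
        int seen = 0;
        for (int i = 0; i < n_list; i++) if (list_pids[i] == pid) seen = 1;
        if (!seen) hidden_out[n_hidden++] = pid;
    }
    return n_hidden;
}

int main(void) {
    reset_kernel();
    create_process(4, "System");
    create_process(5, "csrss");
    proc_t *bd = create_process(6, "backdoor");
    create_process(7, "explorer");
    dkom_hide_process(bd);
    int hidden[MAX_PID], n = find_hidden_pids(hidden);
    for (int i = 0; i < n; i++)
        printf("pid %d (%s) is in the ID table but not in the active list\n",
               hidden[i], cid_table[hidden[i]]->name);
    return 0;
}
```

Why the hidden process keeps running: the scheduler works from thread structures, so unlinking the process object costs the attacker nothing. Why it is still findable: the ID table, handle tables and thread lists all still reference the object, and a detector that enumerates any of them sees an entry the list walk missed. A rootkit can of course unlink from those too, which is the cat-and-mouse game the Trends section describes.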
DEMO Network
Internal network: 172.16.0.x
Windows Server 2003, SMTP service, domain controller, IP 172.16.0.1, rk-win2k3.domain.com
Windows Server 2003, ISA 2004 firewall, IP 172.16.0.10, rk-isa.domain.com
Windows XP, IP 172.16.0.x, rk-winxp.domain.com
Internet side: IP 10.10.8.100
Windows XP, IP 10.10.8.200, winxp.attacker.com
DEMO Introduction
Hacker Defender - Anatomy 101
hxdef100.exe
hxdef100.ini
hxdefdrv.sys (embedded in hxdef100.exe)
rdrbs100.exe
rdrbs100.ini
bdcli100.exe (backdoor client)
Reference: http://hxdef.czweb.org
DEMO
Hacker Defender - In Action!
Security compromise - exploit
Avoiding antivirus detection
Hiding folders/files
Hiding services
Hiding TCP ports
Hacker Defender - Covert Channel
Backdoor shell access via SMTP
Covert Channel Summary
[Diagram: backdoor client on the Internet, firewall, Windows 2003 host running the SMTP service on TCP:25 with the backdoor server intercepting that port]
1. The backdoor client connects to TCP:25 through the firewall and sends a special 256-bit key.
2. Port 25 is intercepted by the backdoor server, which checks the key before the SMTP service sees the connection.
3. Normal email, carrying no key, is passed through to the SMTP service on TCP:25 unchanged.
4. On a matching key, a remote shell on TCP:100 is started for the client.
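The key-triggered demultiplexing behind the covert channel above, together with the check a network sensor can apply to catch it, as an added example in C. This is not the hxdef/bdcli code: the 32-byte demo_key, the recorded flows and the SMTP verb list are constructed, and the dispatcher is assumed to decide from the first bytes a client sends on the intercepted port.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 32                 /* 256-bit trigger key */

enum route { ROUTE_SMTP, ROUTE_SHELL };

/* Constructed demo key; a real deployment would use random bytes. */
const uint8_t demo_key[KEY_BYTES] = {
    0xd3,0x0c,0x5e,0x91,0x7a,0x44,0xb8,0x2f,0x6d,0xe1,0x13,0xaf,0x58,0xc2,0x90,0x07,
    0x3b,0x69,0xf4,0x1e,0x82,0xcd,0x27,0xa5,0x70,0x4c,0xb9,0x0d,0xe6,0x35,0x8f,0x51 };

/* Constant-time compare: a byte-by-byte early exit would let a prober on port
 * 25 recover the key one byte at a time from response timing. */
static bool key_matches(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Backdoor side (steps 1-4): the first client bytes on the intercepted port
 * decide where the connection goes. A non-matching prefix is handed to the
 * real SMTP service, so ordinary mail keeps flowing and the listener looks
 * normal to a scanner. */
enum route route_connection(const uint8_t *first, size_t n, const uint8_t *key) {
    return (n >= KEY_BYTES && key_matches(first, key)) ? ROUTE_SHELL : ROUTE_SMTP;
}

/* Defender side: what each party sent first on a port-25 connection, as a
 * network sensor would record it. */
typedef struct {
    bool client_spoke_first;   /* client bytes arrived before the 220 banner */
    const uint8_t *client_first;
    size_t client_len;
} smtp_flow;

static const char *smtp_verbs[] = { "HELO", "EHLO", "STARTTLS", "NOOP", "RSET",
                                    "QUIT", "MAIL", "RCPT", "DATA", "VRFY", "AUTH", "HELP" };

static bool starts_with_smtp_verb(const uint8_t *d, size_t n) {
    for (size_t v = 0; v < sizeof smtp_verbs / sizeof smtp_verbs[0]; v++) {
        size_t len = strlen(smtp_verbs[v]);
        if (n < len) continue;
        size_t i = 0;
        while (i < len && toupper(d[i]) == (unsigned char)smtp_verbs[v][i]) i++;
        if (i == len && (n == len || d[len] == ' ' || d[len] == '\r' || d[len] == '\n'))
            return true;
    }
    return false;
}

/* Flag a flow when the client violates what a real SMTP client must do: wait
 * for the server greeting, then open with a command verb in printable text.
 * A 32-byte binary key fails on every count. */
bool flow_is_suspicious(const smtp_flow *f) {
    if (f->client_spoke_first) return true;
    if (!starts_with_smtp_verb(f->client_first, f->client_len)) return true;
    for (size_t i = 0; i < f->client_len; i++) {
        uint8_t c = f->client_first[i];
        if (c != '\r' && c != '\n' && !isprint(c)) return true;
    }
    return false;
}

int count_suspicious(const smtp_flow *flows, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += flow_is_suspicious(&flows[i]);
    return hits;
}

/* Constructed sample: one legitimate session and two backdoor sessions. */
static const uint8_t ehlo[] = "EHLO mail.example.com\r\n";
const smtp_flow demo_flows[3] = {
    { false, ehlo, sizeof ehlo - 1 },          /* normal mail */
    { true,  demo_key, KEY_BYTES },            /* key sent without waiting */
    { false, demo_key, KEY_BYTES },            /* key sent after the banner */
};
const size_t demo_flow_count = 3;

int main(void) {
    for (size_t i = 0; i < demo_flow_count; i++)
        printf("flow %zu: backdoor routes to %s, sensor says %s\n", i,
               route_connection(demo_flows[i].client_first, demo_flows[i].client_len,
                                demo_key) == ROUTE_SHELL ? "shell" : "smtp",
               flow_is_suspicious(&demo_flows[i]) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

The sensor-side check works because the channel rides a protocol with a fixed opening: the server must speak first and the client must open with a verb, so the trigger bytes stand out however the key is chosen. It only sees the trigger, though; once the shell is up on TCP:100 that is a separate listener, which is why comparing an external port scan against the host's own netstat view (hidden by the rootkit) is the complementary check.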
DEMO
FUTo
Security compromise - exploit
Avoiding antivirus detection
Changing the security token
Hiding the process
Detection
How to detect rootkits?
Darkspy 1.0.5
F-Secure BlackLight Beta 2.2.1061
GMER 1.0.12.12244
IceSword 1.20
KProcCheck 0.2-beta2
Malicious Software Removal Tool V1.29 5/12/2007
Process Magic by WinEggDrop V1.0
RootKit Shark 3.11
RootkitRevealer 1.7
Strider (Microsoft) beta
System Virginity Verifier 2.3
Windows Defender 1.1.1505.0
UnHackMe 4.5
DEMO
Detecting rootkits
F-Secure BlackLight
GMER
RootkitRevealer
IceSword
Detection Results
Tool              Version       AFX Rootkit 2005  FU      Hacker Defender  Vanquish  Notes
Blacklight        2.2.1037      Yes               Yes     Yes              Yes
Flister           0.1           Yes               No *1   Yes              Yes       Need to type in the exact directory path
Keensense         2.0           Yes               Yes     Yes              No        Installs a system driver and requires a reboot. Unstable.
Process Guard     3.150         Yes               Yes     Yes              Yes       Install requires a reboot. All Global Protection options manually turned on. Needs to "learn" a baseline of the system.
GMER              1.0.10.10111  Yes               Yes     Yes              Yes       Choice of reboot for advanced features
IceSword          1.18          Yes               Yes     Yes              Yes       Choice of reboot for advanced features
Rootkit Revealer  1.55          Yes               No      Yes              Yes
Strider           beta          Yes               No *1   Yes              Yes       Hidden directory/file compare of compromised state and clean state from a WinPE boot CD using windiff
"Yes" = the tool detected that rootkit.
*1 Could not detect FU because FU does not hide folders/files, only processes.
Detection Summary
All "stock" rootkits were discovered by one or more of the detection tools.
Custom recompiled rootkits bypass antivirus detection.
Commercially available customized rootkits that hide files, services, processes and registry keys would not be detected from within the compromised OS.
Hardware Virtualization Rootkits
Dino Dai Zovi presented an essentially undetectable hypervisor rootkit using:
Intel VT processor
Mac OS X
"Vitriol", to be demoed at BlueHat
Joanna Rutkowska presented an essentially undetectable hypervisor rootkit using:
AMD Pacifica processor
Microsoft Vista Beta 2
SUMMARY: THIS IS NOT AN AMD OR INTEL NOR VISTA OR MAC ISSUE!
Hardware Virtualization Rootkits
Preventing detection was a design goal: “There is no software-visible bit whose setting indicates whether a logical processor is in VMX non-root operation. This fact may allow a VMM to prevent guest software from determining that it is running in a virtual machine.” -- Intel VT-x specification
The design goals of AMD and Intel were to provide full virtualization. This means FULL virtualization.
There is no hardware bit or register that indicates that the processor is running in VMX non-root mode
Read Dino and Joanna’s presentations for details regarding new CPU instructions and how hypervisors work.
Bypassing Vista Kernel Signed Drivers
Joanna did have some extra complexity to deal with because Vista requires all kernel drivers to be signed. Essentially, she found a way to cause Vista to page out null.sys, then modified pagefile.sys directly using raw disk access to get Vista to run her rootkit. The process:
1. Allocate lots of memory to cause unused driver code to be paged out.
2. Replace the paged-out code (inside the pagefile) with shellcode.
3. Ask the kernel to call the driver code that was just replaced.
"Fixed" in Vista RC2 by disabling raw disk access from user mode (including for administrators).
BP Detection
Some ideas for Blue Pill detection were presented by both Dino and Joanna. Essentially they are:
Attempt to use VMX to create a VM: Blue Pill a box that is already Blue Pilled. This exception could be handled, though, and the second Blue Pill to run would simply end up being virtualized as well.
Attempt to detect VM exit latency: Dino demoed this using CPUID, but a number of instructions cause a VM exit and you could measure the latency of any of them. The timer could be altered by the Blue Pill, though, so a reliable check would need an external time source. How good is your stopwatch?
Joanna came up with an undisclosed method to blue screen a Blue Pilled box, but that is not really great detection.
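The VM exit latency idea from the second bullet, as an added example in C (x86-64 only; on other targets the probe reports that it is unavailable). This is not Dino's or Joanna's code, and the threshold in it is an assumption, not a calibrated figure. It measures CPUID because, under VT-x, every CPUID executed by a guest exits to the hypervisor unconditionally (SVM makes it an intercept bit that hypervisors set in practice), so a trapped execution costs thousands of cycles where a native one costs hundreds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__)
static inline uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID is serializing, so the two RDTSCs around it bracket it cleanly. */
static inline void cpuid_leaf(uint32_t leaf) {
    uint32_t a = leaf, b, c, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)b; (void)c; (void)d;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
#endif

/* Median TSC cycles for one CPUID over `samples` runs, or -1 if the probe
 * cannot run on this build target. The median shrugs off the occasional
 * interrupt or cache miss that would distort a mean. */
long cpuid_median_cycles(int samples) {
#if defined(__x86_64__)
    if (samples < 1 || samples > 4096) return -1;
    uint64_t t[4096];
    cpuid_leaf(0);                                /* warm up */
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        cpuid_leaf(0);
        t[i] = read_tsc() - t0;
    }
    qsort(t, (size_t)samples, sizeof t[0], cmp_u64);
    return (long)t[samples / 2];
#else
    (void)samples;
    return -1;
#endif
}

/* Assumed threshold: a native CPUID is well under 1000 cycles on processors
 * of the period, a trapped one several thousand. Illustrative only; calibrate
 * per CPU model before relying on it. */
#define EXIT_LATENCY_THRESHOLD 1000L

int hypervisor_suspected(long median_cycles) {
    return median_cycles > EXIT_LATENCY_THRESHOLD;
}

int main(void) {
    long m = cpuid_median_cycles(256);
    if (m < 0) { puts("probe unavailable on this target"); return 0; }
    printf("median CPUID cost: %ld cycles -> %s\n", m,
           hypervisor_suspected(m) ? "VM exit latency visible" : "looks native");
    return 0;
}
```

The caveat from the slide stands: the TSC this reads is itself virtualizable, so a hypervisor that offsets or rescales it can hide the latency. Treat a low median as "nothing seen", not as proof of a clean machine, and use an external clock if you need the stronger statement.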
Hardware Virtualization Rootkits - Bottom line
Arbitrary code can be injected into the Vista x64 kernel despite the code signing requirement, and into really any other operating system.
This could be abused to create "Blue Pill" based malware on processors supporting virtualization.
BP installs itself on the fly and does not introduce any modifications to the BIOS or the hard disk.
BP can be used in many different ways to create the actual malware.
BP should be undetectable in any practical way (when fully implemented).
Blocking BP-based attacks at the software level will also prevent ISVs from providing their own VMMs and security products based on SVM technology.
Changes in hardware (processor) could allow for easy BP detection.
Protection
Defence in depth practices!
Application layer firewalls
Add rootkit detection and removal software to your toolkit
Baseline your systems from another kernel (WinPE) using the Microsoft Strider technique, comparing modified/added binaries on a regular basis
Removal
Rootkit removal tools (e.g. "UnHackMe" by Greatis Software, F-Secure BlackLight, GMER, IceSword)
Clean from another kernel (e.g. BackTrack, WinPE)
Use technology that reverts to a previous state, if your environment allows for it:
Undo disks in Microsoft Virtual PC/Server
Microsoft Shared Computer Toolkit v1.1
Faronics Deep Freeze
Symantec Norton GoBack
Winternals Recovery Manager
Once a machine has been compromised, the only true cleaning method is to low-level format and reload!
Trends 1 of 2
It's a cat and mouse game: as rootkit detection methods and signatures are updated, so are the techniques the rootkits use to evade detection, just like viruses but much more sophisticated.
Encrypting the memory pages where the rootkit is running to avoid detection
Polymorphism
Spyware and viruses utilizing rootkit functions to hide their presence and payload; this has already happened and will continue to escalate to an extremely "stealthy" version.
Trends 2 of 2
Memory Hiding (e.g. Shadow Walker)
Using other system writeable memory locations. (e.g. VideoCardKit, MTDWin, ACPI, BIOS)
Boot sector rootkits (e.g. BootRootKit, VBootKit)
Virtual Machine rootkits
Database rootkits (presented in concept by Alexander Kornbrust at BH2005)
Hardware based rootkit detection
Intel rootkit detection (code name: LaGrande)
TPM (Trusted Platform Module)
Co-Pilot (PCI card) http://www.komoku.com
VISTA
Windows Defender
Microsoft plans to move device drivers out of the kernel and into user mode (starting with Vista)
Address Space Layout Randomization (ASLR)
Digital signatures for kernel modules on x64-based systems running Windows Vista
Microsoft PatchGuard (Kernel Patch Protection) on x64-based systems
Reference: http://www.microsoft.com
Need to Know
Prevention: Stop rootkits from entering and executing in your environment.
Response: Non-critical systems can be cleaned and/or reloaded. Critical systems require professional assistance, particularly if forensic evidence is desired.
Learn more: http://www.rootkit.com, http://www.antirootkit.com; participate in the Toronto Area Security Klatch, http://www.task.to
Security Education Conference in Toronto
November 20 – 21, 2007, MTCC, Toronto, ON, Canadahttp://www.sector.ca/
CMS Training Offerings
INSPIRE Infrastructure Workshop
4 days of classroom training, demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
Business Desktop Deployment - Deploying Vista/Office
3 days of classroom training, hands-on labs (computers provided)
Business Desktop Deployment concepts, tools, processes, etc. for Vista and Office
Securing Internet Information Services
Securing Active Directory
Securing Exchange 2003
1 day of classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
Contacting Us
Brian Bourne, President – [email protected] Buren, VP Business Development – [email protected]
CMS Consulting Inc. – http://www.cms.ca/
CMS Training – http://www.cms.ca/training/
Toronto Area Security Klatch – http://www.task.to/
Q & A
Thank You!
Visit: CMS Consulting at http://www.cms.ca
Join: Toronto Area Security Klatch at http://www.task.to
Register: Security Education in Toronto at http://www.sector.ca