Hidden Rootkits in Windows - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Hidden Rootkits in Windows

Description:

DEMO Hacker Defender Anatomy 101. How they hide and ... Windows Defender. 3.1. UnHackMe. 2.3. System Virginity Verifier. 1.20. IceSword ... Windows ... – PowerPoint PPT presentation

Number of Views:457
Avg rating:3.0/5.0
Slides: 38
Provided by: task7
Category:

less

Transcript and Presenter's Notes

Title: Hidden Rootkits in Windows


1
Hidden Rootkits in Windows
Prepared by CMS Consulting Inc. Confidential
CMS Consulting Inc.
Presented by Brian Bourne, CISSP, MCSESecurity
2
DISCLAIMER
  • The contents of this presentation are the
    property of CMS Consulting Inc. No portion, in
    whole or in part can be used without the express
    written consent of CMS. You may email
    brian_at_cms.ca for permission to re-post or re-use
    any of this content.

3
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange -
SMS - ISA MOM - Clustering - Office Desktop
Deployment - SQL Terminal Services - Security
Assessments - Lockdown Wireless Training by
Experts for Experts MS Infrastructure Security
- Vista and Office Deployment Visit us online
www.cms.ca Downloads Resources White Papers
For Security Solutions For Advanced
Infrastructure For Network Solutions For
Information Worker
4
AGENDA
  • What is a rootkit?
  • Kernal mode vs user mode
  • Popular and New rootkits
  • History of Rootkits
  • What can they hide
  • DEMO Hacker Defender Anatomy 101
  • How they hide and go undetected
  • DEMO - Hacker Defender In Action!
  • DEMO Covert Channels
  • DEMO FUTo
  • Detection, Protection and Removal
  • DEMO Detection
  • Hardware Virtualization Rootkits
  • Vista
  • Trends

5
Overview
What is a rootkit?
  • A root kit is a set of tools used by an intruder
    after cracking a computer system. These tools can
    help the attacker maintain his or her access to
    the system and use it for malicious purposes.
    Root kits exist for a variety of operating
    systems such as Linux, Solaris, and versions of
    Microsoft Windows
  • Reference http//en.wikipedia.org/wiki/Rootkit

6
Types of rootkits 1 of 3
  • Persistent RootkitsA persistent rootkit is one
    associated with malware that activates each time
    the system boots. Because such malware contain
    code that must be executed automatically each
    system start or when a user logs in, they must
    store code in a persistent store, such as the
    Registry or file system, and configure a method
    by which the code executes without user
    intervention.
  • Memory-Based RootkitsMemory-based rootkits are
    malware that has no persistent code and therefore
    does not survive a reboot.

7
Types of rootkits 2 of 3
  • User-mode RootkitsThere are many methods by
    which rootkits attempt to evade detection.
    Example
  • a user-mode rootkit might intercept all calls to
    the Windows FindFirstFile/FindNextFile APIs,
    which are used by file system exploration
    utilities, including Explorer and the command
    prompt, to enumerate the contents of file system
    directories.
  • When an application performs a directory listing
    that would otherwise return results that contain
    entries identifying the files associated with the
    rootkit, the rootkit intercepts and modifies the
    output to remove the entries.

8
Types of rootkits 3 of 3
  • Kernel-mode RootkitsKernel-mode rootkits can be
    even more powerful since, not only can they
    intercept the native API in kernel-mode, but they
    can also directly manipulate kernel-mode data
    structures. A common technique for hiding the
    presence of a malware process is to remove the
    process from the kernel's list of active
    processes. Since process management APIs rely on
    the contents of the list, the malware process
    will not display in process management tools like
    Task Manager or Process Explorer.
  • Reference http//www.sysinternals.com

9
Windows Architecture
10
History of Rootkits
Reference http//www.phrack.org/archives/63/p63-0
x08_Raising_The_Bar_For_Windows_Rootkit_Detection.
txt
11
Popular Rootkits
  • AFX Rootkit 2005
  • FU
  • Hacker Defender
  • HE4Hook
  • NT Root
  • NTFSHider
  • NTIllusion
  • Vanquish
  • Winlogon Hijack

12
New Rootkits
  • FUTo
  • KIrcBot
  • SubVirt
  • Shadow Walker
  • BluePill (PoC)

13
Commercial Stealth
Commercially available products that use rootkit
type technologies.
  • Sony DRM
  • Mr. Mrs. Smith DVD (Alpha-Disc DRM)
  • Norton System Works
  • Hide Folders XP
  • Tracking and Monitoring software

14
What can they hide
  • Covert Channels
  • Custom GINAs
  • Files and Directories
  • Processes
  • Registry Keys
  • Services
  • TCP/UPD ports
  • Memory pages (New)
  • VMs (New)

15
How they hide and go undetected
  • Kernel Native API hooking
  • User Native API hooking
  • Dynamic Forking of Win32 EXE
  • Direct Kernel Object Manipulation (DKOM)
  • Interrupt Descriptor Table Hooking
  • Memory Hooking (Shadow Walker)
  • Reference www.security.org.sg / www.hbgary.com /
    www.rootkit.com

16
How they hide and go undetected 1 of 3
  • Kernel Native API hooking
  • SDT
  • This technique is typically implemented by
    modifying the ServiceTable entries in the Service
    Descriptor Table (SDT).
  • Directly unlinking the process's EPROCESS entry
    from ActiveProcessLink.
  • User Native API hooking
  • Import Address Table (IAT) / Export Address Table
    (EAT)
  • Each process and module(DLL) have their own
    Import Address Table (IAT) that contains the
    entry-point addresses of the APIs that are used.
    These addreseses will be used whenever the
    process makes a call to the repective APIs.
    Therefore, by replacing the entry-point address
    of an API (in the IAT) with that of a replacement
    function, it is possible to redirect any calls to
    the API to the replacement function.
  • Every DLL has an Export Address Table (EAT) that
    contains the entry-point addresses of the APIs
    that are implemented within the DLL. Hence, by
    replacing the entry-point of an API within the
    EAT with the relative address of the replacement
    function, we can cause GetProcAddress to return
    the address of the replacement function instead.

17
How they hide and go undetected 2 of 3
  • Dynamic Forking of Win32 EXE
  • Under Windows, a process can be created in
    suspend mode using the CreateProcess API with the
    CREATE_SUSPENDED parameter. The EXE image will be
    loaded into memory by Windows but execution will
    not begin until the ResumeThread API is used.
    Before calling ResumeThread, it is possible to
    read and write this process's memory space using
    APIs like ReadProcessMemory and
    WriteProcessMemory. This makes it possible to
    overwrite the image of the original EXE with the
    image of another EXE, thus enabling the execution
    of the second EXE within the memory space of the
    first EXE.
  • Direct Kernel Object Manipulation (DKOM) in
    memory
  • A device driver or loadable kernel module has
    access to kernel memory
  • A sophisticated rootkit can modify the objects
    directly in memory in a relatively reliable
    fashion to hide.

18
How they hide and go undetected 3 of 3
  • Interrupt Descriptor Table (IDT)
  • Interrupts are used to signal to the kernel that
    it has work to perform.
  • By hooking one interrupt, a clever rootkit can
    filter all exported kernel functions.
  • Memory Hooking (Shadow Walker)
  • Hooking pages of memory to hide code
  • Reference www.security.org.sg / www.hbgary.com /
    www.rootkit.com

19
DEMO Network
20
DEMO Introduction
  • Hacker Defender - Anatomy 101
  • Hxdef100.exe
  • Hxdef100.ini
  • Hxdefdrv.sys (Embedded in hxdef100.exe)
  • Rdrbs100.exe
  • Rdrbs100.ini
  • Bdcli100.exe
  • Reference http//hxdef.czweb.org

DEMO
21
DEMO
  • Hacker Defender In Action!
  • Security Compromise - Exploit
  • Avoiding Antivirus Detection
  • Hiding Folders/Files
  • Hiding Services
  • Hiding TCP Ports
  • Hacker Defender Covert Channel
  • Backdoor shell access via SMTP

DEMO
22
Covert Channel Summary
23
DEMO
  • FUTo
  • Security Compromise - Exploit
  • Avoiding Antivirus Detection
  • Changing Security Token
  • Hiding Process

DEMO
24
Detection
  • How to detect rootkits?

25
DEMO
  • Detecting rootkits
  • F-Secure Blacklight
  • GMER
  • Rootkit Revealer
  • IceSword

DEMO
26
Detection Results
1 Could not detect FU because it does not hide
folders/files. Only processes.
27
Detection Summary
  • All stock rootkits discovered with various
    detection tools
  • Custom recompiled rootkits by pass antivirus
    detection
  • Commercially available customized rootkits that
    hide files, services, processes, registry keys
    would not be detected in the compromised OS

28
Hardware Virtualization Rootkits
  • Dino Dai Zovi presented an essentially
    undetectable hypervisor rootkit using
  • Intel VT processor
  • Mac OS-X
  • Vitriol to be demod at BlueHat
  • Joanna Rutkowska presented an essentially
    undetectable hypervisor rootkit using
  • AMD Pacifica processor
  • Microsoft Vista Beta 2
  • SUMMARY THIS IS NOT AN AMD OR INTEL NOR VISTA OR
    MAC ISSUE!

29
Hardware Virtualization Rootkits
  • Preventing detection was a design goal
  • There is no software-visible bit whose setting
    indicates whether a logical processor is in VMX
    non-root operation. This fact may allow a VMM to
    prevent guest software from determining that it
    is running in a virtual machine -- Intel VT-x
    specification
  • The design goals of AMD and Intel were to provide
    full virtualization. This means FULL
    virtualization.
  • There is no hardware bit or register that
    indicates that the processor is running in VMX
    non-root mode
  • Read Dino and Joannas presentations for details
    regarding new CPU instructions and how
    hypervisors work.

30
Bypassing Vista Kernel Signed Drivers
  • Well Joanna did have some extra complexity to
    deal with because of Vista requiring all kernel
    drivers to be signed.
  • Essentially, she figured out a way to cause it to
    page out null.sys, then modified the pagefile.sys
    directly using raw disk access to get Vista to
    run her rootkit. The process
  • Allocate lots of memory to cause unused drivers
    code to be paged
  • Replace the paged out code (inside pagefile) with
    some shellcode
  • Ask kernel to call the driver code which was just
    replaced
  • Fixed in Vista RC2 by disabling raw disk
    access from user mode (including administrator)

31
BP Detection
  • Some ideas for BluePill detection were presented
    by both Dino and Joanna. Essentially they are
  • Attempt to use VMX to create a VM
  • Bluepill a box with Bluepill although this
    exception could be handled and the second
    Bluepill to run would end up being virtualized
    also)
  • Attempt to detect VM exit latency
  • Dino demod using CPUID, but a number of
    instructions cause a VM Exit and you could
    measure latency. Although the timer could be
    altered by the Bluepill and hence would require
    an external time source. How could is your stop
    watch?
  • Joanna came up with an undisclosed method to blue
    screen a BluePilled box, but thats not really
    great detection.

32
Hardware Virtualization Rootkits Bottom line
  • Arbitrary code can be injected into Vista x64
    kernel despite code signing requirement, and in
    really any other operating system.
  • This could be abused to create Blue Pill based
    malware on processors supporting virtualization
  • BP installs itself on the fly and does not
    introduce any modifications to BIOS nor hard disk
  • BP can be used in many different ways to create
    the actual malware
  • BP should be undetectable in any practical way
    (when fully implemented)
  • Blocking BP based attacks on software level will
    also prevent ISVs from providing their own VMMs
    and security products based on SVM technology
  • Changes in hardware (processor) could allow for
    easy BP detection

33
Protection
  • Defence in Depth practices!
  • Application Layer firewalls
  • Add rootkit detection and removal software to
    your toolkit
  • Baseline your systems in another kernel (WinPE)
    using the Microsoft Strider technique for
    comparing modified/added binaries on a regular
    basis

34
Removal
  • Rootkit removal tools (eg. Unhackme by Greatis
    Software, F-Secure Blacklight, GMER, IceSword)
  • Clean from another kernel (eg. BackTrack, WinPE,
    etc)
  • Use technology that reverts back to a previous
    state if your environment allows for it
  • Undo disks in Microsoft Virtual PC/Server
  • Microsoft Shared Computer Toolkit v1.1
  • Faronics Deep Freeze
  • Symantec Norton GoBack
  • Winternals Recovery Manager
  • Once a machine has been compromised, the only
    true cleaning method is to low-level format and
    reload!

35
Trends 1 of 2
  • Its a cat and mouse game
  • As rootkit detection methods/signatures are
    updated so are the techniques/methods of the
    rootkits evading detection just like viruses but
    much more sophisticated
  • Encrypting the memory pages where the rootkit is
    running to avoid detection
  • Polymorphism
  • Spyware and Viruses utilizing functions of
    rootkits to hide their presence and payload This
    has already happened and will continue to
    escalate to an extremely stealthy version

36
Trends 2 of 2
  • Memory Hiding (e.g. Shadow Walker)
  • Using other system writeable memory locations.
    (e.g. VideoCardKit, MTDWin, ACPI, BIOS)
  • Boot sector rootkits (e.g. BootRootKit)
  • Virtual Machine rootkits
  • Database rootkits (presented in concept by
    Alexander Kornbrust at BH2005)
  • Hardware based rootkit detection
  • Intel Rootkit detection (Code name LaGrande)
  • TPM (Trusted Platform Module)
  • Co-Pilot (PCI card) http//www.komoku.com

37
VISTA
  • Windows Defender (Beta 2)
  • Microsoft plans to move device drivers out of the
    kernel and in to the user level.
  • Address Space Layout Randomization (ASLR)
  • Digital Signatures for Kernel Modules on
    x64-based Systems Running Windows Vista
  • Microsoft Patch Guard on x64 Based Systems
  • Reference http//www.microsoft.com

38
Need to Know
Prevention
Response
LearnMore
39
CMS Training Offerings
  • INSPIRE Infrastructure Workshop
  • 4 days of classroom training - demo intensiveAD,
    Exchange, ISA, Windows Server, SMS, MOM, Virtual
    Server
  • Business Desktop Deployment Deploying
    Vista/Office
  • 3 days of classroom training - hands on labs
    (computers provide)Business Desktop Deployment
    Concepts, Tools, Processes, etc. Vista and Office
  • Securing Internet Information Services
  • Securing ActiveDirectory
  • Securing Exchange 2003
  • 1 day classroom training per topic
  • TRAINING BY EXPERTS FOR EXPERTS

40
Contacting Us.
_at_
  • Brian Bourne, President brian_at_cms.ca
  • Robert Buren, VP Business Development
    robert_at_cms.ca
  • CMS Consulting Inc. http//www.cms.ca/
  • CMS Training http//www.cms.ca/training/
  • Toronto Area Security Klatch http//www.task.to/

41
Q A
CMS Consulting Inc.
  • Thank You!
  • Visit CMS Consulting at http//www.cms.ca
  • Join Toronto Area Security Klatch at
    http//www.task.to
Write a Comment
User Comments (0)
About PowerShow.com