Almost Under the Radar

About This Presentation
Title:

Almost Under the Radar

Description:

'A rootkit is a general description of a set of programs which work to subvert ... Used for Spam, Botnets, DRM, Copy protection, ... ASUS Mother board ' ... – PowerPoint PPT presentation

Slides: 45
Provided by: Ada585

Transcript and Presenter's Notes

1
Almost Under the Radar
  • A brief history, overview, and tutorial of
    rootkits.
  • By Adam Cecchetti

2
Outline
  • Background
  • Technical
  • Tutorial
  • The Future
  • Defense, etc.

3
Rootkit
  • A rootkit is a general description of a set of
    programs which work to subvert control of an
    operating system from its legitimate operators.
  • -Wikipedia

4
What does a rootkit do?
  • Maintain access
  • Hide itself and the intruder's activities
  • Provide vectors for going deeper
  • Avoid AV, HIDS, detectors, and humans
  • Steal info: network, key, and screen loggers
  • DRM
  • Helps set the evil bit to 1

5
Are rootkits evil?
  • Used for spam, botnets, DRM, copy protection,
    phishing, DDoS, Trojans, backdoors, espionage,
    etc.
  • Many legitimate things look and act like rootkits,
    making detection hard(er):
  • Host firewalls, HIDS, AV, debuggers, VMs, BIOS
    checkers, drivers, pentesters

6
History
  • 1994 Early SunOS kits detected
  • 1996 First Linux rootkits publicly appear
  • 1997 LKM Trojans proposed in Phrack
  • 1998 Non-LKM kernel patching proposed by Silvio
    Cesare
  • 1999 Adore LKM kit released by TESO
  • 2000 t0rnkit v8 with its libproc library Trojan released
  • 2001 KIS Trojan and SucKIT released
  • 2002 Sniffer backdoors start to show up in kits

7
Binary rootkits
  • The original rootkits were trojaned binaries and
    utilities
  • Going back as far as SunOS 4.1.1
  • ls, ps, cd, ...
  • Easy to detect and mitigate
  • Checksum your binaries before they get taken over
    (and keep the checksums off the host, or the kit
    will fix those too)
  • You did that, right?
  • Goal: maintain root access post compromise

8
Kernel Rootkit
  • Alters the system kernel
  • Replaces syscalls, modules, drivers, etc.
  • Hides below user land
  • Gives user land code Ring 0 access
  • Hides processes, sockets, files
  • Filters processes, sockets, files

9
PCI/PXE Rootkit
  • John Heasman
  • PCI expansion ROMs
  • Hiding malicious code in firmware
  • "If a legacy card's option ROM code hooks INT 19h
    during its initialization call, it controls the
    boot process."
  • Contact a malicious PXE server to update a kernel
    rootkit

10
BIOS Rootkits
  • Replace the BIOS with your own code
  • Hide the rootkit in the BIOS
  • Difficult and system dependent
  • Error prone: hardware revisions, etc.
  • Viruses have done this forever
  • BIOSes have some checks
  • Write protection is generally useless
  • Signing hasn't happened yet

11
Microcontroller Rootkit
  • Ring -1 (sorta)
  • Intel AMT 3.0
  • Active Management Technology
  • ASUS motherboard
  • Embedded on the P5E3 Deluxe is a Linux
    environment that features a Firefox-rebranded web
    browser and the Skype VoIP client!
  • Remote updates for microcontrollers
  • Boot check, on-board remote management

12
Database Rootkits
  • Alexander Kornbrust
  • Level 1: alter the reporting views admins rely on
  • Level 2: update management tables and scripts
  • Level 3: loadable module that helps maintain access
    more stealthily
  • Loadable module:
  • Oracle, MSSQL, MySQL loadable libraries
  • Loaded via SQL injection from a blob

13
App/App Server Rootkits
  • JBoss, J2EE, Perl, Python, Ruby, etc.
  • Replace mod_ components
  • Logic errors
  • Backdoor access across apps
  • Copy sensitive data
  • Run code on a special URL/web request

14
Browser Rootkits
  • A lot of ad/spyware in 2002-2007
  • Hook the back end of browsers
  • Frameworks make a browser more like an OS
  • Malicious extensions
  • GnuCitizen.org / InvisibleThings

15
Hypervisor/VM Rootkits
  • Joanna Rutkowska, Dino Dai Zovi
  • AMD / Intel VM processor extensions
  • Doesn't have to use them, they just make it easier
  • Swap the native OS out into a VM
  • Hypervisor
  • Sits between the OS and the hardware
  • Xen, Xbox 360, VMware ESX, AV vendors
  • Cisco and company

16
Line blurry yet?
  • I'm a rootkit

17
Outline
  • Background
  • Technical
  • Tutorial
  • The Future
  • Defense, etc.

18
Rootkit exploit techniques
  • Kernel memory patching
  • Call manipulation
  • Interrupt, Syscall hooking
  • Call replacing

19
Call Hooking
  • Tables of pointers to syscalls, interrupt handlers
  • Replace a pointer with one to your own code
  • Run the malicious portion
  • Call the original syscall with the args passed in
  • Easy to detect: compare the table against a
    known-good copy

[Figure: a syscall pointer table before and after hooking (entries
0xAAAAA, 0xBBBBB, 0xCCCCC, 0xDDDDD; hook code at 0x333333)]
20
Call Patching
  • Replace an entire or partial syscall with malicious
    code
  • Pitfalls: patch size, locking, race conditions

[Figure: hex dump of a function before and after patching; the original
bytes are overwritten with a repeating 12 34 56 pattern]
21
Call Manipulation
  • Leave the code intact but alter the call paths
  • Change the logical execution
  • You didn't need that security check anyway

[Figure: call graph a -> if -> b -> return -> c, before and after the
call path is altered]
22
Kernel Memory Patching
  • Replace sections of kernel memory
  • Can be dangerous
  • Search for signatures
  • Replace them with your own code or updates

23
Kernel Object Manipulation
  • The kernel stores its data structures in memory
  • Process lists, interrupt handlers, etc.
  • Alter these objects to hide procs, sockets,
    files, and the rootkit itself
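The list-unlinking trick this slide describes, as an added example that is not from the presentation and does not run in a kernel: a user-space C model of a process list kept the way kernels keep it, a doubly-linked allproc list plus a separate pid table. hide_process() unlinks one entry the way a DKOM rootkit would, so a ps-style walk of the list misses it while the process stays in the pid table and keeps existing; find_hidden() is the cross-view check from the countermeasures slide, diffing the two views. All names here (spawn, hide_process, find_hidden, pool, pidtable, MAXPID) are this example's own, not kernel symbols.

```c
#include <stdio.h>
#include <string.h>

#define MAXPID 64   /* assumed: tiny pid space for the model */

/* Minimal struct proc: the fields DKOM cares about are the list links. */
struct proc {
    int pid;
    char name[16];
    struct proc *next, *prev;   /* allproc list links */
    int in_use;
};

static struct proc pool[MAXPID];          /* backing storage for the model */
static struct proc allproc;               /* sentinel head of the process list */
static struct proc *pidtable[MAXPID];     /* pid -> proc: the second, independent view */

/* Fresh "kernel": empty list, empty pid table. */
void reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(pidtable, 0, sizeof pidtable);
    allproc.next = allproc.prev = &allproc;
}

/* Create a process: linked at the tail of allproc and registered in pidtable. */
struct proc *spawn(int pid, const char *name)
{
    if (pid <= 0 || pid >= MAXPID || pool[pid].in_use)
        return NULL;
    struct proc *p = &pool[pid];
    p->pid = pid;
    p->in_use = 1;
    strncpy(p->name, name, sizeof p->name - 1);
    p->prev = allproc.prev;
    p->next = &allproc;
    allproc.prev->next = p;
    allproc.prev = p;
    pidtable[pid] = p;
    return p;
}

/* Rootkit side: unlink the entry from allproc only. The struct proc and the
 * pid table entry stay intact, so the process keeps existing and running;
 * anything that enumerates by walking allproc simply never sees it. */
int hide_process(int pid)
{
    struct proc *p = (pid > 0 && pid < MAXPID) ? pidtable[pid] : NULL;
    if (p == NULL || p->next == NULL)
        return -1;                        /* unknown pid, or already hidden */
    p->prev->next = p->next;
    p->next->prev = p->prev;
    p->next = p->prev = NULL;
    return 0;
}

/* "ps" view: walk the list, write pids to out, return how many were seen. */
int list_pids(int *out, int max)
{
    int n = 0;
    for (struct proc *p = allproc.next; p != &allproc && n < max; p = p->next)
        out[n++] = p->pid;
    return n;
}

/* Cross-view detection: every pid the table knows must be reachable by
 * walking the list. Writes the pids that are not to out, returns the count. */
int find_hidden(int *out, int max)
{
    int seen[MAXPID] = {0};
    for (struct proc *p = allproc.next; p != &allproc; p = p->next)
        seen[p->pid] = 1;
    int n = 0;
    for (int pid = 1; pid < MAXPID && n < max; pid++)
        if (pidtable[pid] != NULL && !seen[pid])
            out[n++] = pid;
    return n;
}

int main(void)
{
    int pids[MAXPID], hidden[MAXPID], n;
    reset();
    spawn(1, "init");          /* constructed sample processes */
    spawn(7, "sshd");
    spawn(42, "rk_backdoor");
    hide_process(42);
    n = list_pids(pids, MAXPID);
    printf("ps sees %d processes:", n);
    for (int i = 0; i < n; i++) printf(" %d", pids[i]);
    n = find_hidden(hidden, MAXPID);
    printf("\ncross-view finds %d hidden:", n);
    for (int i = 0; i < n; i++) printf(" %d (%s)", hidden[i], pidtable[hidden[i]]->name);
    printf("\n");
    return 0;
}
```

The detector works only because the second view is one the rootkit cannot afford to break: in a real kernel the scheduler's run queues and the pid hash have to stay consistent or the hidden process stops running, which is exactly why cross-view diffs (and not list walks) are the countermeasure listed later in the deck.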

24
Surviving Reboots
  • Write the malicious code out to on-disk drivers or
    the swap area
  • Have the driver load on next reboot and re-enable
    the rootkit
  • Inject into an admin/root-level program or
    service
  • Inject into the MBR, BIOS, etc.
  • PCI/firmware techniques

25
Outline
  • Background
  • Technical
  • Tutorial
  • The Future
  • Defense, etc.

26
Syscall Hook Example
  • Step 1: find the call you want to hook
  • mkdir (lame but I ran out of time)
  • Step 1.5: get your code into kernel space
  • static int mkdir_hook(struct thread *td, void *syscall_args)

27
    static int mkdir_hook(struct thread *td, void *syscall_args)
    {
        struct mkdir_args *uap;   /* char *path; int mode; */
        char path[255];
        size_t done;
        int error;

        uap = (struct mkdir_args *)syscall_args;

        /* copy the user-supplied path into kernel space; bail if it fails */
        error = copyinstr(uap->path, path, sizeof(path), &done);
        if (error)
            return (error);

        /* EVIL GOES HERE */

        /* hand off to the real syscall so the caller sees normal behaviour */
        return (mkdir(td, uap));
    }

28
Syscall Hook Example
  • Step 2: replace the original call
  • sysent[SYS_mkdir].sy_call = (sy_call_t *)mkdir_hook;
  • The hook above calls the real mkdir by name; if you
    ever want to unload cleanly, save the old sy_call
    pointer first and restore it
  • This causes a LOT of basic alarms to go off and
    is easily detectable.

29
Syscall Hook Example
  • Step 3: call the syscall
  • mkdir test_my_hook
  • This causes your code to execute and then the
    original syscall code to run. To the user the dir
    gets made and nothing bad appears to happen.
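The Call Hooking slide and the three tutorial steps above, as an added example that is not the presentation's code and does not run in a kernel: a user-space C model of sysent[] in which install_hook() does the sy_call swap from step 2, mkdir_hook() inspects the arguments and then calls the original exactly as the slide's hook does, and count_hooked() is the baseline comparison ("call checking" from the countermeasures slide) that makes this kind of hook easy to detect. The names fake_sysent, mkdir_orig, do_mkdir, baseline and hooked_path are assumptions of the model; SYS_MKDIR is set to 136, mkdir's syscall number on FreeBSD.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as FreeBSD's typedef: int f(struct thread *, void *) */
typedef int sy_call_t(void *td, void *args);

struct sysent_entry { sy_call_t *sy_call; };       /* one sysent[] slot */
struct mkdir_args   { const char *path; int mode; };

enum { SYS_MKDIR = 136, NSYSENT = 512 };           /* 136 = mkdir on FreeBSD */

static struct sysent_entry fake_sysent[NSYSENT];   /* assumed: stands in for sysent[] */
static sy_call_t *baseline[NSYSENT];               /* detector's trusted copy of the table */
static int  mkdirs_made;
static char last_hooked_path[255];

/* Stand-in for the kernel's real mkdir implementation. */
static int mkdir_orig(void *td, void *args)
{
    (void)td; (void)args;
    mkdirs_made++;
    return 0;
}

/* Same structure as the slide's mkdir_hook: look at the arguments, do the
 * "evil" part (here: record the path), then call the original. */
static int mkdir_hook(void *td, void *args)
{
    struct mkdir_args *uap = args;
    /* strncpy stands in for copyinstr(); there is no user/kernel boundary here */
    strncpy(last_hooked_path, uap->path, sizeof last_hooked_path - 1);
    last_hooked_path[sizeof last_hooked_path - 1] = '\0';
    return mkdir_orig(td, args);
}

/* Boot-time state: table filled in, baseline snapshot taken while trusted. */
void init_table(void)
{
    memset(fake_sysent, 0, sizeof fake_sysent);
    fake_sysent[SYS_MKDIR].sy_call = mkdir_orig;
    for (int i = 0; i < NSYSENT; i++)
        baseline[i] = fake_sysent[i].sy_call;
    mkdirs_made = 0;
    last_hooked_path[0] = '\0';
}

/* Step 2 from the slides: sysent[SYS_mkdir].sy_call = (sy_call_t *)mkdir_hook; */
void install_hook(void)
{
    fake_sysent[SYS_MKDIR].sy_call = (sy_call_t *)mkdir_hook;
}

/* Step 3: dispatch through the table, as the syscall entry path would. */
int do_mkdir(const char *path, int mode)
{
    struct mkdir_args a = { path, mode };
    return fake_sysent[SYS_MKDIR].sy_call(NULL, &a);
}

/* Call checking: count entries that no longer match the baseline and report
 * the first mismatching syscall number through *first (-1 if none). */
int count_hooked(int *first)
{
    int n = 0;
    if (first) *first = -1;
    for (int i = 0; i < NSYSENT; i++) {
        if (fake_sysent[i].sy_call != baseline[i]) {
            if (n == 0 && first) *first = i;
            n++;
        }
    }
    return n;
}

const char *hooked_path(void) { return last_hooked_path; }
int mkdir_count(void) { return mkdirs_made; }

int main(void)
{
    int first;
    init_table();
    printf("hooked entries before: %d\n", count_hooked(&first));
    install_hook();
    do_mkdir("test_my_hook", 0755);      /* the slide's "mkdir test_my_hook" */
    printf("hooked entries after: %d (syscall %d), path seen by hook: %s\n",
           count_hooked(&first), first, hooked_path());
    return 0;
}
```

The baseline is the whole trick on the detection side: it has to come from somewhere the rootkit did not already control (the kernel image on disk, or a snapshot taken at boot), and a kit that patches the function body instead of the pointer (the Call Patching slide) passes this check, which is why the countermeasures slide lists searching memory alongside call checking.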

30
Outline
  • Background
  • History
  • Technical
  • Tutorial
  • The Future
  • Defense, etc.

31
The Future
  • GPU Rootkit
  • CPUless Rootkits
  • Microcode Rootkits
  • Cell Processors
  • Mobile Network Rootkits
  • Hardware Rootkits
  • Full Crypto Virtual Machine
  • More of the same

32
GPU Rootkit
  • nVIDIA, ATI, Intel
  • Becoming a general computing solution
  • And how! DDR3, 20 pipelines, in-line
    manipulations, etc.
  • What shade will your next rootkit be?
  • PPUs and AI PUs will follow

33
No CPU for You
  • Easier and easier to get cycles off core
  • GPU -> DMA -> Net
  • GPU for CPU / memory
  • DMA for bus transport to the network interface
  • No CPU or main memory access will make detection
    hard

34
Microcode Rootkit
  • Microcode translates machine code into control
    signals on the CPU
  • These signals control execution stages,
    latches, etc.
  • Intel / AMD allow microcode updates
  • Creating a microcode rootkit is difficult
  • Different per processor spec and revision

35
Cell Processors
  • Currently PS3: 1 PPE, 8 SPEs
  • Chain work from SPE to SPE
  • Future: chain across different processors and across
    the network
  • Let's say...
  • One SPE along the way becomes corrupted and
    trolls for select information.
  • I'm working on a PoC. Fun times...

36
Mobile Network Rootkits
  • Fucking iPhone.
  • Same root password on 1.5 million devices
  • Running code across 1.5 million procs sounds fun
  • Call interception, voicemail spamming
  • Email spamming, etc.

37
Hardware Rootkits
  • Hak5 made version 0.001
  • USB Switchblade
  • FireWire exploits - forensics devices
  • FPGAs, PCI, USB, FireWire
  • Plug in our PCI card
  • Exploit the hardware vendor and ship malicious
    firmware. (Been done)

38
Full Crypto Virtual Machine
  • Adam Young
  • Author of Malicious Cryptography
  • Cryptographic AND, NOT, XOR, OR
  • None of the operations the VM performs are
    decipherable, even with perfect information about
    the instructions being executed on the CPU.
  • (Hence "crypto")
  • Game over?

39
Outline
  • Background
  • History
  • Technical
  • Tutorial
  • The Future
  • Defense, etc.

40
Rootkits Can Be Undetectable
(Lies)
41
Rootkit Countermeasures
  • General security
  • Timing detections
  • Call checking, searching memory
  • Static, signed firmware, drivers, code
  • Compartmentalization (SELinux, UAC, AppArmor)
  • Secure hypervisor (Xbox 360)
  • Write-once-on-boot sections (HW)
  • Logic probe (Moonlight Maze)
  • Thermite (cryptographically secure VM)

42
A little of my current work
  • More of the same!
  • Backdoor the scheduler of a multi-core system
  • Overwrite the scheduler to lie about reporting,
    remove unwanted processes from the run queue (AV,
    HIDS, etc.)
  • Remove a CPU from the system
  • Boot my own code

43
Sources
  • Malicious Cryptography (Young & Yung)
  • Rootkits: Subverting the Windows Kernel (Hoglund & Butler)
  • Rootkits.com
  • BIOS Disassembly Ninjutsu Uncovered (Salihun)
  • Designing BSD Rootkits (Kong)
  • Linux Kernel Development (Love)
  • Windows Internals (Russinovich & Solomon)
  • Mac OS X Internals (Singh)
  • Linux Device Drivers (Corbet, Rubini & Kroah-Hartman)
  • Intel Manuals
  • The Database Hacker's Handbook (Litchfield et al.)
  • Many, many papers
  • Full list forthcoming

44
Questions?